Cognito identity pool should not have the classic authentication flow enabled

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

In Amazon Cognito, there are two different flows for authentication; enhanced and basic. This detection will trigger when a Cognito identity pool is configured to use the basic flow.

Rationale

The basic (also referred to as classic) flow introduces the risk that an adversary could abuse sts:AssumeRoleWithWebIdentity to assume IAM roles with misconfigured role trust policies for the Cognito Identity service. For this reason, it is recommended to use the Enhanced flow, which also offers additional protections.

Remediation

Disable the basic authflow for your identity pool and update your clients to make use of the enhanced auth flow.