Cognito identity pool should not have the classic authentication flow enabled
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description
In Amazon Cognito, there are two different flows for authentication; enhanced and basic. This detection will trigger when a Cognito identity pool is configured to use the basic flow.
Rationale
The basic (also referred to as classic) flow introduces the risk that an adversary could abuse sts:AssumeRoleWithWebIdentity to assume IAM roles with misconfigured role trust policies for the Cognito Identity service. For this reason, it is recommended to use the Enhanced flow, which also offers additional protections.
Disable the basic authflow for your identity pool and update your clients to make use of the enhanced auth flow.
