Cognito identity pool should not have the classic authentication flow enabled

문서 > Datadog 보안 > OOTB Rules > Cognito identity pool should not have the classic authentication flow enabled

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

In Amazon Cognito, there are two different flows for authentication; enhanced and basic. This detection will trigger when a Cognito identity pool is configured to use the basic flow.

Rationale

The basic (also referred to as classic) flow introduces the risk that an adversary could abuse sts:AssumeRoleWithWebIdentity to assume IAM roles with misconfigured role trust policies for the Cognito Identity service. For this reason, it is recommended to use the Enhanced flow, which also offers additional protections.

Remediation

Disable the basic authflow for your identity pool and update your clients to make use of the enhanced auth flow.