AWS Cognito identity pool has guest access configured for a role with administrative privileges


Description

Amazon Cognito identity pools can be configured to offer guest access. When guest access is enabled, anyone who knows the identity pool ID (which is typically embedded in a public web or mobile client) can call GetId and then GetCredentialsForIdentity without presenting any login, and receive temporary AWS credentials for the pool's unauthenticated role. Because any IAM role can be assigned as that unauthenticated role, guest access introduces the risk that anonymous callers end up with more privileges than were intended.

Rationale

The Cognito identity pool which triggered this detection is configured to support guest access for an IAM role that has administrative privileges. Nothing in the guest flow requires a credential, so any external party who obtains the pool ID can assume the role and gain complete access to the entire AWS account.

Remediation

Datadog recommends reducing the permissions attached to the guest role to the minimum required for it to fulfill its function: remove any attached AdministratorAccess managed policy and any inline statement that allows all actions on all resources. Alternatively, guest access can be disabled on the pool to prevent an external adversary from being able to assume the role. Note that temporary credentials already issued to guests remain valid until they expire; to cut off active sessions immediately, add a Deny statement to the role that uses the aws:TokenIssueTime condition key to reject credentials issued before the remediation.
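The following is an added example, not code from the Datadog rule page or Datadog's own detection engine. It evaluates the condition described under Rationale offline (guest access on, unauthenticated role mapped, and that role administrative by attached AdministratorAccess or by a wildcard Allow statement) and builds the parameter set the Remediation section describes for disabling guest access. The account ID, pool IDs, role names and policy documents are constructed samples that mirror the shapes returned by the cognito-identity DescribeIdentityPool / GetIdentityPoolRoles and IAM GetRolePolicy / GetPolicyVersion APIs, so real API output can be substituted for them.

```python
# Added example: offline check for an identity pool whose guest role is
# administrative. Not part of the Datadog rule or its detection code.
import json
from typing import Any, Optional

ADMIN_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value: Any) -> list:
    # IAM accepts a bare string wherever a list is allowed; normalise both.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_admin(stmt: dict[str, Any]) -> bool:
    """True if a statement allows every action on every resource.

    Condition blocks are deliberately ignored: a conditional wildcard grant
    on a guest role still deserves a finding. NotAction/NotResource forms are
    not evaluated by this check and would need a separate rule.
    """
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    resources = set(_as_list(stmt.get("Resource")))
    return bool(actions & {"*", "*:*"}) and "*" in resources


def policy_is_admin(document: dict[str, Any]) -> bool:
    return any(statement_is_admin(s) for s in _as_list(document.get("Statement")))


def role_is_admin(role: dict[str, Any]) -> bool:
    """role = {"AttachedPolicyArns": [...], "PolicyDocuments": [parsed docs]}.
    PolicyDocuments holds both inline and attached customer policy documents."""
    if ADMIN_MANAGED_POLICY_ARN in role.get("AttachedPolicyArns", []):
        return True
    return any(policy_is_admin(doc) for doc in role.get("PolicyDocuments", []))


def evaluate_pool(pool: dict, pool_roles: dict, roles_by_arn: dict) -> Optional[dict]:
    """Return a finding, or None when the rule would not fire.

    pool       : DescribeIdentityPool response
    pool_roles : GetIdentityPoolRoles response for the same pool
    roles_by_arn: role ARN -> role description accepted by role_is_admin
    """
    if not pool.get("AllowUnauthenticatedIdentities"):
        return None  # guest access disabled: GetId without Logins is refused
    guest_role_arn = pool_roles.get("Roles", {}).get("unauthenticated")
    if not guest_role_arn:
        return None  # guest access on but no guest role mapped: no credentials issued
    if not role_is_admin(roles_by_arn.get(guest_role_arn, {})):
        return None
    return {"IdentityPoolId": pool["IdentityPoolId"], "GuestRoleArn": guest_role_arn}


def disable_guest_access_params(pool: dict) -> dict:
    """Keyword arguments for boto3 cognito-identity update_identity_pool().
    IdentityPoolName is a required parameter of that call even when unchanged."""
    return {
        "IdentityPoolId": pool["IdentityPoolId"],
        "IdentityPoolName": pool["IdentityPoolName"],
        "AllowUnauthenticatedIdentities": False,
    }


# Constructed sample data: hypothetical account, pool IDs, role names and policies.
ADMIN_GUEST_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}'
)
SCOPED_GUEST_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    '"Action":["mobileanalytics:PutEvents","cognito-sync:*"],"Resource":"*"}]}'
)
ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/Cognito_AppUnauth_Role"
SCOPED_ROLE_ARN = "arn:aws:iam::123456789012:role/Cognito_AppUnauth_Scoped"
ROLES = {
    ADMIN_ROLE_ARN: {"AttachedPolicyArns": [], "PolicyDocuments": [ADMIN_GUEST_POLICY]},
    SCOPED_ROLE_ARN: {"AttachedPolicyArns": [], "PolicyDocuments": [SCOPED_GUEST_POLICY]},
}
POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
POOL = {"IdentityPoolId": POOL_ID, "IdentityPoolName": "app_pool",
        "AllowUnauthenticatedIdentities": True}
POOL_DISABLED = {**POOL, "AllowUnauthenticatedIdentities": False}
POOL_ROLES_ADMIN = {"IdentityPoolId": POOL_ID, "Roles": {"unauthenticated": ADMIN_ROLE_ARN}}
POOL_ROLES_SCOPED = {"IdentityPoolId": POOL_ID, "Roles": {"unauthenticated": SCOPED_ROLE_ARN}}

if __name__ == "__main__":
    finding = evaluate_pool(POOL, POOL_ROLES_ADMIN, ROLES)
    print("finding:", finding)
    if finding:
        print("remediation:", disable_guest_access_params(POOL))
    print("scoped guest role:", evaluate_pool(POOL, POOL_ROLES_SCOPED, ROLES))
```

Against live data, feed `evaluate_pool` the results of `describe_identity_pool` and `get_identity_pool_roles`, and build `roles_by_arn` from the guest role's inline policies (`list_role_policies` / `get_role_policy`) and attached policies (`list_attached_role_policies`, then `get_policy_version` for the default version). Treat the check as a floor rather than a ceiling: a role without a literal wildcard can still be effectively administrative (for example through `iam:*` or a permissive NotAction grant), so the finding shown here is the obvious case, and the least-privilege review in the Remediation section still applies.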