AWS Cognito identity pool has guest access configured for a role with administrative privileges

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.


Amazon Cognito identity pools can be configured to offer guest access. Guest access allows unauthenticated users the ability to assume a role in your AWS account to perform various actions. Because any IAM role can be configured for unauthenticated access, guest access introduces the risk that unauthenticated users have more privileges than are intended.


The Cognito identity pool which triggered this detection is configured to support guest access for an IAM role that has administrative privileges. This would allow any external attacker the ability to assume the role and have complete access to the entire AWS account.


Datadog recommends reducing the permissions attached to the guest role to the minimum required for it to fulfill its function. Alternatively, guest access can be disabled on the pool to prevent an external adversary from being able to assume the role.