AWS Cognito identity pool has guest access configured for a role with administrative privileges

Description

Amazon Cognito identity pools can be configured to offer guest access. Guest access allows unauthenticated users the ability to assume a role in your AWS account to perform various actions. Because any IAM role can be configured for unauthenticated access, guest access introduces the risk that unauthenticated users have more privileges than are intended.

Rationale

The Cognito identity pool which triggered this detection is configured to support guest access for an IAM role that has administrative privileges. This would allow any external attacker the ability to assume the role and have complete access to the entire AWS account.

Remediation

Datadog recommends reducing the permissions attached to the guest role to the minimum required for it to fulfill its function. Alternatively, guest access can be disabled on the pool to prevent an external adversary from being able to assume the role.