{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
For more information, access:
{% content-ref url="../aws-services/aws-cognito-enum/" %} aws-cognito-enum {% endcontent-ref %}
Cognito is a service that assigns IAM roles to unauthenticated and authenticated identities and manages a directory of users. Several of its settings can be altered to keep access to the account (persistence), for example:
- Adding a User Pool controlled by the attacker as an identity source of an Identity Pool
- Assigning an IAM role to the unauthenticated identities of an Identity Pool and enabling the Basic (classic) authentication flow
- Or to the authenticated identities, if the attacker can log in to the pool
- Or extending the permissions of the roles already assigned
- Creating new users, or verifying and escalating existing ones, through attacker-controlled attributes in a User Pool
- Allowing external Identity Providers (controlled by the attacker) to log in to a User Pool or an Identity Pool
Check how to do these actions in
{% content-ref url="../aws-privilege-escalation/aws-cognito-privesc.md" %} aws-cognito-privesc.md {% endcontent-ref %}
An attacker with the cognito-idp:SetRiskConfiguration permission can modify the risk configuration of a User Pool so that signing in as a Cognito user (for example with compromised credentials, or from a high-risk session) is neither blocked nor notified. The same API also accepts a list of IP ranges for which risk detection is skipped entirely. Check the CLI to see all the options:
{% code overflow="wrap" %}
aws cognito-idp set-risk-configuration --user-pool-id <pool-id> --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION}
{% endcode %}
By default, the advanced security features of a User Pool (compromised-credential and account-takeover detection) are disabled, so the risk configuration only has an effect when the pool's AdvancedSecurityMode is AUDIT or ENFORCED. When auditing, compare the output of `aws cognito-idp describe-risk-configuration` against the expected baseline: actions set to NO_ACTION, notifications turned off, SIGN_IN removed from the EventFilter, or unexpected entries in SkippedIPRangeList are all signs that protection was weakened.
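The following is an added example (not HackTricks' code) that shows, from the defender's side, how to spot a weakened risk configuration and what the hardened equivalent of the command above looks like. It works on a dict shaped like the `RiskConfiguration` object returned by `describe-risk-configuration` (boto3: `client("cognito-idp").describe_risk_configuration(UserPoolId=...)["RiskConfiguration"]`) and builds the keyword arguments for `set_risk_configuration`. The pool id, the SES source ARN, and the skipped IP range are constructed placeholders, and the sample response is constructed to mirror what the page's command (plus a disabled account-takeover configuration) leaves behind.

```python
"""Audit a Cognito User Pool risk configuration for persistence tricks.

Added example; the sample response below is constructed, not captured.
"""

# Constructed sample mirroring the shape of a DescribeRiskConfiguration
# response after an attacker ran set-risk-configuration with NO_ACTION
# everywhere and whitelisted their own IP range. Identifiers are placeholders.
WEAKENED_CONFIG = {
    "UserPoolId": "us-east-1_EXAMPLE",
    "CompromisedCredentialsRiskConfiguration": {
        "EventFilter": ["SIGN_UP"],            # SIGN_IN is no longer checked
        "Actions": {"EventAction": "NO_ACTION"},
    },
    "AccountTakeoverRiskConfiguration": {
        "NotifyConfiguration": {"SourceArn": "arn:aws:ses:us-east-1:123456789012:identity/alerts@example.com"},
        "Actions": {
            "LowAction": {"Notify": False, "EventAction": "NO_ACTION"},
            "MediumAction": {"Notify": False, "EventAction": "NO_ACTION"},
            "HighAction": {"Notify": False, "EventAction": "NO_ACTION"},
        },
    },
    "RiskExceptionConfiguration": {
        "BlockedIPRangeList": [],
        "SkippedIPRangeList": ["203.0.113.0/24"],   # attacker's range, risk checks skipped
    },
}


def audit_risk_configuration(cfg):
    """Return a list of findings describing settings that let risky sign-ins through."""
    findings = []

    cc = cfg.get("CompromisedCredentialsRiskConfiguration")
    if cc is None:
        findings.append("compromised-credentials check: not configured")
    else:
        if cc.get("Actions", {}).get("EventAction") != "BLOCK":
            findings.append("compromised-credentials check: action is not BLOCK")
        # A missing or empty EventFilter means the check runs on every event type.
        events = cc.get("EventFilter") or ["SIGN_IN", "PASSWORD_CHANGE", "SIGN_UP"]
        if "SIGN_IN" not in events:
            findings.append("compromised-credentials check: SIGN_IN removed from EventFilter")

    ato = cfg.get("AccountTakeoverRiskConfiguration")
    if ato is None:
        findings.append("account-takeover protection: not configured")
    else:
        actions = ato.get("Actions", {})
        for level in ("LowAction", "MediumAction", "HighAction"):
            act = actions.get(level, {})
            # NO_ACTION with notifications off is a silent bypass at that risk level.
            if act.get("EventAction") == "NO_ACTION" and not act.get("Notify"):
                findings.append(f"account-takeover {level}: NO_ACTION and no notification")
        if actions.get("HighAction", {}).get("EventAction") not in ("BLOCK", "MFA_REQUIRED"):
            findings.append("account-takeover HighAction: neither BLOCK nor MFA_REQUIRED")

    # Any skipped range disables risk detection for sign-ins from those addresses.
    for cidr in cfg.get("RiskExceptionConfiguration", {}).get("SkippedIPRangeList", []):
        findings.append(f"risk detection skipped for {cidr}")
    return findings


def hardened_risk_configuration(user_pool_id, ses_source_arn):
    """Keyword arguments for boto3 set_risk_configuration that restore a strict baseline.

    ses_source_arn is the verified SES identity used for notifications (assumed input).
    """
    return {
        "UserPoolId": user_pool_id,
        "CompromisedCredentialsRiskConfiguration": {
            "EventFilter": ["SIGN_IN", "PASSWORD_CHANGE", "SIGN_UP"],
            "Actions": {"EventAction": "BLOCK"},
        },
        "AccountTakeoverRiskConfiguration": {
            "NotifyConfiguration": {"SourceArn": ses_source_arn},
            "Actions": {
                "LowAction": {"Notify": True, "EventAction": "NO_ACTION"},
                "MediumAction": {"Notify": True, "EventAction": "MFA_IF_CONFIGURED"},
                "HighAction": {"Notify": True, "EventAction": "MFA_REQUIRED"},
            },
        },
        "RiskExceptionConfiguration": {"BlockedIPRangeList": [], "SkippedIPRangeList": []},
    }


if __name__ == "__main__":
    for finding in audit_risk_configuration(WEAKENED_CONFIG):
        print("[!]", finding)
    # To remediate for real: boto3.client("cognito-idp").set_risk_configuration(
    #     **hardened_risk_configuration("us-east-1_EXAMPLE", "<ses-identity-arn>"))
```

Run it against the live pool by replacing `WEAKENED_CONFIG` with the `RiskConfiguration` object from `describe_risk_configuration`; an empty findings list means the pool still matches the strict baseline. The hardened dict passes the same audit with no findings, so the two functions can be used together as a drift check after any `cognito-idp:SetRiskConfiguration` event seen in CloudTrail.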