AWS - Cognito Persistence
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information, access:
AWS - Cognito Enum
Cognito is a service that allows giving IAM roles to unauthenticated and authenticated users and managing a directory of users. Several of its settings can be altered to maintain persistence, for example:
Adding a User Pool controlled by the attacker to an Identity Pool
Giving an IAM role to the unauthenticated identities of an Identity Pool and allowing the Basic auth flow
Or to the authenticated identities of an Identity Pool, if the attacker can log in
Or increasing the permissions of the roles already assigned
Creating or verifying users in a User Pool, or escalating privileges through the attributes of controlled or newly created users
Allowing external Identity Providers to log in to a User Pool or an Identity Pool
Check how to perform these actions in
AWS - Cognito Privesc
cognito-idp:SetRiskConfiguration
An attacker with this privilege could modify the risk configuration so that logging in as a Cognito user no longer triggers any alarm. Check the CLI for all the available options:
By default this is disabled:
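As an added detection-side example (not code from the original page), the following Python triages CloudTrail records for the Cognito calls behind the persistence paths listed above and, for SetRiskConfiguration, reports which risk responses were switched to NO_ACTION. The records, account ID, pool IDs and ARNs are constructed placeholders; requestParameters key casing in real CloudTrail output is assumed to vary, so keys are matched case-insensitively.

```python
# Flags CloudTrail records for the Cognito calls behind the persistence paths listed
# above and, for SetRiskConfiguration, reports which risk responses became NO_ACTION.
WATCHED = {  # (eventSource, eventName) -> why it matters
    ("cognito-identity.amazonaws.com", "UpdateIdentityPool"): "identity pool edited (unauth access/classic flow/providers)",
    ("cognito-identity.amazonaws.com", "SetIdentityPoolRoles"): "identity pool roles changed",
    ("cognito-idp.amazonaws.com", "CreateIdentityProvider"): "external IdP added to user pool",
    ("cognito-idp.amazonaws.com", "SetRiskConfiguration"): "risk configuration changed",
}

def lower_keys(obj):
    """Lower-case keys recursively; CloudTrail key casing differs between services (assumption)."""
    if isinstance(obj, dict):
        return {k.lower(): lower_keys(v) for k, v in obj.items()}
    return [lower_keys(v) for v in obj] if isinstance(obj, list) else obj

def weakened_risk_actions(params):
    """Return the SetRiskConfiguration responses that were disabled (set to NO_ACTION)."""
    p = lower_keys(params)
    checks = {"compromisedCredentials": p.get("compromisedcredentialsriskconfiguration", {}).get("actions", {})}
    ato = p.get("accounttakeoverriskconfiguration", {}).get("actions", {})
    checks.update({f"accountTakeover.{lvl}": ato.get(lvl, {}) for lvl in ("lowaction", "mediumaction", "highaction")})
    return [name for name, act in checks.items() if act.get("eventaction") == "NO_ACTION"]

def triage(events):
    """Return (eventName, caller ARN, detail) for each watched Cognito call."""
    out = []
    for ev in events:
        key = (ev.get("eventSource"), ev.get("eventName"))
        if key not in WATCHED:
            continue
        detail = WATCHED[key]
        if key[1] == "SetRiskConfiguration":
            weak = weakened_risk_actions(ev.get("requestParameters") or {})
            if weak:
                detail += "; NO_ACTION for " + ", ".join(weak)
        out.append((key[1], ev.get("userIdentity", {}).get("arn", "?"), detail))
    return out
# Constructed sample records (not real CloudTrail output); IDs and ARNs are placeholders.
SAMPLE_EVENTS = [
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "SetRiskConfiguration",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example"},
     "requestParameters": {"userPoolId": "us-east-1_EXAMPLE",
         "compromisedCredentialsRiskConfiguration": {"actions": {"eventAction": "NO_ACTION"}},
         "accountTakeoverRiskConfiguration": {"actions": {"highAction": {"eventAction": "NO_ACTION"}, "lowAction": {"eventAction": "BLOCK"}}}}},
    {"eventSource": "cognito-identity.amazonaws.com", "eventName": "UpdateIdentityPool",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example"},
     "requestParameters": {"identityPoolId": "us-east-1:EXAMPLE", "allowUnauthenticatedIdentities": True}},
    {"eventSource": "cognito-idp.amazonaws.com", "eventName": "ListUsers", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/reader"}},
]
```

Running triage(SAMPLE_EVENTS) returns two findings: the SetRiskConfiguration call with compromisedCredentials and accountTakeover.highaction disabled, and the UpdateIdentityPool call; the benign ListUsers record is ignored.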