Cognito identity pool should not have the classic authentication flow enabled


Description

In Amazon Cognito, identity pools support two different authentication flows: enhanced and basic. This detection triggers when a Cognito identity pool is configured to allow the basic flow.

Rationale

The basic (also referred to as classic) flow introduces the risk that an adversary could abuse sts:AssumeRoleWithWebIdentity to assume IAM roles whose trust policies for the Cognito Identity service are misconfigured. For this reason, it is recommended to use the enhanced flow, which also offers additional protections.

Remediation

Disable the basic (classic) auth flow for your identity pool and update your clients to use the enhanced auth flow.
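The check described under Description and the remediation above, as an added example that is not part of this rule page or Datadog's own detection code. It works on records shaped like the output of aws cognito-identity describe-identity-pool (the AllowClassicFlow field); the pool records below are constructed, and the assumption that UpdateIdentityPool accepts the same fields DescribeIdentityPool returns is labelled in the code.

```python
"""Flag Cognito identity pools that allow the basic (classic) auth flow
and build the parameters needed to turn it off. Added example; the
sample pool records are constructed, not real identity pools."""
from typing import Dict, List, Optional


def uses_classic_flow(pool: Dict) -> Optional[bool]:
    """True if AllowClassicFlow is enabled, False if disabled, None if the
    describe output does not report the field (treat as 'verify')."""
    value = pool.get("AllowClassicFlow")
    return None if value is None else bool(value)


def classic_flow_findings(pools: List[Dict]) -> List[Dict]:
    """One finding per pool that does not explicitly disable the classic
    flow; pools with AllowClassicFlow=False produce no finding."""
    findings = []
    for pool in pools:
        state = uses_classic_flow(pool)
        if state is False:
            continue
        findings.append({
            "IdentityPoolId": pool["IdentityPoolId"],
            "IdentityPoolName": pool.get("IdentityPoolName", ""),
            "AllowClassicFlow": state,
            "reason": ("classic flow enabled" if state
                       else "AllowClassicFlow not reported; verify"),
        })
    return findings


def remediation_params(pool: Dict) -> Dict:
    """Parameters for UpdateIdentityPool that keep every current setting and
    only disable the classic flow. Assumption: DescribeIdentityPool returns
    the fields UpdateIdentityPool accepts; boto3's ResponseMetadata envelope
    is dropped. The input record is not mutated."""
    params = {k: v for k, v in pool.items() if k != "ResponseMetadata"}
    params["AllowClassicFlow"] = False
    return params


# Constructed sample describe-identity-pool records (placeholder ids).
SAMPLE_POOLS = [
    {"IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000001",
     "IdentityPoolName": "legacy_app", "AllowUnauthenticatedIdentities": False,
     "AllowClassicFlow": True},
    {"IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000002",
     "IdentityPoolName": "enhanced_app", "AllowUnauthenticatedIdentities": False,
     "AllowClassicFlow": False},
    {"IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000003",
     "IdentityPoolName": "unstated", "AllowUnauthenticatedIdentities": True},
]

if __name__ == "__main__":
    for finding in classic_flow_findings(SAMPLE_POOLS):
        print(finding["IdentityPoolId"], finding["IdentityPoolName"], finding["reason"])
    # With boto3: client.update_identity_pool(**remediation_params(pool))
```

With live data, feed each describe_identity_pool response from boto3 into classic_flow_findings and pass the flagged pools through remediation_params before calling update_identity_pool.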
