AWS Cognito identity pool has guest access configured for a role with administrative privileges


Description

Amazon Cognito identity pools can be configured to offer guest access. Guest access lets unauthenticated users assume a role in your AWS account and perform actions with that role's permissions. Because any IAM role can be configured for unauthenticated access, guest access introduces the risk that unauthenticated users hold more privileges than intended.

Rationale

The Cognito identity pool which triggered this detection is configured to support guest access for an IAM role that has administrative privileges. This allows any external attacker to assume the role and gain complete access to the entire AWS account.

Remediation

Datadog recommends reducing the permissions attached to the guest role to the minimum required for it to fulfill its function. Alternatively, guest access can be disabled on the pool to prevent an external adversary from being able to assume the role.
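As an added illustration of both the detection and the remediation described above (this is example code, not Datadog's rule implementation), the following script evaluates an identity pool the way this rule does: guest access enabled, an unauthenticated role mapped, and that role holding administrative privileges (the `AdministratorAccess` managed policy or an `Allow` on `*`/`*`). It also builds the `update_identity_pool` parameters that switch guest access off. The input dictionaries mirror the boto3 responses of `describe_identity_pool`, `get_identity_pool_roles` and IAM policy lookups; the pool ID, role ARNs and policy documents below are constructed sample values.

```python
"""Added example (not Datadog's rule logic): flag Cognito identity pools whose guest
(unauthenticated) role carries administrative privileges, and build the
update_identity_pool parameters that disable guest access.

Input shapes mirror boto3 responses (cognito-identity describe_identity_pool and
get_identity_pool_roles; IAM policy documents); all sample data below is constructed."""
import json

ADMIN_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    # IAM allows a single string where a list is expected.
    return value if isinstance(value, list) else [value]


def statement_grants_admin(statement):
    """True when one IAM statement allows every action on every resource."""
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return "*" in actions and "*" in resources


def policy_document_grants_admin(document):
    """Accept a dict or a JSON string (IAM returns documents as JSON text)."""
    if isinstance(document, str):
        document = json.loads(document)
    return any(statement_grants_admin(s) for s in _as_list(document.get("Statement", [])))


def role_is_administrative(attached_policy_arns, policy_documents):
    """attached_policy_arns: managed policies attached to the role;
    policy_documents: inline and managed policy documents resolved for the role."""
    if ADMIN_MANAGED_POLICY_ARN in attached_policy_arns:
        return True
    return any(policy_document_grants_admin(d) for d in policy_documents)


def evaluate_identity_pool(pool, pool_roles, role_inventory):
    """Return a finding dict, or None when the pool is not affected.

    pool: describe_identity_pool response
    pool_roles: get_identity_pool_roles response
    role_inventory: {role_arn: {"attached": [...], "documents": [...]}} gathered from IAM
    """
    if not pool.get("AllowUnauthenticatedIdentities"):
        return None  # no guest access at all
    guest_role_arn = pool_roles.get("Roles", {}).get("unauthenticated")
    if guest_role_arn is None:
        return None  # guest access enabled but no role mapped to it
    role = role_inventory.get(guest_role_arn, {"attached": [], "documents": []})
    if not role_is_administrative(role["attached"], role["documents"]):
        return None
    return {
        "identity_pool_id": pool["IdentityPoolId"],
        "guest_role_arn": guest_role_arn,
        "finding": "guest access configured for a role with administrative privileges",
    }


def remediation_params(pool):
    """Parameters for cognito-identity update_identity_pool that turn guest access off.

    The API requires the pool's full configuration, so the describe output is copied
    with the flag flipped; the response metadata key is dropped."""
    params = {k: v for k, v in pool.items() if k != "ResponseMetadata"}
    params["AllowUnauthenticatedIdentities"] = False
    return params


# Constructed sample data shaped like the boto3 responses (not real identifiers).
GUEST_ROLE = "arn:aws:iam::123456789012:role/Cognito_example_Unauth_Role"
SAMPLE_POOL = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "IdentityPoolName": "example_pool",
    "AllowUnauthenticatedIdentities": True,
}
SAMPLE_POOL_ROLES = {
    "IdentityPoolId": SAMPLE_POOL["IdentityPoolId"],
    "Roles": {
        "authenticated": "arn:aws:iam::123456789012:role/Cognito_example_Auth_Role",
        "unauthenticated": GUEST_ROLE,
    },
}
SAMPLE_ROLE_INVENTORY = {
    GUEST_ROLE: {
        "attached": [],
        "documents": [json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
        })],
    },
}

if __name__ == "__main__":
    finding = evaluate_identity_pool(SAMPLE_POOL, SAMPLE_POOL_ROLES, SAMPLE_ROLE_INVENTORY)
    print(json.dumps(finding, indent=2))
    print(json.dumps(remediation_params(SAMPLE_POOL), indent=2))
```

To run this against a real account, fill `role_inventory` from IAM (`list_attached_role_policies`, `list_role_policies`/`get_role_policy`, and `get_policy_version` for each attached managed policy) and pass the result of `remediation_params` to `update_identity_pool` only after confirming that no legitimate guest workflow depends on the pool; the first remediation the page recommends, trimming the guest role's permissions, leaves guest access in place and is evaluated by the same `role_is_administrative` check.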
