Cognito identity pool should not have the classic authentication flow enabled

Description

In Amazon Cognito, there are two different flows for authentication; enhanced and basic. This detection will trigger when a Cognito identity pool is configured to use the basic flow.

Rationale

The basic (also referred to as classic) flow introduces the risk that an adversary could abuse sts:AssumeRoleWithWebIdentity to assume IAM roles with misconfigured role trust policies for the Cognito Identity service. For this reason, it is recommended to use the Enhanced flow, which also offers additional protections.

Remediation

Disable the basic authflow for your identity pool and update your clients to make use of the enhanced auth flow.

PREVIEWING: mervebolat/span-id-preprocessing