H3-2022-0076
Unauthenticated AWS Cognito Role Has Non-Standard Permissions
| Field | Value |
|---|---|
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 2.6 |
Description
A website utilizing AWS Cognito has non-standard permissions assigned to the unauthenticated (guest) role of its identity pool, that is, permissions beyond those Cognito grants that role by default.
Impact
Anyone who can view this page can take the Cognito Identity Pool ID it exposes and obtain temporary AWS credentials for the Cognito unauthenticated role, with no login required. An attacker could use those credentials to read sensitive information or perform destructive actions, depending on the permissions attached to that role.
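The following audit script is an added example and is not part of the advisory or of any AWS tooling. It takes an identity pool description and the IAM permissions policy attached to the pool's unauthenticated role, and reports every Allow action that exceeds the baseline the Cognito console assigns that role by default (`mobileanalytics:PutEvents` and `cognito-sync:*`). The pool record and both policy documents are constructed inline so the script runs offline; in practice they would come from `DescribeIdentityPool`, `GetIdentityPoolRoles` and the role's attached policies, and the names `audit_unauth_policy` and `audit_identity_pool` are this example's own.

```python
"""Audit a Cognito identity pool's unauthenticated-role permissions against
the console default.  Constructed example, not code from the advisory."""
import fnmatch

# Actions the Cognito console grants the unauthenticated role by default.
# Anything outside these patterns is "non-standard" in the advisory's sense.
BASELINE_ACTIONS = ("mobileanalytics:PutEvents", "cognito-sync:*")


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _within_baseline(action):
    """True if the action is covered by one of the default patterns (case-insensitive)."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in BASELINE_ACTIONS)


def audit_unauth_policy(policy):
    """Return findings for every Allow action that exceeds the baseline."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        if "NotAction" in stmt:
            # Allow + NotAction grants every action except those listed
            findings.append({"statement": idx, "action": "NotAction", "kind": "wildcard"})
            continue
        for action in _as_list(stmt.get("Action")):
            if _within_baseline(action):
                continue
            kind = "wildcard" if "*" in action else "non-standard"
            findings.append({"statement": idx, "action": action, "kind": kind})
    return findings


def audit_identity_pool(pool, unauth_policy):
    """Combine the pool setting with the role policy into one verdict.

    `pool` mirrors the shape of a DescribeIdentityPool response (constructed
    here, not fetched).  Guest access that is switched off is not exploitable
    regardless of what the role policy says.
    """
    unauth_enabled = bool(pool.get("AllowUnauthenticatedIdentities", False))
    findings = audit_unauth_policy(unauth_policy) if unauth_enabled else []
    return {
        "identity_pool_id": pool.get("IdentityPoolId"),
        "unauthenticated_access": unauth_enabled,
        "non_standard_permissions": findings,
        "vulnerable": unauth_enabled and bool(findings),
    }


# --- constructed sample input (placeholder pool id, not a real one) ---------
SAMPLE_POOL = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "AllowUnauthenticatedIdentities": True,
}

# The policy the Cognito console attaches to the unauthenticated role by default.
STANDARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"],
                   "Resource": ["*"]}],
}

# The same role after someone widened it: this is the misconfiguration.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "dynamodb:*"],
         "Resource": ["*"]},
    ],
}

if __name__ == "__main__":
    for name, policy in (("standard", STANDARD_POLICY),
                         ("overly permissive", OVERLY_PERMISSIVE_POLICY)):
        print(name, "->", audit_identity_pool(SAMPLE_POOL, policy))
```

Two remediations satisfy the check: restore the default policy (or scope any extra actions to the minimum the public pages genuinely need, with specific resources instead of `*`), or set `AllowUnauthenticatedIdentities` to false if guest access is not required. The script only inspects the permissions policy; the role's trust policy should separately be confirmed to allow assumption only through `cognito-identity.amazonaws.com` for the intended pool.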