AWS - Cognito Persistence

Cognito

For more information, access:

{{#ref}}
../../aws-services/aws-cognito-enum/
{{#endref}}

User persistence

Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like:

Adding a User Pool controlled by the user to an Identity Pool
Give an IAM role to an unauthenticated Identity Pool and allow Basic auth flow
Or to an authenticated Identity Pool if the attacker can login
Or improve the permissions of the given roles
Create, verify & privesc via attributes controlled users or new users in a User Pool
Allowing external Identity Providers to login in a User Pool or in an Identity Pool

Check how to do these actions in

{{#ref}}
../../aws-privilege-escalation/aws-cognito-privesc/README.md
{{#endref}}

`cognito-idp:SetRiskConfiguration`

An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user without having alarms being triggered. Check out the cli to check all the options:

aws cognito-idp set-risk-configuration --user-pool-id <pool-id> --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION}

By default this is disabled: