YoVDO

Internet Scale Analysis of AWS Cognito Security

Offered By: BruCON Security Conference via YouTube

Tags

BruCON Courses, Vulnerability Assessment Courses, AWS Security Courses

Course Description

Overview

Explore the results of an internet-scale analysis of AWS Cognito security configurations in this 57-minute conference talk from BruCON 0x0B. Delve into the identification of 2500 identity pools, which granted access to over 13000 S3 buckets, 1200 DynamoDB tables, and 1500 Lambda functions. Begin with an introduction to AWS Cognito and its configuration options for granting end-users direct access to AWS resources. Examine a step-by-step explanation of configuration weaknesses using specific demos, followed by an automated approach for large-scale analysis. Learn about the challenges of identifying Cognito identity pool IDs, including the process of downloading and decompiling thousands of APKs from the Google Play store. Discover the in-depth permission brute-force tool used to analyze unauthenticated roles and identify potential breaches of the least privilege principle. Gain valuable recommendations for secure service configuration and insights into the reasons behind widespread security issues, including poor documentation and examples on the AWS site.

Syllabus

Intro
Full AWS account compromise
Privilege escalation
What Is Amazon Cognito?
Amazon Cognito use case
Create new identity pool
Assign IAM roles to identities
IAM policy example
Internet Scale analysis
Challenge #1: Identity Pool UUID4
Google only indexes text
Other (boring) sources
Challenge #2: Enumerate permissions
Enumerate permissions and avoid jail time
Enumerate permissions / Performance
Privileges and roles
Identity pool sources
Usable identity pools
Insecure configurations
Lambda function environment variables
Insecure by default documentation
Restrictions on Unauthenticated Cognito roles
Developer can shoot himself in the foot
Least privilege principle and more...
Hard-coded credentials
Key takeaways


Taught by

BruCON Security Conference

Related Courses

CompTIA PenTest+ Certification (A Cloud Guru)
AWS SimuLearn: Cyber Security Threats (Amazon Web Services via AWS Skill Builder)
Ethical Hacking (Cabrillo College via California Community Colleges System)
Network Security (City College of San Francisco via California Community Colleges System)
Ethical Hacking (Chaffey College via California Community Colleges System)