HackTricks CloudAWS - Cognito Persistence
Reading time: 2 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Cognito
For more information, access:
User persistence
Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like:
- Adding a User Pool controlled by the user to an Identity Pool
- Give an IAM role to an unauthenticated Identity Pool and allow Basic auth flow
- Or to an authenticated Identity Pool if the attacker can login
- Or improve the permissions of the given roles
- Create, verify & privesc via attributes controlled users or new users in a User Pool
- Allowing external Identity Providers to login in a User Pool or in an Identity Pool
Check how to do these actions in
cognito-idp:SetRiskConfiguration
An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user without having alarms being triggered. Check out the cli to check all the options:
aws cognito-idp set-risk-configuration --user-pool-id <pool-id> --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION}
By default this is disabled:
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.