AWS Cognito Identity Pool allows unauthenticated identities
- Contextual name: Identity Pool allows unauthenticated identities
- ID: /ce/ca/aws/cognito/identity-pool-unauthenticated-identities
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
Description
This policy identifies Amazon Cognito identity pools that allow unauthenticated identities.
Rationaleβ
When unauthenticated identities are enabled, Amazon Cognito can issue temporary AWS credentials to guest users without requiring sign-in through a trusted identity provider. This expands the attack surface and can expose downstream AWS resources if the unauthenticated role is broader than intended or if the application relies on guest sessions more widely than expected.
Even when guest access is used for low-friction onboarding or public-facing features, it weakens identity assurance and reduces accountability for actions performed with the issued credentials. Disabling unauthenticated identities by default helps enforce authenticated access paths and keeps IAM permissions aligned with known, trusted users.
Audit
This policy flags a Cognito Identity Pool as INCOMPLIANT when Allow Unauthenticated Identities is set to true.
Remediation
Disable Unauthenticated Identities
Disable guest access for the identity pool after confirming that any application flows using unauthenticated sessions are no longer required:
From Command Line
```bash
aws cognito-identity update-identity-pool \
    --identity-pool-id {{identity-pool-id}} \
    --identity-pool-name {{identity-pool-name}} \
    --no-allow-unauthenticated-identities
```
After the change, review the application and associated IAM role mappings to ensure that only authenticated identities retain access to AWS resources through the identity pool.
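The audit check above and a configuration-preserving version of the remediation, as an added example in Python with boto3 (this is not the policy's prod.logic.yaml or Cloudaware's code). It goes beyond the single CLI call by paginating over every pool in a region and by copying the pool's existing configuration into the update request, since UpdateIdentityPool resets any parameter you omit to its default; the pool ID, provider name and client ID in SAMPLE_POOL are constructed placeholders, and UPDATABLE_FIELDS is the update_identity_pool parameter list as I know it.

```python
from typing import Any, Dict, List, Tuple

# Fields of a DescribeIdentityPool response that UpdateIdentityPool accepts.
# UpdateIdentityPool resets any parameter you omit to its default, so a
# remediation must carry every existing setting over, not just the flag.
UPDATABLE_FIELDS = ("IdentityPoolId", "IdentityPoolName", "AllowUnauthenticatedIdentities",
                    "AllowClassicFlow", "SupportedLoginProviders", "DeveloperProviderName",
                    "OpenIdConnectProviderARNs", "CognitoIdentityProviders", "SamlProviderARNs",
                    "IdentityPoolTags")

# Constructed sample describe_identity_pool response (placeholder IDs, not real).
SAMPLE_POOL: Dict[str, Any] = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "IdentityPoolName": "example_guest_pool",
    "AllowUnauthenticatedIdentities": True,
    "AllowClassicFlow": False,
    "CognitoIdentityProviders": [{"ProviderName": "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
                                  "ClientId": "exampleclientid", "ServerSideTokenCheck": True}],
    "ResponseMetadata": {"HTTPStatusCode": 200},  # SDK noise, not pool configuration
}

def evaluate(pool: Dict[str, Any]) -> str:
    """The audit check: INCOMPLIANT when AllowUnauthenticatedIdentities is true."""
    return "INCOMPLIANT" if pool.get("AllowUnauthenticatedIdentities") else "COMPLIANT"

def build_remediation(pool: Dict[str, Any]) -> Dict[str, Any]:
    """Copy the current configuration and flip only the guest-access flag."""
    request = {k: pool[k] for k in UPDATABLE_FIELDS if k in pool}
    request["AllowUnauthenticatedIdentities"] = False
    return request

def audit_region(region: str) -> List[Tuple[str, str]]:
    """Describe every identity pool in a region and evaluate each one (needs boto3)."""
    import boto3  # imported lazily so the helpers above run without the SDK
    client = boto3.client("cognito-identity", region_name=region)
    findings, kwargs = [], {"MaxResults": 60}
    while True:
        page = client.list_identity_pools(**kwargs)
        for summary in page["IdentityPools"]:
            pool = client.describe_identity_pool(IdentityPoolId=summary["IdentityPoolId"])
            findings.append((pool["IdentityPoolId"], evaluate(pool)))
        if not page.get("NextToken"):
            return findings
        kwargs["NextToken"] = page["NextToken"]

def remediate(region: str, pool_id: str) -> Dict[str, Any]:
    """Disable guest access while keeping providers and the other existing settings."""
    import boto3
    client = boto3.client("cognito-identity", region_name=region)
    current = client.describe_identity_pool(IdentityPoolId=pool_id)
    return client.update_identity_pool(**build_remediation(current))
```

Run `audit_region("us-east-1")` to list findings, and `remediate(...)` only for pools whose guest flows you have already confirmed are unused; the identity pool's unauthenticated IAM role is left in place and should be reviewed separately.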
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Foundational Security Best Practices v1.0.0 → [Cognito.2] Cognito identity pools should not allow unauthenticated identities | 1 | no data | | | |
| Cloudaware Framework → Secure Access | 56 | no data | | | |