Internet-Scale analysis of AWS Cognito Security
This talk will show the results of an internet-scale analysis of the security of AWS Cognito configurations. During this research it was possible to identify 2500 identity pools, which were used to gain access to more than 13000 S3 buckets (which are not publicly exposed), 1200 DynamoDB tables and 1500 Lambda functions.
The talk starts with an introduction to the AWS Cognito service and how it can be configured by the developers to give end-users direct access to AWS resources such as S3 and DynamoDB. Access is restricted by IAM policies which are under the developer’s control and, in many cases, do not follow the least privilege principle.
The configuration weakness is first explained step by step for a specific AWS account and Cognito identity pool using a series of demos, the same concepts are then automated to perform an internet-scale analysis of AWS Cognito configurations.
Because Cognito identity pool IDs are UUID4 it was necessary to download thousands of APKs from the Google Play store, decompile them and extract the identifiers. Other sources such as Common Crawl were also used to identify valid identifiers. The tools used to perform these tasks will be made public.
Each Cognito identity pool that was configured with an unauthenticated role was analyzed using an in-depth permission brute-force tool that identifies potential breaches to least privilege principle.
The talk ends with recommendations for developers that want to configure the service in a secure manner, and an analysis of potential reasons for this widespread issue such as poor documentation and examples on AWS site.
Andrés Riancho is an application and cloud security expert that leads the open source w3af project, and provides high-quality security assessment services to companies around the world.
In the research field, he identified new techniques which can be used to escalate privileges in Amazon AWS infrastructures, discovered critical vulnerabilities in IPS appliances, multiple vulnerabilities in web and REST APIs, and contributed with SAP research performed at a former employer.
His main focus is application security, where he developed w3af, a web application attack and audit framework used extensively by security professionals. During the last years his focus has shifted towards AWS and GCP cloud security, performing security assessments to help his client’s secure their cloud infrastructure.
Andrés has spoken and hold trainings at many security conferences around the globe like BlackHat, OWASP USA, SecTor, Ekoparty, T2, and CanSecWest.