heroui logo

AWS Cognito Unauthenticated Identity Pool Credentials Issued

Elastic Detection Rules

View Source
Summary
Detects AWS CloudTrail data events where an unauthenticated caller successfully obtains temporary AWS credentials via Cognito Identity Pool GetCredentialsForIdentity, after performing GetId (with no login token). This can indicate a pool configured to allow unauthenticated access being abused or misconfigured. The rule is a new_terms rule: it only alerts for identity pools that have not previously issued credentials to an unauthenticated caller within the history window (now-7d) to reduce false positives for legitimate guest access. Matches occur when data_stream.dataset: "aws.cloudtrail", event.provider: "cognito-identity.amazonaws.com", event.action: "GetCredentialsForIdentity", event.outcome: "success", and aws.cloudtrail.user_identity.type: "Unknown". The alert surfaces the identity pool ARN (aws.cloudtrail.resources.arn) and identityId (aws.cloudtrail.request_parameters.identityId) for investigation, along with contextual fields like source IP, user_agent.original, and geo. Remediation guidance includes verifying whether unauthenticated access is intended, tightening the unauthenticated role’s permissions, or disabling AllowUnauthenticatedIdentities if guest access is not required; rotating credentials where applicable; and scanning client-side code for embedded pool IDs.
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1552
  • T1078
  • T1078.004
Created: 2026-07-13