
Summary
Detects AWS CloudTrail data events where an unauthenticated caller successfully obtains temporary AWS credentials via Cognito Identity Pool GetCredentialsForIdentity, after performing GetId (with no login token). This can indicate a pool configured to allow unauthenticated access being abused or misconfigured. The rule is a new_terms rule: it only alerts for identity pools that have not previously issued credentials to an unauthenticated caller within the history window (now-7d) to reduce false positives for legitimate guest access. Matches occur when data_stream.dataset: "aws.cloudtrail", event.provider: "cognito-identity.amazonaws.com", event.action: "GetCredentialsForIdentity", event.outcome: "success", and aws.cloudtrail.user_identity.type: "Unknown". The alert surfaces the identity pool ARN (aws.cloudtrail.resources.arn) and identityId (aws.cloudtrail.request_parameters.identityId) for investigation, along with contextual fields like source IP, user_agent.original, and geo. Remediation guidance includes verifying whether unauthenticated access is intended, tightening the unauthenticated role’s permissions, or disabling AllowUnauthenticatedIdentities if guest access is not required; rotating credentials where applicable; and scanning client-side code for embedded pool IDs.
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1552
- T1078
- T1078.004
Created: 2026-07-13