Limitations on unauthenticated Cognito identities?

0

I'm trying to use an unauthenticated Cognito identity to call ec2.describeInstanceStatus using the JavaScript for web SDK. When I try to call that or the similar ec2.describeInstances, I get an UnauthorizedOperation error and a HTTP 403 forbidden.

I checked the IAM role permissions against the IAM Policy Simulator and the role should have the proper permissions to perform those actions... I even gave it "AmazonEC2FullAccess (IAM Policy)" and nothing else on a new IAM Role since I was at a loss. I still got UnauthorizedOperation.

... This leads me to my question. Do unauthenticated Cognito identities have limitations on services/calls? I am able to invoke Lambda functions using the same IAM role and using the same basic JavaScript/HTML so I know the unauthenticated identity works for at least some actions.

Thanks for the help!

aj177
asked 3 years ago · 578 views
1 Answer
0

Answer found: From https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies

For additional security protection, Amazon Cognito applies a scope-down policy to credentials vended by GetCredentialForIdentity to prevent access to services other than the ones listed below for your unauthenticated users. In other words, this policy gives an identity using these credentials access to only some services (list in link).

EC2 is not in that list.

aj177
answered 3 years ago
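The question notes that Lambda invocation works for the same unauthenticated role while the EC2 calls are blocked by the scope-down policy. A defender-friendly way to live with that is to keep the browser on Lambda and let a narrowly scoped function make the EC2 call on its behalf. The following is an added example, not code from the original post or from AWS: a Node.js handler using the SDK for JavaScript v2 (the API style in the question) that accepts only allow-listed instance IDs and returns a trimmed status summary. The allow-list, the event shape, and the role assignments described in the comments are assumptions.

```javascript
// Assumptions (hypothetical): the function's execution role grants
// ec2:DescribeInstanceStatus, the Cognito unauthenticated role grants
// lambda:InvokeFunction on this function only, and the event carries
// { instanceIds: [...] }. ALLOWED_INSTANCE_IDS is a constructed allow-list.
const INSTANCE_ID_RE = /^i-[0-9a-f]{8,17}$/;
const ALLOWED_INSTANCE_IDS = new Set([
  "i-0123456789abcdef0", // constructed sample IDs
  "i-0fedcba9876543210",
]);

// Keep only well-formed, allow-listed, de-duplicated IDs so an anonymous
// caller cannot use the proxy to enumerate every instance in the account.
function selectInstanceIds(requested) {
  if (!Array.isArray(requested)) return [];
  const out = [];
  for (const id of requested) {
    if (typeof id === "string" && INSTANCE_ID_RE.test(id) &&
        ALLOWED_INSTANCE_IDS.has(id) && !out.includes(id)) {
      out.push(id);
    }
  }
  return out;
}

// Reduce the DescribeInstanceStatus response to the fields the page needs;
// nothing else from the EC2 API leaves the function.
function summarize(resp) {
  return (resp.InstanceStatuses || []).map((s) => ({
    instanceId: s.InstanceId,
    state: s.InstanceState && s.InstanceState.Name,
    systemStatus: s.SystemStatus && s.SystemStatus.Status,
    instanceStatus: s.InstanceStatus && s.InstanceStatus.Status,
  }));
}

// `ec2` is injectable so the logic can run without AWS; inside Lambda it
// defaults to the SDK v2 client built from the execution role's credentials.
async function handler(event, context, ec2) {
  const ids = selectInstanceIds(event && event.instanceIds);
  if (ids.length === 0) {
    return { statusCode: 400, body: JSON.stringify({ error: "no permitted instance ids" }) };
  }
  const client = ec2 || new (require("aws-sdk").EC2)();
  const resp = await client
    .describeInstanceStatus({ InstanceIds: ids, IncludeAllInstances: true })
    .promise();
  return { statusCode: 200, body: JSON.stringify(summarize(resp)) };
}
```

The browser then calls this function through lambda.invoke with the unauthenticated credentials, exactly as the question already does, instead of calling EC2 directly.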
