
Cognito identity reveals access key, secret key and session token as part of response

0

I'm a penetration tester. While testing a web application, as part of signing in, https://cognito-identity.ca-central-1.amazonaws.com reveals sensitive information like the access key, secret key and session token as part of the response, which can be intercepted using proxy tools. Can this lead to unintended access? How can this be mitigated?

Note: I'm only aware that the identities are federated and use the action sts:AssumeRoleWithWebIdentity.

asked a year ago · 716 views
2 Answers
2
Accepted Answer

Hi Lakshmy G,

Please try this solution.

If AWS Cognito is exposing sensitive information such as access keys, secret keys, and session tokens in its responses, consider the following.

Switch to Secure Server-Side Authentication:

  • Move Sensitive Operations to Server-Side: Ensure that sensitive operations and credential management are handled server-side. Only send necessary and non-sensitive information to the client.

Use Amazon Cognito Best Practices:

  • Use Federated Identities Correctly: Ensure that you're using Amazon Cognito federated identities correctly. Avoid directly exposing AWS credentials to the client. Instead, use Cognito to manage temporary credentials securely.

Implement Proper Token Handling:

  • Limit Token Exposure: Do not expose sensitive tokens directly to the client. Use server-side code to exchange tokens securely and handle AWS operations.

Enable HTTPS for All Communications:

  • Secure Transmission: Make sure all data exchanged between the client and server is encrypted using HTTPS to prevent interception.

Review IAM Role Policies:

  • Restrict Permissions: Ensure that the IAM roles assumed by Cognito have the minimal permissions necessary for their tasks. Implement the principle of least privilege.

Monitor and Audit:

  • Enable CloudTrail: Use AWS CloudTrail to monitor and log all API requests and credential usage to detect and respond to any unusual activity.

If you want more information, please go through these documents:

https://dev.to/zenika/how-to-use-aws-cognito-to-access-aws-services-150e

https://stackoverflow.com/questions/47833797/are-the-cognito-user-pool-id-and-client-id-sensitive

https://aws.amazon.com/blogs/security/how-to-customize-access-tokens-in-amazon-cognito-user-pools/

EXPERT · answered a year ago
EXPERT · reviewed a year ago
1

Hi Lakshmy G,

Yes, exposing sensitive information like access keys, secret keys, and session tokens can indeed lead to unintended access and pose significant security risks. Attackers could potentially intercept these details using proxy tools and gain unauthorized access to AWS resources.

  • Unauthorized Access: Intercepted credentials can allow attackers to access AWS resources, potentially leading to data breaches or unauthorized modifications.
  • Privilege Escalation: If the intercepted tokens or keys have high privileges, attackers could perform a wide range of malicious actions.
  • Service Disruption: Attackers could disrupt services, delete resources, or cause financial losses by consuming resources.

Inspect Cognito Configuration:

  • Confirm that Cognito is correctly configured to use federated identities and is not inadvertently exposing tokens.
  • Ensure that tokens have appropriate scopes and lifetimes.
  • Regularly Rotate Keys: Implement a key rotation policy to periodically change access keys and secrets, reducing the risk of long-term exposure.

Use Secure Token Service (STS) Practices:

  • Limit the permissions granted via the AssumeRoleWithWebIdentity action to the minimum required.
  • Use conditions in IAM policies to restrict the use of the assumed role to specific resources or actions.

For more, follow the link; hope it helps:

EXPERT · answered a year ago
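As an added example (not part of either answer above, and not the asker's configuration), here is a CloudFormation fragment that implements the IAM scoping both answers describe for the role a Cognito identity pool hands out through sts:AssumeRoleWithWebIdentity. The trust policy restricts the role to one identity pool and to authenticated identities, and the permissions policy uses the identity's `sub` so a caller holding the temporary credentials can only reach its own prefix; `IdentityPool` and `UserDataBucket` are assumed parameters, not values from the question.

```yaml
# Added example: least-privilege authenticated role for a Cognito identity pool.
# IdentityPool and UserDataBucket are assumed inputs supplied by the deployer.
Parameters:
  IdentityPool:
    Type: String        # e.g. ca-central-1:<uuid>, the identity pool ID
  UserDataBucket:
    Type: String        # bucket that holds per-user objects

Resources:
  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only this identity pool, and only authenticated identities,
      # may assume the role via AssumeRoleWithWebIdentity.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: !Ref IdentityPool
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
      # Permissions policy: each identity is confined to its own S3 prefix.
      # The policy variable ${cognito-identity.amazonaws.com:sub} is resolved by IAM
      # at request time; ${!...} keeps it literal inside the !Sub template.
      Policies:
        - PolicyName: PerIdentityObjectAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: !Sub "arn:aws:s3:::${UserDataBucket}/${!cognito-identity.amazonaws.com:sub}/*"

  # Bind the role to the identity pool's authenticated identities.
  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt AuthenticatedRole.Arn
```

Whatever the client receives from the Cognito Identity endpoint, those credentials can do no more than this role allows, so reviewing the attached role's trust and permissions policies is the concrete check to make after observing the keys in the response.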
