{% hint style="success" %}
Learn & practice AWS Hacking:.png)
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: .png)
HackTricks Training GCP Red Team Expert (GRTE).png)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Amazon Cognito is utilized for authentication, authorization, and user management in web and mobile applications. It allows users the flexibility to sign in either directly using a user name and password or indirectly through a third party, including Facebook, Amazon, Google, or Apple.
Central to Amazon Cognito are two primary components:
- User Pools: These are directories designed for your app users, offering sign-up and sign-in functionalities.
- Identity Pools: These pools are instrumental in authorizing users to access different AWS services. They are not directly involved in the sign-in or sign-up process but are crucial for resource access post-authentication.
To learn what is a Cognito User Pool check:
{% content-ref url="cognito-user-pools.md" %} cognito-user-pools.md {% endcontent-ref %}
The learn what is a Cognito Identity Pool check:
{% content-ref url="cognito-identity-pools.md" %} cognito-identity-pools.md {% endcontent-ref %}
{% code overflow="wrap" %}
# List Identity Pools
aws cognito-identity list-identity-pools --max-results 60
aws cognito-identity describe-identity-pool --identity-pool-id "eu-west-2:38b294756-2578-8246-9074-5367fc9f5367"
aws cognito-identity list-identities --identity-pool-id <ident-pool-id> --max-results 60
aws cognito-identity get-identity-pool-roles --identity-pool-id <ident-pool-id>
# Identities Datasets
## Get dataset of identity id (inside identity pool)
aws cognito-sync list-datasets --identity-pool-id <ident-pool-id> --identity-id <ident-id>
## Get info of the dataset
aws cognito-sync describe-dataset --identity-pool-id <value> --identity-id <value> --dataset-name <value>
## Get dataset records
aws cognito-sync list-records --identity-pool-id <value> --identity-id <value> --dataset-name <value>
# User Pools
## Get pools
aws cognito-idp list-user-pools --max-results 60
## Get users
aws cognito-idp list-users --user-pool-id <user-pool-id>
## Get groups
aws cognito-idp list-groups --user-pool-id <user-pool-id>
## Get users in a group
aws cognito-idp list-users-in-group --user-pool-id <user-pool-id> --group-name <group-name>
## List App IDs of a user pool
aws cognito-idp list-user-pool-clients --user-pool-id <user-pool-id>
## List configured identity providers for a user pool
aws cognito-idp list-identity-providers --user-pool-id <user-pool-id>
## List user import jobs
aws cognito-idp list-user-import-jobs --user-pool-id <user-pool-id> --max-results 60
## Get MFA config of a user pool
aws cognito-idp get-user-pool-mfa-config --user-pool-id <user-pool-id>
## Get risk configuration
aws cognito-idp describe-risk-configuration --user-pool-id <user-pool-id>{% endcode %}
Just knowing the Identity Pool ID you might be able get credentials of the role associated to unauthenticated users (if any). Check how here.
Even if you don't know a valid username inside Cognito, you might be able to enumerate valid usernames, BF the passwords of even register a new user just knowing the App client ID (which is usually found in source code). Check how here.
{% content-ref url="../../aws-privilege-escalation/aws-cognito-privesc.md" %} aws-cognito-privesc.md {% endcontent-ref %}
{% content-ref url="../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md" %} aws-cognito-unauthenticated-enum.md {% endcontent-ref %}
{% content-ref url="../../aws-persistence/aws-cognito-persistence.md" %} aws-cognito-persistence.md {% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.