Control: 2 Cognito identity pools should not allow unauthenticated identities
Description
This control checks whether an Amazon Cognito identity pool is configured to allow unauthenticated identities. The control fails if guest access is activated (the AllowUnauthenticatedIdentities parameter is set to true) for the identity pool.
If an Amazon Cognito identity pool allows unauthenticated identities, the identity pool issues temporary AWS credentials to users who haven't authenticated through an identity provider (guests). Those credentials carry the permissions of the pool's unauthenticated IAM role, so anyone who knows the pool ID can obtain anonymous access to whatever that role permits. Deactivating guest access helps ensure that only properly authenticated users can obtain credentials from the pool, which reduces the risk of unauthorized access and potential security breaches. As a best practice, an identity pool should require authentication through supported identity providers. If unauthenticated access is necessary, carefully restrict the permissions of the unauthenticated role, and regularly review and monitor its usage.
Remediation
For information about deactivating guest access for an Amazon Cognito identity pool, see Activate or deactivate guest access in the Amazon Cognito Developer Guide.
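The following Python script, added here as an example and not part of the aws_compliance mod or the Amazon Cognito Developer Guide, applies the same decision as the control to the shape of a DescribeIdentityPool response and builds the UpdateIdentityPool call that turns guest access off. The sample pools, their IDs, names and provider values are constructed for the example. The remediation copies every other existing setting back into the update call, on the assumption that UpdateIdentityPool replaces the pool configuration rather than patching it; the live boto3 call only runs when apply=True.

```python
"""Check and remediate guest access on Cognito identity pools (added example)."""
from typing import Any, Dict, List, Tuple

# Constructed sample data in the shape of cognito-identity DescribeIdentityPool
# responses. Pool IDs, names, client IDs and tags are fictitious.
SAMPLE_POOLS: List[Dict[str, Any]] = [
    {
        "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000001",
        "IdentityPoolName": "mobile_app_pool",
        "AllowUnauthenticatedIdentities": True,
        "AllowClassicFlow": False,
        "CognitoIdentityProviders": [
            {
                "ProviderName": "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
                "ClientId": "exampleclientid",
                "ServerSideTokenCheck": True,
            }
        ],
        "SupportedLoginProviders": {},
        "IdentityPoolTags": {"env": "prod"},
        "ResponseMetadata": {"HTTPStatusCode": 200},  # present on real responses
    },
    {
        "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000002",
        "IdentityPoolName": "internal_tool_pool",
        "AllowUnauthenticatedIdentities": False,
        "AllowClassicFlow": False,
        "SamlProviderArns": ["arn:aws:iam::123456789012:saml-provider/example"],
        "IdentityPoolTags": {"env": "dev"},
        "ResponseMetadata": {"HTTPStatusCode": 200},
    },
]

# Settings that UpdateIdentityPool accepts besides the pool ID and the guest flag.
_PRESERVED_KEYS = (
    "IdentityPoolName",
    "AllowClassicFlow",
    "SupportedLoginProviders",
    "DeveloperProviderName",
    "OpenIdConnectProviderArns",
    "CognitoIdentityProviders",
    "SamlProviderArns",
    "IdentityPoolTags",
)


def evaluate_pool(pool: Dict[str, Any]) -> Tuple[str, str]:
    """Mirror the control's SQL: alarm when guest access is on, ok otherwise."""
    name = pool["IdentityPoolName"]
    if pool.get("AllowUnauthenticatedIdentities", False):
        return "alarm", f"{name} allows unauthenticated identities."
    return "ok", f"{name} restricts unauthenticated identities."


def build_update_params(pool: Dict[str, Any]) -> Dict[str, Any]:
    """Build UpdateIdentityPool kwargs that flip only the guest flag.

    Every other existing setting is copied back (assumption: the API replaces
    the whole configuration, so omitting e.g. CognitoIdentityProviders would
    drop them). Response-only keys such as ResponseMetadata are not copied.
    """
    params: Dict[str, Any] = {
        "IdentityPoolId": pool["IdentityPoolId"],
        "AllowUnauthenticatedIdentities": False,
    }
    for key in _PRESERVED_KEYS:
        if key in pool:
            params[key] = pool[key]
    return params


def remediate(
    pools: List[Dict[str, Any]], apply: bool = False, region: str = "us-east-1"
) -> List[Tuple[str, str, str]]:
    """Return (pool_id, status, reason) per pool; optionally fix failing pools."""
    results = []
    for pool in pools:
        status, reason = evaluate_pool(pool)
        results.append((pool["IdentityPoolId"], status, reason))
        if status == "alarm" and apply:
            import boto3  # imported here so the dry run needs no AWS SDK or credentials

            client = boto3.client("cognito-identity", region_name=region)
            client.update_identity_pool(**build_update_params(pool))
    return results


if __name__ == "__main__":
    for pool_id, status, reason in remediate(SAMPLE_POOLS):
        print(f"{status:5s} {pool_id}  {reason}")
```

Run it as-is for a dry run over the sample pools; to act on a real account, replace SAMPLE_POOLS with the results of list_identity_pools and describe_identity_pool and call remediate(..., apply=True). Before flipping the flag on a production pool, confirm that no client relies on the guest role, since requests that depend on unauthenticated credentials will start failing once the change is applied.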
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_cognito_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cognito_2 --share
SQL
This control uses a named query:
select
  identity_pool_id as resource,
  case
    when not allow_unauthenticated_identities then 'ok'
    else 'alarm'
  end as status,
  case
    when not allow_unauthenticated_identities then title || ' restricts unauthenticated identities.'
    else title || ' allows unauthenticated identities.'
  end as reason,
  region,
  account_id
from
  aws_cognito_identity_pool;