Profile Applicability:

  • Level 1

Description:

Amazon Cognito Identity Pools provide temporary AWS credentials to users so they can access AWS resources. Guest access allows users who have not authenticated to obtain such credentials and reach whatever resources the pool grants to unauthenticated identities. Enabling guest access for a Cognito Identity Pool can therefore expose your resources to unauthorized access, making it essential to disable it. This SOP ensures that Cognito Identity Pools are configured to require user authentication, preventing anonymous or guest access to sensitive AWS resources.

Rationale:

  • Security: Disabling guest access ensures that only authenticated users, such as those authenticated through Amazon Cognito User Pools or federated identity providers, can obtain AWS credentials and access resources.

  • Compliance: Disabling guest access is aligned with security best practices for preventing unauthorized access to AWS resources, helping to meet compliance requirements like SOC 2, PCI-DSS, and HIPAA.

  • Access Control: Guest access can create security vulnerabilities, especially when sensitive resources are made available to unauthenticated users. Requiring authentication strengthens access control mechanisms.

Impact:

Pros:

  • Improved Security: Prevents unauthenticated users from accessing sensitive AWS resources.

  • Better Access Control: Ensures that only authorized users can interact with AWS services through the Cognito Identity Pool.

  • Compliance: Helps comply with security policies and regulatory requirements regarding authentication and access control.

Cons:

  • User Experience: Users who would have accessed resources without authentication (i.e., as guests) will now be required to authenticate, which may impact user experience, particularly for public-facing applications.

  • Additional Configuration: Requires proper setup of authentication mechanisms, such as Cognito User Pools, social identity providers, or SAML-based identity providers, to ensure authenticated access.

Default Value:

By default, Cognito Identity Pools allow both authenticated and unauthenticated (guest) access unless explicitly configured otherwise.

Pre-requisite:

  • AWS IAM Permissions:

    • cognito-identity:DescribeIdentityPool

    • cognito-identity:UpdateIdentityPool

  • AWS CLI installed and configured.

  • Cognito Identity Pool is set up and operational.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito under Services.

  3. In the Cognito Dashboard, select Federated Identities.

  4. Select the Identity Pool you want to review.

  5. Under the Authentication section, check if guest access (unauthenticated access) is enabled.

    • Guest access should be disabled, i.e. the option allowing unauthenticated identities to access the identity pool should be turned off.

  6. If guest access is enabled, proceed with disabling it by following the steps in the Implementation section.

Using AWS CLI:

  1. To describe the Cognito Identity Pool and check if guest access is enabled, run:

    aws cognito-identity describe-identity-pool --identity-pool-id <identity-pool-id> --query 'IdentityPool.AllowUnauthenticatedIdentities'

  2. If the result is true, it means guest access is enabled. Proceed to disable it.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Cognito.

  2. In the Cognito Dashboard, select Federated Identities.

  3. Select the Identity Pool you want to modify.

  4. Under the Authentication section, look for the Allow unauthenticated identities setting.

    • Disable this option to prevent guest access.

  5. Save the changes to the Identity Pool.

Using AWS CLI:

  1. To disable guest access in the Cognito Identity Pool, first export the current pool definition. The update-identity-pool command requires the pool name and replaces the whole pool configuration (identity providers included), so the full definition is round-tripped rather than sending the flag on its own:

    aws cognito-identity describe-identity-pool --identity-pool-id <identity-pool-id> > pool.json

    • In pool.json, set "AllowUnauthenticatedIdentities" to false, then apply the updated definition:

    aws cognito-identity update-identity-pool --cli-input-json file://pool.json

  2. Verify that guest access has been successfully disabled by running:

    aws cognito-identity describe-identity-pool --identity-pool-id <identity-pool-id> --query 'IdentityPool.AllowUnauthenticatedIdentities'
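A shell script that carries out the CLI check and remediation above across several pools in one pass (an added example, not part of this SOP). It assumes the AWS CLI is installed with credentials and a default region configured, and that pool IDs are passed as arguments; the JSON checks and the flag rewrite are pure text functions so they can be exercised without AWS access.

```shell
#!/bin/sh
# Added example, not from the original SOP: audit Cognito Identity Pools for
# guest access and, with --fix, disable it by round-tripping the full pool
# definition (update-identity-pool replaces the whole configuration).
# Assumes the AWS CLI is installed and credentials/default region are set.
set -u
# Fetch the pool definition as JSON (same fields update-identity-pool accepts).
describe_pool() {
  aws cognito-identity describe-identity-pool --identity-pool-id "$1" --output json
}
# Pure text transform: set AllowUnauthenticatedIdentities to false in pool JSON.
set_guest_false() {
  printf '%s\n' "$1" |
    sed 's/"AllowUnauthenticatedIdentities": *true/"AllowUnauthenticatedIdentities": false/'
}
# Pure check on pool JSON: PASS (guest off), FAIL (guest on) or UNKNOWN.
evaluate_pool() {
  case "$1" in
    *'"AllowUnauthenticatedIdentities": false'*) echo PASS ;;
    *'"AllowUnauthenticatedIdentities": true'*)  echo FAIL ;;
    *)                                            echo UNKNOWN ;;
  esac
}
# Apply a modified definition via --cli-input-json.
update_pool() {
  tmp=$(mktemp) || return 1
  printf '%s\n' "$1" >"$tmp"
  aws cognito-identity update-identity-pool --cli-input-json "file://$tmp" >/dev/null
  rc=$?; rm -f "$tmp"; return $rc
}
# audit_pools [--fix] pool-id...  Prints one "<pool-id>\t<result>" line per pool;
# returns 0 only if every pool ends as PASS or FIXED.
audit_pools() {
  fix=0
  if [ "${1:-}" = "--fix" ]; then fix=1; shift; fi
  rc=0
  for pool in "$@"; do
    json=$(describe_pool "$pool") || json=""
    result=$(evaluate_pool "$json")
    if [ "$result" = FAIL ] && [ "$fix" -eq 1 ]; then
      update_pool "$(set_guest_false "$json")" && result=FIXED
    fi
    printf '%s\t%s\n' "$pool" "$result"
    case "$result" in PASS|FIXED) ;; *) rc=1 ;; esac
  done
  return $rc
}
if [ "$#" -gt 0 ]; then audit_pools "$@"; fi
```

Run it as `./audit_pools.sh <identity-pool-id> ...` to report, or add `--fix` as the first argument to remediate any pool that reports FAIL.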

Backout Plan:

Using AWS Console:

  1. If disabling guest access causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Cognito and select the Identity Pool.

  3. In the Authentication Providers section, check the Allow unauthenticated identities checkbox.

  4. Save the changes to re-enable guest access.

Using AWS CLI:

  1. To re-enable guest access, export the current pool definition (update-identity-pool replaces the whole pool configuration, so the full definition is round-tripped):

    aws cognito-identity describe-identity-pool --identity-pool-id <IDENTITY_POOL_ID> --region <REGION> > pool.json

    • In pool.json, set "AllowUnauthenticatedIdentities" to true, then apply the updated definition:

    aws cognito-identity update-identity-pool --cli-input-json file://pool.json --region <REGION>

  2. Verify that guest access has been re-enabled by describing the Identity Pool again:

    aws cognito-identity describe-identity-pool --identity-pool-id <IDENTITY_POOL_ID> --region <REGION>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                             | IG1 | IG2 | IG3
  --------+------------+---------------------------------------------------------------------------------------------------------------------------------+-----+-----+----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files.  |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |