AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-07-16 · Security-related medium

File: securityhub/latest/userguide/cognito-controls.md

Summary

Added new control [Cognito.2] to check for unauthenticated identities in Cognito identity pools

Security assessment

The change introduces a security control that explicitly addresses the risk of unauthorized access by checking for unauthenticated identities in Cognito identity pools. The documentation warns about security risks and provides remediation guidance, directly addressing a security vulnerability.

Diff

diff --git a/securityhub/latest/userguide/cognito-controls.md b/securityhub/latest/userguide/cognito-controls.md
index d9e1ab87f..07b0db298 100644
--- a//securityhub/latest/userguide/cognito-controls.md
+++ b//securityhub/latest/userguide/cognito-controls.md
@@ -5 +5 @@
-[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication
+[Cognito.1] Cognito user pools should have threat protection activated with full function enforcement mode for standard authentication[Cognito.2] Cognito identity pools should not allow unauthenticated identities
@@ -9 +9 @@
-This AWS Security Hub control evaluates the Amazon Cognito service and resources. The control might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
+These AWS Security Hub controls evaluate the Amazon Cognito service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
@@ -36,0 +37,22 @@ For information about activating threat protection for an Amazon Cognito user po
+## [Cognito.2] Cognito identity pools should not allow unauthenticated identities
+
+**Category:** Protect > Secure access management > Passwordless authentication
+
+**Severity:** Medium
+
+**Resource type:** `AWS::Cognito::IdentityPool`
+
+**AWS Config rule:** [cognito-identity-pool-unauth-access-check](https://docs.aws.amazon.com/config/latest/developerguide/cognito-identity-pool-unauth-access-check.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:** None
+
+This control checks whether an Amazon Cognito identity pool is configured to allow unauthenticated identities. The control fails if guest access is activated (the `AllowUnauthenticatedIdentities` parameter is set to `true`) for the identity pool.
+
+If an Amazon Cognito identity pool allows unauthenticated identities, the identity pool provides temporary AWS credentials to users who haven't authenticated through an identity provider (guests). This creates security risks because it allows anonymous access to AWS resources. If you deactivate guest access, you can help ensure that only properly authenticated users can access your AWS resources, which reduces the risk of unauthorized access and potential security breaches. As a best practice, an identity pool should require authentication through supported identity providers. If unauthenticated access is necessary, it's important to carefully restrict permissions for unauthenticated identities, and regularly review and monitor their usage.
+
+### Remediation
+
+For information about deactivating guest access for an Amazon Cognito identity pool, see [Activate or deactivate guest access](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html#enable-or-disable-unauthenticated-identities) in the _Amazon Cognito Developer Guide_.
+