Ensure Cognito Identity Pool Has Guest Access Disabled

Overview

This check verifies that Amazon Cognito identity pools do not allow guest (unauthenticated) access. When guest access is enabled, anyone can obtain temporary AWS credentials without signing in, which can expose your AWS resources to unauthorized users.

Risk

If guest access is enabled on your identity pool:

  • Unauthenticated users receive temporary AWS credentials that may grant access to your resources
  • API abuse becomes possible if the unauthenticated role has permissive policies
  • Data exposure can occur if credentials allow access to S3 buckets, DynamoDB tables, or other services
  • Increased costs from unauthorized resource consumption
  • Reduced audit trail since actions are performed by anonymous users

Unless your application specifically requires public, anonymous access, guest access should be disabled.

Remediation Steps

Prerequisites

You need permission to modify Cognito identity pools. This typically requires the cognito-identity:UpdateIdentityPool permission.

AWS Console Method

  1. Open the Amazon Cognito console
  2. In the left navigation, click Identity pools
  3. Select the identity pool you want to modify
  4. Click the User access tab
  5. Under Guest access, click Edit
  6. Toggle off Guest access (or uncheck "Enable access to unauthenticated identities")
  7. Click Save changes

Important: Before disabling guest access, ensure your application does not rely on unauthenticated identities. Disabling this setting will break any functionality that depends on guest access.

AWS CLI (optional)

First, retrieve the current identity pool configuration:

aws cognito-identity describe-identity-pool \
  --identity-pool-id <your-identity-pool-id> \
  --region us-east-1

Note the IdentityPoolName from the output. Then update the identity pool to disable guest access:

aws cognito-identity update-identity-pool \
  --identity-pool-id <your-identity-pool-id> \
  --identity-pool-name <your-identity-pool-name> \
  --no-allow-unauthenticated-identities \
  --region us-east-1

Note: The update-identity-pool command requires both --identity-pool-id and --identity-pool-name. If you do not provide other optional parameters, Amazon Cognito will reset them to their default values. To preserve existing settings (like supported login providers), include them in the update command.

Example with additional settings preserved:

aws cognito-identity update-identity-pool \
  --identity-pool-id us-east-1:12345678-1234-1234-1234-123456789012 \
  --identity-pool-name my-identity-pool \
  --no-allow-unauthenticated-identities \
  --supported-login-providers "accounts.google.com=123456789.apps.googleusercontent.com" \
  --region us-east-1

CloudFormation (optional)
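Retyping every optional flag is error-prone when a pool has several providers configured. The script below is an added example (not code from the original page) that takes the approach the note above warns about one step further: it pulls the current configuration with describe-identity-pool, flips only AllowUnauthenticatedIdentities to false, and feeds the result back through --cli-input-json, which is accepted because the describe output has the same shape as the update-identity-pool input. It assumes the AWS CLI is installed with credentials that allow cognito-identity:DescribeIdentityPool and cognito-identity:UpdateIdentityPool; POOL_ID and the sample JSON are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original check page.
# Disable guest access on one identity pool while keeping every other setting
# (login providers, OIDC/SAML ARNs, tags, classic-flow flag) exactly as it is.

# Rewrite the AllowUnauthenticatedIdentities value in a JSON document to false.
# Handles the pretty-printed JSON the CLI emits as well as compact "key":value.
set_guest_access_false() {
  printf '%s\n' "$1" \
    | sed 's/\("AllowUnauthenticatedIdentities"[[:space:]]*:[[:space:]]*\)true/\1false/'
}

# Fetch the pool, rewrite the flag, and push the full document back.
# Arguments: pool id, region (defaults to us-east-1).
disable_guest_access() {
  pool_id=$1
  region=${2:-us-east-1}
  current=$(aws cognito-identity describe-identity-pool \
              --identity-pool-id "$pool_id" --region "$region" --output json) || return 1
  tmp=$(mktemp) || return 1
  set_guest_access_false "$current" > "$tmp"
  # --cli-input-json takes the whole IdentityPool structure, so nothing is reset
  # to defaults the way a bare update-identity-pool call would do.
  aws cognito-identity update-identity-pool --region "$region" --cli-input-json "file://$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed sample of a describe-identity-pool response (not a real pool),
# used to exercise the rewrite offline.
SAMPLE_POOL_JSON='{
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "IdentityPoolName": "sample-pool",
    "AllowUnauthenticatedIdentities": true,
    "AllowClassicFlow": false,
    "SupportedLoginProviders": {
        "accounts.google.com": "000000000.apps.googleusercontent.com"
    },
    "IdentityPoolTags": {}
}'

# Only touch a real pool when POOL_ID is set, e.g.
#   POOL_ID=us-east-1:... AWS_REGION=us-east-1 sh disable-guest-access.sh
if [ -n "${POOL_ID:-}" ]; then
  disable_guest_access "$POOL_ID" "${AWS_REGION:-us-east-1}"
fi
```

Run describe-identity-pool again afterwards and confirm the provider map and tags are unchanged; if the rewrite did not find the key (an older CLI printing a different layout, for example), the update is a no-op rather than a destructive reset.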

To create or update an identity pool with guest access disabled, use this template:

AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito Identity Pool with guest access disabled

Parameters:
  IdentityPoolName:
    Type: String
    Description: Name for the Cognito Identity Pool
    Default: my-identity-pool

Resources:
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: !Ref IdentityPoolName
      AllowUnauthenticatedIdentities: false

Outputs:
  IdentityPoolId:
    Description: The ID of the identity pool
    Value: !Ref IdentityPool

Deploy the template:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name cognito-identity-pool-secure \
  --parameter-overrides IdentityPoolName=my-secure-pool \
  --region us-east-1

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_cognito_identity_pool" "example" {
  identity_pool_name               = "my-identity-pool"
  allow_unauthenticated_identities = false

  # Optional: Add authenticated identity providers
  # cognito_identity_providers {
  #   client_id               = aws_cognito_user_pool_client.example.id
  #   provider_name           = aws_cognito_user_pool.example.endpoint
  #   server_side_token_check = false
  # }
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Verification

After making changes, verify that guest access is disabled:

  1. Return to the identity pool in the Amazon Cognito console
  2. Check the User access tab
  3. Confirm that Guest access shows as disabled

CLI verification

aws cognito-identity describe-identity-pool \
  --identity-pool-id <your-identity-pool-id> \
  --region us-east-1 \
  --query 'AllowUnauthenticatedIdentities'

The output should be false.
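Checking one pool by hand is enough after a single change, but the same check is usually wanted across every pool in a region on a schedule. The script below is an added example (not code from the original page) that lists all identity pools in a region, reads AllowUnauthenticatedIdentities from each describe-identity-pool response, and exits non-zero if any pool still allows guest access. It assumes the AWS CLI is installed with credentials that allow cognito-identity:ListIdentityPools and cognito-identity:DescribeIdentityPool; the AUDIT_REGION variable and the sample JSON documents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original check page: audit every Cognito
# identity pool in a region and fail on any pool that still allows guest access.

# Read the AllowUnauthenticatedIdentities value out of describe-identity-pool
# JSON. Prints "true", "false", or "unknown" when the key is missing.
guest_access_flag() {
  # Strip all whitespace so the pair is always "key":value regardless of layout.
  value=$(printf '%s' "$1" | tr -d '\n\r\t ' \
    | sed -n 's/.*"AllowUnauthenticatedIdentities":\([a-z]*\).*/\1/p')
  case "$value" in
    true|false) printf '%s\n' "$value" ;;
    *) printf 'unknown\n' ;;
  esac
}

# Exit status 0 only when guest access is explicitly disabled; an absent or
# unparseable flag counts as a failure so nothing passes by accident.
pool_is_compliant() {
  [ "$(guest_access_flag "$1")" = "false" ]
}

# Walk every pool in the region and print one PASS/FAIL line per pool.
# Returns non-zero if any pool fails, so it can gate a CI job or a scheduled run.
audit_region() {
  region=$1
  failed=0
  # --max-results is mandatory for list-identity-pools (1-60 per page); accounts
  # with more pools than that need NextToken handling via --starting-token.
  ids=$(aws cognito-identity list-identity-pools --max-results 60 \
          --region "$region" --query 'IdentityPools[].IdentityPoolId' \
          --output text) || return 2
  for id in $ids; do
    pool_json=$(aws cognito-identity describe-identity-pool \
                  --identity-pool-id "$id" --region "$region" --output json) \
      || { printf 'ERROR %s (describe failed)\n' "$id"; failed=1; continue; }
    if pool_is_compliant "$pool_json"; then
      printf 'PASS %s (guest access disabled)\n' "$id"
    else
      printf 'FAIL %s (AllowUnauthenticatedIdentities=%s)\n' \
        "$id" "$(guest_access_flag "$pool_json")"
      failed=1
    fi
  done
  return $failed
}

# Constructed sample responses (not real pools) so the parsing runs offline.
SAMPLE_GUEST_ENABLED='{
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "IdentityPoolName": "sample-guest-pool",
    "AllowUnauthenticatedIdentities": true,
    "AllowClassicFlow": false,
    "SupportedLoginProviders": {}
}'
SAMPLE_GUEST_DISABLED='{
    "IdentityPoolId": "us-east-1:11111111-1111-1111-1111-111111111111",
    "IdentityPoolName": "sample-locked-pool",
    "AllowUnauthenticatedIdentities": false,
    "AllowClassicFlow": false,
    "SupportedLoginProviders": {}
}'

# Run the live audit only when a region is given, e.g.
#   AUDIT_REGION=us-east-1 sh audit-cognito-guest-access.sh
if [ -n "${AUDIT_REGION:-}" ]; then
  audit_region "$AUDIT_REGION"
fi
```

Pools that legitimately need guest access will show up as FAIL every run; keep an explicit allow-list of those pool IDs next to the script and review the unauthenticated role attached to each of them separately, as the Notes below describe.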

Additional Resources

Notes

  • Application impact: If your application currently uses guest access, disabling it will cause authentication failures for anonymous users. Review your application code before making this change.
  • If guest access is required: Some use cases legitimately need unauthenticated access (e.g., public file downloads, anonymous analytics). In these cases:
    • Apply the principle of least privilege to the unauthenticated IAM role
    • Shorten session durations
    • Implement rate limiting and monitoring
    • Consider whether authenticated flows could work instead
  • Related checks: Also review the IAM role assigned to unauthenticated identities to ensure it follows least privilege principles.