
# Amazon Cognito

## Amazon Cognito overview

Amazon Cognito provides authentication, authorization and user management for customers' web and mobile applications. Users can sign in directly with a username and password, through a third party (such as Facebook, Amazon, Google or Apple), or through an enterprise identity provider via SAML 2.0 and OpenID Connect.

The two main components of Amazon Cognito are `user pools` and `identity pools`. A `user pool` is a user directory that provides sign-up and sign-in options for application users. An `identity pool` lets developers grant users access to other AWS services.

{% embed url="https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html" %}

### How does Amazon Cognito work?

![](/files/gZTrWO4LLBb28cNXqp46)

1. The user signs in through the `user pool` and, after successful authentication, receives user pool tokens (JWTs)
2. The application exchanges the user pool tokens for AWS credentials through the `identity pool`
3. The user can use those AWS credentials to access other AWS services, such as Amazon S3 or DynamoDB

## Security issues

### Identity pool ID leakage

An identity pool ID lets you obtain temporary AWS credentials that may carry additional AWS permissions. As a result, unauthenticated access to sensitive AWS services may be possible.

The identity pool ID may be stored on the client side, for example in JavaScript, or returned in a response.

References:

* [Appsecco blog: Exploiting weak configurations in Amazon Cognito](https://blog.appsecco.com/exploiting-weak-configurations-in-amazon-cognito-in-aws-471ce761963)
* [Technical analysis: Hacking AWS Cognito misconfigurations](https://notsosecure.com/hacking-aws-cognito-misconfigurations)

### Misconfigured user pool access

If the application allows writing to user attributes of the AWS user pool that it uses internally, this can be used to abuse the trust relationship between the application and the pool. In other words, attributes can be changed and JWTs issued that the application will then rely on. For example, if the application uses normalized (lowercase) email addresses, you can change one letter of the email address to its uppercase equivalent and take over the account.

References:

* [Technical analysis: Flickr account takeover](https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/)
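Both issues above (an identity pool that hands credentials to unauthenticated callers, and a user pool whose user-writable or case-sensitive attributes the application trusts) can be caught by reviewing the pool configuration. The following audit is an added example, not code from this page or from AWS; it operates on dicts shaped like the boto3 responses for DescribeIdentityPool, DescribeUserPool and DescribeUserPoolClient, and the sample pools, client IDs and the `custom:role` attribute are constructed.

```python
"""Audit Cognito settings for the two issues above. Input dicts follow the
shapes of the boto3 responses DescribeIdentityPool, DescribeUserPool and
DescribeUserPoolClient; the samples are constructed, not real pools."""

# Assumption: claims the backend reads from the JWT to identify or authorize a
# user; custom:role is a hypothetical custom attribute. Adjust to your app.
TRUSTED_ATTRIBUTES = {"email", "phone_number", "custom:role"}

def audit_identity_pool(pool: dict) -> list[str]:
    """With unauthenticated identities enabled, anyone who learns the pool ID
    can obtain temporary AWS credentials, so flag that setting."""
    if pool.get("AllowUnauthenticatedIdentities"):
        return [f"{pool['IdentityPoolId']}: unauthenticated identities enabled; "
                "disable, or minimise the unauthenticated role's policy"]
    return []

def audit_user_pool(pool: dict) -> list[str]:
    """Case-sensitive email sign-in lets 'Victim@x' and 'victim@x' be two
    users; an app that lowercases the claim maps both to one account.
    Assumption: a pool without UsernameConfiguration is legacy case-sensitive."""
    signin = set(pool.get("UsernameAttributes", [])) | set(pool.get("AliasAttributes", []))
    case_sensitive = pool.get("UsernameConfiguration", {}).get("CaseSensitive", True)
    if "email" in signin and case_sensitive:
        return [f"{pool['Id']}: email sign-in is case-sensitive (fixable only by "
                "creating a new pool with CaseSensitive=false)"]
    return []

def audit_app_client(client: dict) -> list[str]:
    """Every attribute in WriteAttributes is self-service editable by the user
    (UpdateUserAttributes), so none of them should drive authorization."""
    exposed = sorted(set(client.get("WriteAttributes", [])) & TRUSTED_ATTRIBUTES)
    if exposed:
        return [f"{client['ClientId']}: user-writable trusted attributes: "
                + ", ".join(exposed)]
    return []

# Constructed samples (not real AWS resources).
SAMPLE_IDENTITY_POOL = {"IdentityPoolId": "us-east-1:EXAMPLE-POOL",
                        "AllowUnauthenticatedIdentities": True}
SAMPLE_USER_POOL = {"Id": "us-east-1_EXAMPLE", "UsernameAttributes": ["email"],
                    "UsernameConfiguration": {"CaseSensitive": True}}
SAMPLE_APP_CLIENT = {"ClientId": "exampleclientid",
                     "WriteAttributes": ["email", "name", "custom:role"]}

def run_audit() -> list[str]:
    """Run all three checks over the samples; one string per finding."""
    return (audit_identity_pool(SAMPLE_IDENTITY_POOL)
            + audit_user_pool(SAMPLE_USER_POOL)
            + audit_app_client(SAMPLE_APP_CLIENT))
```

In a real review, feed the functions the live responses of the corresponding boto3 calls; the three sample findings show what each misconfiguration looks like.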

## References

* [Whitepaper: Internet-scale analysis of AWS Cognito security](https://andresriancho.com/wp-content/uploads/2019/06/whitepaper-internet-scale-analysis-of-aws-cognito-security.pdf)
