Cognito identity pools should not allow unauthenticated identities

An identity pool with unauthenticated access enabled hands out temporary AWS credentials to anyone who asks. Even scoped to a minimal IAM role, those credentials give anonymous callers a foothold in your AWS account. A misconfigured unauthenticated role can escalate this from a nuisance to a data breach.

Disabling guest access forces every caller to authenticate through a configured identity provider before receiving credentials, tying all API activity to a verifiable identity.

Retrofit consideration

Existing applications may rely on unauthenticated identity pool access for guest features like anonymous file uploads or public API calls. Disabling guest access will break those workflows until you add a proper authentication flow or move the functionality behind an alternative service such as API Gateway with IAM authorization.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_cognito_identity_pool.

resource "aws_cognito_identity_pool" "this" {
  identity_pool_name = "pofix-abc123"

  # false is the provider default; set it explicitly so the intent is visible
  # in review and cannot be flipped by a copied quick-start template
  allow_unauthenticated_identities = false
}

What this control checks

The control checks the aws_cognito_identity_pool resource for allow_unauthenticated_identities. The argument must be false or omitted (false is the default). Explicitly setting it to true fails the control. No other arguments on the identity pool resource affect this check. When false, the identity pool rejects GetOpenIdToken and GetCredentialsForIdentity calls for unauthenticated identities, so every consumer must present a valid token from a configured identity provider (Cognito User Pool, SAML, OIDC, or social provider) before receiving temporary AWS credentials.

Common pitfalls

  • Default is safe but explicit overrides break compliance

    allow_unauthenticated_identities defaults to false in the aws_cognito_identity_pool resource, but many tutorials and quick-start templates set it to true for demo purposes. Copy-pasting those configurations into production modules will trigger a failure.

  • Unauthenticated role still created by dependent resources

    You can still attach an unauthenticated IAM role via aws_cognito_identity_pool_roles_attachment with a roles map containing an unauthenticated key, even when allow_unauthenticated_identities is false. The role attachment alone won't fail the control, but toggling guest access back on later silently activates it. Remove the unauthenticated role mapping entirely to avoid the confusion.

  • Enhanced auth flow does not override this setting

    Setting allow_classic_flow to false enables the enhanced (simplified) authentication flow but has no effect on guest access. allow_unauthenticated_identities must be set to false independently.
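The check described under "What this control checks", together with the roles-attachment pitfall above, as an added example that is not part of the original page or of any of the tools listed below. It evaluates Terraform text with a simplified brace-matching parser: pools fail only when allow_unauthenticated_identities is explicitly true, omitted means pass, and a roles attachment that still maps an "unauthenticated" role is flagged as a warning. The sample configuration is constructed for the example.

```python
import re

# Constructed sample (not from the page): a compliant pool, a quick-start pool with
# guest access on, a pool relying on the default, and a roles attachment that still maps an "unauthenticated" role.
SAMPLE_TF = '''
resource "aws_cognito_identity_pool" "compliant" {
  identity_pool_name               = "pofix-abc123"
  allow_unauthenticated_identities = false
}
resource "aws_cognito_identity_pool" "demo" {
  identity_pool_name               = "quickstart-demo"
  allow_unauthenticated_identities = true
}
resource "aws_cognito_identity_pool" "implicit" {
  identity_pool_name = "implicit-default"
}
resource "aws_cognito_identity_pool_roles_attachment" "demo" {
  identity_pool_id = aws_cognito_identity_pool.demo.id
  roles = {
    "authenticated"   = aws_iam_role.auth.arn
    "unauthenticated" = aws_iam_role.unauth.arn
  }
}
'''

BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
GUEST_RE = re.compile(r"^\s*allow_unauthenticated_identities\s*=\s*(\w+)", re.M)

def extract_blocks(hcl):
    """Yield (type, name, body) per resource block by brace matching.
    Simplified HCL handling: assumes no braces inside strings or comments."""
    for m in BLOCK_RE.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]

def evaluate(hcl):
    """Map each resource address to PASS, FAIL or WARN. A pool FAILs only when
    allow_unauthenticated_identities is literally true; false or omitted passes (false is
    the provider default). An attachment mapping an unauthenticated role WARNs."""
    results = {}
    for rtype, name, body in extract_blocks(hcl):
        addr = f"{rtype}.{name}"
        if rtype == "aws_cognito_identity_pool":
            results[addr] = "FAIL" if (m := GUEST_RE.search(body)) and m.group(1) == "true" else "PASS"
        elif rtype == "aws_cognito_identity_pool_roles_attachment" and re.search(r'"?unauthenticated"?\s*=', body):
            results[addr] = "WARN"
    return results
```

Running evaluate(SAMPLE_TF) reports the demo pool as FAIL, the compliant and implicit pools as PASS, and the roles attachment as WARN.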

Audit evidence

An auditor expects AWS Config rule evaluation results showing each AWS::Cognito::IdentityPool resource as COMPLIANT, confirming AllowUnauthenticatedIdentities is false. Supporting evidence includes a Cognito console screenshot showing the "Enable access to unauthenticated identities" checkbox unchecked, or the output of aws cognito-identity describe-identity-pool --identity-pool-id <id> returning "AllowUnauthenticatedIdentities": false.

CloudTrail logs for CreateIdentityPool and UpdateIdentityPool calls can show that guest access was never re-enabled after the control was enforced. AWS Security Hub findings or CSPM scan reports add confidence in ongoing compliance.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: cognito_identity_pools_restrict_unauthenticated_identities

  • AWS Config Managed Rules: COGNITO_IDENTITY_POOL_UNAUTHENTICATED_LOGINS, COGNITO_IDENTITY_POOL_UNAUTH_ACCESS_CHECK

  • Checkov Check: CKV_AWS_366

  • Powerpipe Control: aws_compliance.control.cognito_identity_pools_restrict_unauthenticated_identities

  • Prowler Checks: cognito_identity_pool_guest_access_disabled, cognito_user_pool_blocks_compromised_credentials_sign_in_attempts

  • AWS Security Hub Control: Cognito.2

Last reviewed: 2026-03-09