Account Manipulation: Cognito Refresh Token Abuse
AWS Specific Sub-Technique
Other sub-techniques of Account Manipulation (7)
| ID | Name |
|---|---|
| T1098.A001 | AWS Support Case Closure |
| T1098.001 | Additional Cloud Credentials |
| T1098.003 | Additional Cloud Roles |
| T1098.A006 | Cognito Refresh Token Abuse |
A prerequisite for this technique is that a threat actor has already gained initial access into an environment and control of a valid Amazon Cognito refresh token, typically through credential theft, elevated permissions, or compromise of client-side storage.
With access to a valid Amazon Cognito refresh token, threat actors can maintain persistent access to an application by continuously obtaining new ID and access tokens without re-entering credentials. Amazon Cognito refresh tokens are long-lived credentials (default 30 days, configurable from 60 minutes to 10 years) that allow users to obtain new authentication tokens. When a threat actor possesses a valid refresh token, they can call the cognito-idp:GetTokensFromRefreshToken API (or, for app clients that still use the older flow, the InitiateAuth API with the REFRESH_TOKEN_AUTH auth flow) to generate fresh ID and access tokens, effectively maintaining unauthorized access to the application and its resources even after the original access tokens have expired. Unlike short-lived access tokens that expire within minutes or hours, refresh tokens give threat actors an extended window in which to maintain persistence. This is particularly concerning in environments where refresh token rotation is not enabled, because the same refresh token can then be replayed repeatedly until it expires, and nothing in the token exchange itself distinguishes the legitimate client from the party that stole the token.
Detection
When this technique is used by the threat actor, actions taken will be logged in CloudTrail. The cognito-idp:GetTokensFromRefreshToken API call issues a new ID token, a new access token, and optionally a new refresh token. You can use the Event history page in the AWS CloudTrail console to view the last 90 days of management events in your AWS Region. Each CloudTrail event will include details such as the source IP address, user agent, timestamp, and the client ID.
A separate CloudTrail trail will give you an ongoing record of events in your AWS account beyond 90 days and can be configured to log events in multiple regions. Ensure that application logging is configured to record refresh attempts, success events, failure events, and user identifiers (note: never log the refresh token itself, since the log would then become another place from which it can be stolen).
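The correlation the CloudTrail guidance above calls for, run over a few constructed CloudTrail records, as an added example that is not part of the catalog page. The record layout is constructed: in particular, the location of the user identifier (additionalEventData.sub) is an assumption, so adapt principal_of to whatever your real events carry, and the InitiateAuth/REFRESH_TOKEN_AUTH handling assumes that flow appears with an authFlow request parameter. Because the refresh token itself is never in the log, the script correlates on (client ID, user) rather than on the token value.

```python
"""Flag suspicious Cognito refresh-token usage in CloudTrail records.

Added example, not from the AWS threat catalog page. The sample records and
their field layout are constructed; `additionalEventData.sub` as the user id
is an assumption, adjust `principal_of` to match your real events.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, ip, client_id, sub, ua="aws-sdk-js/3.600.0"):
    """Build one constructed CloudTrail record shaped like a Cognito event."""
    return json.dumps({
        "eventVersion": "1.08",
        "eventTime": ts,
        "eventSource": "cognito-idp.amazonaws.com",
        "eventName": "GetTokensFromRefreshToken",
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "userAgent": ua,
        "requestParameters": {"clientId": client_id},
        "additionalEventData": {"sub": sub},  # assumed location of the user id
    })


# Constructed sample log (newline-delimited JSON, one CloudTrail record per line).
SAMPLE_LOG = "\n".join([
    # legitimate user: one refresh per hour from a single address
    _ev("2025-01-15T08:00:00Z", "198.51.100.7", "1example23456789", "user-a"),
    _ev("2025-01-15T09:00:00Z", "198.51.100.7", "1example23456789", "user-a"),
    # stolen refresh token: replayed from two addresses, six times in three minutes
    _ev("2025-01-15T09:10:00Z", "198.51.100.9", "1example23456789", "user-b"),
    _ev("2025-01-15T09:10:30Z", "203.0.113.10", "1example23456789", "user-b", "python-requests/2.32"),
    _ev("2025-01-15T09:11:00Z", "203.0.113.10", "1example23456789", "user-b", "python-requests/2.32"),
    _ev("2025-01-15T09:11:30Z", "198.51.100.9", "1example23456789", "user-b"),
    _ev("2025-01-15T09:12:00Z", "203.0.113.10", "1example23456789", "user-b", "python-requests/2.32"),
    _ev("2025-01-15T09:13:00Z", "203.0.113.10", "1example23456789", "user-b", "python-requests/2.32"),
    # unrelated management event that must be ignored
    json.dumps({"eventTime": "2025-01-15T09:13:05Z", "eventSource": "cognito-idp.amazonaws.com",
                "eventName": "DescribeUserPool", "sourceIPAddress": "198.51.100.1",
                "requestParameters": {"userPoolId": "us-east-1_EXAMPLE"}}),
])


def parse_refresh_events(log_text):
    """Return (timestamp, record) pairs, oldest first, for calls that mint tokens from a refresh token."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventSource") != "cognito-idp.amazonaws.com":
            continue
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        # GetTokensFromRefreshToken is the current API; InitiateAuth with REFRESH_TOKEN_AUTH is the legacy path
        if name == "GetTokensFromRefreshToken" or (
                name == "InitiateAuth" and params.get("authFlow") == "REFRESH_TOKEN_AUTH"):
            out.append((datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"), ev))
    out.sort(key=lambda pair: pair[0])
    return out


def principal_of(ev):
    """Correlation key: the token is never logged, so key on (app client id, user id)."""
    params = ev.get("requestParameters") or {}
    extra = ev.get("additionalEventData") or {}
    return (params.get("clientId", "?"), extra.get("sub", "unknown"))


def detect(log_text, window=timedelta(minutes=10), max_ips=1, max_refreshes=4):
    """Evaluate two rules over a sliding window per principal.

    multi_ip   - refreshes for one principal came from more than `max_ips` source IPs in a window
    high_rate  - more than `max_refreshes` refreshes for one principal inside a window
    Returns {(client_id, sub): [rule, ...]} for principals that tripped at least one rule.
    """
    history = defaultdict(list)   # principal -> [(timestamp, source ip)]
    findings = defaultdict(set)
    for ts, ev in parse_refresh_events(log_text):
        key = principal_of(ev)
        history[key].append((ts, ev.get("sourceIPAddress")))
        recent = [(t, ip) for t, ip in history[key] if ts - t <= window]
        if len({ip for _, ip in recent}) > max_ips:
            findings[key].add("multi_ip")
        if len(recent) > max_refreshes:
            findings[key].add("high_rate")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for (client_id, sub), rules in detect(SAMPLE_LOG).items():
        print(f"client={client_id} sub={sub}: {', '.join(rules)}")
```

The thresholds are deliberately tight for the sample; in production derive them from each app client's observed refresh cadence (a mobile app that refreshes every hour looks very different from a single-page app with a five-minute access token), and feed the same rules a geo or ASN lookup on the source IP if you want the "new region" signal the page mentions.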
It is also possible to create CloudWatch metric filters to monitor for anomalous patterns in GetTokensFromRefreshToken API usage, such as many concurrent sessions from different IP addresses tied to the same user and client ID, or abnormally frequent calls to refresh tokens. Because the refresh token itself is not (and must not be) logged, correlate on the user identifier and client ID rather than on the token value. You can configure alerts when unusual patterns are detected.
Mitigation
Enable refresh token rotation so that each use of a refresh token returns a new one and invalidates the one that was presented. A stolen token can then no longer be replayed in parallel with the legitimate client: whichever party presents the old token after it has been rotated is rejected, so the theft surfaces as a refresh failure rather than as two silently coexisting sessions. Manage token lifetime durations by setting refresh token expiration to the minimum duration necessary for your application's user experience requirements. Keep token revocation enabled on the app client so that a refresh token known to be compromised can be cut off immediately with RevokeToken (or the user's sessions ended with GlobalSignOut) during incident response, rather than waiting for it to expire.
If using unauthenticated users (anonymous or "guest" access through a Cognito identity pool), enforce the principle of least privilege and use the enhanced authentication flow to manage the logic of IAM role selection. If there is not a use case for unauthenticated users, it is recommended to disable unauthenticated users.
You can use Amazon CloudWatch alarms and EventBridge rules to detect anomalous patterns in GetTokensFromRefreshToken API usage, such as requests from new geographic regions or unusual request frequencies, and configure automated remediation workflows to respond to detected threats.
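An audit of an app client's token settings against the mitigations above, together with the corresponding hardening call, as an added example that is not part of the catalog page. The describe_user_pool_client response below is constructed; the RefreshTokenRotation and RetryGracePeriodSeconds parameter names follow the boto3 cognito-idp API as I know it and should be verified against your SDK version; the seven-day refresh validity ceiling is an arbitrary policy choice, not an AWS default.

```python
"""Audit Cognito app-client token settings and build the hardening update.

Added example, not from the AWS threat catalog page. WEAK_CLIENT is a
constructed describe_user_pool_client()["UserPoolClient"] response; the
RefreshTokenRotation parameter names are taken from the boto3 cognito-idp
API and should be checked against your SDK version.
"""
from datetime import timedelta

# Constructed: an app client with every weakness the page warns about.
WEAK_CLIENT = {
    "UserPoolId": "us-east-1_EXAMPLE",
    "ClientId": "1example23456789",
    "ClientName": "web",
    "RefreshTokenValidity": 3650,          # the 10-year maximum
    "AccessTokenValidity": 60,
    "IdTokenValidity": 60,
    "TokenValidityUnits": {"RefreshToken": "days", "AccessToken": "minutes", "IdToken": "minutes"},
    "ExplicitAuthFlows": ["ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"],
    "EnableTokenRevocation": False,        # RevokeToken would fail for this client
    "RefreshTokenRotation": {"Feature": "DISABLED"},
}

_UNIT = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


def validity_seconds(client, token):
    """Resolve <token>Validity plus TokenValidityUnits into seconds.

    Cognito defaults when a unit is absent: days for the refresh token, hours for
    access and ID tokens; default values are 30 days and 1 hour respectively.
    """
    default_unit = "days" if token == "RefreshToken" else "hours"
    unit = (client.get("TokenValidityUnits") or {}).get(token, default_unit)
    value = client.get(f"{token}Validity")
    if value is None:
        value = 30 if token == "RefreshToken" else 1
    return value * _UNIT[unit]


def audit_app_client(client, max_refresh=timedelta(days=7)):
    """Return a list of human-readable findings; empty means the client passes."""
    findings = []
    rotation = client.get("RefreshTokenRotation") or {}
    enabled = rotation.get("Feature") == "ENABLED"
    if not enabled:
        findings.append("refresh token rotation disabled: a stolen token can be replayed for its whole lifetime")
    elif rotation.get("RetryGracePeriodSeconds", 0) > 0:
        findings.append(f"rotation grace period {rotation['RetryGracePeriodSeconds']}s "
                        "lets the superseded token be accepted once more")
    ttl = validity_seconds(client, "RefreshToken")
    if ttl > max_refresh.total_seconds():
        findings.append(f"refresh token validity {ttl // 86400} days exceeds policy maximum {max_refresh.days} days")
    if not client.get("EnableTokenRevocation", True):
        findings.append("token revocation disabled: RevokeToken / GlobalSignOut cannot cut off a stolen token")
    return findings


def hardening_update(client, refresh_validity=timedelta(days=1)):
    """kwargs for cognito-idp update_user_pool_client() that enable rotation and shorten lifetimes.

    UpdateUserPoolClient resets any attribute you omit to its default, so settings
    that must survive (auth flows, OAuth config, callback URLs) are carried over.
    """
    carry = {k: client[k] for k in (
        "ExplicitAuthFlows", "SupportedIdentityProviders", "CallbackURLs", "LogoutURLs",
        "AllowedOAuthFlows", "AllowedOAuthScopes", "AllowedOAuthFlowsUserPoolClient",
        "PreventUserExistenceErrors") if k in client}
    return {
        **carry,
        "UserPoolId": client["UserPoolId"],
        "ClientId": client["ClientId"],
        "RefreshTokenValidity": int(refresh_validity.total_seconds() // 3600),
        "AccessTokenValidity": 15,
        "IdTokenValidity": 15,
        "TokenValidityUnits": {"RefreshToken": "hours", "AccessToken": "minutes", "IdToken": "minutes"},
        "EnableTokenRevocation": True,
        "RefreshTokenRotation": {"Feature": "ENABLED", "RetryGracePeriodSeconds": 0},
    }


if __name__ == "__main__":
    import sys
    for finding in audit_app_client(WEAK_CLIENT):
        print("FINDING (sample client):", finding)
    if len(sys.argv) == 3:   # python audit.py <user_pool_id> <client_id>: audit a live client
        import boto3
        cidp = boto3.client("cognito-idp")
        live = cidp.describe_user_pool_client(UserPoolId=sys.argv[1], ClientId=sys.argv[2])["UserPoolClient"]
        for finding in audit_app_client(live):
            print("FINDING (live client):", finding)
        # cidp.update_user_pool_client(**hardening_update(live))  # apply after reviewing the kwargs
```

The grace period check matters because rotation with a non-zero RetryGracePeriodSeconds deliberately accepts the superseded token a second time to survive a lost response; that is a usability trade-off, and for a high-value client you want it at zero so a replayed token is never honoured.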