Cognito, Ergo Some Extra Permissions
Leo Tsaousis
Cloud Village @ DEF CON 33 · Day 1 · Cloud Village
In his Cloud Village talk, "Cognito, Ergo Some Extra Permissions," Leo Tsaousis, a Senior Security Consultant at Reverse, unveiled a critical vulnerability within AWS CloudWatch Dashboards that, under specific circumstances, allowed unauthenticated users to gain unauthorized access to AWS account resources. The talk highlights a fundamental principle often overlooked: security monitoring solutions themselves can inadvertently introduce significant security risks. Tsaousis meticulously details how a combination of a "fail-open" logic bug in AWS Cognito Identity Pools and an oversight in how CloudWatch configured these pools led to the exposure of sensitive information, such as EC2 instance tags, and potentially even granted permissions to invoke Lambda functions.
AI review
Genuine original research with a clear chain of reasoning from scanner alert to unauthenticated role assumption — exactly the kind of cloud security work that deserves a stage slot. The finding is specific, the root cause is well-understood (fail-open default in allowClassicFlow), and the exploitation path is reproducible. Doesn't fully clear the 5-star bar because the blast radius is ultimately constrained: it requires a publicly shared dashboard and the worst-case impact is denial-of-wallet rather than account takeover.
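The two settings that the abstract and the review point at (unauthenticated identities on a Cognito Identity Pool, and the classic/basic authentication flow whose default the review calls fail-open) are both visible through the public Cognito Identity API, so an account owner can find exposed pools without reproducing the talk. The audit below is an added example written for this page, not code from the talk or from AWS; it uses the real boto3 response shapes of `describe_identity_pool` and `get_identity_pool_roles`, while the pool ids, names and role ARNs in the offline stand-in client are constructed.

```python
"""Audit Amazon Cognito Identity Pools for settings that let callers with no
identity token obtain AWS credentials.

Two settings matter for the failure mode described in the talk abstract:
  * AllowUnauthenticatedIdentities - the pool vends credentials to anonymous
    callers, mapped to the pool's "unauthenticated" role.
  * AllowClassicFlow - the older GetOpenIdToken / STS flow is enabled; the
    review attributes the fail-open behaviour to this flag's default.
Field names follow the boto3 cognito-identity responses; the sample pools in
_FakeClient are constructed for offline runs.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Finding:
    pool_id: str
    severity: str
    reason: str
    unauth_role: str | None = None


def assess_pool(pool: dict, roles: dict) -> list[Finding]:
    """Return findings for one pool.

    `pool` is a describe_identity_pool response, `roles` a
    get_identity_pool_roles response.
    """
    findings: list[Finding] = []
    pid = pool["IdentityPoolId"]
    unauth = bool(pool.get("AllowUnauthenticatedIdentities", False))
    classic = bool(pool.get("AllowClassicFlow", False))
    unauth_role = roles.get("Roles", {}).get("unauthenticated")

    if unauth and unauth_role:
        findings.append(Finding(pid, "HIGH",
                                "unauthenticated identities enabled with a role attached",
                                unauth_role))
    elif unauth:
        findings.append(Finding(pid, "MEDIUM",
                                "unauthenticated identities enabled (no unauthenticated role mapped)"))
    if classic:
        # Classic flow on its own widens the API surface; combined with
        # anonymous access it is the exposure the talk describes.
        findings.append(Finding(pid, "HIGH" if unauth else "LOW",
                                "classic (basic) authentication flow enabled"))
    return findings


def audit_identity_pools(client) -> list[Finding]:
    """Walk every identity pool visible to `client`.

    `client` is a boto3 cognito-identity client or any object exposing the same
    three methods (the offline stand-in below is one).
    """
    findings: list[Finding] = []
    kwargs: dict = {"MaxResults": 60}
    while True:
        page = client.list_identity_pools(**kwargs)
        for summary in page.get("IdentityPools", []):
            pid = summary["IdentityPoolId"]
            pool = client.describe_identity_pool(IdentityPoolId=pid)
            roles = client.get_identity_pool_roles(IdentityPoolId=pid)
            findings.extend(assess_pool(pool, roles))
        token = page.get("NextToken")
        if not token:
            return findings
        kwargs["NextToken"] = token


class _FakeClient:
    """Constructed stand-in that mimics the boto3 response shapes (offline use)."""

    POOLS = {
        "us-east-1:00000000-0000-0000-0000-000000000001": {
            "IdentityPoolName": "dashboard_viewer_pool",
            "AllowUnauthenticatedIdentities": True,
            "AllowClassicFlow": True,
            "Roles": {"unauthenticated": "arn:aws:iam::123456789012:role/ExampleUnauthRole"},
        },
        "us-east-1:00000000-0000-0000-0000-000000000002": {
            "IdentityPoolName": "mobile_app_pool",
            "AllowUnauthenticatedIdentities": False,
            "AllowClassicFlow": False,
            "Roles": {"authenticated": "arn:aws:iam::123456789012:role/ExampleAuthRole"},
        },
    }

    def list_identity_pools(self, **_):
        return {"IdentityPools": [{"IdentityPoolId": k, "IdentityPoolName": v["IdentityPoolName"]}
                                  for k, v in self.POOLS.items()]}

    def describe_identity_pool(self, IdentityPoolId):
        p = self.POOLS[IdentityPoolId]
        return {"IdentityPoolId": IdentityPoolId,
                "IdentityPoolName": p["IdentityPoolName"],
                "AllowUnauthenticatedIdentities": p["AllowUnauthenticatedIdentities"],
                "AllowClassicFlow": p["AllowClassicFlow"]}

    def get_identity_pool_roles(self, IdentityPoolId):
        return {"IdentityPoolId": IdentityPoolId, "Roles": self.POOLS[IdentityPoolId]["Roles"]}


def demo() -> list[Finding]:
    """Run the audit against the constructed pools."""
    return audit_identity_pools(_FakeClient())


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # only needed for a real account
        client = boto3.client("cognito-identity")
    else:
        client = _FakeClient()
    for f in audit_identity_pools(client):
        extra = f" role={f.unauth_role}" if f.unauth_role else ""
        print(f"[{f.severity}] {f.pool_id}: {f.reason}{extra}")
```

Run without arguments to see the two findings on the constructed dashboard pool and none on the locked-down one; `--live` walks the pools in the region of your current credentials (it needs only `cognito-identity:ListIdentityPools`, `DescribeIdentityPool` and `GetIdentityPoolRoles`). Any pool flagged HIGH deserves a review of what the unauthenticated role's policy actually grants, since that role's permissions are exactly what an anonymous caller inherits.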