Migrate to using mdbook

src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md

@@ -0,0 +1,42 @@
+# AWS - Cognito Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cognito
+
+For more information, access:
+
+{{#ref}}
+../aws-services/aws-cognito-enum/
+{{#endref}}
+
+### User persistence
+
+Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like:
+
+- **Adding a User Pool** controlled by the user to an Identity Pool
+- Give an **IAM role to an unauthenticated Identity Pool and allow Basic auth flow**
+  - Or to an **authenticated Identity Pool** if the attacker can login
+  - Or **improve the permissions** of the given roles
+- **Create, verify & privesc** via attributes controlled users or new users in a **User Pool**
+- **Allowing external Identity Providers** to login in a User Pool or in an Identity Pool
+
+Check how to do these actions in
+
+{{#ref}}
+../aws-privilege-escalation/aws-cognito-privesc.md
+{{#endref}}
+
+### `cognito-idp:SetRiskConfiguration`
+
+An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user **without having alarms being triggered**. [**Check out the cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) to check all the options:
+
+```bash
+aws cognito-idp set-risk-configuration --user-pool-id <pool-id> --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION}
+```
+
+By default this is disabled:
+
+<figure><img src="https://lh6.googleusercontent.com/EOiM0EVuEgZDfW3rOJHLQjd09-KmvraCMssjZYpY9sVha6NcxwUjStrLbZxAT3D3j9y08kd5oobvW8a2fLUVROyhkHaB1OPhd7X6gJW3AEQtlZM62q41uYJjTY1EJ0iQg6Orr1O7yZ798EpIJ87og4Tbzw=s2048" alt=""><figcaption></figcaption></figure>
+
+{{#include ../../../banners/hacktricks-training.md}}