# AWS - Cognito Enum
{% hint style="success" %}
Learn & practice AWS Hacking: (1) (1) (1).png)
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking:  (1).png)
[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## Cognito
Amazon Cognito is utilized for **authentication, authorization, and user management** in web and mobile applications. It allows users the flexibility to sign in either directly using a **user name and password** or indirectly through a **third party**, including Facebook, Amazon, Google, or Apple.
Central to Amazon Cognito are two primary components:
1. **User Pools**: These are directories designed for your app users, offering **sign-up and sign-in functionalities**.
2. **Identity Pools**: These pools are instrumental in **authorizing users to access different AWS services**. They are not directly involved in the sign-in or sign-up process but are crucial for resource access post-authentication.
### **User pools**
To learn what is a **Cognito User Pool check**:
{% content-ref url="cognito-user-pools.md" %}
[cognito-user-pools.md](cognito-user-pools.md)
{% endcontent-ref %}
### **Identity pools**
The learn what is a **Cognito Identity Pool check**:
{% content-ref url="cognito-identity-pools.md" %}
[cognito-identity-pools.md](cognito-identity-pools.md)
{% endcontent-ref %}
## Enumeration
{% code overflow="wrap" %}
```bash
# List Identity Pools
aws cognito-identity list-identity-pools --max-results 60
aws cognito-identity describe-identity-pool --identity-pool-id "eu-west-2:38b294756-2578-8246-9074-5367fc9f5367"
aws cognito-identity list-identities --identity-pool-id --max-results 60
aws cognito-identity get-identity-pool-roles --identity-pool-id
# Identities Datasets
## Get dataset of identity id (inside identity pool)
aws cognito-sync list-datasets --identity-pool-id --identity-id
## Get info of the dataset
aws cognito-sync describe-dataset --identity-pool-id --identity-id --dataset-name
## Get dataset records
aws cognito-sync list-records --identity-pool-id --identity-id --dataset-name
# User Pools
## Get pools
aws cognito-idp list-user-pools --max-results 60
## Get users
aws cognito-idp list-users --user-pool-id
## Get groups
aws cognito-idp list-groups --user-pool-id
## Get users in a group
aws cognito-idp list-users-in-group --user-pool-id --group-name
## List App IDs of a user pool
aws cognito-idp list-user-pool-clients --user-pool-id
## List configured identity providers for a user pool
aws cognito-idp list-identity-providers --user-pool-id
## List user import jobs
aws cognito-idp list-user-import-jobs --user-pool-id --max-results 60
## Get MFA config of a user pool
aws cognito-idp get-user-pool-mfa-config --user-pool-id
## Get risk configuration
aws cognito-idp describe-risk-configuration --user-pool-id
```
{% endcode %}
### Identity Pools - Unauthenticated Enumeration
Just **knowing the Identity Pool ID** you might be able **get credentials of the role associated to unauthenticated** users (if any). [**Check how here**](cognito-identity-pools.md#accessing-iam-roles).
### User Pools - Unauthenticated Enumeration
Even if you **don't know a valid username** inside Cognito, you might be able to **enumerate** valid **usernames**, **BF** the **passwords** of even **register a new user** just **knowing the App client ID** (which is usually found in source code). [**Check how here**](cognito-user-pools.md#registration)**.**
## Privesc
{% content-ref url="../../aws-privilege-escalation/aws-cognito-privesc.md" %}
[aws-cognito-privesc.md](../../aws-privilege-escalation/aws-cognito-privesc.md)
{% endcontent-ref %}
## Unauthenticated Access
{% content-ref url="../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md" %}
[aws-cognito-unauthenticated-enum.md](../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md)
{% endcontent-ref %}
## Persistence
{% content-ref url="../../aws-persistence/aws-cognito-persistence.md" %}
[aws-cognito-persistence.md](../../aws-persistence/aws-cognito-persistence.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}