
Threat Actors Exploit AWS Cognito Refresh Tokens for Persistent Access

Severity: High (Score: 69.0)

Sources: aws-samples.github.io, Aws.Amazon

Summary

In April 2026, AWS reported that threat actors are abusing Amazon Cognito refresh tokens to maintain unauthorized access to applications. A Cognito refresh token can be configured to stay valid for up to 10 years, and holding one lets an attacker mint fresh access and ID tokens without re-authenticating. Initial access is typically gained through credential theft or compromise of the client-side storage where the token is kept. Because the refresh token keeps working after the short-lived access tokens expire, the attacker can continue to reach resources while remaining undetected. The AWS Cyber Incident Response Team (CIRT) noted that environments without refresh token rotation are particularly exposed, since the same token can be replayed until it expires. Separately, threat actors have been observed deregistering Amazon Machine Images (AMIs) to hinder recovery efforts. The corresponding updates to the AWS Threat Technique Catalog (TTC) add detection methods for these activities and recommendations for mitigation.

Key Points

  • Threat actors exploit long-lived Amazon Cognito refresh tokens for persistent access.
  • Initial access is often gained through credential theft or compromised client-side storage.
  • AWS recommends enabling refresh token rotation to mitigate this risk.
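The weak configuration the advisory describes (a refresh token valid for years, no rotation) is visible in the app client settings returned by the cognito-idp DescribeUserPoolClient API. The script below is an added example, not AWS's own tooling or part of the original feed entry: it audits an app client description for the two conditions called out above and builds the kwargs you would hand to boto3's update_user_pool_client to enable rotation and shorten the lifetime. The sample client descriptions are constructed inline; the RefreshTokenRotation and TokenValidityUnits field names follow the cognito-idp API as documented, but verify them against the current API reference before relying on the update call.

```python
"""Audit Amazon Cognito app clients for long-lived, non-rotating refresh tokens.

Added example; operates offline on constructed DescribeUserPoolClient-shaped dicts.
"""
from datetime import timedelta

# Cognito caps RefreshTokenValidity at 3650 days (10 years); the default is 30 days.
COGNITO_MAX_REFRESH_DAYS = 3650
_UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}


def refresh_token_lifetime(client):
    """Configured refresh-token validity of a UserPoolClient description.

    When TokenValidityUnits.RefreshToken is absent, Cognito treats the value as days.
    """
    value = client.get("RefreshTokenValidity", 30)  # Cognito default: 30 days
    unit = client.get("TokenValidityUnits", {}).get("RefreshToken", "days")
    return timedelta(seconds=value * _UNIT_SECONDS[unit])


def rotation_enabled(client):
    """True when refresh token rotation is switched on for this app client."""
    return client.get("RefreshTokenRotation", {}).get("Feature") == "ENABLED"


def audit_client(client, max_lifetime=timedelta(days=30)):
    """Return a list of findings; an empty list means the client passes."""
    findings = []
    lifetime = refresh_token_lifetime(client)
    if lifetime > max_lifetime:
        findings.append(
            f"refresh token valid for {lifetime.days} days (policy limit {max_lifetime.days})"
        )
    if not rotation_enabled(client):
        # Without rotation a stolen refresh token can be replayed until it expires.
        findings.append("refresh token rotation disabled: a stolen token stays usable until expiry")
    else:
        grace = client["RefreshTokenRotation"].get("RetryGracePeriodSeconds", 0)
        if grace > 0:
            # The grace window lets the superseded token be presented again after rotation.
            findings.append(f"rotation retry grace period of {grace}s allows brief reuse of old tokens")
    return findings


def hardened_update_params(user_pool_id, client_id, refresh_days=7):
    """Kwargs for boto3 cognito-idp client.update_user_pool_client(**kwargs).

    Caveat: UpdateUserPoolClient resets any attribute you omit to its default, so in
    production merge these into the full existing client description first.
    """
    return {
        "UserPoolId": user_pool_id,
        "ClientId": client_id,
        "RefreshTokenValidity": refresh_days,
        "TokenValidityUnits": {"RefreshToken": "days"},
        "RefreshTokenRotation": {"Feature": "ENABLED", "RetryGracePeriodSeconds": 0},
    }


# Constructed sample app clients (not real pool or client identifiers).
WEAK_CLIENT = {
    "ClientId": "example-weak-client",
    "RefreshTokenValidity": COGNITO_MAX_REFRESH_DAYS,
    "TokenValidityUnits": {"RefreshToken": "days"},
    # no RefreshTokenRotation key: rotation disabled
}
HARDENED_CLIENT = {
    "ClientId": "example-hardened-client",
    "RefreshTokenValidity": 7,
    "TokenValidityUnits": {"RefreshToken": "days"},
    "RefreshTokenRotation": {"Feature": "ENABLED", "RetryGracePeriodSeconds": 0},
}

if __name__ == "__main__":
    for client in (WEAK_CLIENT, HARDENED_CLIENT):
        print(client["ClientId"], audit_client(client) or ["OK"])
    print(hardened_update_params("us-east-1_examplePool", "example-weak-client"))
```

Run the audit against the output of describe_user_pool_client for every app client in every pool; the weak sample yields two findings (a 3650-day lifetime and rotation disabled) while the hardened sample yields none. Enabling rotation does not invalidate refresh tokens already in an attacker's hands, so pair the configuration change with revoking outstanding tokens for affected users.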

Key Entities

  • Data Destruction (attack_type)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • T1098.003 - Additional Cloud Roles (mitre_attack)
  • T1098 - Account Manipulation (mitre_attack)
  • T1485 - Data Destruction (mitre_attack)
  • Amazon Cognito (platform)
  • Office 365 (platform)
  • AWS (company)