Executive Summary
In March 2026, AWS updated its Threat Technique Catalog to highlight a significant security concern: the abuse of Amazon Cognito refresh tokens. Threat actors have been exploiting long-lived refresh tokens to maintain unauthorized access to AWS environments. By obtaining a valid refresh token—through methods like credential theft or compromised client-side storage—attackers can continuously generate new access and ID tokens without re-authentication, effectively establishing a persistent foothold in the system. This technique allows them to operate undetected, as the legitimate user's session remains unaffected. The default lifespan of these tokens is 30 days, but they can be configured for up to 10 years, amplifying the potential risk. (aws-samples.github.io)
This incident underscores the evolving tactics of cyber adversaries who leverage legitimate cloud service functionalities to evade detection. Organizations must reassess their security postures, particularly concerning token management and monitoring, to mitigate such stealthy persistence mechanisms.
Why This Matters Now
The exploitation of Amazon Cognito refresh tokens represents a shift in attacker strategies, emphasizing the need for organizations to implement robust token management practices and enhance monitoring to detect unauthorized access attempts promptly.
Attack Path Analysis
An attacker exploited a misconfigured Amazon Cognito refresh token to gain initial access, then escalated privileges by modifying IAM role trust policies. They moved laterally by creating additional cloud roles, established command and control through persistent access, exfiltrated sensitive data via unauthorized API calls, and impacted the environment by deregistering critical AMIs to disrupt recovery efforts.
Kill Chain Progression
Initial Compromise
Description
The attacker obtained a valid Amazon Cognito refresh token through credential theft or client-side storage compromise, allowing unauthorized access to the application.
MITRE ATT&CK® Techniques
- Account Manipulation: Cognito Refresh Token Abuse
- Data Destruction: AMI Image Deletion
- Account Manipulation: Additional Cloud Roles
- Modify Authentication Process: UpdateAssumeRolePolicy
- Implant Internal Image
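The kill chain above maps onto a small set of CloudTrail management events, and the monitoring items under Recommended Actions (trust policy changes, AMI deregistration) ask for exactly this kind of rule. The following Python is an added example, not code from AWS or from this report: it runs a handful of detection rules over constructed CloudTrail records and correlates findings by source IP. The IAM and EC2 event names (`UpdateAssumeRolePolicy`, `CreateRole`, `DeregisterImage`) are real; that Cognito's `InitiateAuth` record carries `authFlow` in `requestParameters` is an assumption made for the example, and the "refresh from an IP that never signed in interactively" rule is a heuristic, not an AWS-provided detection.

```python
"""Detect the Cognito refresh-token kill chain in CloudTrail records (added example)."""
import json
from collections import defaultdict

# Constructed sample trail (not real telemetry). One legitimate user signs in from
# 198.51.100.7; an actor replays a stolen refresh token from 203.0.113.44 and then
# escalates, creates a role and deregisters an AMI.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2026-03-01T08:00:00Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "InitiateAuth", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"authFlow": "USER_SRP_AUTH", "clientId": "app-client-1"}},
    {"eventTime": "2026-03-01T09:00:00Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "InitiateAuth", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"authFlow": "REFRESH_TOKEN_AUTH", "clientId": "app-client-1"}},
    {"eventTime": "2026-03-02T02:13:00Z", "eventSource": "cognito-idp.amazonaws.com",
     "eventName": "InitiateAuth", "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"authFlow": "REFRESH_TOKEN_AUTH", "clientId": "app-client-1"}},
    {"eventTime": "2026-03-02T02:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy", "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"roleName": "backup-admin"}},
    {"eventTime": "2026-03-02T02:25:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"roleName": "svc-maint"}},
    {"eventTime": "2026-03-02T03:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeregisterImage", "sourceIPAddress": "203.0.113.44",
     "requestParameters": {"imageId": "ami-0123456789abcdef0"}},
    {"eventTime": "2026-03-02T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeImages", "sourceIPAddress": "198.51.100.7",
     "requestParameters": {}},
]})

# Management events that correspond to the kill chain stages listed above.
HIGH_RISK_EVENTS = {
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"): "privilege-escalation",
    ("iam.amazonaws.com", "CreateRole"): "lateral-movement",
    ("ec2.amazonaws.com", "DeregisterImage"): "impact",
}
# Auth flows that require the user to prove possession of a credential.
INTERACTIVE_FLOWS = {"USER_SRP_AUTH", "USER_PASSWORD_AUTH", "ADMIN_USER_PASSWORD_AUTH"}


def load_records(trail_json):
    """Parse a CloudTrail log file body and return its records ordered by time."""
    return sorted(json.loads(trail_json)["Records"], key=lambda r: r["eventTime"])


def _cognito_auth(record):
    """Return (authFlow, clientId) for a Cognito InitiateAuth record, else None."""
    if record["eventSource"] != "cognito-idp.amazonaws.com" or record["eventName"] != "InitiateAuth":
        return None
    params = record.get("requestParameters", {})
    return params.get("authFlow"), params.get("clientId")


def find_suspicious(records):
    """Return findings as dicts with time, ip, stage and detail."""
    # First pass: which source IPs completed an interactive sign-in per app client.
    interactive_ips = defaultdict(set)
    for r in records:
        auth = _cognito_auth(r)
        if auth and auth[0] in INTERACTIVE_FLOWS:
            interactive_ips[auth[1]].add(r["sourceIPAddress"])

    findings = []
    for r in records:
        ip = r["sourceIPAddress"]
        stage = HIGH_RISK_EVENTS.get((r["eventSource"], r["eventName"]))
        if stage:
            findings.append({"time": r["eventTime"], "ip": ip, "stage": stage,
                             "detail": f"{r['eventName']} {r.get('requestParameters')}"})
            continue
        auth = _cognito_auth(r)
        # Heuristic: a refresh-token exchange from an IP that never authenticated
        # interactively for this client looks like a replayed (stolen) refresh token.
        if auth and auth[0] == "REFRESH_TOKEN_AUTH" and ip not in interactive_ips[auth[1]]:
            findings.append({"time": r["eventTime"], "ip": ip, "stage": "initial-access",
                             "detail": f"REFRESH_TOKEN_AUTH for client {auth[1]} with no interactive sign-in from this IP"})
    return findings


def chained_ips(findings):
    """IPs whose findings span initial access plus at least one later stage."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["ip"]].add(f["stage"])
    return {ip for ip, s in stages.items() if "initial-access" in s and len(s) > 1}


if __name__ == "__main__":
    hits = find_suspicious(load_records(SAMPLE_TRAIL))
    for h in hits:
        print(h["time"], h["ip"], h["stage"], h["detail"])
    print("chained:", chained_ips(hits))
```

In production the interactive-IP baseline should be built from a longer window than the batch being scanned, otherwise legitimate users who only refresh during the window are flagged; the high-risk event rules need no baseline and are the cheapest signal to alert on.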
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication and Access Control
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
AWS cloud misconfigurations expose banking systems to Cognito token abuse and IAM privilege escalation, threatening HIPAA/PCI compliance and customer data protection.
Health Care / Life Sciences
Healthcare AWS environments face critical risks from AMI deletion attacks and lateral movement, potentially disrupting patient systems and violating HIPAA regulations.
Government Administration
Government cloud infrastructure is vulnerable to trust policy manipulation and encrypted traffic threats, compromising Zero Trust security frameworks and citizen data.
Information Technology/IT
IT service providers managing multi-cloud environments face elevated risks from Kubernetes security gaps and egress filtering bypass affecting client infrastructures.
Sources
- What the March 2026 Threat Technique Catalog update means for your AWS environment: https://aws.amazon.com/blogs/security/what-the-march-2026-threat-technique-catalog-update-means-for-your-aws-environment/
- Cognito Refresh Token Abuse - Threat Technique Catalog for AWS (TTC): https://aws-samples.github.io/threat-technique-catalog-for-aws/Techniques/T1098.A006.html
- Amazon Cognito now supports refresh token rotation: https://aws.amazon.com/about-aws/whats-new/2025/04/amazon-cognito-refresh-token-rotation/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's unauthorized access may have been limited by enforcing strict identity-aware policies, reducing the scope of compromised credentials.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained by enforcing least-privilege access controls, reducing the scope of potential privilege escalation.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the environment could have been constrained by monitoring and controlling east-west traffic, reducing the reach of unauthorized actions.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels could have been constrained by providing comprehensive visibility and control over multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been constrained by enforcing strict egress policies, reducing unauthorized data transfers.
Mitigation: The attacker's ability to disrupt recovery efforts could have been constrained by limiting unauthorized modifications to critical resources, reducing the impact on system restoration.
Impact at a Glance
Affected Business Functions
- Identity and Access Management
- Disaster Recovery
- Infrastructure Management
Estimated downtime: 7 days
Estimated loss: $50,000
Potential unauthorized access to sensitive user data and critical infrastructure configurations.
Recommended Actions
Key Takeaways & Next Steps
- Enable refresh token rotation and set minimal token lifetimes to reduce the risk of unauthorized access.
- Monitor IAM role trust policy changes and alert on modifications to detect potential privilege escalation.
- Implement zero trust segmentation to limit lateral movement within the environment.
- Enforce egress security policies to control and monitor outbound traffic, preventing unauthorized data exfiltration.
- Establish AMI retention rules and monitor deregistration events to protect critical recovery assets.
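The first takeaway, and the executive summary's point that refresh tokens default to 30 days and can be configured for up to 10 years, come down to a few fields on each Cognito app client. The following Python is an added example, not code from AWS or from this report: it audits an app client description (the `UserPoolClient` structure returned by `DescribeUserPoolClient`) for an over-long refresh token lifetime, disabled token revocation and disabled refresh token rotation, and shows a weak configuration beside a hardened one. `RefreshTokenValidity`, `TokenValidityUnits` and `EnableTokenRevocation` are real fields; the `RefreshTokenRotation` / `Feature` shape is written from my reading of the API introduced with refresh token rotation and should be checked against the current API reference. The one-day ceiling and the sample clients are constructed for the example.

```python
"""Audit Amazon Cognito app client token settings (added example)."""

# Seconds per TokenValidityUnits value (the API uses these lowercase names).
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}
DEFAULT_REFRESH_VALIDITY_DAYS = 30  # Cognito default when RefreshTokenValidity is unset
COGNITO_MAX_REFRESH_DAYS = 3650     # 10 years, the configurable maximum

# Constructed sample app clients, shaped like DescribeUserPoolClient output.
WEAK_CLIENT = {
    "ClientId": "example-weak",
    "RefreshTokenValidity": COGNITO_MAX_REFRESH_DAYS,
    "TokenValidityUnits": {"RefreshToken": "days"},
    "EnableTokenRevocation": False,
    "RefreshTokenRotation": {"Feature": "DISABLED"},
}
HARDENED_CLIENT = {
    "ClientId": "example-hardened",
    "RefreshTokenValidity": 12,
    "TokenValidityUnits": {"RefreshToken": "hours"},
    "EnableTokenRevocation": True,
    # Assumed shape: rotation on, with a short grace period for network retries.
    "RefreshTokenRotation": {"Feature": "ENABLED", "RetryGracePeriodSeconds": 30},
}


def refresh_token_validity_seconds(client):
    """Resolve RefreshTokenValidity plus its unit into seconds, applying defaults."""
    unit = client.get("TokenValidityUnits", {}).get("RefreshToken", "days")
    value = client.get("RefreshTokenValidity", DEFAULT_REFRESH_VALIDITY_DAYS)
    return value * UNIT_SECONDS[unit]


def audit_app_client(client, max_refresh_days=1):
    """Return a list of human-readable findings; an empty list means the client passes."""
    findings = []
    lifetime = refresh_token_validity_seconds(client)
    if lifetime > max_refresh_days * UNIT_SECONDS["days"]:
        findings.append(
            f"refresh token lifetime is {lifetime / UNIT_SECONDS['days']:.1f} days "
            f"(policy ceiling {max_refresh_days} day(s)); a stolen token stays usable that long"
        )
    # Without revocation, a compromised refresh token cannot be invalidated on sign-out.
    if client.get("EnableTokenRevocation") is not True:
        findings.append("token revocation is disabled; stolen refresh tokens cannot be revoked")
    # Rotation hands out a new refresh token on each use and invalidates the old one,
    # so a replayed (stolen) token fails once the legitimate client has refreshed.
    if client.get("RefreshTokenRotation", {}).get("Feature") != "ENABLED":
        findings.append("refresh token rotation is not enabled; a stolen token can be replayed indefinitely")
    return findings


def remediation_params(user_pool_id, client_id, refresh_hours=12):
    """Keyword arguments for cognito-idp UpdateUserPoolClient that harden the client.

    Built but not sent here; pass them to boto3's update_user_pool_client. The
    RefreshTokenRotation shape is an assumption, see the lead-in.
    """
    return {
        "UserPoolId": user_pool_id,
        "ClientId": client_id,
        "RefreshTokenValidity": refresh_hours,
        "TokenValidityUnits": {"RefreshToken": "hours"},
        "EnableTokenRevocation": True,
        "RefreshTokenRotation": {"Feature": "ENABLED", "RetryGracePeriodSeconds": 30},
    }


if __name__ == "__main__":
    for client in (WEAK_CLIENT, HARDENED_CLIENT):
        print(client["ClientId"], audit_app_client(client) or ["ok"])
```

Run the audit over every app client in every user pool (`ListUserPools`, `ListUserPoolClients`, `DescribeUserPoolClient`) rather than on one client at a time; a client that has never had `RefreshTokenValidity` set inherits the 30-day default and is flagged by the lifetime rule.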