With the user pool ID and client ID, one can generate secret credentials for the role used in the Group. Then, from any instance, one can install the AWS CLI, add the secret key and access key, and get access to your role. Whatever permissions that role has are now with someone else.