can someone hack into my s3 with "AWS-cognito-identity-poolID" that is hard-coded?

First I hard-coded my AWS "accessKey" and "securityKey" in a client-side JS file, but that was very insecure, so I read about "aws-cognito" and implemented new JS in the following manner:

Still, I am confused about one thing: can someone hack into my S3 with the "AWS-cognito-identity-poolID" that is hard-coded? Or are there any other security steps I should take?

Thanks,
Jaikey

Jay seen asked Nov 12 '19 06:11


2 Answers

Yes, the S3 bucket is secure if you are using it through "AWS-Cognito-Identity-Pool" on the client side; also enable CORS, which allows actions only from a specific domain, ensuring that if someone tries a direct upload or tries to list the bucket, they will get "access-denied".

Jay seen answered Oct 28 '22 09:10


Definition of Hack

I am not sure what hacking means in the context of your question.
I assume that you actually mean "that anyone can do something different than uploading a file" which includes deleting or accessing objects inside your bucket.

Your solution

As Ninad already mentioned above, you can use your current approach by enabling "Enable access to unauthenticated identities" [1]. You will then need to create two roles of which one is for "unauthenticated users". You could grant that role PutObject permissions to the S3 bucket. This would allow everyone who visits your page to upload objects to the S3 bucket. I think that is what you intend and it is fine from a security point of view since the IdentityPoolId is a public value (i.e. not confidential).

Another solution

I guess you do not need to use Amazon Cognito to achieve what you want. It is probably sufficient to add a bucket policy to S3 which grants permission for PutObject to everyone.

Is this secure?

However, I would not recommend enabling direct public write access to your S3 bucket.
If someone abused your website by spamming your upload form, you would incur S3 charges for put operations and data storage.

It would be a better approach to send the data through Amazon CloudFront and apply a WAF with rate-based rules [2] or implement a custom rate limiting service in front of your S3 upload. This would ensure that you can react appropriately upon malicious activity.

References

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html
[2] https://aws.amazon.com/about-aws/whats-new/2019/08/lower-threshold-for-aws-waf-rate-based-rules/

Martin Löper answered Oct 28 '22 10:10
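An added check, not code from the question or either answer, that inspects the IAM permission policy attached to the identity pool's "unauthenticated" role and flags anything beyond the upload-only grant described in Martin's answer (the real risk with a public identity pool ID is an over-broad role, not the ID itself). The bucket name is a constructed placeholder, and the `${cognito-identity.amazonaws.com:sub}` prefix goes one step beyond the answer by confining each anonymous identity to its own key space.

```python
# Constructed example of a least-privilege permission policy for the identity
# pool's "unauthenticated" role: upload-only, scoped to one bucket and to a
# per-identity prefix. Bucket name and prefix are placeholders (assumptions).
UNAUTH_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-upload-bucket/uploads/"
                    "${cognito-identity.amazonaws.com:sub}/*",
    }],
}

# Constructed example of the over-broad grant the answer warns against: the
# anonymous role could list, read and delete objects, not just upload them.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-upload-bucket/*"}],
}

UPLOAD_ONLY_ACTIONS = {"s3:putobject"}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list:
    """Return problems found in an unauthenticated-role policy (empty = OK)."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(st.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action.lower() not in UPLOAD_ONLY_ACTIONS:
                findings.append(f"statement {i}: {action!r} exceeds upload-only")
        for res in _as_list(st.get("Resource", [])):
            object_scoped = res.startswith("arn:aws:s3:::") and "/" in res
            if not object_scoped or res.startswith("arn:aws:s3:::*"):
                findings.append(f"statement {i}: resource {res!r} not scoped to one bucket's objects")
    return findings


if __name__ == "__main__":
    for name, pol in (("least-privilege", UNAUTH_ROLE_POLICY), ("over-broad", OVERBROAD_POLICY)):
        print(name, policy_findings(pol) or "OK")
```

Run it against the policy document exported from the role the identity pool hands to unauthenticated users; a non-empty list means visitors can do more than upload.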