I am building a serverless website with AWS Cognito, Lambda, S3 and a dozen more of their services. My HTML/JS in my login page has the Cognito pool ID. How safe is this? I know that it is best practice to hide sensitive stuff. But this is not client-server. It's all client, if I'm honest. I do access some sensitive data via a Lambda call. But even this call requires some plain-text sensitive inputs like the user ID.
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.3.7.min.js"></script>
<script>
  // Region of the identity pool (placeholder)
  AWS.config.region = 'XX-XXXX-1';
  // Identity pool ID is shipped to the browser so the SDK can request temporary credentials
  AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'XX-XXXX-1:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX'
  });
  // Lambda client picks up the credentials above when the first call is made
  var lambda = new AWS.Lambda();
</script>
I really don't like the pool ID being visible. An attacker can copy this and brute force my Cognito IDs. Any ideas to hide it?
They are not secret. In fact, the ID token contains the iss claim (property), which is the User Pool ID, and the aud claim, which is the App Client ID.
Amazon Cognito user pools that you create in the AWS Management Console are case insensitive by default.
Security for your apps and users: Amazon Cognito supports multi-factor authentication and encryption of data-at-rest and in-transit. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.
Using Identity Pools (Federated Identities): Amazon Cognito identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token. An identity pool is a store of user identity data specific to your account.
Amazon Cognito Identity Pools can support unauthenticated identities by providing a unique identifier and AWS credentials for users who do not authenticate with an identity provider. If your application allows users who do not log in, you can enable access for unauthenticated identities.
Use an identity pool when you need to: Give your users access to AWS resources, such as an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon DynamoDB table. Generate temporary AWS credentials for unauthenticated users.
A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.
Using the identity pool ID to create the client is a requirement, and keeping it client-side is very common. It isn't a major risk on its own, and what there is can be greatly limited with a bit of tinkering on your side.
You can mitigate the risk of exposing the identity pool id via the roles that Cognito creates and links to the pool. Through those, you can scope down the credentials that Cognito will generate for your unauthenticated/authenticated users. This blog post has more on how to do this. You could take that a step further by greatly limiting the privileges of unauthenticated users until they have logged into an authenticated identity.
You can put the Pool and other Cognito IDs in your HTML without much fear (if you've defined the unauthorized policies carefully), but you may want to use API Gateway (with built-in Cognito authorizer) for handling calls to other back-end services (like DynamoDB or S3) instead of using those directly from the front-end js. That's described here:
https://aws.amazon.com/blogs/mobile/aws-mobile-app-backend-with-hybrid-apps/
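As an added example of the role scoping described above (CloudFormation written for this page, not code from the answers or from AWS), the unauthenticated role is trusted only by this identity pool and only for guest identities, and each role gets a narrow permission policy instead of a wide-open one. IdentityPool, example-bucket, REGION, ACCOUNT_ID and FUNCTION_NAME are placeholders.

```yaml
# Added example, not code from the answers. Placeholders: IdentityPool (logical ID of an AWS::Cognito::IdentityPool in the same template), example-bucket, REGION, ACCOUNT_ID, FUNCTION_NAME.
Resources:
  UnauthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only identities from this pool, and only guest (unauthenticated) ones.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Federated: cognito-identity.amazonaws.com }
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals: { "cognito-identity.amazonaws.com:aud": !Ref IdentityPool }
              ForAnyValue:StringLike: { "cognito-identity.amazonaws.com:amr": unauthenticated }
      Policies:   # guests get one read-only prefix, not { Action: "*", Resource: "*" }
        - PolicyName: GuestAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - { Effect: Allow, Action: s3:GetObject, Resource: "arn:aws:s3:::example-bucket/public/*" }
  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Federated: cognito-identity.amazonaws.com }
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals: { "cognito-identity.amazonaws.com:aud": !Ref IdentityPool }
              ForAnyValue:StringLike: { "cognito-identity.amazonaws.com:amr": authenticated }
      Policies:
        - PolicyName: UserAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # IAM substitutes the caller's Cognito identity ID, so each user reaches only its own prefix.
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject]
                Resource: "arn:aws:s3:::example-bucket/private/${cognito-identity.amazonaws.com:sub}/*"
              - Effect: Allow   # exactly one function, not every Lambda in the account
                Action: lambda:InvokeFunction
                Resource: arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME
  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles: { unauthenticated: !GetAtt UnauthenticatedRole.Arn, authenticated: !GetAtt AuthenticatedRole.Arn }
```

With this in place, whoever copies the pool ID out of the page gets nothing beyond the guest role's single read-only prefix, and a signed-in user's credentials cannot reach another user's objects.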