Is it safe to show the AWS cognito pool ID in my html?

I am building a serverless website with AWS Cognito, Lambda, S3 and a dozen more of their services. My HTML/JS in my login page has the Cognito pool ID. How safe is this? I know that it is best practice to hide sensitive stuff. But this is not client-server. It's all client, if I'm honest. I do access some sensitive data via a Lambda call. But even this call requires some plain-text sensitive inputs like the user ID.

    <script src="https://sdk.amazonaws.com/js/aws-sdk-2.3.7.min.js"></script>
    <script>
      // Configure the SDK region and identity pool; both values are visible to anyone who loads the page
      AWS.config.region = 'XX-XXXX-1';
      AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'XX-XXXX-1:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX'
      });
      var lambda = new AWS.Lambda();
    </script>

I really don't like the pool ID visible. An attacker can copy this and brute-force my Cognito IDs. Any ideas to hide it?

asked Oct 03 '16 17:10 by Mithun Kalan

People also ask

Is Cognito pool ID secret?

They are not secret. In fact, the ID token contains the iss claim (property), which is the User Pool ID, and the aud claim, which is the App Client ID.

Is AWS Cognito safe?

Security for your apps and users: Amazon Cognito supports multi-factor authentication and encryption of data at rest and in transit. Amazon Cognito is HIPAA eligible and PCI DSS, SOC, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, and ISO 9001 compliant.

What is a Cognito pool AWS?

Using Identity Pools (Federated Identities): Amazon Cognito identity pools provide temporary AWS credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token. An identity pool is a store of user identity data specific to your account.

How do Amazon Cognito identity pools support unauthenticated identities?

Amazon Cognito Identity Pools can support unauthenticated identities by providing a unique identifier and AWS credentials for users who do not authenticate with an identity provider. If your application allows users who do not log in, you can enable access for unauthenticated identities.

When should I use an AWS Identity pool?

Use an identity pool when you need to: Give your users access to AWS resources, such as an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon DynamoDB table. Generate temporary AWS credentials for unauthenticated users.

What is a user pool in Cognito?

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.


2 Answers

Using the identity pool id to create the client is a requirement, and keeping it client side is very common. It isn't a major risk on its own, and what there is can be greatly limited with a bit of tinkering on your side.

You can mitigate the risk of exposing the identity pool id via the roles that Cognito creates and links to the pool. Through those, you can scope down the credentials that Cognito will generate for your unauthenticated/authenticated users. This blog post has more on how to do this. You could take that a step further by greatly limiting the privileges of unauthenticated users until they have logged into an authenticated identity.

answered Sep 19 '22 03:09 by Jeff Bailey
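As an added example (not part of the answer above or of AWS documentation) of the scope-down Jeff describes: the identity pool ID stays in the page, and the unauthenticated role's permission and trust policies carry the control. A typical over-broad unauthenticated permission policy sits next to a scoped-down one, followed by the trust policy that pins the role to this pool, and a small Node.js check that flags the patterns a reviewer looks for. The pool ID, account ID, bucket name and function name are placeholders.

```javascript
// Added example, not from the original post. Placeholder identifiers throughout.
const IDENTITY_POOL_ID = 'XX-XXXX-1:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX'; // placeholder, as in the question

// Weak: anyone who loads the page can invoke every Lambda function and touch every bucket.
const weakUnauthPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['lambda:*', 's3:*'], Resource: '*' },
  ],
};

// Scoped down: one function, and only the identity's own S3 prefix via the
// ${cognito-identity.amazonaws.com:sub} policy variable.
const scopedUnauthPolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: 'lambda:InvokeFunction',
      Resource: 'arn:aws:lambda:XX-XXXX-1:123456789012:function:publicLookup', // placeholder ARN
    },
    {
      Effect: 'Allow',
      Action: ['s3:GetObject', 's3:PutObject'],
      Resource: 'arn:aws:s3:::example-bucket/private/${cognito-identity.amazonaws.com:sub}/*',
    },
  ],
};

// Trust policy on the unauthenticated role. The aud condition pins the role to this
// identity pool, so a role ARN cannot be picked up by a different pool; amr restricts
// it to unauthenticated identities.
const unauthTrustPolicy = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Principal: { Federated: 'cognito-identity.amazonaws.com' },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: { 'cognito-identity.amazonaws.com:aud': IDENTITY_POOL_ID },
        'ForAnyValue:StringLike': { 'cognito-identity.amazonaws.com:amr': 'unauthenticated' },
      },
    },
  ],
};

const asList = (v) => (Array.isArray(v) ? v : [v]);

// Flag Allow statements whose Action is a bare or service-level wildcard, or whose Resource is '*'.
function findPermissionIssues(policy) {
  const issues = [];
  policy.Statement.forEach((st, i) => {
    if (st.Effect !== 'Allow') return;
    asList(st.Action).forEach((a) => {
      if (a === '*' || a.endsWith(':*')) issues.push(`statement ${i}: wildcard action ${a}`);
    });
    asList(st.Resource).forEach((r) => {
      if (r === '*') issues.push(`statement ${i}: wildcard resource`);
    });
  });
  return issues;
}

// True when some AssumeRoleWithWebIdentity statement pins the role to exactly this pool ID.
function trustPolicyPinsPool(policy, poolId) {
  return policy.Statement.some((st) => {
    const eq = (st.Condition && st.Condition.StringEquals) || {};
    return st.Action === 'sts:AssumeRoleWithWebIdentity'
      && eq['cognito-identity.amazonaws.com:aud'] === poolId;
  });
}

console.log('weak policy issues:', findPermissionIssues(weakUnauthPolicy));
console.log('scoped policy issues:', findPermissionIssues(scopedUnauthPolicy));
console.log('trust policy pinned to pool:', trustPolicyPinsPool(unauthTrustPolicy, IDENTITY_POOL_ID));
```

The lint is deliberately narrow: it catches the two mistakes that turn a public pool ID into a problem (wildcard grants to guests, and a trust policy that any pool could satisfy). Run it against the role policies exported from IAM before relying on the pool ID being harmless.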


You can put the Pool and other Cognito IDs in your HTML without much fear (if you've defined the unauthorized policies carefully), but you may want to use API Gateway (with built-in Cognito authorizer) for handling calls to other back-end services (like DynamoDB or S3) instead of using those directly from the front-end js. That's described here:

https://aws.amazon.com/blogs/mobile/aws-mobile-app-backend-with-hybrid-apps/

answered Sep 22 '22 03:09 by Jim Howard
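As an added example (not part of the answer above or of the linked AWS post) of the API Gateway route Jim suggests: a Node.js Lambda handler behind a REST API with a Cognito User Pools authorizer takes the caller's identity from the claims the authorizer already verified (event.requestContext.authorizer.claims.sub) and ignores any user ID the client puts in the request body. This addresses the "plain-text user ID" input in the question. The profile store, field names and the two sample events are constructed for the example.

```javascript
// Added example, not from the original post. The authorizer context shape is the
// REST API (v1) one; the store and events below are constructed for a local run.

// In-memory stand-in for a DynamoDB table keyed by the Cognito 'sub' claim.
const profiles = {
  'b2c3d4e5-0000-4000-8000-000000000001': { email: 'alice@example.com', plan: 'pro' },
  'b2c3d4e5-0000-4000-8000-000000000002': { email: 'bob@example.com', plan: 'free' },
};

function response(statusCode, body) {
  return {
    statusCode,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Synchronous core: returns the caller's own profile. Anything the client sends as
// "userId" is never read; identity comes only from the verified token claims.
function handleRequest(event) {
  const claims = event.requestContext
    && event.requestContext.authorizer
    && event.requestContext.authorizer.claims;
  if (!claims || !claims.sub) {
    // The authorizer should reject unauthenticated calls before they reach Lambda;
    // fail closed anyway in case a route is wired without it.
    return response(401, { error: 'no verified identity' });
  }
  const profile = profiles[claims.sub];
  if (!profile) return response(404, { error: 'no profile' });
  return response(200, { sub: claims.sub, ...profile });
}

// Lambda entry point (async, as the Node.js runtime expects).
const handler = async (event) => handleRequest(event);

// Constructed events. A real event carries many more fields; only these are used here.
function makeEvent(sub, bodyUserId) {
  return {
    httpMethod: 'GET',
    path: '/me',
    body: JSON.stringify({ userId: bodyUserId }),
    requestContext: sub ? { authorizer: { claims: { sub, token_use: 'id' } } } : {},
  };
}

// Alice's verified token, but the body claims to be Bob: Alice's profile comes back.
const aliceEvent = makeEvent(
  'b2c3d4e5-0000-4000-8000-000000000001',
  'b2c3d4e5-0000-4000-8000-000000000002',
);
// No authorizer context at all: rejected regardless of the body.
const anonEvent = makeEvent(null, 'b2c3d4e5-0000-4000-8000-000000000001');

handler(aliceEvent).then((r) => console.log('alice:', r.statusCode, r.body));
handler(anonEvent).then((r) => console.log('anon:', r.statusCode, r.body));
```

With this shape the browser still holds the pool ID and the app client ID, but the only thing it can do with the Lambda is ask for data belonging to the identity whose token it actually presents.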