I have a backend app that provides measurement data through the use of REST API.

Now, I'm creating a frontend app that can visualize and query that data depending on parameters such as city, fromDateTime, tillDateTime, sponsorId etc.

I'd like to assign attributes to specific users that would describe how visualization should look like and what exactly they can query from my REST API. For example, a specific sponsor of measurement devices can only see data from the devices they bought.

However, I'd like them to be able to make their data public. How to do that?

I thought, in that kind of situation, I could make a new user with appropriate attributes and make its credentials public. Then, create a URL with something like /user/{username}/data/ in the path. The username could be randomly generated and the password could be the same to all public users and could be hardcoded into the frontend app.

What do you think about this approach? Is it a good idea? Is it secure? Maybe there's another better way to do that?

Sounds like part of your application is only available to authenticated users and part of it to unauthenticated (public) users.

You are already using Cognito for the authenticated users. Sounds like you've done the hard part of locking that data down to the right users. The question is, why would you involve Cognito at all for your unauthenticated users? Sounds like the right answer would be to put the public data in a location that is publicly accessible in your application.

EDIT: I would not use Cognito to store application data. Whilst your data may relate to a user, it doesn't sound like authentication and authorisation data. More importantly, if you are accessing this data frequently for application purposes, Cognito is not scalable in the same way as something like DynamoDB. If you are still in design phase, I think perhaps you should look at putting this data into a database instead of Cognito.