I'm using the client-side Cognito JavaScript SDK. Part of the setup requires configuring region, UserPoolId, ClientId, and identityPoolId. During testing, I'm including the data via a separate file that users could look through and use to discover these Cognito ids.
Is it safe to expose these ids to the end user?
Otherwise, how do I do this safely?
There's a post by AWS on their forums that addresses this.
Please note that with userPoolId and clientId, only unauthenticated APIs can be called, e.g. SignUp, authenticate, forgotPassword, etc. So userPoolId and clientId alone are not enough to do any malicious activity on your user pool.
Source is https://forums.aws.amazon.com/thread.jspa?threadID=245752&tstart=200
An alternative is to use API Gateway with the Cognito authorizer for handling calls to other back-end services (like DynamoDB or S3) instead of using those directly from the front-end js. That's described here:
https://aws.amazon.com/blogs/mobile/aws-mobile-app-backend-with-hybrid-apps/
If you are using authenticated identities (when you use Cognito User Pools, then it is authenticated identities), then even if an attacker gets hold of the identityId, they cannot get AWS credentials without providing the id token, which can only be obtained by providing authentication credentials (username and password).
P.S.: It is always advised to use authenticated identities, and even if you have a use case for unauthenticated identities, it is better to keep the access minimal in the role for unauthenticated identities.
I have a solution that invokes a particular Lambda function using IAM unauthenticated credentials. The flow is like this:
- Create a Cognito identity pool for an unauthenticated provider
- Associate that Cognito identity pool with an IAM role policy for the unauthenticated amr
- Give that IAM role permission to invoke the Lambda authentication functions (login, signup, forgot, confirm, etc.)
So here, the client apps only need to get their unauthenticated identity credentials to invoke the Lambda authentication function. We store the clientID & userPoolID in the Lambda, not in the client apps.
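Tying the P.S. in the previous answer (keep the unauthenticated role minimal) to the flow above, here is an added Node example, not code from any of the answers: it builds the trust policy that limits the role to this identity pool's unauthenticated (amr) identities, builds a permissions policy that grants lambda:InvokeFunction on the named authentication functions only, and audits any policy document for wildcard or out-of-scope grants. The region, account id, identity pool id and function names are constructed placeholders.

```javascript
// Added example (not from any answer): IAM policies for the Cognito unauthenticated
// role in the flow above, plus an audit for over-broad grants. All ids are placeholders.
const REGION = "us-east-1";
const ACCOUNT_ID = "123456789012";
const IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000";
// The only entry points the unauthenticated role may invoke (login, signup, forgot, confirm).
const AUTH_FUNCTIONS = ["auth-login", "auth-signup", "auth-forgot", "auth-confirm"];
// Trust policy: only this identity pool, and only its unauthenticated (amr) identities.
function buildUnauthTrustPolicy(identityPoolId = IDENTITY_POOL_ID) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: "cognito-identity.amazonaws.com" },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        StringEquals: { "cognito-identity.amazonaws.com:aud": identityPoolId },
        "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" },
      },
    }],
  };
}
// Permissions policy: one explicit function ARN per entry point, no wildcards.
function buildUnauthPolicy(functionNames = AUTH_FUNCTIONS, region = REGION, accountId = ACCOUNT_ID) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "InvokeAuthLambdasOnly",
      Effect: "Allow",
      Action: ["lambda:InvokeFunction"],
      Resource: functionNames.map((n) => `arn:aws:lambda:${region}:${accountId}:function:${n}`),
    }],
  };
}
// Audit: returns the Allow grants an unauthenticated role should never carry.
function auditUnauthPolicy(policy) {
  const findings = [];
  for (const stmt of policy.Statement || []) {
    if (stmt.Effect !== "Allow") continue;
    for (const a of [].concat(stmt.Action || [])) {
      if (a === "*" || a.endsWith(":*")) findings.push(`wildcard action ${a}`);
      else if (a !== "lambda:InvokeFunction") findings.push(`action outside auth flow ${a}`);
    }
    for (const r of [].concat(stmt.Resource || [])) {
      if (r === "*" || r.endsWith("*")) findings.push(`wildcard resource ${r}`);
    }
  }
  return findings;
}
```

Run the audit against the role's actual policy document (e.g. the output of `aws iam get-role-policy`) in CI so a later edit cannot quietly widen what anonymous visitors can invoke.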