I am building a serverless website with AWS Cognito, Lambda, S3 and a dozen more of their services. My HTML/JS in my login page has the Cognito pool ID. How safe is this? I know that it is best practice to hide sensitive stuff. But this is not client-server. It's all client if I'm honest. I do access some sensitive data via a Lambda call. But even this call requires some plain-text sensitive inputs like the user ID.
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.3.7.min.js"></script>
<script>
  AWS.config.region = 'XX-XXXX-1';
  AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'XX-XXXX-1:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX'
  });
  var lambda = new AWS.Lambda();
</script>
I really don't like the poolID visible. An attacker can copy this and brute force my Cognito IDs. Any ideas to hide it?
Using the identity pool id to create the client is a requirement, and keeping it client side is very common. It isn't a major risk on its own, and what there is can be greatly limited with a bit of tinkering on your side.
You can mitigate the risk of exposing the identity pool id via the roles that Cognito creates and links to the pool. Through those, you can scope down the credentials that Cognito will generate for your unauthenticated/authenticated users. This blog post has more on how to do this. You could take that a step further by greatly limiting the privileges of unauthenticated users until they have logged into an authenticated identity.
I also have the same concern and planned to use either PHP or Node.js to keep the Cognito pool ID and client ID on the server side (EC2 for instance). I was however frustrated to find out that Amazon changed their mind and did not include Cognito User Pools client side SDK support.
Has anyone connected to a user pool from a lambda written in Node
Hopefully this will be included in future releases.
I suspect that the same is true for php.
One alternative would be to use one of the JavaScript obfuscators, such as this one: javascriptObfuscator, to at least hide keys or IDs from someone just looking at the page source.
You can put the Pool and other Cognito IDs in your HTML without much fear (if you've defined the unauthorized policies carefully), but you may want to use API Gateway (with built-in Cognito authorizer) for handling calls to other back-end services (like DynamoDB or S3) instead of using those directly from the front-end js. That's described here:
https://aws.amazon.com/blogs/mobile/aws-mobile-app-backend-with-hybrid-apps/
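The answers above rest on scoping down the role that the identity pool hands to unauthenticated users. The following is an added example, not code from any of the posts or from AWS: a Node.js check that flags over-broad statements in the policy attached to that role. The allow-list, function name, account ID and ARNs are constructed placeholders.

```javascript
// Added example: audit the IAM policy attached to a Cognito identity pool's
// unauthenticated role. Allow-list and ARNs are constructed placeholders.
const ALLOWED = { // assumption: guests may only invoke one public function
  'lambda:invokefunction': ['arn:aws:lambda:us-east-1:111122223333:function:publicCatalog'],
};
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function auditUnauthPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return; // Deny statements only narrow access
    if (stmt.NotAction || stmt.NotResource) {
      findings.push(`Statement ${i}: NotAction/NotResource allows everything not listed`);
      return;
    }
    for (const raw of asArray(stmt.Action)) {
      const action = raw.toLowerCase(); // IAM action names are case-insensitive
      if (action.includes('*')) {
        findings.push(`Statement ${i}: wildcard action "${raw}"`);
        continue;
      }
      const allowedResources = ALLOWED[action];
      if (!allowedResources) {
        findings.push(`Statement ${i}: action "${raw}" is not on the guest allow-list`);
        continue;
      }
      for (const res of asArray(stmt.Resource)) {
        if (!allowedResources.includes(res)) {
          findings.push(`Statement ${i}: "${raw}" granted on unexpected resource "${res}"`);
        }
      }
    }
  });
  return findings;
}

// Constructed sample policies: an over-broad guest role and a scoped-down one.
const broadPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['lambda:*', 'dynamodb:GetItem'], Resource: '*' }],
};
const scopedPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'lambda:InvokeFunction',
    Resource: 'arn:aws:lambda:us-east-1:111122223333:function:publicCatalog' }],
};
console.log(auditUnauthPolicy(broadPolicy));
console.log(auditUnauthPolicy(scopedPolicy));
```

With a policy that passes this check, a copied pool ID yields credentials that can do no more than the guest allow-list permits.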