Is it safe to show the AWS cognito pool ID in my html?


Question


I am building a serverless website with AWS Cognito, Lambda, S3 and a dozen more of their services. My HTML/JS in my login page has the cognito pool ID. How safe is this? I know that it is best practice to hide sensitive stuff. But this is not client-server. It's all client if I'm honest. I do access some sensitive data via a lambda call. But even this call requires some plain-text sensitive inputs like the user ID.

    <script src="https://sdk.amazonaws.com/js/aws-sdk-2.3.7.min.js"></script>
    <script>
        // Region and identity pool ID are shipped to every visitor in this page
        AWS.config.region = 'XX-XXXX-1';
        AWS.config.credentials = new AWS.CognitoIdentityCredentials({
            IdentityPoolId: 'XX-XXXX-1:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX'
        });
        // Lambda client uses whatever credentials Cognito hands back for this identity
        var lambda = new AWS.Lambda();
    </script>


I really don't like the poolID visible. An attacker can copy this and brute force my cognito IDs. Any ideas to hide it?

Recommended answer


Using the identity pool id to create the client is a requirement, and keeping it client side is very common. It isn't a major risk on its own, and what there is can be greatly limited with a bit of tinkering on your side.


You can mitigate the risk of exposing the identity pool id via the roles that Cognito creates and links to the pool. Through those, you can scope down the credentials that Cognito will generate for your unauthenticated/authenticated users. This blog post has more on how to do this. You could take that a step further by greatly limiting the privileges of unauthenticated users until they have logged into an authenticated identity.
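The scoping the answer describes, as an added CloudFormation example that is not part of the original answer: the unauthenticated role trusts only Cognito Identity, only this pool (the question's placeholder pool ID), and only unauthenticated identities, and its permissions policy allows a single Lambda invocation. The account ID 123456789012 and the function names are placeholders.

```yaml
Resources:
  UnauthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: who may assume this role. Even with the pool ID in hand,
      # a caller only gets credentials bound to THIS pool and THIS role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: "XX-XXXX-1:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX"
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: unauthenticated
      Policies:
        - PolicyName: guest-minimal
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Permissions policy: a guest may invoke exactly one function
              # (placeholder name) and nothing else in the account.
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: arn:aws:lambda:XX-XXXX-1:123456789012:function:PublicLoginHelper
  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                cognito-identity.amazonaws.com:aud: "XX-XXXX-1:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX"
              ForAnyValue:StringLike:
                cognito-identity.amazonaws.com:amr: authenticated
      Policies:
        - PolicyName: user-scoped
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Logged-in users get the function that touches sensitive data
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: arn:aws:lambda:XX-XXXX-1:123456789012:function:SensitiveDataReader
  RoleAttachment:
    # Binds the two roles to the pool so Cognito vends them by authentication state
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: "XX-XXXX-1:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX"
      Roles:
        unauthenticated: !GetAtt UnauthenticatedRole.Arn
        authenticated: !GetAtt AuthenticatedRole.Arn
```

With this in place, copying the pool ID out of the page yields at most the guest role's single permission; the sensitive Lambda is reachable only after a real login.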
