How sensitive is my identity pool id?

做~自己de王妃 submitted on 2019-12-23 12:52:23

Question


Background

I've been working on a front-end JavaScript application that consumes AWS resources (mostly Lambdas behind API Gateway). The API Gateway resources are protected with IAM, and the app uses most of what Cognito offers accordingly.

This includes an Identity Pool with Unauthenticated Identities enabled, and federation with both a Cognito User Pool and multiple social and custom OIDC providers. Cognito is interacted with solely from our front-end JavaScript code, using Amazon's SDK.

Unauthenticated Identities

The sensitivity of the ID pool id applies to all my use cases, but I'm most curious about the Unauthenticated use case. We've been following what seems to be Amazon's suggested approach: Use Cognito or STS to get IAM keys, and use those keys to access AWS resources. I've even been spreading this gospel.

This is all well and good, but it does require me to expose my identity pool id to the front end. And the identity pool id is the only thing you need to get IAM keys for your Unauthenticated IAM role.

Theoretically, any attacker could grab my identity pool id and start abusing my resources (that are allowed for the Unauth IAM role) using the same Amazon SDKs that I use.

The Question(s)

  • In a general sense, how sensitive should I consider an identity pool id to be? Is it just A-ok to show this to anybody?
  • If I decide it is sensitive enough to not expose to the browser, how do I deal with that? Where and how do I hide it and get to it?
  • In any case, should I "bake in" a way to rotate the id frequently?
  • Are there (types of) use cases where it's ok to expose the id, and cases where it isn't?

The answer(s) I'm looking for

As noted in the linked answer above, my understanding is that the Unauthenticated Identities thing isn't bulletproof, and only provides a reasonable level of confidence that it's your app on the other end of the line. In other words, while not impossible, it is at least reasonably difficult for someone to abuse your AWS back end using this model.

In addition to the bullet points above, I'd appreciate any critique of this understanding. Am I underselling the security around unauthenticated IAM access to AWS? Overselling it?

Disclaimers

I'll admit this question smells a lot like this one. I'm not asking about hard coding the identity pool id in my application; this is already fetched from a web service. However, it's still completely exposed to the front end, and you can argue that it's actually easier to pull it out of an AJAX response than out of minified code.

I do lock the Unauth role down as tight as I can, and I understand that allowing anonymous access to stuff can only be so secure.

Source: https://stackoverflow.com/questions/47170717/how-sensitive-is-my-identity-pool-id
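
Because the question states that the identity pool id alone is enough to obtain credentials for the Unauth role, what that id exposes is bounded by the role's policy. The following is an added example, not part of the original question: it checks an IAM policy document for statements broader than invoking explicitly listed API Gateway routes. The function name `auditUnauthPolicy`, the sample policies, the account id and the API id are constructed placeholders, and the "explicit routes only" rule is an assumption about how tight the role should be.

```javascript
// Added example: audit the policy attached to a Cognito Unauth role.
// Assumption: the role should only allow execute-api:Invoke on explicitly listed routes.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function auditUnauthPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return; // Deny statements only narrow access
    const id = stmt.Sid || `statement[${i}]`;
    // Allow + NotAction/NotResource grants everything except the listed items.
    if (stmt.NotAction || stmt.NotResource) {
      findings.push(`${id}: Allow with NotAction/NotResource`);
    }
    for (const action of asArray(stmt.Action)) {
      // IAM action names are case-insensitive.
      if (action.toLowerCase() !== "execute-api:invoke") {
        findings.push(`${id}: action ${action} is not execute-api:Invoke`);
      }
    }
    for (const resource of asArray(stmt.Resource)) {
      // Expected shape: arn:aws:execute-api:region:account:api-id/stage/METHOD/path
      const parts = resource.split(":");
      const path = parts.slice(5).join(":");
      if (parts[2] !== "execute-api") {
        findings.push(`${id}: resource ${resource} is not an execute-api ARN`);
      } else if (path.split("/").length < 4 || path.includes("*")) {
        findings.push(`${id}: resource ${resource} has a wildcard or no explicit route`);
      }
    }
  });
  return findings;
}

// Constructed sample policies (account id and API id are placeholders).
const broadPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "Api", Effect: "Allow", Action: "execute-api:Invoke",
      Resource: "arn:aws:execute-api:us-east-1:111122223333:abc123/*" },
    { Sid: "Misc", Effect: "Allow", Action: ["s3:GetObject", "lambda:*"], Resource: "*" },
  ],
};
const tightPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "PublicRoutes", Effect: "Allow", Action: "execute-api:Invoke",
      Resource: ["arn:aws:execute-api:us-east-1:111122223333:abc123/prod/GET/catalog"] },
  ],
};
console.log(auditUnauthPolicy(broadPolicy)); // four findings
console.log(auditUnauthPolicy(tightPolicy)); // no findings
```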
