Best Security Practices with Amazon Location Services API Keys

0

Hey there, I have been playing around with the amazon location service api for a little bit now, and have been able to operate with the amazon location service maps pretty well using react/maplibreGL.

I am currently using the map as such:

            <Map
            mapStyle={`https://maps.geo.${region}.amazonaws.com/maps/v0/maps/${mapName}/style-descriptor?key=${apiKey}`}
            >
            </Map>

This works perfectly fine, and makes requests for tiles such as : https://maps.geo.us-{REGION}-2.amazonaws.com/maps/v0/maps/{MAP}/tiles/14/2738/6231?key={my key}

My main question, is that in a production environment, other than setting the referrer's as the front end's url, are there any concerns with the token being exposed to the end user in the query parameters? Or are there better practices regarding security here.

1개 답변
3
수락된 답변

For the best security practices with Amazon Location Services API keys, the main recommendation is to avoid exposing the API keys directly on the client-side.

Instead, implement server-side proxying, where your client-side code makes requests to your server, and the server then forwards the requests to the Amazon Location Service API, including the API key. This way, the API key is never exposed to the client.

Additionally, you can leverage AWS Identity and Access Management (IAM) roles if your application is running on AWS infrastructure, which eliminates the need to embed API keys in your code. It's also crucial to restrict API key access based on specific criteria, rotate API keys regularly, monitor API usage, implement rate limiting, and keep your dependencies up-to-date.

profile picture
전문가
답변함 2달 전
profile picture
전문가
검토됨 2달 전
profile picture
전문가
검토됨 2달 전
  • Yeah that is really what I figured, which is what brought me here. Server side proxying it is. Thanks!

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠