Amazon Cognito's security model is not dependent on the secrecy of the client ID or the user pool ID. Given this, the AWS Amplify framework is not introducing a security issue by exposing those values. The secrets associated with specific users (e.g., passwords) must still be protected by your application code.
The broader concern you describe with respect to a malicious site masquerading as your own is valid, but would also apply to any public-facing website. Fortunately, AWS Cognito and the broader AWS ecosystem provide some features that could help you further secure your application against this:
- Multi-Factor Authentication - Limits the usefulness of any credentials by introducing dynamic login information
- User Pool Advanced Security - Can identify suspicious login activity and temporarily block or require MFA sign-in
- Web Application Firewalls - Can set up rules for identifying potentially malicious login behavior and blocking it before reaching the AWS Cognito user pool
You might also find this blog post on controlling access to user pools useful in your research. Based on what I gather of your use case, I'm not positive it will directly address your question, but I hope it helps!