1
votes

When working with Cognito Identity Pools (federated identities), what's the best practice for storing the unique ids of the pools that my users will need to have access to? I'm thinking about them as secrets, as they're required for use with the API actions needed to get credentials for working with secure resources (e.g. GetId, GetCredentialsForIdentity), which are public APIs.

1
IdentityPoolIds are meant to be used in the client; it is just a pointer to the service, not a decryption key or secret. The security of an identity pool stands on the role and policies you have attached to it. - Matteo
Read this: hackernoon.com/authentication-with-aws-cognito-bc8d1484600b. Although I do not understand why Postgres is chosen over DynamoDB. - MikiBelavista

1 Answer

0
votes

What Matteo has stated in the comments is the right concept. The Identity ID/Identity Pool ID itself is not a sensitive piece of information. Identity ID is defined as a unique identifier for the Identity Pool, and it can be operated on in the client side of your application.

For security, you would need to make sure the JWT token from the User Pool is passed to the Identity Pool API call in a secure fashion (or wherever you are getting the token from, be it Facebook/Twitter/etc).
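
The comment and answer above place the security boundary in the IAM roles attached to the pool rather than in the pool ID. As an added example (not part of the original posts), this checks that a role's trust policy only lets identities from one pool, in the expected authentication state, assume it. The pool ID and sample policies are constructed; the `aud` and `amr` condition keys are the ones Cognito Identity uses in role trust policies.

```python
import json

FEDERATED = "cognito-identity.amazonaws.com"
# Constructed placeholder pool ID, not a real pool.
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, pool_id, expected_amr="authenticated"):
    """Return findings for statements that let Cognito Identity assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if FEDERATED not in _as_list(principal.get("Federated", [])):
            continue
        cond = stmt.get("Condition", {})
        # aud pins the role to one pool; without it the role is not tied to a pool.
        aud = _as_list(cond.get("StringEquals", {}).get(FEDERATED + ":aud", []))
        if aud != [pool_id]:
            findings.append(f"statement {i}: aud is not pinned to {pool_id}")
        # amr is multi-valued, so it sits under a ForAnyValue: set operator.
        amr = []
        for operator, keys in cond.items():
            if operator.startswith("ForAnyValue:"):
                amr += _as_list(keys.get(FEDERATED + ":amr", []))
        if amr != [expected_amr]:
            findings.append(f"statement {i}: amr is not restricted to {expected_amr}")
    return findings

def trust_policy(condition):
    """Build a constructed sample trust policy with the given Condition block."""
    stmt = {"Effect": "Allow", "Principal": {"Federated": FEDERATED},
            "Action": "sts:AssumeRoleWithWebIdentity"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

PINNED = trust_policy({
    "StringEquals": {FEDERATED + ":aud": POOL_ID},
    "ForAnyValue:StringLike": {FEDERATED + ":amr": "authenticated"}})
OPEN = trust_policy(None)  # trusts Cognito Identity with no conditions

if __name__ == "__main__":
    for name, policy in (("PINNED", PINNED), ("OPEN", OPEN)):
        print(name, json.dumps(audit_trust_policy(policy, POOL_ID), indent=2))
```

Run the same check with `expected_amr="unauthenticated"` against the role assigned to guest identities.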