Goddard

Reputation: 813

What are the security vulnerabilities for AWS DynamoDB accessing directly from client (web app) using AWS Cognito & IAM role based

The client app (a web app using client-side JavaScript) accesses AWS DynamoDB directly (using aws-sdk), and access to DynamoDB is authenticated by AWS Cognito. All users must log in with AWS Cognito to access AWS DynamoDB.

For the above serverless application (a client-side JavaScript application accessed from the browser), what are the security vulnerabilities of this architecture?

Upvotes: 4

Views: 2983

Answers (4)

Hillel Solow

Reputation: 196

To build on what others have already written, while you certainly can do this, in most cases, it can easily leave you exposed if you're not careful. Getting the permissions right, especially if your DynamoDB tables contain data that belongs to more than one user, can be tricky and error-prone.

The suggestion to put an AWS Lambda function in between can be helpful. Another option I wanted to point out is that you can directly front DynamoDB with API Gateway. This has several potential advantages:

  • You can use different (or even no) authorization schemes for accessing the database
  • You can do validation tasks in the API Gateway before and after the calls to DynamoDB
  • You can leverage caching better on some types of requests (for example, a Query request would normally be a POST request which can't usually be cached; API Gateway could expose a query as a GET request, allowing the results to be cached downstream)

For more information, see an example from AWS here: https://aws.amazon.com/blogs/compute/using-amazon-api-gateway-as-a-proxy-for-dynamodb/

Upvotes: 1

Ashan

Reputation: 19758

For small, single-user (without groups and roles) web applications, you can use Cognito and DynamoDB Fine-Grained Access Control to provide row-level access control for tables for authenticated users, which could ideally provide a secured architecture. However, there are several in practically implementing security and other factors.

  • A single IAM policy change can potentially create a high-risk security breach for data access.
  • An authenticated user can harm the system by overusing DynamoDB, leading to a significant increase in DynamoDB costs.
  • Not able to provide role-based access control.
  • DynamoDB table schema limitations to support Fine-Grained Access Control for Cognito authenticated users, which could potentially limit query performance.
  • Not able to use encryption at rest (encrypt data in the DynamoDB table, e.g. using AWS KMS)

Upvotes: 2

Guy

Reputation: 12939

You need to make sure that the permissions that you are giving to the users through Cognito are as restricted as possible. The most obvious one is that they will have read-only permission; otherwise, users will be able to tweak your code to delete, update or put items into your table.

The other risk is that users will be able to access data of other users on the same table. If your table contains data for each one of your users (profile, for example) and you want to allow each user to quickly retrieve his profile, users will be able to tweak your code to read data from other users. You can restrict that using Fine-Grained Access Control (http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html), which will allow a user to read (or write) only a record with his user_id.

You can consider putting an AWS Lambda between the user and the DynamoDB table to make more checks on the input, as well as to activate the DynamoDB stream to capture every change to the table to recover from changes made by mistake (even with the right permissions).

Upvotes: 4
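
The per-user restriction described in the answer above (Fine-Grained Access Control limiting each user to the record with their own user id, plus read-only access), as an added example that is not part of the original answers: a JavaScript check over the IAM policy attached to the Cognito authenticated role. `auditPolicy` is a hypothetical helper, the two policy documents, table name and account id are constructed placeholders, and it assumes the table's partition key holds the Cognito identity id.

```javascript
// Added example: audit the IAM policy given to Cognito-authenticated browser users.
const SUB = '${cognito-identity.amazonaws.com:sub}'; // IAM policy variable for the caller's identity id
const WRITE = /^dynamodb:(PutItem|UpdateItem|DeleteItem|BatchWriteItem)$/i;
const asArray = v => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function auditPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((st, i) => {
    if (st.Effect !== 'Allow') return;
    const actions = asArray(st.Action)
      .filter(a => a === '*' || a.toLowerCase().startsWith('dynamodb:'));
    if (actions.length === 0) return;
    const id = st.Sid || `statement[${i}]`;
    if (actions.some(a => a.includes('*')))
      findings.push(`${id}: wildcard action`);
    if (actions.some(a => /^dynamodb:Scan$/i.test(a)))
      findings.push(`${id}: Scan returns items regardless of the leading key`);
    if (actions.some(a => WRITE.test(a)))
      findings.push(`${id}: write access granted to browser clients`);
    // Per-user isolation: the partition key must equal the caller's own identity id.
    const cond = (st.Condition || {})['ForAllValues:StringEquals'] || {};
    const keys = asArray(cond['dynamodb:LeadingKeys']);
    if (keys.length !== 1 || keys[0] !== SUB)
      findings.push(`${id}: not limited to the caller's own partition key`);
  });
  return findings;
}

// Constructed sample policies (placeholder account id and table name).
const TABLE = 'arn:aws:dynamodb:us-east-1:111122223333:table/ExampleProfiles';
const weakPolicy = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'WholeTable', Effect: 'Allow', Resource: TABLE,
    Action: ['dynamodb:Scan', 'dynamodb:GetItem', 'dynamodb:DeleteItem'] }]
};
const scopedPolicy = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'OwnRowsReadOnly', Effect: 'Allow', Resource: TABLE,
    Action: ['dynamodb:GetItem', 'dynamodb:Query'],
    Condition: { 'ForAllValues:StringEquals': { 'dynamodb:LeadingKeys': [SUB] } } }]
};

console.log(auditPolicy(weakPolicy));
console.log(auditPolicy(scopedPolicy));
```
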

Gustavo Tavares

Reputation: 2805

When you put your code inside your web app, it will be available to anyone with the proper knowledge to perceive your backend architecture, in terms of Table, Index and Keys names.

The best practice in application security is to not make this kind of information available to anyone. Someone with the knowledge and motivation can use this internal information to develop a vector to try to exploit your environment.

The AWS environment provides a secure architecture. But if you can make your environment a little bit harder for exploiters, maybe they will look for something else or someone else's environment.

Upvotes: 2
