- TLS (HTTPS) is enabled on all resources and endpoints.
- Each API deployment stage allows cross-origin (CORS) requests from a single origin only.
- A Content Security Policy (CSP) prevents the browser from loading or executing scripts from any source other than those explicitly allowed.
- React escapes data loaded from the database when it is rendered in JSX, so stored markup is displayed as text rather than interpreted as HTML. This protection does not cover dangerouslySetInnerHTML or javascript: URLs placed in href attributes, which must be handled separately.
- User profiles are stored and managed through AWS Cognito (user pools).
- A library developed by Amazon is used for authentication actions.
- Brute-force attacks are handled at the edge by CloudFront, the CDN. Caveat: CloudFront alone does not rate-limit clients; per-IP rate limiting at the edge comes from AWS WAF rate-based rules attached to the distribution, and Cognito additionally slows down sign-in attempts for an account after repeated failures.
- Resources that contain private user data are accessible only to authenticated users.
- User credentials are verified by an AWS-provided API Gateway authorizer (the built-in Cognito user pool authorizer), so requests without a valid token are rejected before they reach a Lambda.
- The Lambda function that queries the database can only be invoked by a whitelist of API Gateway resources: its resource-based policy restricts invocation by source ARN (API, stage, method and path).
- Lambdas are granted access to the database through identity-based IAM policies attached to their execution roles.
- Access to the AWS account by an unauthorized party.
- Credentials (session tokens) extracted from browser storage, for example by injected script. Possible mitigation: store credentials in HttpOnly cookies (with Secure and SameSite set), which script cannot read; because the browser then attaches the cookie automatically, state-changing requests must also carry a CSRF token.
- Delayed cross-device sign-out: after a global sign-out, tokens already issued to other devices stay valid until they expire. Possible mitigation: a blacklist (deny-list) of tokens invalidated by global sign-outs, checked on every request.
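The "whitelist of API Gateway resources" above is a Lambda resource-based policy whose statements are scoped with an ArnLike condition on the caller's source ARN. The following is an added example, not code from this project: it builds such a policy for two routes, evaluates which source ARNs it admits using IAM's segment-wise ArnLike matching, and lints for grants that are not pinned to a concrete API, stage and route. The region, account ID, API ID, stage names and function name are constructed placeholders.

```python
# Added example (not the project's code): the Lambda resource-based policy behind
# the "whitelist of API Gateway resources", plus an offline check of which callers
# it admits. Region, account ID, API ID, stage and function name are constructed.
import json
import re

REGION = "us-east-1"
ACCOUNT = "123456789012"      # constructed placeholder
API_ID = "abc123def4"         # constructed placeholder
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:query-profiles"


def execute_api_arn(stage: str, method: str, path: str) -> str:
    """Source ARN API Gateway presents when it invokes a Lambda:
    arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<resource-path>"""
    return f"arn:aws:execute-api:{REGION}:{ACCOUNT}:{API_ID}/{stage}/{method}/{path.lstrip('/')}"


# The whitelist: only these routes of the prod stage may invoke the function.
ALLOWED_SOURCES = [
    execute_api_arn("prod", "GET", "profile"),
    execute_api_arn("prod", "PUT", "profile"),
]


def build_resource_policy(sources=ALLOWED_SOURCES) -> dict:
    """One Allow statement per whitelisted route, scoped with ArnLike on AWS:SourceArn
    (the shape `aws lambda add-permission --source-arn ...` produces)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"AllowApiGatewayRoute{i}",
                "Effect": "Allow",
                "Principal": {"Service": "apigateway.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": FUNCTION_ARN,
                "Condition": {"ArnLike": {"AWS:SourceArn": src}},
            }
            for i, src in enumerate(sources)
        ],
    }


def _wild_to_regex(pattern: str) -> str:
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike: the six colon-delimited ARN parts are compared one by one,
    each allowing '*' (any run of characters) and '?' (exactly one character)."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(re.fullmatch(_wild_to_regex(p), a) is not None for p, a in zip(p_parts, a_parts))


def invocation_allowed(policy: dict, source_arn: str) -> bool:
    """Would API Gateway, calling on behalf of source_arn, be allowed to invoke the function?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "lambda:InvokeFunction":
            continue
        if stmt["Principal"] != {"Service": "apigateway.amazonaws.com"}:
            continue
        pattern = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        # No SourceArn condition means API Gateway acting for *any* AWS account may
        # call the function (the confused-deputy case the whitelist exists to prevent).
        if pattern is None or arn_like(pattern, source_arn):
            return True
    return False


def unscoped_statements(policy: dict) -> list:
    """Lint: Sids of API Gateway grants that are not pinned to a specific API, stage and route."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Principal") != {"Service": "apigateway.amazonaws.com"}:
            continue
        pattern = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn", "")
        resource = pattern.split(":", 5)[5] if pattern.count(":") >= 5 else ""
        api_id, _, route = resource.partition("/")
        # Missing condition, wildcard-only API id, or a stage/method/path made only of wildcards.
        if not pattern or not api_id.strip("*?") or set(route) <= set("*/?"):
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


if __name__ == "__main__":
    print(json.dumps(build_resource_policy(), indent=2))
```

The matcher is only as strict as the pattern it is given: a source of the form api-id/*/*/* still allows every stage, method and path of that API, which is why the lint treats a wildcard-only route as unscoped. The execution role's identity-based policy for the database is the other half of the picture and should be scoped to the specific table or cluster the function queries.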
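The last two risks (tokens read out of browser storage, and sign-out that does not reach other devices) share one server-side design, so one added example covers both. This is not the project's code: it keeps the session in an HttpOnly cookie, binds a double-submit CSRF token to that session for state-changing requests, and checks a revocation store on every request. The store goes slightly beyond the text's "blacklist of tokens": besides a deny-list of individual token ids it records a per-user global sign-out timestamp, so every token issued to that user before the sign-out is rejected without having to enumerate them. Tokens are HMAC-signed locally instead of being Cognito JWTs so the file runs offline; the SECRET, user names and timestamps are constructed.

```python
# Added example (not the project's code): HttpOnly session cookie + CSRF token, and a
# deny-list that makes a global sign-out take effect immediately on every device.
# SECRET, user names and timestamps are constructed; tokens are local HMAC tokens,
# not Cognito JWTs.
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-secret-rotate-me"
SESSION_TTL = 3600
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(data: bytes) -> str:
    return _b64(hmac.new(SECRET, data, hashlib.sha256).digest())


def issue_session(user: str, now: int) -> str:
    """Signed session token; claims carry a unique id (jti) and issue time (iat)
    so that single tokens and whole sign-out epochs can be revoked later."""
    claims = {"sub": user, "jti": secrets.token_hex(8), "iat": now, "exp": now + SESSION_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_sign(body.encode())}"


def parse_session(token: str, now: int):
    """Claims if the signature is valid and the token is unexpired, else None."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode()).encode()):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims["exp"] > now else None


def session_cookie_header(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps script (e.g. an XSS payload) from reading it,
    Secure limits it to TLS, SameSite adds a second barrier against CSRF."""
    return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age={SESSION_TTL}"


def csrf_token_for(session_token: str) -> str:
    """Double-submit token bound to the session: returned in a response body (readable
    by the app's script) and echoed in a header. A cross-site form can make the browser
    attach the cookie but cannot read or forge this value."""
    return _sign(b"csrf:" + session_token.encode())


class RevocationStore:
    """Deny-list consulted on every request (in production a shared store with TTLs,
    e.g. DynamoDB or Redis; here an in-memory dict)."""

    def __init__(self):
        self.revoked_jti = {}        # jti -> exp, so entries can be purged once the token would have expired anyway
        self.signed_out_before = {}  # user -> time of their last global sign-out

    def revoke_token(self, claims: dict) -> None:
        self.revoked_jti[claims["jti"]] = claims["exp"]

    def global_sign_out(self, user: str, now: int) -> None:
        """Invalidate every token issued to the user up to now, whichever device holds it."""
        self.signed_out_before[user] = now

    def is_revoked(self, claims: dict) -> bool:
        if claims["jti"] in self.revoked_jti:
            return True
        return claims["iat"] <= self.signed_out_before.get(claims["sub"], -1)

    def purge(self, now: int) -> None:
        self.revoked_jti = {j: exp for j, exp in self.revoked_jti.items() if exp > now}


def authorize_request(method: str, headers: dict, cookies: dict, store: RevocationStore, now: int):
    """Returns (status, user). 401: no valid, unrevoked session; 403: state change without CSRF proof."""
    token = cookies.get("session", "")
    claims = parse_session(token, now)
    if claims is None or store.is_revoked(claims):
        return 401, None
    if method.upper() in STATE_CHANGING:
        sent = {k.lower(): v for k, v in headers.items()}.get("x-csrf-token", "")
        if not hmac.compare_digest(sent.encode(), csrf_token_for(token).encode()):
            return 403, None
    return 200, claims["sub"]
```

Two design notes: the CSRF check is kept even though the cookie is SameSite=Strict, because SameSite depends on browser support and on the site never relaxing it for cross-site flows; and the revocation store must be shared by every Lambda instance, since an in-memory list on one container is exactly what lets a sign-out on one device lag on another.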