Security
Protections
SSL
- SSL is enabled on all resources and endpoints.
CORS
- API deployments allow access from one origin per stage.
XSS
- A content security policy prevents the browser from downloading or executing scripts from unauthorized sources.
- React escapes input loaded from a database.
Authentication
- User profiles are stored and managed through AWS Cognito.
- A library developed by Amazon is used for authentication actions like.
Authorization
- Brute-force attacks are handled by CloudFront, the CDN.
- Resources that contain private user data are only accessible to authenticated users.
- User credentials are verified using an AWS-provided Authorizer.
- Access to the Lambda function that queries the database is based on a whitelist of API Gateway resources.
- Access to the database is granted to Lambdas through Identity-Based Policies (IAM Policies).
Vulnerabilities
- Access to the AWS account by an unauthorized party.
- Credentials extracted from browser storage. Possible mitigation: storing credentials in HttpOnly cookies, combined with CSRF tokens.
- Delayed cross-device sign-out. Possible mitigation: a blacklist of tokens invalidated during global sign-outs.
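One way to implement the token blacklist mentioned for the delayed cross-device sign-out item, as an added example that is not part of the project's code. Tokens are modelled as dicts carrying the standard JWT claims `jti`, `sub`, `iat` and `exp` (constructed here, not decoded from real Cognito tokens), signature verification is assumed to have already passed, and the 3600-second token lifetime is an assumed upper bound.

```python
# Added example, not the project's own code: a revocation list consulted by the
# authorizer after the token's signature and expiry have been checked. Tokens are
# constructed dicts with the JWT claims jti, sub, iat and exp (epoch seconds).
import time


class RevocationList:
    """Blacklist of tokens invalidated by single-device or global sign-outs."""

    def __init__(self, max_token_lifetime=3600):
        # Assumed upper bound on token lifetime; entries older than this are dead weight.
        self.max_token_lifetime = max_token_lifetime
        self._revoked_jti = {}   # jti -> exp: entry is only needed until the token expires
        self._sign_out_at = {}   # sub -> time of the user's last global sign-out

    def revoke_token(self, token):
        """Single-device sign-out: the server has this exact token in hand."""
        self._revoked_jti[token["jti"]] = token["exp"]

    def global_sign_out(self, sub, now):
        """Cross-device sign-out: the server never saw the other devices' tokens,
        so it records a cutoff and rejects anything issued at or before it."""
        self._sign_out_at[sub] = now

    def prune(self, now):
        """Keep the list bounded: drop entries that no still-valid token could match."""
        self._revoked_jti = {j: e for j, e in self._revoked_jti.items() if e > now}
        # A token issued at or before the cutoff has expired once max_token_lifetime passed.
        self._sign_out_at = {s: t for s, t in self._sign_out_at.items()
                             if now - t <= self.max_token_lifetime}

    def is_revoked(self, token, now):
        if token["jti"] in self._revoked_jti:
            return True
        cutoff = self._sign_out_at.get(token["sub"])
        # "<=" is deliberate: a token minted in the same second as the sign-out is rejected.
        return cutoff is not None and token["iat"] <= cutoff


def authorize(token, revocations, now=None):
    """Return ("Allow"|"Deny", reason), the decision a Lambda authorizer would emit."""
    now = time.time() if now is None else now
    if token["exp"] <= now:
        return "Deny", "expired"
    if revocations.is_revoked(token, now):
        return "Deny", "revoked"
    return "Allow", "ok"
```

The per-user cutoff is what closes the cross-device gap: a sign-out on one device invalidates tokens the server never saw on the others, while the jti entries cover the ordinary single-device case.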