Should I use Cognito Identity pool for unauthenticated user to call API gateway

0

Hi. So I am working on a "contact-us" form of a website for a company. Anyone can fill out the form and submit it, which would call API Gateway, which, through a Lambda function, commits the message into DynamoDB and also posts it into AWS SQS. Due to the nature of the use case, an unauthenticated user can submit the form. So now, the choice that I am facing is whether to use a Cognito identity pool for securing the API Gateway call. As it is an unauthenticated user, exposing the identity pool ID and region in client-side JavaScript is enough to give a malicious user access to the API. So should I even bother with authentication? What if I leave it unauthenticated and throttle the requests in API Gateway? Are there any other options for securing the API? As I am new to AWS, any advice of yours would be appreciated. Thanks

1 answer
0
Accepted answer

Hi.

Sounds like this is a classic case of an unauthenticated API. I wouldn't bother using an Identity Pool; as you say, anyone could extract the information from your webpage and submit a massive amount of responses anyway. I would make sure to set up a rate limit and throttling to avoid easy flooding. Make sure to use AWS WAF to block the most common attacks and set a rate limit. Make sure you set up CloudWatch alarms to detect a flood of responses, basically detecting a flooding attack. Create automation to "shut down" the API in case the alarm goes off. That is how I would solve it.

Hope that helps!

Expert
answered 10 months ago
Expert
reviewed 1 month ago
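The last step of the accepted answer, the automation that "shuts down" the API when the flood alarm fires, is the part with the least obvious shape, so here is an added example of it (not code from the original post or from AWS). It is a Lambda handler that consumes a CloudWatch alarm notification delivered via SNS and, while the alarm is in ALARM, sets the stage-wide API Gateway throttle to 0 requests per second (which rejects every request); when the alarm returns to OK it restores a normal throttle. The alarm name, the `REST_API_ID`/`STAGE_NAME` environment variables, the normal throttle values and the sample event are all assumptions constructed for the example; the `update_stage` patch paths `/*/*/throttling/rateLimit` and `/*/*/throttling/burstLimit` are the documented stage-level method-setting paths. The API Gateway client is injected so the logic runs offline against a fake client.

```python
"""Hypothetical alarm-driven circuit breaker for an API Gateway stage.

Added example, not the original poster's code. Assumes a CloudWatch alarm
on the API's request count whose action is an SNS topic that invokes
this Lambda, with REST_API_ID and STAGE_NAME set as environment variables.
"""
import json
import os

# Stage-level throttle paths accepted by apigateway.update_stage patch operations.
RATE_PATH = "/*/*/throttling/rateLimit"
BURST_PATH = "/*/*/throttling/burstLimit"

# Normal throttle to restore when the alarm clears (assumed values).
NORMAL_RATE = 50
NORMAL_BURST = 100


def throttle_patch_ops(rate_limit, burst_limit):
    """Build patch operations that set the stage-wide throttle.

    Values are strings because the API expects string patch values.
    A rate/burst of 0/0 rejects every request, which is the "shut down".
    """
    return [
        {"op": "replace", "path": RATE_PATH, "value": str(rate_limit)},
        {"op": "replace", "path": BURST_PATH, "value": str(burst_limit)},
    ]


def alarm_states(event):
    """Extract (alarm_name, new_state) pairs from an SNS-wrapped alarm event."""
    states = []
    for record in event.get("Records", []):
        message = json.loads(record["Sns"]["Message"])
        states.append((message["AlarmName"], message["NewStateValue"]))
    return states


def handle(event, client, rest_api_id, stage_name):
    """Apply the throttle change for each alarm transition in the event.

    ALARM -> throttle 0/0 (shut the stage); OK -> restore NORMAL_RATE/BURST;
    INSUFFICIENT_DATA and anything else is ignored.
    """
    actions = []
    for name, state in alarm_states(event):
        if state == "ALARM":
            ops = throttle_patch_ops(0, 0)
        elif state == "OK":
            ops = throttle_patch_ops(NORMAL_RATE, NORMAL_BURST)
        else:
            continue
        client.update_stage(
            restApiId=rest_api_id, stageName=stage_name, patchOperations=ops
        )
        actions.append({"alarm": name, "state": state, "rateLimit": ops[0]["value"]})
    return {"actions": actions}


def lambda_handler(event, context):
    """Real entry point: boto3 is imported lazily so the module loads without the SDK."""
    import boto3

    client = boto3.client("apigateway")
    return handle(event, client, os.environ["REST_API_ID"], os.environ["STAGE_NAME"])


# Constructed sample notification, shaped like the SNS message CloudWatch sends
# when an alarm transitions into ALARM (only the fields used above are included).
SAMPLE_ALARM_EVENT = {
    "Records": [
        {
            "Sns": {
                "Message": json.dumps(
                    {
                        "AlarmName": "contact-form-flood",
                        "NewStateValue": "ALARM",
                        "NewStateReason": "Threshold crossed: request count above limit",
                    }
                )
            }
        }
    ]
}


class FakeApiGatewayClient:
    """Offline stand-in for boto3's apigateway client; records the calls it receives."""

    def __init__(self):
        self.calls = []

    def update_stage(self, **kwargs):
        self.calls.append(kwargs)
        return {"stageName": kwargs["stageName"]}


if __name__ == "__main__":
    fake = FakeApiGatewayClient()
    print(handle(SAMPLE_ALARM_EVENT, fake, "EXAMPLE-REST-API-ID", "prod"))
    print(fake.calls)
```

Pair this with a second, manual step to re-open the API once you have reviewed the traffic, or rely on the OK transition as shown; either way the alarm threshold should sit well above the legitimate submission rate of a contact form so a short burst does not take the endpoint offline.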
