Secure BE with Cognito on EC2, Questionable Infra for Customized Deployment


Beginner so please go easy on me.

I have a Cognito user pool with a custom auth UI running as part of my React app, which uses Amplify to simplify management of the auth flow.

The frontend application is served through an ALB (in a VPC) on EC2 instances, where port HTTPS:443 redirects to a target group on HTTP:3000, in which we have a Docker image running a container with the React app FE. The Express server sits (unsecured) at port HTTPS:5000, forwarding to a target group on HTTP:5000 with a separate Docker image running a container which has an Express server. The auth UI is part of the frontend directly; it's not hosted separately. The frontend communicates with existing API Gateways securely with Cognito authorizers. But because the ALB publicly faces the internet and the Express server is unsecured, anyone can make API calls to it, not just Cognito-verified authenticated users that are using the app on the frontend.

How should I go about securing this Express backend? Someone told me I should host the auth UI in an S3 bucket and deliver it using CloudFront; why does that help solve my problem? My setup feels naïve. Would an experienced professional make any specific significant changes to my setup before trying to secure the BE? In the future I envisioned spinning up an ALB for each customer (customers for this product each have tens to hundreds of users) and potentially making customized / specially configured deployments for each customer (the idea being that the separate ALB makes customized deployment easier, better uptime). Does that make any sense, or is the separate ALB part of this unnecessary to achieve my goals?

No Answers
