
reactjs - How to securely handle AWS credentials in React app using DynamoDB SDK - Stack Overflow


I have a React application that directly connects to DynamoDB using the AWS SDK V3. Currently, the AWS credentials are stored in environment variables (.env), but I've discovered they're exposed to the client side.

The DynamoDB calls are extensively used throughout the application, making it time-consuming to migrate everything to API Gateway + Lambda. I'm considering these temporary solutions:

  • Using a proxy server to inject AWS Signature V4
  • Implementing CloudFront Functions as middleware
  • Using Lambda@Edge

Technical constraints:

  • Need to maintain existing DynamoDB SDK calls
  • Must handle AWS Signature V4 authentication
  • Should minimize client-side exposure of credentials

What would be the most secure and efficient way to implement a temporary solution while planning a proper architectural change?

asked Feb 5 at 14:48 by sappyboar
  • Please provide enough code so others can better understand or reproduce the problem. – Community Bot Commented Feb 5 at 14:53
  • If the React client talks directly to DynamoDB then the credentials will be exposed on the client and you can't prevent that. You'd need to minimize that exposure (e.g. have the client authenticate to a custom back-end that vends temporary, scoped-down credentials) or proxy the requests through an authenticating server (e.g. API Gateway plus Lambda). – jarmod Commented Feb 5 at 14:59
  • Where do you run the application? – Leeroy Hannigan Commented Feb 5 at 15:25
  • There isn't a shortcut here - you've got client side code that directly accesses DynamoDB. The only way to do this is to have the credentials in your client. Unless your application is only used by trusted users (i.e. within a corporate environment only) you have to give the world your credentials. The only secure thing to do is fix it for real with some sort of back end and not use the current application at all. And send every person on your team who worked on this to a security 101 class. – stdunbar Commented Feb 5 at 15:26
  • Yea for that you'll need to use API Gateway and put your DynamoDB logic in a Lambda function. This is the common approach, rarely would a web app use SDKs directly. – Leeroy Hannigan Commented Feb 5 at 17:25

1 Answer

If your users are authenticated via Cognito, it's possible to use an Identity Pool to assign an IAM role to the user that would authorize DynamoDB access. If you're using the SDK for both Cognito and DynamoDB you shouldn't need to do any extra work to use this role.

DynamoDB doesn't allow fine grained access control, but you can limit access to specific tables and enforce conditions on keys:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/YourTableName",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${www.amazon.com:user_id}"
          ]
        }
      }
    }
  ]
}

Note that this approach actually enforces certain restrictions on database access, rather than just obfuscating the keys. The injection via proxy approach you mentioned would still leave your entire database exposed to the public. I don't recommend either approach, but the former is safer if configured correctly.

Here's an example from Amazon: https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/
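To make the effect of the LeadingKeys condition concrete, here is an added example (not part of the answer above, and not AWS code) that evaluates requests against such a policy the way IAM does for ForAllValues:StringEquals. It assumes a Cognito identity-pool caller, so the policy variable is ${cognito-identity.amazonaws.com:sub} rather than the Login with Amazon variable used above; the table ARN, identity IDs and requests are constructed sample values.

```javascript
// Added example, not from the original answer: simplified evaluator for a
// DynamoDB LeadingKeys policy. Resource matching is exact (no ARN wildcards)
// and only the ForAllValues:StringEquals operator is modelled.
const policy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["dynamodb:GetItem", "dynamodb:Query"],
    // Constructed sample table ARN
    Resource: "arn:aws:dynamodb:us-east-1:123456789012:table/UserData",
    Condition: {
      "ForAllValues:StringEquals": {
        // Assumed: caller authenticated through a Cognito identity pool
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
      },
    },
  }],
};

// Substitute ${...} policy variables from the caller's identity context.
function resolve(value, ctx) {
  return value.replace(/\$\{([^}]+)\}/g, (_, key) => ctx[key] ?? "");
}

// request.leadingKeys: the partition-key values the call would read
// (one for GetItem, one per returned item for Query).
// ForAllValues semantics: every requested key must be in the allowed set.
function isAllowed(policy, request, ctx) {
  return policy.Statement.some((s) => {
    if (s.Effect !== "Allow") return false;
    if (!s.Action.includes(request.action)) return false;
    if (s.Resource !== request.resource) return false;
    const keys = s.Condition?.["ForAllValues:StringEquals"]?.["dynamodb:LeadingKeys"];
    if (!keys) return true; // no condition attached
    const allowed = new Set(keys.map((v) => resolve(v, ctx)));
    return request.leadingKeys.every((k) => allowed.has(k));
  });
}

// Constructed sample caller and requests.
const ctx = { "cognito-identity.amazonaws.com:sub": "us-east-1:aaaa-1111" };
const table = "arn:aws:dynamodb:us-east-1:123456789012:table/UserData";
const own = { action: "dynamodb:GetItem", resource: table, leadingKeys: ["us-east-1:aaaa-1111"] };
const other = { action: "dynamodb:Query", resource: table, leadingKeys: ["us-east-1:aaaa-1111", "us-east-1:bbbb-2222"] };
const scan = { action: "dynamodb:Scan", resource: table, leadingKeys: [] };
console.log(isAllowed(policy, own, ctx), isAllowed(policy, other, ctx), isAllowed(policy, scan, ctx));
```

The second request is denied because a Query touching another user's partition key fails the "all values" test, which is the restriction the proxy approach cannot provide.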
