Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
254 views
in Technique by (71.8m points)

amazon web services - Preventing malicious actions in dynamo DB accessed via lambda over REST

Situation: There is a DynamoDB table containing a column with the username, one with a unique ID, and the data for each post submitted via an Angular frontend (REST) that triggers the Lambda function over AWS API Gateway.

Angular frontend --> AWS API Gateway (authenticate) --> Lambda function (write to) --> DynamoDB

Challenge: While only authenticated requests to the API are allowed, there are no user details (only the token):
'identity': {'cognitoIdentityPoolId': None, 'accountId': None, 'cognitoIdentityId': None, 'caller': None}
According to the AWS documentation, there is no way to obtain the user who triggered the Lambda function. Therefore I currently have to rely on the value provided via Angular (which can be manipulated).

I want to ensure that no evil user alters the username (provided by the frontend) by submitting HTTP POSTs with Postman or another tool and thereby overrides or creates entries on behalf of another user. Or any other idea how to create records in a table (via Lambda) in a way that the primary key belongs to a particular user, while preventing other authenticated users from submitting requests on their behalf.

question from: https://stackoverflow.com/questions/65869733/preventing-malicious-actions-in-dynamo-db-accessed-via-lambda-over-rest

He who fights dragons too long becomes a dragon himself; gaze too long into the abyss, and the abyss gazes back into you...

1 Reply

0 votes
by (71.8m points)

It turns out that the Amplify SignUp API generates a persistent UUID for a user and uses it as the immutable username attribute internally. This UUID has the same value as the sub claim in the user identity token.

Therefore I am now using:

let userID = (await Auth.currentUserInfo()).attributes.sub;

in the frontend, as the UUID is not predictable, and require the ID for all reads and writes.

See: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes.html

