aws-samples / aws-lex-web-ui

Sample Amazon Lex chat bot web interface

Lex Web UI using Cognito Guest Access #727

Open sachindogne opened 2 weeks ago

sachindogne commented 2 weeks ago

Our security team has flagged that the Lex Web UI uses Cognito Guest Access. We want to confirm that the guest access is not a security risk.

Also please suggest if there's a workaround so that we don't have to use the guest access for our users.

atjohns commented 2 weeks ago

I am not aware of any security issues inherent to Cognito Guest Access as long as you operate under least privilege when providing access to the guest role. The Web UI only provides the guest role with access to the bot, and you can see the exact privileges that are granted in the cognito.yaml template to validate that it meets your security criteria. If you have security concerns specifically with the Cognito service, I'd recommend opening a support ticket to get more information, as this solution simply leverages that service.

You can also refer to the Credential Management portion of our README for more in-depth explanation of how Cognito integrates into the solution.

To answer your final question, there is no way to get around Cognito guest access without forking and rewriting portions of the authentication in the Web UI. You can enable 'Force login' as outlined in the link above, but the guest access role is still utilized and denies all access.
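As an added example (not code from aws-lex-web-ui, and not a check the project ships), the script below does the review the reply above suggests, statically: it confirms that the guest role's permissions policy grants only Lex runtime actions on one specific bot, and that its trust policy is pinned to a single identity pool and to unauthenticated identities, so no other pool can assume the role. The policy documents, the bot alias ARN and the identity pool ID are constructed stand-ins, not values taken from cognito.yaml; the allowed-action set is an assumption about what a browser chat client needs.

```python
"""Static least-privilege check for a Cognito unauthenticated ("guest") role.

Added example, not part of aws-lex-web-ui. The policy documents below are
constructed stand-ins; the bot alias ARN and identity pool ID are made up.
"""
import json

# Lex runtime actions a browser chat client needs (assumption: Lex V2 runtime
# plus session management; V1 PostText/PostContent kept for older bots).
ALLOWED_LEX_ACTIONS = {
    "lex:RecognizeText", "lex:RecognizeUtterance",
    "lex:PostText", "lex:PostContent",
    "lex:PutSession", "lex:GetSession", "lex:DeleteSession",
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_permissions_policy(policy: dict) -> list:
    """Flag anything in an identity policy beyond Lex runtime calls on one bot."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"stmt {i}: NotAction/NotResource is an implicit wildcard")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"stmt {i}: wildcard action {action!r}")
            elif action not in ALLOWED_LEX_ACTIONS:
                findings.append(f"stmt {i}: action {action!r} is not a Lex runtime call")
        for res in _as_list(stmt.get("Resource")):
            if "*" in res or not res.startswith("arn:aws:lex:"):
                findings.append(f"stmt {i}: resource {res!r} is not one specific Lex bot")
    return findings


def check_trust_policy(trust: dict, identity_pool_id: str) -> list:
    """Flag a trust policy that lets anything but guests of one pool assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(trust.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if federated != ["cognito-identity.amazonaws.com"]:
            findings.append(f"stmt {i}: principal is not the Cognito identity service")
        cond = stmt.get("Condition", {})
        # Without the aud condition, any identity pool in any account can assume the role.
        aud = cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud")
        if aud != identity_pool_id:
            findings.append(f"stmt {i}: aud is not pinned to {identity_pool_id}")
        amr = cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr")
        if amr != "unauthenticated":
            findings.append(f"stmt {i}: amr does not restrict the role to unauthenticated identities")
    return findings


def review(policy: dict, trust: dict, identity_pool_id: str) -> list:
    """Combined findings for one role: permissions policy plus trust policy."""
    return check_permissions_policy(policy) + check_trust_policy(trust, identity_pool_id)


# Constructed sample inputs (not real resources).
BOT_ALIAS_ARN = "arn:aws:lex:us-east-1:123456789012:bot-alias/ABCDEFGHIJ/TSTALIASID"
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"

GUEST_POLICY = {  # scoped the way a least-privilege guest role should be
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lex:RecognizeText", "lex:RecognizeUtterance",
                   "lex:PutSession", "lex:GetSession", "lex:DeleteSession"],
        "Resource": BOT_ALIAS_ARN,
    }],
}

OVERBROAD_POLICY = {  # what a review should catch
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["lex:*", "s3:GetObject"], "Resource": "*"}],
}

GUEST_TRUST = {  # standard Cognito unauthenticated-role trust policy shape
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "unauthenticated"},
        },
    }],
}

UNPINNED_TRUST = {  # no Condition: any identity pool could assume this role
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

if __name__ == "__main__":
    for name, pol, tr in [("guest", GUEST_POLICY, GUEST_TRUST),
                          ("overbroad", OVERBROAD_POLICY, UNPINNED_TRUST)]:
        print(name, json.dumps(review(pol, tr, IDENTITY_POOL_ID), indent=2))
```

To run this against a deployed stack, feed it the role's documents from `aws iam get-role` and `aws iam get-role-policy` (or the parsed cognito.yaml) instead of the constructed samples; an empty findings list for the guest role is the result the original question asks for. The same checks apply to the authenticated role when 'Force login' is enabled.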