So far, the admin page is not protected by user authentication. Anyone who knows the URL of an admin page can change the service status. To stop this, support user authentication (maybe using Amazon Cognito User Pools).
At least these functions are necessary:
[x] The admin user can invite a new user (OK to use AWS Console)
[x] The invited user can do an initial setup.
[x] The user can sign in/out.
[x] Save a user who forgets the password.
[x] Protect API Gateway so that only authenticated users can call its APIs.
[x] Create Cognito User Pools using CloudFormation (note: CloudFormation does not have a Cognito resource)