Tags: authentication, openlayers, geospatial, maplibre-gl, amazon-location-service

Amazon Location Service Authentication


I am considering using Amazon Location Service as a map tile provider for a web app I am working on. I have been able to get this working in a small proof-of-concept using Cognito unauthenticated access and MapLibre GL JS (but plan to move to OpenLayers if supported).

My concern with this is that anyone using the application could extract the identity pool id from the browser and use this to run up a large bill on my behalf! The web app is not public, with users authenticated against a proprietary database. I'd like to allow only these authenticated users to be able to retrieve map tiles.

Would using Cognito developer authenticated identities be suitable for this? Any other recommendations to achieve this?


Solution

  • Amazon Cognito authenticated identity pools may help, but are intended to match/be your primary login system and may complicate your design.

    Using the aws:referer IAM condition key with your domain name will prevent other browser-based apps from using your credentials for this purpose and is the equivalent of the domain restrictions supported by other providers. Here's an example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RestrictedMapReadOnly",
                "Effect": "Allow",
                "Action": "geo:GetMap*",
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "aws:Referer": [
                            "https://example.com/*",
                            "https://www.example.com/*"
                        ]
                    }
                }
            }
        ]
    }
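To check what a policy like the one above actually admits before deploying it, here is an added Python example (not from the answer, and not AWS code) that evaluates the StringLike condition on aws:Referer locally with IAM's wildcard semantics, where `*` matches any run of characters and `?` exactly one. It models only Allow statements with that single operator; the real IAM engine also processes Deny statements and other condition operators, and a request sent without a Referer header (a non-browser client) is represented by `None`.

```python
import json
import re

# The answer's policy, embedded here (constructed copy) so the check runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RestrictedMapReadOnly",
    "Effect": "Allow",
    "Action": "geo:GetMap*",
    "Resource": "*",
    "Condition": {"StringLike": {"aws:Referer": [
      "https://example.com/*", "https://www.example.com/*"]}}
  }]
}
""")


def iam_glob(pattern, value):
    """IAM StringLike match: '*' is any run of characters, '?' one character,
    everything else literal and case-sensitive (condition values are)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def is_allowed(policy, action, referer):
    """True if some Allow statement grants `action` for a request whose Referer
    header is `referer`.  None models a request without the header: a missing
    condition key makes StringLike evaluate to false.
    Simplification: Deny statements and other condition operators are ignored."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        # IAM action names are matched case-insensitively.
        if not any(iam_glob(a.lower(), action.lower()) for a in actions):
            continue
        pats = stmt.get("Condition", {}).get("StringLike", {}).get("aws:Referer", [])
        pats = pats if isinstance(pats, list) else [pats]
        if not pats:                                   # unconditional statement
            return True
        if referer is not None and any(iam_glob(p, referer) for p in pats):
            return True
    return False


if __name__ == "__main__":
    for action, ref in [("geo:GetMapTile", "https://example.com/app"),
                        ("geo:GetMapTile", "https://example.com.evil.test/app"),
                        ("geo:GetMapTile", None),
                        ("geo:SearchPlaceIndexForText", "https://example.com/app")]:
        print(f"{action:28} referer={ref!s:38} allowed={is_allowed(POLICY, action, ref)}")
    # The trailing "/" in the pattern matters: without it, look-alike hosts match.
    print(iam_glob("https://example.com*", "https://example.community/"))   # True
    print(iam_glob("https://example.com/*", "https://example.community/"))  # False
```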