So a number of plugins have been published on the Unreal Engine Marketplace promising to make integration with AWS GameLift, Cognito, and Lambda easy and just through blueprints (no C++).
My team would like to use such plugins especially related to AWS Cognito.
However, looking through their tutorials it seems like some of the practices they are using are not secure.
Specifically, in this part of the AWS Cognito tutorial it shows putting your AWS Access ID and AWS Secret Key in to create a Cognito IdP object on the game client. This seems to just be a blueprint wrapper over the CognitoIdentityProviderClient constructor in CognitoIdentityProviderClient.h of the aws-cpp-sdk.
I was under the impression that you could not trust the game client with anything in terms of keys or credentials, never mind an AWS Secret Key. Similar credentials are used in the GameLift plugin when creating game sessions from the client (again not a good practice?).
I would love to get some of the AWS staff’s take on this. Am I incorrect about this security practice? Is it fine in production as long as the credentials you are adding to the client are those of an IAM user that has limited permissions just for these few functions?
Along the same lines but maybe less of an issue: it shows implementing the signup and authentication, again on the client. Wouldn’t it be a better practice to put the proposed username and password in an HTTPS request to an API Gateway that then runs this Cognito function on, say, a Lambda that then communicates the result to the game server, which then communicates back to the game client?
I assume it's OK to put the AWS Cognito app client ID on the game client?
Any input on this would be appreciated. Cheers!
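The server-side sign-in flow the question proposes, as an added example (not code from the post, from AWS, or from any Marketplace plugin): an AWS Lambda handler behind API Gateway that receives only a username and password over HTTPS and calls Cognito `InitiateAuth` itself. The Lambda authenticates to AWS with its execution role, so no access key or secret key is ever embedded in the game build; the app client ID is the only Cognito identifier involved, and the app client secret (if the app client was created with one) stays in the Lambda environment and is used to compute Cognito's `SECRET_HASH` server-side. The environment variable names `USER_POOL_CLIENT_ID` and `USER_POOL_CLIENT_SECRET`, the `StubCognito` class, and the usernames and tokens are constructed for this example; the Cognito client is injected so the handler runs offline against the stub and against a real `boto3.client("cognito-idp")` in Lambda.

```python
"""Lambda-side Cognito sign-in behind API Gateway (example, not plugin code)."""
import base64
import hashlib
import hmac
import json
import os
from typing import Any, Dict, List, Optional

# Assumed configuration: read from the Lambda environment, never shipped in
# the game client. The app client ID is not a secret; the app client secret is.
CLIENT_ID = os.environ.get("USER_POOL_CLIENT_ID", "example-client-id")
CLIENT_SECRET = os.environ.get("USER_POOL_CLIENT_SECRET")  # None -> public app client


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Cognito SECRET_HASH = Base64(HMAC-SHA256(client_secret, username + client_id)).
    Required on InitiateAuth when the app client has a client secret."""
    digest = hmac.new(client_secret.encode("utf-8"),
                      (username + client_id).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_auth_params(username: str, password: str, client_id: str,
                      client_secret: Optional[str]) -> Dict[str, str]:
    """AuthParameters for USER_PASSWORD_AUTH; SECRET_HASH only for confidential clients."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return params


def sign_in(cognito: Any, username: str, password: str,
            client_id: str = CLIENT_ID,
            client_secret: Optional[str] = CLIENT_SECRET) -> Dict[str, Any]:
    """Run USER_PASSWORD_AUTH. `cognito` is a boto3 cognito-idp client or a
    stub exposing the same initiate_auth(**kwargs) signature."""
    resp = cognito.initiate_auth(
        AuthFlow="USER_PASSWORD_AUTH",
        ClientId=client_id,
        AuthParameters=build_auth_params(username, password, client_id, client_secret),
    )
    result = resp.get("AuthenticationResult", {})
    # Hand back only the tokens the game needs; never echo the password or raw response.
    return {"id_token": result.get("IdToken"),
            "access_token": result.get("AccessToken"),
            "refresh_token": result.get("RefreshToken"),
            "expires_in": result.get("ExpiresIn")}


def _response(status: int, payload: Dict[str, Any]) -> Dict[str, Any]:
    """API Gateway proxy-integration response shape."""
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   cognito: Any = None) -> Dict[str, Any]:
    """Entry point. Expects a JSON body {"username": ..., "password": ...}."""
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return _response(400, {"error": "malformed JSON body"})
    username, password = body.get("username"), body.get("password")
    if not (isinstance(username, str) and username and isinstance(password, str) and password):
        return _response(400, {"error": "username and password are required"})
    if cognito is None:
        import boto3  # real path: credentials come from the Lambda execution role
        cognito = boto3.client("cognito-idp")
    try:
        tokens = sign_in(cognito, username, password)
    except Exception:  # e.g. botocore ClientError NotAuthorizedException
        # Same generic answer for bad password and unknown user: no user enumeration.
        return _response(401, {"error": "authentication failed"})
    return _response(200, tokens)


class StubCognito:
    """Offline stand-in for the cognito-idp client (constructed for this example)."""

    def __init__(self, valid_users: Dict[str, str]):
        self.valid_users = valid_users
        self.calls: List[Dict[str, Any]] = []

    def initiate_auth(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        p = kwargs["AuthParameters"]
        if self.valid_users.get(p["USERNAME"]) != p["PASSWORD"]:
            raise RuntimeError("NotAuthorizedException")
        return {"AuthenticationResult": {"IdToken": "id.jwt", "AccessToken": "access.jwt",
                                         "RefreshToken": "refresh.tok", "ExpiresIn": 3600}}


if __name__ == "__main__":
    stub = StubCognito({"alice": "correct horse battery"})  # constructed test user
    ok = lambda_handler({"body": '{"username": "alice", "password": "correct horse battery"}'},
                        cognito=stub)
    bad = lambda_handler({"body": '{"username": "alice", "password": "nope"}'}, cognito=stub)
    print(ok["statusCode"], ok["body"])
    print(bad["statusCode"], bad["body"])
```

In this layout the IAM permissions for the Cognito calls belong to the Lambda's execution role, not to an IAM user whose keys are compiled into the client; the game server can then verify the returned JWTs on its own before it trusts a session.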