Exposed AWS Credentials on Deployed Frontend


On the final version of the app (, using the Chrome dev tools, I can dig through the app directory. In Top > > static > js > main.852cb2a5.js, all of the AWS credentials are visible in plaintext (AWS Region, API URL, user pool ID, App client ID, identity pool ID, etc). Is this not a fairly fatal flaw in this tutorial?

My guess is that the solution is to use EC2 rather than S3 to host the frontend because S3 is made for static hosting (no important environment variables).

Any thoughts?


No those are just id’s for the AWS resources we are using. The actual credentials to access them are generated when a user authenticates with our User Pool.

1 Like