Security question: Does Cognito handle all of the JWT and authentication or do I need to verify every request with JWT in addition to AWS Cognito, API Gateway, and Lambda?

I’m confused about how the security works for AWS Cognito and the backend services like API Gateway and Lambda. I’m worried about storing whether or not I’m authenticated as a React/Redux state (i.e. isAuthenticated: true), after I login with AWS Cognito, per the Serverless-Stack tutorial. Are there extra steps I need to take outside of the tutorial to make sure that this can’t be manipulated by a bad actor? I know that you can manipulate React/Redux state, so they could potentially try and alter that state to give access to sensitive app data and bypass the login that way.

In the past when I’ve used JWT I have checked every request on the backend to verify that the JWT is valid, which can’t be manipulated by a bad actor. Do AWS Cognito and API Gateway/Lambda do this automatically or behind the scenes? Is there a security risk to using these services and only storing the authenticated state in React/Redux without manually validating a JWT on every request?

Simply put – if I follow the Serverless-Stack tutorial exactly, do I need to implement any extra security measures to prevent what I mentioned above? The more I read, the more it seems like it is enough, but I just want to make sure.

Yeah exactly, the JWT parts are handled by Cognito so you don’t have to do this. Your client just needs to check if the user is authenticated according to the Cognito SDK (used inside Amplify).