aws-observability / aws-rum-web

Amazon CloudWatch RUM Web Client


[General Inquiry]: is unauthenticated user pool secure ?

ShawneeY opened this issue · comments

What is your general inquiry?

AWS CloudWatch RUM leverages AWS Cognito and uses an unauthenticated identity to "PutRumEvents".

Does it mean that a malicious user of my web application can pretend to be the unauthenticated identity to assume the IAM role and start abusing the "PutRumEvents" API, thus polluting the frontend_logs or metrics collected by RUM?

Many thanks in advance

a malicious user of my web application can pretend to be the unauthenticated identity to assume the IAM role and start abusing the "PutRumEvents" API, thus polluting the frontend_logs or metrics collected by RUM?

This is an inherent risk of real user monitoring. The risk of receiving spoofed data may be increased when collecting data from unauthenticated users, but the risk is present even when collecting data from authenticated users. I wrote a blog post titled "How to isolate signed-in users from guest users within Amazon CloudWatch RUM" that discusses this topic.

I'm closing this issue because it's in the domain of fraud prevention, which doesn't fall within the scope of this repository. Because this question is related to the CloudWatch RUM service itself, I recommend going through AWS support channels for more information.
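As an added example, not code from the aws-rum-web project or from either participant above, this Terraform fragment shows the least-privilege shape a defender gives the identity pool's unauthenticated role, so that a visitor who does spoof events can only write to one app monitor and reach nothing else. The identity pool and role names, region, account id and app monitor name are assumed placeholders.

```hcl
# Added example (not from the aws-rum-web project). Placeholders:
# identity pool resource "rum", app monitor "my-app-monitor",
# account 123456789012, region us-east-1.

# Trust policy: only Cognito Identity, only this identity pool, and only
# its unauthenticated identities may assume the role.
data "aws_iam_policy_document" "rum_unauth_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = ["cognito-identity.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "cognito-identity.amazonaws.com:aud"
      values   = [aws_cognito_identity_pool.rum.id] # assumed resource
    }
    condition {
      test     = "ForAnyValue:StringLike"
      variable = "cognito-identity.amazonaws.com:amr"
      values   = ["unauthenticated"]
    }
  }
}

resource "aws_iam_role" "rum_unauth" {
  name               = "rum-unauth-role"
  assume_role_policy = data.aws_iam_policy_document.rum_unauth_trust.json
}

# Permissions: PutRumEvents on exactly one app monitor and nothing else.
# Spoofed events can still pollute this monitor's data (the inherent risk
# described above), but the credentials grant no other access.
resource "aws_iam_role_policy" "rum_unauth" {
  name = "rum-put-events-only"
  role = aws_iam_role.rum_unauth.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["rum:PutRumEvents"]
      Resource = "arn:aws:rum:us-east-1:123456789012:appmonitor/my-app-monitor"
    }]
  })
}
```

The role is then bound to the pool's unauthenticated slot with an `aws_cognito_identity_pool_roles_attachment`, and unusual PutRumEvents volume from that role can be watched in CloudTrail or the app monitor's metrics.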