Is it safe to expose the AWS Cognito Ids?

There's a post by AWS on their forums that addresses this.

Please note that with userPoolId and clientId, only unauthenticated APIs can be called, e.g. SignUp, authenticate, forgotPassword etc. So userPoolId and clientId alone are not enough to do any malicious activity on your user pool.

Source is https://forums.aws.amazon.com/thread.jspa?threadID=245752&tstart=200

An alternative is to use API Gateway with the Cognito authorizer for handling calls to other back-end services (like DynamoDB or S3) instead of using those directly from the front-end JS. That's described here:

https://aws.amazon.com/blogs/mobile/aws-mobile-app-backend-with-hybrid-apps/
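As an added illustration (not part of the original answer or the linked AWS posts), a CloudFormation template showing the API Gateway plus Cognito authorizer arrangement described above. The resource names, the `items` path, the `prod` stage and the two parameters are assumptions; the backend is assumed to be an existing Lambda function that performs the DynamoDB or S3 access.

```yaml
Parameters:
  UserPoolArn: {Type: String}          # assumption: ARN of your existing Cognito user pool
  BackendFunctionArn: {Type: String}   # assumption: ARN of the Lambda that talks to DynamoDB/S3
Resources:
  Api:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: items-api                  # hypothetical name
  ItemsResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref Api
      ParentId: !GetAtt Api.RootResourceId
      PathPart: items
  CognitoAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      Name: user-pool-authorizer
      RestApiId: !Ref Api
      Type: COGNITO_USER_POOLS
      ProviderARNs:
        - !Ref UserPoolArn
      IdentitySource: method.request.header.Authorization  # token obtained at sign-in
  GetItems:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref Api
      ResourceId: !Ref ItemsResource
      HttpMethod: GET
      AuthorizationType: COGNITO_USER_POOLS  # no valid user pool token, no backend call
      AuthorizerId: !Ref CognitoAuthorizer
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST
        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${BackendFunctionArn}/invocations
  InvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref BackendFunctionArn
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${Api}/*/GET/items
  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: GetItems
    Properties:
      RestApiId: !Ref Api
      StageName: prod
```

With this layout the browser still ships the userPoolId and clientId, but it holds no AWS credentials for DynamoDB or S3; only the Lambda's execution role does, and the method is reachable only with a token issued by the user pool.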