Does anyone know if the User Pool Id and Client Id are sensitive? Currently I have them sitting on the frontend and was just wondering if this is dangerous. If it is, how can they be exploited?
No, they are not. They are supposed to be public. The only way they can be exploited is that someone can use them to make a large amount of SignUp calls to your userpool. But as long as these registrations are not verified, these won't be converted into active users (unless you have enabled auto-verification of users). This is not an AWS specific issue. Fake registrations are a big headache and one will face this issue even if there is no SignUp api being used and a PHP backend is used for registration. The only way to face this is email/phone verification.
Of course, if you have disabled SignUp in your userpool i.e. only Admins can create users then this is not an issue at all.