Restricting access to CloudFront origin using session tag applied by Cognito Identity Pool

My app authenticates users through Cognito User Pools and authorizes S3 requests through a Cognito Identity Pool with attributes for access control, to ensure users can only access their own files. The policy attached to authenticated users looks like this:

data "aws_iam_policy_document" "authenticated" {
  statement {
    effect = "Allow"

    principals {
      type        = "Federated"
      identifiers = ["cognito-identity.amazonaws.com"]
    }

    actions = [
      "sts:AssumeRoleWithWebIdentity",
      "sts:TagSession"
    ]

    condition {
      test     = "StringEquals"
      variable = "cognito-identity.amazonaws.com:aud"
      values   = [aws_cognito_identity_pool.users_dev.id]
    }

    condition {
      test     = "ForAnyValue:StringLike"
      variable = "cognito-identity.amazonaws.com:amr"
      values   = ["authenticated"]
    }
  }
}

resource "aws_iam_role" "authenticated" {
  name               = "cognito_authenticated"
  assume_role_policy = data.aws_iam_policy_document.authenticated.json
}

data "aws_iam_policy_document" "authenticated_role_policy" {
  statement {
    effect = "Allow"

    actions = [
      "s3:*",
    ]

    resources = [
      "${data.aws_s3_bucket.s3_data_lake_output_bucket.arn}/events/silver_pageviews/team_id=$${aws:PrincipalTag/tenant_id}/*",
    ]
  }
}

This works, and now I'd like to put CloudFront in front of my bucket, but I'm unsure what my best option is. I Googled a bit, and it seems I can either use signed cookies/URLs or use a CloudFront authorization@edge Lambda.

Is there an option where I'm able to keep using my principal tags (tenant_id) that are applied to my users' temporary session? Either in an inline policy of a signed cookie/URL or by attaching it to an Origin Access Control?

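The poster's role policy relies on IAM substituting the session tag into the resource ARN at evaluation time, so that `team_id=${aws:PrincipalTag/tenant_id}/*` scopes each tenant to its own prefix. The following is an added example, not code from the post or from AWS, that simulates that evaluation offline: it renders the policy variable from a dictionary of principal tags, matches the requested object ARN against the rendered pattern with IAM-style `*`/`?` wildcards, and applies the explicit-deny / allow / implicit-deny order. The bucket name is a constructed placeholder standing in for the poster's `aws_s3_bucket` data source, and the simulation covers only the pieces needed here (no conditions, no resource policies).

```python
"""Offline simulation of ABAC scoping with aws:PrincipalTag (constructed example)."""
import re
from typing import Dict, List, Optional

# Constructed placeholder; the real value comes from the Terraform data source.
BUCKET_ARN = "arn:aws:s3:::example-data-lake-output"

# The role policy from the question as IAM receives it: Terraform renders the
# "$${...}" escape to a literal "${aws:PrincipalTag/tenant_id}".
ROLE_POLICY: List[Dict] = [
    {
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": [
            f"{BUCKET_ARN}/events/silver_pageviews/team_id=${{aws:PrincipalTag/tenant_id}}/*"
        ],
    }
]

PRINCIPAL_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def render_variables(template: str, principal_tags: Dict[str, str]) -> Optional[str]:
    """Substitute each ${aws:PrincipalTag/<key>} with the session tag value.

    Returns None when a referenced tag is absent from the session: IAM then
    cannot resolve the variable and the statement does not match the request,
    which is why a principal with no tenant_id tag gets nothing.
    """
    missing = False

    def replace(match: re.Match) -> str:
        nonlocal missing
        value = principal_tags.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    rendered = PRINCIPAL_TAG_VAR.sub(replace, template)
    return None if missing else rendered


def iam_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM-style wildcard match: '*' is any run of characters (including '/'),
    '?' is one character, everything else is literal. Actions are matched
    case-insensitively; resource ARNs (S3 keys) are case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy: List[Dict], action: str, resource_arn: str,
             principal_tags: Dict[str, str]) -> str:
    """Simplified evaluation of one identity policy.

    An explicit Deny that matches wins immediately; otherwise any matching
    Allow yields "Allow"; with no match the result is "ImplicitDeny".
    """
    decision = "ImplicitDeny"
    for statement in policy:
        if not any(iam_match(a, action, case_insensitive=True) for a in statement["Action"]):
            continue
        resource_matched = False
        for resource_template in statement["Resource"]:
            rendered = render_variables(resource_template, principal_tags)
            if rendered is not None and iam_match(rendered, resource_arn):
                resource_matched = True
                break
        if not resource_matched:
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def object_arn(key: str) -> str:
    """Build the S3 object ARN for a key in the constructed bucket."""
    return f"{BUCKET_ARN}/{key}"


if __name__ == "__main__":
    own = object_arn("events/silver_pageviews/team_id=42/2024/part-0.parquet")
    other = object_arn("events/silver_pageviews/team_id=43/2024/part-0.parquet")
    print(evaluate(ROLE_POLICY, "s3:GetObject", own, {"tenant_id": "42"}))    # Allow
    print(evaluate(ROLE_POLICY, "s3:GetObject", other, {"tenant_id": "42"}))  # ImplicitDeny
    print(evaluate(ROLE_POLICY, "s3:GetObject", own, {}))                     # ImplicitDeny
```

The literal `/` after the substituted tag is what stops a tenant tagged `42` from matching `team_id=420/...`, and the missing-tag case shows why the identity pool's principal-tag mapping, not just the trust policy's `sts:TagSession`, has to supply `tenant_id` for every authenticated session.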
No Answers
