Permission-based enquiry

0

I am building a folder management software where folders and files are stored in AWS S3. User authentication is managed through AWS Cognito, with application users stored in a Cognito User Pool. I need to manage read and write permissions for these users based on their access levels.

For example, if a user, Venu, has full access to Folder A (read, write, and delete) but only view access to Folder B (read-only), how can I implement this using AWS services? If possible, please guide me through the steps very clearly.

1 Answer
3

How about this:

  1. Set Up AWS Cognito User Pool:

Create a Cognito User Pool to manage your users.

  2. Create IAM Roles:

Create two IAM roles: one for full access (read, write, delete) and one for read-only access.

For the full access role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/FolderA/*"
    }
  ]
}

For the read-only access role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/FolderB/*"
    }
  ]
}

  3. Assign IAM Roles to Cognito Users:

Use Cognito Identity Pools to assign the IAM roles to your users based on their access levels. You can define rules to choose the role for each user based on claims in the user's ID token:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "your-identity-pool-id"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

  4. Configure S3 Bucket Policies:

Ensure your S3 bucket policies allow access based on the IAM roles:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::your-account-id:role/full-access-role"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/FolderA/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::your-account-id:role/read-only-role"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/FolderB/*"
    }
  ]
}

EXPERT
answered 2 months ago
EXPERT
reviewed a month ago
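The four steps above chain together as: ID-token claims, identity-pool role mapping, one IAM role, per-folder S3 statements, allow/deny decision. The following offline model, added here as an illustration and not code from the answer or from AWS, runs that chain end to end for Venu's case so the resulting permission matrix can be checked before anything is deployed. It assumes (not stated on the page) that users carry a `cognito:groups` claim in the ID token, that the identity pool uses rule-based role mapping on that claim, and that the group names `folder-admins` and `viewers` are constructed; bucket and account names are the page's own placeholders. It goes one step beyond the page by adding an `s3:ListBucket` statement scoped with an `s3:prefix` condition, since browsing a folder is a bucket-level action that the two object-level policies above do not cover.

```python
"""Offline model of the access chain the answer lays out: ID-token claims -> identity
pool role mapping -> one IAM role -> per-folder S3 statements -> allow/deny decision.

Assumptions NOT on the page: a 'cognito:groups' claim drives rule-based role mapping,
and the group names are constructed. Bucket/account names are the page's placeholders."""
import fnmatch
from typing import Dict, List, Optional

BUCKET = "your-bucket-name"   # placeholder from the page
ACCOUNT = "your-account-id"   # placeholder from the page
FULL_ROLE = f"arn:aws:iam::{ACCOUNT}:role/full-access-role"
READ_ROLE = f"arn:aws:iam::{ACCOUNT}:role/read-only-role"

# The two permission blocks from the answer, kept as reusable policy statements.
FOLDER_A_FULL = {"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                 "Resource": f"arn:aws:s3:::{BUCKET}/FolderA/*"}
FOLDER_B_READ = {"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": f"arn:aws:s3:::{BUCKET}/FolderB/*"}
# Beyond the page: listing a folder is a bucket-level action (s3:ListBucket on the
# bucket ARN), so it is scoped to the two folders with an s3:prefix condition.
FOLDER_LIST = {"Effect": "Allow", "Action": ["s3:ListBucket"],
               "Resource": f"arn:aws:s3:::{BUCKET}",
               "Condition": {"StringLike": {"s3:prefix": ["FolderA/*", "FolderB/*"]}}}

# An identity pool issues credentials for exactly one role per session, so Venu's
# profile (full on FolderA, read-only on FolderB) is one role holding both statements.
ROLE_POLICIES: Dict[str, List[dict]] = {
    FULL_ROLE: [FOLDER_A_FULL, FOLDER_B_READ, FOLDER_LIST],
    READ_ROLE: [FOLDER_B_READ, FOLDER_LIST],
}

# Rule-based role mapping as configured on the identity pool (constructed group names).
# Rules are evaluated in order; the first match wins; no match means no credentials.
ROLE_MAPPING_RULES = [
    {"Claim": "cognito:groups", "MatchType": "Contains", "Value": "folder-admins", "RoleARN": FULL_ROLE},
    {"Claim": "cognito:groups", "MatchType": "Contains", "Value": "viewers", "RoleARN": READ_ROLE},
]


def choose_role(claims: dict) -> Optional[str]:
    """Pick the role the identity pool would hand out for these ID-token claims."""
    for rule in ROLE_MAPPING_RULES:
        raw = claims.get(rule["Claim"])
        if raw is None:
            continue
        values = raw if isinstance(raw, list) else [raw]
        if rule["MatchType"] == "Contains" and rule["Value"] in values:
            return rule["RoleARN"]
        if rule["MatchType"] == "Equals" and values == [rule["Value"]]:
            return rule["RoleARN"]
    return None  # AmbiguousRoleResolution=Deny: unmapped users get nothing


def _condition_ok(condition: dict, context: dict) -> bool:
    """Only StringLike is modelled; that is all the statements above use."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None or not any(fnmatch.fnmatchcase(actual, p) for p in patterns):
                return False
    return True


def is_allowed(role_arn: Optional[str], action: str, resource: str,
               context: Optional[dict] = None) -> bool:
    """IAM-style evaluation: default deny, explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in ROLE_POLICIES.get(role_arn, []):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context or {}):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


OBJECT_OPS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")


def access_matrix(claims: dict, keys: List[str]) -> Dict[str, Dict[str, bool]]:
    """What a user with these claims may do to each object key."""
    role = choose_role(claims)
    return {key: {op: is_allowed(role, op, f"arn:aws:s3:::{BUCKET}/{key}") for op in OBJECT_OPS}
            for key in keys}


if __name__ == "__main__":
    venu = {"sub": "venu", "cognito:groups": ["folder-admins"]}   # constructed claims
    keys = ["FolderA/report.docx", "FolderB/notes.txt", "FolderC/x.txt"]
    for key, ops in access_matrix(venu, keys).items():
        print(key, {op.split(":")[1]: ok for op, ok in ops.items()})
```

Two points the model makes visible: the trust policy in step 3 admits every authenticated identity, so it is the mapping rules (or a `cognito:preferred_role` claim) that decide which role a given user receives, and a user who needs different levels on different folders must get a single role that carries all of those statements. Within one AWS account the role policies alone grant the access; the bucket policy in step 4 restates the same grants and is harmless but not what makes the decision.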
