AWS Cognito with ABAC and RBAC for S3 bucket.

0

I need help figuring out if AWS is the best option for my requirements. My application receives files and serves them to users. I need to implement both role-based and attribute-based access control for these files. I'm planning to move my user management to AWS Cognito, but I'm confused about the identity pool. Can a user pool and identity pool exchange multiple roles? Or is attribute-based access control not possible? I'm just not sure how it works. In the documentation, it is stated that only one role can be selected when a user receives an identity. But if I need to have more than one role, what can I do?

I've also heard about AWS Verified Permissions, and I have decided to use them for my API. Can I skip bucket policies and only rely on AWS Verified Permissions, both for my API and S3 bucket?

Example: Consider the following scenario:

Group A
User 1

Buckets and their respective access levels:

Bucket 1:
    Public:
        File 1
    Private:
        File 1

The desired access control configurations are as follows: Every user has access to the public bucket. Group A should have access to all folders within Bucket 1. User 1 can access File 1 within the private section of Bucket 1.

I would really appreciate some guidance on these issues. Thanks!

1 Answer
0
Accepted Answer

I think this is what you are looking for: Using attributes for access control.

kentrad (AWS, EXPERT)
answered 10 months ago
  • I found out that I had asked a similar question a few weeks ago, so I am going to mark this question as answered.

    I've been looking into this and trying to figure out the best approach. It's important for my solution to be scalable. I was thinking, is it possible to add Verified Permissions in front of the S3 bucket? It seems like it could simplify everything, but I'm not sure if it's considered a bad practice. Since I'm new to the cloud and still learning, I'm trying to understand different solutions.
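
An added example (not part of the original thread, and not AWS's own code) of the kind of role policy that "Using attributes for access control" enables for the scenario in the question, with a simplified local model of how principal-tag variables resolve. The bucket name, the tag keys `team` and `username`, and the per-user `Private/<username>/` prefix are assumptions; the evaluator handles only Allow statements, `StringEquals`, and `*`/`?` wildcards, not full IAM evaluation.

```python
import re

ARN = "arn:aws:s3:::EXAMPLE-BUCKET/"  # placeholder bucket (assumption)

# Permissions policy for the identity pool's authenticated role. The tag keys
# "team" and "username" are assumed claim-to-principal-tag mappings.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EveryoneReadsPublic", "Effect": "Allow",
     "Action": "s3:GetObject", "Resource": ARN + "Public/*"},
    {"Sid": "GroupAReadsAllFolders", "Effect": "Allow",
     "Action": "s3:GetObject", "Resource": ARN + "*",
     "Condition": {"StringEquals": {"aws:PrincipalTag/team": "GroupA"}}},
    {"Sid": "UserReadsOwnPrivatePrefix", "Effect": "Allow",
     "Action": "s3:GetObject",
     "Resource": ARN + "Private/${aws:PrincipalTag/username}/*"},
]}

TOKEN = re.compile(r"(\$\{aws:PrincipalTag/[^}]+\}|\*|\?)")


def resource_regex(pattern, tags):
    """Resolve policy variables and wildcards; None if a tag is missing."""
    parts = []
    for tok in TOKEN.split(pattern):
        if tok.startswith("${"):
            key = tok[len("${aws:PrincipalTag/"):-1]
            if key not in tags:
                return None  # unresolved variable: statement cannot match
            parts.append(re.escape(tags[key]))  # tag value taken literally here
        elif tok in ("*", "?"):
            parts.append(".*" if tok == "*" else ".")
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts), re.S)


def is_allowed(action, key, tags):
    """Return the Sid of the first matching Allow, or None (implicit deny)."""
    for st in POLICY["Statement"]:
        rx = resource_regex(st["Resource"], tags)
        if st["Action"] != action or rx is None or not rx.fullmatch(ARN + key):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if all(tags.get(k.split("/", 1)[1]) == v for k, v in cond.items()):
            return st["Sid"]
    return None


if __name__ == "__main__":
    print(is_allowed("s3:GetObject", "Private/user1/File 1", {"username": "user1"}))
```

One role covers all three rules because the decision depends on the session's tags rather than on which role was selected. For Cognito to pass those tags, the role's trust policy has to allow `sts:TagSession` alongside `sts:AssumeRoleWithWebIdentity`.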
