Access control for S3 bucket with Amazon Cognito user pools and managing different user roles or user groups


I'm facing some confusion regarding the implementation of access control for my S3 bucket. Currently, my users are managed through Amazon Cognito, and while I have a good understanding of user pools, I'm uncertain if they meet my specific requirements. The challenge I'm facing involves handling different user roles. Some users require access to multiple files, while others should only have access to their own files. Initially, I considered using groups and creating a group for each file, adding users accordingly. However, I'm unsure how these groups would translate from Cognito users to access in the Identity Pool. Could you provide some guidance on this matter?

Example:

User 1: should have access to all folders.

User 2: should only have access to Folder 1 and Folder 2.

Folder 1:

  • Contents of Folder 1.

Folder 2:

  • Contents of Folder 2.

Folder 3:

  • Contents of Folder 3.
1 Answer

You can achieve this by using a combination of Amazon Cognito Identity Pools, IAM roles, and S3 bucket policies.

Here's a high-level overview of how you can set this up:

  1. Cognito User Pools: Continue to use Cognito User Pools to manage your users. You can create groups in your user pool to represent different roles or levels of access. For example, you might have a "FullAccess" group for users who should have access to all files, and then individual groups for each folder for users who should only have access to specific folders.
  2. Cognito Identity Pools: Use a Cognito Identity Pool to provide AWS credentials to your users. When you set up the identity pool, you can specify different IAM roles to be assumed by authenticated users. You can also set up role mappings to choose which IAM role a user should assume based on their user pool group.
  3. IAM Roles: Create IAM roles with policies that grant the necessary S3 permissions. For example, you might have a role with a policy that allows access to all objects in your S3 bucket, and then individual roles for each folder with policies that only allow access to the objects in those folders.

Here's an example of how you can set up the role mappings in your identity pool:

{
  "Rules": [
    {
      "Claim": "cognito:groups",
      "MatchType": "Equals",
      "Value": "FullAccess",
      "RoleARN": "arn:aws:iam::123456789012:role/FullAccessRole"
    },
    {
      "Claim": "cognito:groups",
      "MatchType": "Equals",
      "Value": "Folder1",
      "RoleARN": "arn:aws:iam::123456789012:role/Folder1Role"
    },
    {
      "Claim": "cognito:groups",
      "MatchType": "Equals",
      "Value": "Folder2",
      "RoleARN": "arn:aws:iam::123456789012:role/Folder2Role"
    }
  ],
  "DefaultRoleARN": "arn:aws:iam::123456789012:role/DefaultRole"
}

FullAccessRole Policy: This policy allows access to all objects in the S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::your-bucket-name/*"
        }
    ]
}

Folder2Role Policy: This policy allows access only to objects in Folder2 of the S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::your-bucket-name/Folder2/*"
        }
    ]
}
answered a year ago by AWS
reviewed a year ago by kentrad (EXPERT)
  • Thank you for your response, and my apologies for the delayed reply. I have a follow-up question: could the user potentially be a member of multiple groups? This is my main issue. I understand that the identity pool can only inherit one rule from the user pool; am I wrong?

    I require a scalable solution for this matter, as my application needs to support multiple organizations.
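As an added illustration (not code from the answer or from AWS), a small Python simulation of the mechanism the answer describes: rules-based mapping assigns one role per identity, the first matching rule wins, and that role's policy scope then decides which object keys are reachable. It also exercises the case the follow-up comment raises, a user in several groups, under the stated assumption that such a token matches any Equals rule naming one of those groups; ROLE_PREFIXES, select_role and user_can_read are constructed for this simulation.

```python
# Added simulation: Cognito rule-based role mapping + per-folder S3 policies.
ROLE_MAPPING = {  # same shape and values as the answer's example rules
    "Rules": [
        {"Claim": "cognito:groups", "MatchType": "Equals", "Value": "FullAccess",
         "RoleARN": "arn:aws:iam::123456789012:role/FullAccessRole"},
        {"Claim": "cognito:groups", "MatchType": "Equals", "Value": "Folder1",
         "RoleARN": "arn:aws:iam::123456789012:role/Folder1Role"},
        {"Claim": "cognito:groups", "MatchType": "Equals", "Value": "Folder2",
         "RoleARN": "arn:aws:iam::123456789012:role/Folder2Role"},
    ],
    "DefaultRoleARN": "arn:aws:iam::123456789012:role/DefaultRole",
}

# Constructed: object-key prefixes each role's policy Resource covers.
# "" stands for "your-bucket-name/*"; the default role is granted nothing here.
ROLE_PREFIXES = {
    "arn:aws:iam::123456789012:role/FullAccessRole": [""],
    "arn:aws:iam::123456789012:role/Folder1Role": ["Folder1/"],
    "arn:aws:iam::123456789012:role/Folder2Role": ["Folder2/"],
    "arn:aws:iam::123456789012:role/DefaultRole": [],
}


def select_role(claims: dict, mapping: dict = ROLE_MAPPING) -> str:
    """Role an identity pool assigns from ID-token claims: rules are checked
    in order, the first match wins, otherwise the default role applies.
    Only the "Equals" match type used on the page is implemented.
    Assumption: a multi-valued cognito:groups claim matches an Equals rule
    when the rule's value is one of the user's groups."""
    for rule in mapping["Rules"]:
        claim = claims.get(rule["Claim"], [])
        values = claim if isinstance(claim, list) else [claim]
        if rule["MatchType"] == "Equals" and rule["Value"] in values:
            return rule["RoleARN"]
    return mapping["DefaultRoleARN"]


def allowed(role_arn: str, object_key: str) -> bool:
    """Prefix check standing in for the role policy's Resource pattern."""
    return any(object_key.startswith(p) for p in ROLE_PREFIXES[role_arn])


def user_can_read(groups: list, object_key: str) -> bool:
    """End to end: groups in the token -> mapped role -> is the key allowed?"""
    return allowed(select_role({"cognito:groups": groups}), object_key)


if __name__ == "__main__":
    for groups in (["FullAccess"], ["Folder2"], ["Folder1", "Folder2"], []):
        print(groups, select_role({"cognito:groups": groups}),
              user_can_read(groups, "Folder2/report.pdf"))
```

Note that a user in both Folder1 and Folder2 ends up with Folder1Role only, because a rule set yields a single role; that is the limitation the comment is asking about.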
