By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Do you control user or developer access with IAM policies?

0

I am struggling to get a grasp on what exact terminology means and as such,. am having difficulty developing appropriate AWS architecture.

My core question is essentially "is IAM dedicated for controlling access for developers using AWS to build their product/software or for user access control."

For example:

From a user perspective: A user (customer) creates an 'account' with my software. In this software, they create a text file, write something in the text file, and then save this text file which can be accessed via the cloud. When they log back in on a different computer, they can see their text file and can continue to edit it.

From a backend perspective: An AWS Cognito user is created. When they save the file an get API request is called and routed using API Gateway which runs a lambda script to return a presigned URL path for the text file to be uploaded into an S3 bucket into a user dedicated folder. Then the POST API request is made to upload the file directly to S3. An example of what two folders in S3 my look like when two users have uploaded a file:

mybucket/User A/: - personalinfo.txt

mybucket/User B/: - raw_data.txt

What is responsible for ensuring a User has permissions to access only their text files and not somebody elses? Where do I control that User A has access to personalinfo.txt, and User B does not?

Is IAM responsible for handle individual users like this? From my understanding IAM is only dedicated for preventing want developers (software engineers) can access and control in AWS. If its not IAM, what tool should be used to prevent/grant access to personal data that is stored in an S3 bucket?

Topics
Security, Identity, & Compliance
Tags
Amazon CognitoAWS IAM Identity CenterIAM PoliciesAmazon Cognito User Pools
Language
English
vleppi
asked 2 months ago166 views
1 Answer
1
Accepted Answer

Here is a similar question https://repost.aws/it/questions/QUutSZgcSPQJiCL5p-ln_aVA/access-the-s3-folder-specific-to-particular-user-authenticated-using-cognito

S3 Bucket policy can limit access for a specific user to his own folder in S3

			{
				"Effect":"Allow",
				"Action":[
					"s3:GetObject",
					"s3:PutObject",
					"s3:DeleteObject"
				],
				"Resource":[
					"arn:aws:s3:::bucket_name_here/private-resources/${cognito-identity.amazonaws.com:sub}",
					"arn:aws:s3:::bucket_name_here/private-resources/${cognito-identity.amazonaws.com:sub}/*"
				]
			}
profile picture
EXPERT
Oleksii Bebych
answered 2 months ago
profile picture
EXPERT
Artem
reviewed a month ago
profile picture
EXPERT
Riku_Kobayashi
reviewed 2 months ago
  • vleppi
    2 months ago

    The similar question and your response is exactly what I needed, thankyou!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content