How to grant group to resources using Cognito and IAM

0

We would like to grant users access to read and write out of an S3 bucket based on their cognito group.

Based on examples in Cognito documentation, it seems like we need:

  • to update the IAM role associated with users in the identity pool
  • referencecognito:groups in some way

Is that correct? How do we reference cognito group...as a principal tag or some other way?

{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject", "s3:PutObject",
  ]
  "Resource": "arn:aws:s3:::myBucket/*",
  "Condition": {
    "StringLike": {
      "s3:prefix": [
        "${aws:PrincipalTag/cognito:groups}"
      ]
    },
  }
}

??

https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html https://docs.aws.amazon.com/cognito/latest/developerguide/using-attributes-for-access-control-policy-example.html

2 Answers
1
Accepted Answer

Hello,

I understand that you would like to implement Cognito group membership based access to certain S3 resources.

Unfortunately, there's no policy variable that can be used to detect the user pool group to which a user belongs. If it suits your use case, you may use one of the below workarounds:

Option 1: This example shows how you might create an identity-based policy that allows Amazon Cognito users to access objects in a specific S3 bucket. This policy allows access only to objects with a name that includes cognito, the name of the application, and the federated user's ID, represented by the ${cognito-identity.amazonaws.com:sub} variable. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the italicized placeholder text in the example policy with your own information. [1]

Option 2: For your use case, you can utilize the cognito group itself to create collections of users to manage their permissions or to represent different types of users. You can assign an AWS Identity and Access Management (IAM) role to a group to define the permissions for members of the group. [2]

Let's say you have a Cognito group named "Folder_A_Users" and the role attached to this group, let say "Folder_A_Role" has permissions to GetObject from this specific folder only. You can then set up Role Based Access Control in identity pool using "Choose role from Token". This will obtain the role from the identity token returned by the user pool and the authenticated user will be able to assume that role.

Alternatively, if you would not like to configure roles for groups on the user pool side, you can configure rules that will map different roles for different "cognito:groups" by using the "Choose role from rule" option in the Identity Pool. You can read in detail about these two options in [3].

Further, on the S3 bucket, you need to configure a bucket policy that will restrict access to the folders based on the IAM role assumed by the user. The bucket policy for restricting access to Folder_A to "Folder_A_Role" will be as follows:

{ "Version": "2012-10-17", "Id": "Policy1559937989640", "Statement": [ { "Sid": "Stmt1559937985466", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<Account_ID>:role/Folder_A_Role" ] }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::<Bucket_Name>/Folder_A/*" } ] }

Similarly you can add multiple roles and folders for each group type and restrict access. More about restricting access to S3 bucket based on IAM role is given in [4].

References

[1] Amazon S3: Allows Amazon Cognito users to access objects in their bucket - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html

[2] Adding groups to a user pool - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html

[3] https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

[4] https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

AWS
Priya_s
answered 6 months ago
0

Hey, I'm having a similar issue at the moment and I have a question regarding the second option:

Whenever you add another group, do you also have to edit the policy of the S3 bucket as well as add a policy for the group? Is there a more dynamic way to handle this?

FYI: I have a Cognito user pool with multiple users where each user is in one or more user groups. For each user group, there's a folder in my S3 bucket with the same name as the group and I want to give all users in this group access to the files in that folder.

I'm looking forward to your response!

Lukas
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions