DynamoDB - Fine grain control scoped to Cognito User


I have a table that will contain rows of data for all users of the app. But I only want User A to access rows added by User A, User B to access User B's rows, etc. So it's essentially a user-scoped database.

IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:GetItem",
                "dynamodb:DeleteItem",
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:0000000:table/my-table",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

I believe the "cognito-identity.amazonaws.com:sub" for my user is: us-east-1:XXXXX

My id for rows is us-east-1:XXXXX#uuid1, but us-east-1:XXXXX can't access it. I get: AccessDeniedException

However, the following condition worked:

"Condition": {
  "ForAllValues:StringEquals": {
    "cognito-identity.amazonaws.com:sub": [
      "us-east-1:XXXXX"
    ]
  }
}
  • Can you pull the error out of CloudTrail? That should hopefully give more info.

  • CloudTrail just shows DescribeTable but not PutItem calls.

1 answer

Hi. From a quick glance, the policy looks to be correct.

Have you done the following as well:

  • Use the Cognito ID as the hash key for DynamoDB
  • Validated proper access to the KMS Key (If used) for the User.

How are you connecting the users to access the DynamoDB Table? Are you using a role that grants access to a Cognito Identity Provider and do you have a user pool group set up for your Cognito users in Cognito?

jsonc
answered 2 years ago
  • Use the Cognito ID as the hash key for DynamoDB

    hash key? The id field (Partition key) has CognitoID#ItemUUID

    How are you connecting the users to access the DynamoDB Table?

    IdentityPool group has IAM policy mentioned in question.
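To make the behaviour of the question's condition visible without an AWS account, here is a small model of how IAM evaluates "ForAllValues:StringEquals" on dynamodb:LeadingKeys. It compares the question's composite partition key ("identity#uuid") with the answer's suggestion of using the Cognito identity ID itself as the hash key. This is an added example, not code from the question, the answer or AWS; the identity ID "us-east-1:XXXXX" and the item id "uuid1" are the question's placeholders, and the function names, the second user "us-east-1:YYYYY" and the "#*" pattern are constructed for the example.

```python
# Added example (not from the question, the answer or AWS): a model of how IAM
# evaluates a "ForAllValues:<operator>" condition on dynamodb:LeadingKeys.
# "us-east-1:XXXXX" and "uuid1" are the question's placeholders; everything else
# (helper names, the second user, the "#*" pattern) is constructed here.
import fnmatch
from typing import Callable, Dict, List

IDENTITY_A = "us-east-1:XXXXX"  # placeholder identity ID from the question
IDENTITY_B = "us-east-1:YYYYY"  # constructed second user

# Operators modelled: exact match and the wildcard match IAM uses for StringLike.
MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "StringEquals": lambda value, allowed: value == allowed,
    "StringLike": fnmatch.fnmatchcase,
}


def leading_keys(items: List[Dict[str, str]], partition_key: str) -> List[str]:
    """dynamodb:LeadingKeys is the multi-valued set of partition-key values in a
    request (each item's key for GetItem/PutItem/BatchGetItem, the key in the
    KeyConditionExpression for Query). Only the partition key counts, and it is
    compared as one whole string: a "#uuid" suffix is not split off."""
    return [item[partition_key] for item in items]


def for_all_values(values: List[str], allowed: List[str], operator: str) -> bool:
    """ForAllValues:<operator>: every value in the request must match at least
    one allowed value. With no values at all the condition is satisfied, which
    is why an action that never populates LeadingKeys is not restricted by it."""
    match = MATCHERS[operator]
    return all(any(match(v, a) for a in allowed) for v in values)


def policy_allows(items: List[Dict[str, str]], partition_key: str,
                  caller_sub: str, operator: str = "StringEquals") -> bool:
    """Evaluate the question's condition with ${cognito-identity.amazonaws.com:sub}
    replaced by caller_sub. For StringLike the constructed pattern is '<sub>#*',
    i.e. the caller's identity followed by the '#' delimiter and anything."""
    allowed = [caller_sub] if operator == "StringEquals" else [caller_sub + "#*"]
    return for_all_values(leading_keys(items, partition_key), allowed, operator)


# Layout 1: the question's composite partition key "identity#uuid".
COMPOSITE_ROW_A = {"id": f"{IDENTITY_A}#uuid1"}

# Layout 2: the answer's suggestion, identity ID as the partition (hash) key
# and the item id as the sort key.
SPLIT_ROW_A = {"pk": IDENTITY_A, "sk": "uuid1"}
SPLIT_ROW_B = {"pk": IDENTITY_B, "sk": "uuid2"}


def composite_key_with_string_equals() -> bool:
    # The leading key is the whole value "us-east-1:XXXXX#uuid1", which is not
    # equal to "us-east-1:XXXXX", so the request is denied.
    return policy_allows([COMPOSITE_ROW_A], "id", IDENTITY_A)


def composite_key_with_string_like() -> bool:
    # Same row, wildcard operator with the constructed "<sub>#*" pattern.
    return policy_allows([COMPOSITE_ROW_A], "id", IDENTITY_A, operator="StringLike")


def split_key_own_rows() -> bool:
    return policy_allows([SPLIT_ROW_A], "pk", IDENTITY_A)


def split_key_other_users_row() -> bool:
    return policy_allows([SPLIT_ROW_B], "pk", IDENTITY_A)


def split_key_batch_mixing_users() -> bool:
    # A BatchGetItem touching both users' rows is denied as a whole: ForAllValues
    # requires every partition-key value in the request to belong to the caller.
    return policy_allows([SPLIT_ROW_A, SPLIT_ROW_B], "pk", IDENTITY_A)


if __name__ == "__main__":
    for fn in (composite_key_with_string_equals, composite_key_with_string_like,
               split_key_own_rows, split_key_other_users_row,
               split_key_batch_mixing_users):
        print(f"{fn.__name__}: {'allowed' if fn() else 'denied'}")
```

Two points the model makes explicit. First, the exact-match operator only works when the partition-key value is the identity ID and nothing else, which is the layout the answer suggests (identity ID as hash key, item id as sort key); IAM does accept policy variables under StringLike, so a "${cognito-identity.amazonaws.com:sub}#*" pattern is a way to keep a composite key, but the delimiter matters: without it, an identity that is a prefix of another would match. Second, ForAllValues is satisfied when the request carries no LeadingKeys at all, so it is worth checking separately whether the dynamodb:Scan action in the policy is actually constrained by this condition rather than assuming it is.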
