How to use Android S3 TransferUtility without Cognito

Question

My Android app is currently uploading to Amazon S3 bucket through Presigned URL. However, we kind of need to have a pause and continue interrupted upload because our userbase are in low connectivity area.

It seems that there is no way to do this using S3 Presigned URL (correct me if I am wrong). After searching a while, I found out that there is TransferUtility in AWS S3 SDK for Android. This utility seems can do pause and continue interrupted upload.

https://github.com/awslabs/aws-sdk-android-samples/blob/main/S3TransferUtilitySample/S3TransferUtilityTutorial.md

But in the example, it seems that we need to create an Amazon Cognito pool. For now, I don't want to be committed to migrating our users to Cognito just to do this.

Is there any way to utilize TransferUtility without Cognito but still pretty secure? I am thinking of creating a temporary credentials using STS only for a one object in the bucket and then pass it to the Android through similar API that we use to pass the presigned URL. But AFAIK, STS can only assume one role, we cannot limit it to one single object.

Accepted Answer

What you're trying to do actually uses an Amazon Cognito [identity pool](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html#what-is-amazon-cognito-identity-pools), not a [user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html#what-is-amazon-cognito-user-pools). Therefore, there's no need to migrate any users to a Cognito user pool for this scenario as you're able to use an identity pool on it's own.

An identity pool allows you to get temporary AWS credentials and does not manage the underlying identities of your users. Look into the [README](https://github.com/awslabs/aws-sdk-android-samples/blob/main/S3TransferUtilitySample/README.md) for the utility example for steps on setting up the Cognito identity pool (e.g. steps 1 & 2).

**However, and most importantly**, this sample you're looking into uses an "unauthenticated" role from the identity pool. And this has the `AmazonS3FullAccess` policy attached to this unauthenticated role. I would highly, highly recommend to instead using an authenticated role with IAM policies that follow a more restrictive and least privileged access model, based on your use case and requirements. You have an ability to federate from your existing identity provider that your Android app uses to the Cognito identity pool. This way you can securely allow only authenticated users access to the S3 bucket and you can enforce more fine-grained permissions. For example, you could use an [attribute-based access control (ABAC)](https://docs.aws.amazon.com/cognito/latest/developerguide/attributes-for-access-control.html) or a [role-based access control (RBAC)](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html) model to determine permissions.

Here's some additional links to help out (in addition to the repo you referenced):
- [Using identity pools](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html)
- [Identity pools authentication flow](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html)
- [Identity pools external identity providers](https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html)
  - If you're application happens to already be using Facebook, Google, Sign with Apple, Login with Amazon, or any OIDC or SAML identity provider, you could follow the guidance mentioned above.
- [Developer-authenticated identities](https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html)
  - If you're using something custom for identity provider for your Android app, you could look into using the developer-authenticated identities

How to use Android S3 TransferUtility without Cognito

Relevant content