Managing Access to KVS - policy to allow dynamically modifying access

Hey,

In my use case, users (Authenticated Cognito Identity users) will own Kinesis Video Stream resources. They should be able to share access to their KVS resources with other users.

There doesn't seem to be a scalable solution.

In this situation, there are between 1-10 policies that get applied to Authenticated users. These policies are generic for each user, with the differences between users coming from variables within the policy. The variables of use to us for this use case seem to be:

  1. cognito-identity.amazonaws.com:sub --- The Unique ID of the user
  2. aws:ResourceTag/TagKey --- A Tag applied to the resource.

A non-scalable solution could be to add a tag onto the video resource such as "invited_user", with the value of the user's id, and the Authenticated User Policy could include something such as:

  - Effect: "Allow"
    Action:
      - "kinesisvideo:ConnectAsViewer"
      - "kinesisvideo:DescribeSignalingChannel"
      - "kinesisvideo:GetSignalingChannelEndpoint"
      - "kinesisvideo:GetDataEndpoint"
      - "kinesisvideo:GetHLSStreamingSessionURL"
      - "kinesisvideo:ListFragments"
      - "kinesisvideo:GetClip"
      - "kinesisvideo:GetIceServerConfig"
    Resource: "*"
    Condition:
      StringEquals:
        # IAM policy variable: the caller's Cognito identity id must equal the resource's invited_user tag
        "aws:ResourceTag/invited_user": "\\${cognito-identity.amazonaws.com:sub}"

But this will only allow sharing the resource with one other user.

I'm looking for some sort of scalable solution to this problem that I might have missed or overlooked; is there something I'm missing?

Thanks!
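To make the limitation described in the question concrete, the following added example (not part of the original post, and not AWS's own evaluator) simulates how the tag-based condition above is decided: the `${cognito-identity.amazonaws.com:sub}` policy variable is resolved from the request context and compared with the resource's `invited_user` tag. Because a resource tag key holds exactly one value, inviting a second user overwrites the first invitee's access. All identity ids, tag values and helper names are constructed for illustration.

```python
"""Simulation of IAM policy-variable resolution and a StringEquals resource-tag
condition, as used in the Kinesis Video Streams sharing policy above.

This is a constructed model of the evaluation logic, not a call to AWS; it exists
to show why a single-valued tag can only grant access to one invited user.
"""
import re

# Matches IAM policy variables such as ${cognito-identity.amazonaws.com:sub}
VARIABLE = re.compile(r"\$\{([^}]+)\}")
TAG_PREFIX = "aws:ResourceTag/"

# The statement from the question, in JSON-like form (constructed)
STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "kinesisvideo:ConnectAsViewer",
        "kinesisvideo:DescribeSignalingChannel",
        "kinesisvideo:GetSignalingChannelEndpoint",
        "kinesisvideo:GetDataEndpoint",
        "kinesisvideo:GetHLSStreamingSessionURL",
        "kinesisvideo:ListFragments",
        "kinesisvideo:GetClip",
        "kinesisvideo:GetIceServerConfig",
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            TAG_PREFIX + "invited_user": "${cognito-identity.amazonaws.com:sub}",
        }
    },
}


def resolve(value, context):
    """Substitute ${key} policy variables from the request context.

    If any referenced key is absent from the context (e.g. an unauthenticated
    caller has no Cognito sub), return None so the condition cannot match.
    """
    missing = False

    def repl(match):
        nonlocal missing
        key = match.group(1)
        if key not in context:
            missing = True
            return ""
        return context[key]

    resolved = VARIABLE.sub(repl, value)
    return None if missing else resolved


def string_equals(condition, context, resource_tags):
    """Evaluate one StringEquals block; every key must match (logical AND)."""
    for key, raw_expected in condition.items():
        expected = resolve(raw_expected, context)
        if expected is None:
            return False
        if key.startswith(TAG_PREFIX):
            actual = resource_tags.get(key[len(TAG_PREFIX):])
        else:
            actual = context.get(key)
        if actual != expected:
            return False
    return True


def is_allowed(statement, action, resource_tags, context):
    """Decide whether the Allow statement applies to this action and resource."""
    if action not in statement["Action"]:
        return False
    return string_equals(statement["Condition"]["StringEquals"], context, resource_tags)


def share_with(resource_tags, invitee_sub):
    """Model "sharing" by tagging the stream. A tag key holds one value, so the
    previous invitee (if any) is displaced and returned."""
    previous = resource_tags.get("invited_user")
    resource_tags["invited_user"] = invitee_sub
    return previous


def request_context(sub):
    """Constructed request context for an authenticated Cognito identity."""
    return {"cognito-identity.amazonaws.com:sub": sub}


def demo():
    """Walk through inviting two users to one stream and report each outcome."""
    stream_tags = {"owner": "us-east-1:owner-0000"}  # constructed tag set
    alice = "us-east-1:alice-1111"                   # constructed identity ids
    bob = "us-east-1:bob-2222"
    action = "kinesisvideo:GetHLSStreamingSessionURL"
    results = {}

    share_with(stream_tags, alice)
    results["alice_after_invite"] = is_allowed(STATEMENT, action, stream_tags, request_context(alice))
    results["bob_before_invite"] = is_allowed(STATEMENT, action, stream_tags, request_context(bob))

    results["displaced"] = share_with(stream_tags, bob)  # second invite overwrites the tag
    results["bob_after_invite"] = is_allowed(STATEMENT, action, stream_tags, request_context(bob))
    results["alice_after_bob_invited"] = is_allowed(STATEMENT, action, stream_tags, request_context(alice))

    # An unauthenticated caller has no sub, so the variable cannot resolve
    results["anonymous"] = is_allowed(STATEMENT, action, stream_tags, {})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the second invitation granting Bob access while silently revoking Alice's, which is the one-invitee limit the question describes; the anonymous case also shows that an unresolvable policy variable never matches.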

No answers
