1 Answer
0
One of the possible approaches seems to be using the Cognito identity provider attribute mapping to principal tags in combination with S3 bucket policies.
```json
{
  "Version": "2012-10-17",
  "Id": "Policy1667740367430",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/tenant": "${aws:PrincipalTag/tenant}"
        }
      }
    }
  ]
}
```
answered a year ago
Although it doesn't seem to be possible to set the PrincipalTag <-> attribute mapping through CloudFormation: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/779
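A simplified local model of how the condition in the policy above matches requests, added here as an illustration and not part of the original answer. The tenant names and helper functions are constructed, and the code covers only this one `StringEquals` condition, not full IAM evaluation.

```python
import re

# Statement from the answer's bucket policy (BUCKET_NAME is its placeholder).
STATEMENT = {
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*",
    "Condition": {"StringEquals": {
        "s3:ExistingObjectTag/tenant": "${aws:PrincipalTag/tenant}"}},
}
_VAR = re.compile(r"\$\{([^}]+)\}")

def resolve(value, context):
    """Substitute ${key} policy variables; None if any key is absent."""
    if any(k not in context for k in _VAR.findall(value)):
        return None
    return _VAR.sub(lambda m: context[m.group(1)], value)

def statement_matches(statement, context):
    """Model: the Allow applies only if every StringEquals pair is
    present on both sides and equal (comparison is case-sensitive)."""
    for key, expected in statement["Condition"]["StringEquals"].items():
        actual, wanted = context.get(key), resolve(expected, context)
        if actual is None or wanted is None or actual != wanted:
            return False
    return statement["Effect"] == "Allow"

def request_context(principal_tenant, object_tenant):
    """Constructed context keys for one GetObject request."""
    ctx = {}
    if principal_tenant is not None:
        ctx["aws:PrincipalTag/tenant"] = principal_tenant
    if object_tenant is not None:
        ctx["s3:ExistingObjectTag/tenant"] = object_tenant
    return ctx

# Constructed cases: (session principal tag, object tag).
CASES = {
    "same tenant": ("acme", "acme"),
    "other tenant's object": ("acme", "globex"),
    "session without tenant tag": (None, "acme"),
    "object without tenant tag": ("acme", None),
    "case mismatch": ("Acme", "acme"),
}

def evaluate_cases():
    return {name: statement_matches(STATEMENT, request_context(*pair))
            for name, pair in CASES.items()}

if __name__ == "__main__":
    for name, allowed in evaluate_cases().items():
        print(f"{name:28s} -> {'match' if allowed else 'no match'}")
```

Only the "same tenant" case matches. The statement is an Allow, so it isolates tenants only if the role's own identity policies do not separately grant `s3:GetObject` on the bucket.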