S3 bucket per tenant approach. Can I assign different IAM roles for different users in the Amplify project?


Please let me know if this is a valid approach or I am missing something fundamental.

Requirement:

  • I need to be able to restrict each tenant's users from accessing other tenants' S3 files
  • and be able to measure each tenant's space usage in S3.

Solution I am thinking of implementing: Upon user signup, we check whether this is a sign-up by invitation to an already existing tenant space or a new registration

  • if it's a new tenant, then we register them in a custom DynamoDB table and create an S3 bucket for them
  • if it's a new user in an existing tenant, we only add them to the IAM role that can access the tenant's S3 bucket

Details: I am currently using a Cognito custom attribute to store the tenant ID (it's configured so that it cannot be changed by the user themselves) and struggle to figure out how I can affect the role mapping in the Cognito identity pool to implement the above logic. Please give me directions to dig further, or advice on the overall approach in general.

Some of the ideas are taken from this article https://medium.com/@dantasfiles/multi-tenant-aws-amplify-method-2-cognito-groups-38b40ace2e9e; it also suggests using Cognito dynamic groups to differentiate tenants, and that seems to resolve the S3 issue as well, but with dynamic groups sync events won't work, right?

Known limitation: Real-time subscriptions are not supported for dynamic group authorization. https://docs.amplify.aws/cli/graphql/authorization-rules/#user-group-based-data-access

There is also this question https://repost.aws/questions/QUW1WibDWjQd2rOll4mDiPMA which suggests using a Lambda and presigned S3 URLs to regulate access to S3 files based on the tenant logic.

1 Answer

One of the possible approaches seems to be using the Cognito identity provider attribute mapping to principal tags, in combination with S3 bucket policies.

{
    "Version": "2012-10-17",
    "Id": "Policy1667740367430",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/tenant": "${aws:PrincipalTag/tenant}"
                }
            }
        }
    ]
}
Arsen
answered a year ago
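The bucket policy in the answer above relies on IAM policy-variable semantics that are easy to get wrong: the condition compares the tag on the stored object with the tenant tag carried by the caller's principal, and a caller without that principal tag (an anonymous request, or a role whose identity-pool attribute mapping is missing) never matches because an unresolvable ${...} variable makes the condition fail. The following added example, not code from the answer's author or from AWS, is a toy evaluator that models just that StringEquals behaviour so the cases can be checked offline. It also adds a hypothetical second statement for s3:PutObject using s3:RequestObjectTag/tenant, since objects only carry an ExistingObjectTag if uploads are forced to tag them with the caller's tenant. The policy name, the tenant values and the request contexts are constructed for the demo; real IAM evaluation (explicit Deny, resource matching, identity-based policies) is not modelled.

```python
"""Toy evaluator for the tenant-tag S3 bucket policy (added example, not AWS code)."""
import re
from typing import Dict, Optional

# Statement 1 is the GetObject statement from the answer; statement 2 is a hypothetical
# addition that makes every upload carry the uploader's tenant tag, so that later
# GetObject checks on s3:ExistingObjectTag/tenant have a tag to compare against.
TENANT_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*",
            "Condition": {"StringEquals": {"s3:ExistingObjectTag/tenant": "${aws:PrincipalTag/tenant}"}},
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*",
            "Condition": {"StringEquals": {"s3:RequestObjectTag/tenant": "${aws:PrincipalTag/tenant}"}},
        },
    ],
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _resolve(template: str, ctx: Dict[str, str]) -> Optional[str]:
    """Substitute ${key} policy variables from the request context.
    If any variable is absent from the context the whole value is None: IAM treats a
    condition that references a missing variable as not matching."""
    missing = False

    def sub(match):
        nonlocal missing
        value = ctx.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    resolved = _VAR.sub(sub, template)
    return None if missing else resolved


def _condition_matches(condition: Dict[str, Dict[str, str]], ctx: Dict[str, str]) -> bool:
    """Only StringEquals is modelled; all keys in the block must match (logical AND)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, template in pairs.items():
            actual = ctx.get(key)          # absent key (untagged object / no tag on request)
            expected = _resolve(template, ctx)
            if actual is None or expected is None or actual != expected:
                return False
    return True


def is_allowed(policy: dict, action: str, ctx: Dict[str, str]) -> bool:
    """True if an Allow statement covering `action` has its Condition satisfied.
    Simplifications: Principal "*" is taken at face value, the single Resource is assumed
    to match the request, and explicit Deny statements are not modelled."""
    for statement in policy["Statement"]:
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions:
            continue
        if _condition_matches(statement.get("Condition", {}), ctx):
            return statement["Effect"] == "Allow"
    return False


def context(principal_tenant=None, existing_object_tenant=None, request_tenant=None) -> Dict[str, str]:
    """Build the request-context keys the policy reads. None means the key is absent:
    an anonymous caller, an untagged object, or an upload that sends no tag."""
    ctx: Dict[str, str] = {}
    if principal_tenant is not None:
        ctx["aws:PrincipalTag/tenant"] = principal_tenant
    if existing_object_tenant is not None:
        ctx["s3:ExistingObjectTag/tenant"] = existing_object_tenant
    if request_tenant is not None:
        ctx["s3:RequestObjectTag/tenant"] = request_tenant
    return ctx


def demo() -> Dict[str, bool]:
    """Constructed scenarios with two hypothetical tenants, 'acme' and 'globex'."""
    p = TENANT_BUCKET_POLICY
    return {
        "same_tenant_get": is_allowed(p, "s3:GetObject", context("acme", "acme")),
        "cross_tenant_get": is_allowed(p, "s3:GetObject", context("acme", "globex")),
        "anonymous_get": is_allowed(p, "s3:GetObject", context(None, "acme")),
        "untagged_object_get": is_allowed(p, "s3:GetObject", context("acme", None)),
        "tagged_put": is_allowed(p, "s3:PutObject", context("acme", request_tenant="acme")),
        "untagged_put": is_allowed(p, "s3:PutObject", context("acme")),
        "cross_tenant_put": is_allowed(p, "s3:PutObject", context("acme", request_tenant="globex")),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} -> {'ALLOW' if allowed else 'DENY'}")
```

Two caveats the toy makes visible: an object that was uploaded without a tenant tag is unreadable by everyone under the GetObject statement, which is why uploads need the RequestObjectTag guard (or tagging from a trusted backend); and object-tag conditions do nothing for s3:ListBucket, which is a bucket-level action, so listing still has to be scoped another way (for example per-tenant key prefixes). In a real bucket policy the Principal should also be narrowed to the identity pool's authenticated role rather than "*", even though the condition already rejects callers without the tag.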
