Amazon Cognito user pool group roles to grant s3 access based on each group


I have a question regarding creating a generic role with policies that uses a variable identifying the Cognito user group.

Since it's hard to understand from the statement above, here is an example of what I want to achieve. Currently I manage my users using Cognito. These users can be added to "groups", and each group has a folder in my s3 bucket. Each user can be part of 0:n groups, and each group has exactly one folder in s3.

From what I have seen, I could achieve that by creating a different IAM Role for each group, with the permission for the specific folder, but since the number of groups can become large very quickly, I'm afraid the quota of IAM Roles would be exceeded pretty fast. That's when I learned about using one generic IAM Role that changes based on the user; you can check that here. In this link I can see that I could have one folder in my s3 bucket for each user, by using ${cognito-identity.amazonaws.com:sub} in the IAM Role. Is there any way to achieve this same behaviour for a user group, instead of only one user?

Example:

  • Group 1: User 1, User 2
  • Group 2: User 2, User 3

Folder 1:

  • User 1, 2 has access to files

Folder 2:

  • User 2, 3 has access to files

Possible solutions I thought of that I consider not viable or not ideal:

  • Create one folder on s3 for each user and upload each file on the folder of each user who has access. Problem: a lot of duplicate files, unnecessary complication for handling the same files in different places.
  • Create one folder on s3 for each user group and files would be uploaded to the respective group folder in s3. Problem: Creating one IAM Role for each group isn't viable, since we have a limit of how many roles can be created per aws account.
  • Create a custom backend to handle which user has access to each file, get the s3 file and return to the user. Problem: Unnecessary additional request that will affect the time to get the file.
  • Create a custom backend to return a signed url if the user has access to the requested file. Problem: Unnecessary additional request and potential vulnerability by creating a public URL (even if it's only valid for a period of time)
  • How do the users access their files on S3? Through an application or directly?
    With this scale and complexity you might need to consider a proper file system with granular permission management such as Microsoft AD and FSx for Windows.

  • They access through an application

2 Answers

I think you are looking for this: Using attributes for access control.

kentrad (AWS, EXPERT)
answered 10 months ago
  • First of all, thanks for the reply. After taking a look at it, I don't think it helps me solve the problem I'm having. Although it's great that you can create these custom mappings using Cognito User attributes, it looks like it only solves the problem when a user has only ONE permission level.

    Please correct me if I'm wrong, but since cognito user attributes can only be a String or a Number, this way the user can't have multiple-levels of permissions, which would require something like an array.

    Example: Let's say there is a music app. Users can create a group, add music files to that group, and add other users to have access to these music files. Each user only has access to the music files of a group he is a member of. In this case, we can't set one permission level on the user to access groups X, Y and Z. He needs multiple permission levels. If he is part of groups X and Y, he will have access to music files from X and Y, not Z.
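The two policy shapes discussed above, as an added worked example that is not part of the original thread: the per-user prefix keyed on ${cognito-identity.amazonaws.com:sub} that the question links to, and the per-group prefix keyed on IAM principal tags that the "Using attributes for access control" answer points to, including the one-value-per-tag limitation raised in the comment. The bucket name, the tag keys group1 to group3 and the sample identities are assumptions made for illustration; how an identity pool would populate more than one group tag from the user's token is not established by the thread and is likewise assumed. Only the IAM side is shown. Python is used because it can emit the policy JSON and check the variable substitution offline.

```python
"""Added example, not code from the original thread. Builds two IAM policy
documents for one shared Cognito role and resolves their policy variables
against a request context the way IAM does, so you can see which S3
prefixes a principal ends up with. BUCKET, the tag slots group1..group3 and
the sample identities are assumptions constructed for illustration."""
import fnmatch
import json
import re

BUCKET = "example-app-files"                      # assumed bucket name
GROUP_TAG_KEYS = ["group1", "group2", "group3"]   # assumed principal-tag slots

# Shape 1 (from the question): one folder per user, named after the
# Cognito identity id, so a single role serves every user.
PER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOwnFolder",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::" + BUCKET,
            "Condition": {"StringLike": {
                "s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]}},
        },
        {
            "Sid": "ReadWriteOwnFolder",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::" + BUCKET
                        + "/${cognito-identity.amazonaws.com:sub}/*",
        },
    ],
}


def group_policy(tag_keys):
    """Shape 2 (from the answer): one pair of statements per principal-tag
    slot. A tag holds one string, so a user in n groups needs n slots; a
    slot whose tag is absent on the session resolves to nothing and that
    statement grants nothing."""
    statements = []
    for key in tag_keys:
        var = "${aws:PrincipalTag/" + key + "}"
        statements.append({
            "Sid": "List" + key, "Effect": "Allow", "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::" + BUCKET,
            "Condition": {"StringLike": {"s3:prefix": [var + "/*"]}},
        })
        statements.append({
            "Sid": "Read" + key, "Effect": "Allow", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::" + BUCKET + "/" + var + "/*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


VAR_RE = re.compile(r"\$\{([^}]+)\}")


def resolve(template, context):
    """Substitute ${key} policy variables from the request context. Returns
    None if any key is missing: IAM treats such a Resource as unmatched."""
    if any(k not in context for k in VAR_RE.findall(template)):
        return None
    return VAR_RE.sub(lambda m: context[m.group(1)], template)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def can_read(policy, context, object_key):
    """True if an Allow statement carrying s3:GetObject matches the object
    ARN after substitution. IAM's '*' spans '/', as fnmatch's does."""
    arn = "arn:aws:s3:::" + BUCKET + "/" + object_key
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "s3:GetObject" not in _as_list(st["Action"]):
            continue
        for res in _as_list(st["Resource"]):
            pattern = resolve(res, context)
            if pattern is not None and fnmatch.fnmatchcase(arn, pattern):
                return True
    return False


def readable_prefixes(policy, context):
    """Folder prefixes the principal can GetObject under, after substitution."""
    prefixes = set()
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "s3:GetObject" not in _as_list(st["Action"]):
            continue
        for res in _as_list(st["Resource"]):
            resolved = resolve(res, context)
            if resolved is not None:
                prefixes.add(resolved.split(BUCKET + "/", 1)[1].rstrip("*"))
    return prefixes


# Constructed request contexts (not real identities).
USER1_CONTEXT = {"cognito-identity.amazonaws.com:sub": "us-east-1:0000-user-1"}
# User 2 from the question: member of groups 1 and 2, third slot unused.
USER2_CONTEXT = {"aws:PrincipalTag/group1": "group-1",
                 "aws:PrincipalTag/group2": "group-2"}

if __name__ == "__main__":
    print(json.dumps(group_policy(GROUP_TAG_KEYS), indent=2))
    print(readable_prefixes(PER_USER_POLICY, USER1_CONTEXT))
    print(readable_prefixes(group_policy(GROUP_TAG_KEYS), USER2_CONTEXT))
```

Running it prints the generated group policy and shows user 2 reaching group-1/ and group-2/ but nothing under a third group, which is the limitation the comment describes: the number of groups one user can belong to is bounded by the number of tag slots you are willing to map, and every slot costs two statements in the role's policy.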


Hey, have you found a solution to your problem yet? I'm having a similar issue: I have a Cognito user pool with multiple users where each user is in one or more user groups. For each user group, there's a folder in my S3 bucket with the same name as the group and I want to give all users in this group access to the files in that folder. I'm looking forward to your response!

Lukas
answered 2 months ago
