Hello,
I am looking at client side encryption.
How do i give individual cognito users access to individual kms keys since a group based approach is not scalable?
I am unsure how to allow a user to access a kms key for encrypt/decrypt. Previously, on other projects i have added the kms:encrypt/kms:decrypt permissions for a particular kms arn to a authenticated user pool identity. Each user pool belonged to a different institution and all was well. However, i have a new problem where fine grained kms permissions are required.
If i have a cognito user, how can i give them specific permission to use the kms:encrypt/kms:decrypt for a particular KMS arn?
One approach would be to create an IAM role with kms:encrypt/kms:decrypt permissions and attach it to a Cognito group, then add/remove the users to that group. This seems naive and not scalable.
I am looking to first give each user their own KMS key for a "project", this user is the project owner. If they have a two sub users, i want them to be able to encrypt their own data which is only visible to them and the project owner.
Let's say we have one project owner and two sub users. This would require 3 kms key arns, the project owner has permissions to access all three and the sub users only have one each. This way, the data can be decrypted only by the users of the application given their scope.
However, there is a hard limit of 10,000 groups per user pool. This seems a bit limiting in the long term.
What is the right way to do this?
AWS OFFICIALUpdated a year ago
That's an interesting answer and i will explore it. Is it possible to specify more than one user using this method?
This looks like it could work! Thank you so much!
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/