Using IAM for individual client access

0

Hi. I'm currently working on a project where we will have different organizations signing up to our service. Each organization will store images and files on S3 and I want to provide a fairly secure solution. So I'm wondering if it would be a good solution to create a separate IAM user for each account with a limited permission granting them access to only their subfolder of our S3 buckets. Or is there a better way to do so?

Best regards Dennis

2 Answers
0

Hi Dennis. When your project scales, managing a large number of IAM users can become complex and cumbersome.

I think creating a Cognito identity pool and controlling permissions based on user attributes may also be a solution.

Here is the AWS example document: Using attributes for access control policy example

Regarding the user's login, I think that an identity pool (federated identity) external identity provider can be used, and the specific configuration documents are as follows: Identity pools (federated identities) external identity providers

Hope my answer can be helpful to you :D

answered 8 months ago
  • Hi Wang. Thank you for the reply. I will take a look at Cognito to see if that would be a better solution. We have our own login flow, so would that work? Or does it require generating identities for each organization? And would it also have the same possibility to limit access to organization-specific subfolders on S3?

  • Sorry for the late reply, I did not receive comment notifications. Regarding your question, you don't have to set up identity for each organization. If your existing authentication method can use SAML and OpenID, it can be plugged in directly, using attributes of an organization's identity as variables in the identity pool role policy to dynamically grant permissions to the organization. For example, if your user attribute has an attribute named "organization", you can specify it in the Resource of the role policy like this: "arn:aws:s3:::${aws:PrincipalTag/organization}/*".
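To make the per-organization scoping concrete, here is an IAM policy document written as an added example for this thread; it is not from the original post, from AWS documentation, or from either answer. It assumes a single shared bucket named `example-tenant-files` (a placeholder) with one top-level prefix per organization, and it uses the `organization` principal tag mentioned in the comment above. The same policy serves the question's per-IAM-user approach: replace `${aws:PrincipalTag/organization}` with the literal organization name in each user's policy. Note that the comment's variant, `arn:aws:s3:::${aws:PrincipalTag/organization}/*`, scopes access to a whole bucket named after the organization rather than to a prefix inside a shared bucket; the form below is the prefix-scoped one the question asks about.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-tenant-files",
      "Condition": {
        "StringLike": {
          "s3:prefix": "${aws:PrincipalTag/organization}/*"
        }
      }
    },
    {
      "Sid": "ReadWriteOwnPrefixOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-tenant-files/${aws:PrincipalTag/organization}/*"
    }
  ]
}
```

Two points worth checking before relying on this. First, `s3:ListBucket` is a bucket-level permission, so without the `s3:prefix` condition a principal could enumerate every organization's object keys even though it cannot read them; the condition also denies list calls that omit a prefix entirely. Second, the policy is only as tight as the tag value: the `organization` attribute must be set by your identity provider mapping, never by the user, and should be restricted to a safe character set (no `*`, `?` or `/`), otherwise a crafted value could widen the `StringLike` match or the resource ARN.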

0

I'd not grant access via IAM Users; you can assign permissions to a bucket to allow another account to place items in the bucket. It'd be better to allow that.

https://repost.aws/knowledge-center/cross-account-access-s3

AWS
EXPERT
Rob_H
answered 8 months ago
  • Hi Rob. Thank you for the reply. In this scenario it's application organizations that would get a unique IAM user with a strict policy to only be able to get and put objects in a subfolder dedicated to their organization. So it's not a case of multiple AWS accounts having access to the bucket. As I can read from the other reply, Cognito may be a solution dedicated for this purpose? I just want to ensure that the individual organization has the least necessary permissions to S3 and will not be able to accidentally access files belonging to another organization, and it has to be handled programmatically.
