How to dynamically update the policy of a user (Cognito identity) from the backend/Lambda?


I am building an IoT solution using IoT Core. The end user will be using a mobile app and will be authenticated and authorized using Cognito.

I want to authorize users to perform the iot:Publish and iot:Subscribe actions only on the devices that the user owns.

The IAM role attached to the Cognito identity pool has only the iot:Connect permission when the user is created. The user won't have any additional permission at this point.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "arn:aws:iot:us-east-1:1234567890:client/${cognito-identity.amazonaws.com:sub}"
        }
    ]
}

Now, when the user finishes the device provisioning, I want to attach an inline policy to the Cognito identity of that user to authorize him to publish and subscribe to the shadow of that device. Let's assume the ThingName is Thing1, so the policy should be as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect"
            ],
            "Resource": "arn:aws:iot:us-east-1:1234567890:client/${cognito-identity.amazonaws.com:sub}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Publish"
            ],
            "Resource": "arn:aws:iot:region:account-id:topic/$aws/things/Thing1/shadow/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:Subscribe"
            ],
            "Resource": "arn:aws:iot:region:account-id:topicfilter/$aws/things/Thing1/shadow/*"
        }
    ]
}

The user may keep adding new devices, and I want to scale this policy to include the resource ARNs of those devices.

This is an example for IoT Core, but my question is very generic to IAM policies (e.g. the same can be applied to dynamically allow access to S3 bucket folders).

So, here are my questions:

  1. What is the best approach for dynamically adding or removing the inline policy granted to the Cognito identity?

  2. Can I use the STS service for updating/attaching the policy on my backend/Lambda when new Things are added or removed?

Note:

  1. I can use a customer managed policy, but as far as I know it is not the right approach for granting policies to federated users.

  2. I know I can use intelligent naming of the devices, as mentioned in this approach: https://aws.amazon.com/blogs/iot/scaling-authorization-policies-with-aws-iot-core/ But I have a very basic requirement.
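The following is an added example, not part of the question or an answer posted on this page. It shows one way a backend Lambda can do what the question asks for: build a per-identity AWS IoT policy scoped to the shadow topics of the things that identity owns, validate every thing name before it is interpolated into an ARN so the grant cannot be widened, and attach the policy to the Cognito identity with the AWS IoT CreatePolicy / CreatePolicyVersion / AttachPolicy APIs. The region, account ID, identity ID and thing names are placeholder values, and the `iot` argument is assumed to be a boto3 IoT client created by the caller.

```python
import json
import re

# AWS IoT thing names are limited to these characters; rejecting anything else keeps
# MQTT wildcards ('#', '+') and path separators out of the ARNs interpolated below.
THING_NAME_RE = re.compile(r"^[A-Za-z0-9:_-]{1,128}$")


def is_safe_thing_name(name):
    """True when `name` can be placed in a resource ARN without widening the grant."""
    return THING_NAME_RE.fullmatch(name) is not None


def build_identity_policy(region, account_id, thing_names):
    """Build the IoT policy document for one identity, scoped to its things' shadows.

    iot:Publish / iot:Receive are evaluated against 'topic/' ARNs, while iot:Subscribe
    is evaluated against 'topicfilter/' ARNs, so the actions need separate statements.
    """
    for name in thing_names:
        if not is_safe_thing_name(name):
            raise ValueError(f"refusing unsafe thing name: {name!r}")
    prefix = f"arn:aws:iot:{region}:{account_id}"
    statements = [{"Effect": "Allow", "Action": "iot:Connect",
                   "Resource": f"{prefix}:client/${{cognito-identity.amazonaws.com:sub}}"}]
    if thing_names:  # a freshly created user owns nothing and keeps only iot:Connect
        statements.append({"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
            "Resource": [f"{prefix}:topic/$aws/things/{n}/shadow/*" for n in thing_names]})
        statements.append({"Effect": "Allow", "Action": "iot:Subscribe",
            "Resource": [f"{prefix}:topicfilter/$aws/things/{n}/shadow/*" for n in thing_names]})
    return {"Version": "2012-10-17", "Statement": statements}


def attach_identity_policy(iot, identity_id, document):
    """Create or update the per-identity IoT policy and attach it to the Cognito identity.

    `iot` is a boto3 IoT client (assumed, created by the caller). AWS IoT keeps at most
    five versions per policy, so the oldest non-default version is deleted first.
    """
    name = "identity-" + identity_id.replace(":", "_")  # ':' is not valid in a policy name
    body = json.dumps(document)
    try:
        iot.create_policy(policyName=name, policyDocument=body)
    except iot.exceptions.ResourceAlreadyExistsException:
        versions = iot.list_policy_versions(policyName=name)["policyVersions"]
        if len(versions) >= 5:
            oldest = min((v for v in versions if not v["isDefaultVersion"]),
                         key=lambda v: int(v["versionId"]))
            iot.delete_policy_version(policyName=name, policyVersionId=oldest["versionId"])
        iot.create_policy_version(policyName=name, policyDocument=body, setAsDefault=True)
    iot.attach_policy(policyName=name, target=identity_id)  # no-op if already attached
    return name
```

Call `build_identity_policy` with the full list of things the user currently owns each time a device is added or removed, then pass the result to `attach_identity_policy` with `boto3.client("iot")`; the identity then gets exactly the current set, with no per-thing policy sprawl.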

No Answers
