How is simple Cognito User Pool Authorization supposed to work?

0

I've been reading a lot of Cognito documentation and blogs and have not wrapped my head around how authorization for Cognito user pool users is supposed to work for a reasonably simple use case. Imagine that I have a browser application for sharing photos and videos.

  • A Cognito User pool forms the directory of app users, some of which are normal users that can upload and view photos, and some are 'premium' or something, who can also upload videos.
  • An API Gateway Rest Api has a Cognito authorizer protecting endpoints like GET /photos/{photoId} and POST /videos/
  • A web browser app that authenticates users with Cognito and interacts with the Rest Api /photos and /videos resources.

With that kind of setup, where/how are we supposed to authorize normal users to access the /photos methods but not the /videos endpoints?

2 Answers
1
Accepted Answer

You can use Cognito Groups to separate the two types of users/access, then assign each group to an IAM role, one for photo access and the other for video. The IAM policy will need to have a conditional statement to allow/deny access to these two groups. The challenge will be how to assign users to groups in the registration process automatically. If you have a form that allows users to request access to videos, for example, you can create an approval workflow and then have a Lambda function update the group with the new users.

Here's a reference:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html

Will
answered 3 months ago
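An added example, not from the question or either answer: with a Cognito user pool authorizer in front of a Lambda proxy integration, API Gateway has already verified the JWT and forwards its claims in `event["requestContext"]["authorizer"]["claims"]`, so the backend can enforce the group split directly from the `cognito:groups` claim. The group name `premium`, the route table and the sample claims are assumptions, not values from the page.

```python
import json

PREMIUM_GROUP = "premium"  # assumed group name; use the group defined in your user pool

# Which groups may call which route. None means any authenticated user.
ROUTE_POLICY = {
    ("GET", "/photos"): None,
    ("POST", "/photos"): None,
    ("GET", "/videos"): {PREMIUM_GROUP},
    ("POST", "/videos"): {PREMIUM_GROUP},
}


def groups_from_claims(claims):
    """Return the set of group names in the cognito:groups claim.

    The user pool issues it as a JSON array; API Gateway forwards it to a Lambda
    proxy integration as a string. Both the bracketed ("[premium admins]") and
    comma-separated ("premium,admins") string forms are handled, as is a list.
    """
    raw = claims.get("cognito:groups")
    if raw is None:
        return set()
    if isinstance(raw, list):
        return set(raw)
    return {g for g in raw.strip("[] ").replace(",", " ").split() if g}


def is_authorized(method, path, claims):
    """Deny by default: only routes listed in ROUTE_POLICY are reachable."""
    for (m, prefix), allowed in ROUTE_POLICY.items():
        if m == method and (path == prefix or path.startswith(prefix + "/")):
            return allowed is None or bool(groups_from_claims(claims) & allowed)
    return False


def handler(event, context=None):
    """Lambda proxy handler: enforce group-based access before doing any work."""
    ctx = event.get("requestContext", {})
    claims = ctx.get("authorizer", {}).get("claims", {})
    method = event.get("httpMethod", "")
    path = event.get("path", "")
    if not claims.get("sub"):  # no verified identity: fail closed
        return {"statusCode": 401, "body": json.dumps({"error": "unauthenticated"})}
    if not is_authorized(method, path, claims):
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    return {"statusCode": 200, "body": json.dumps({"ok": True, "user": claims["sub"]})}
```

This complements the IAM-role approach in the answer above: the role mapping applies when requests are signed through an identity pool, whereas a user pool authorizer only validates the token, so the group check has to happen in the backend or in the policy attached to the calling role.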
0

In case you are looking for specific secure folder access with users using authentication, you can check NirvaShare at https://aws.amazon.com/marketplace/pp/prodview-hcqszucfxsvye

answered 3 months ago
