
How to restrict access to resources accessed via API Gateway using Cognito Custom Attributes

0

I have an app with a Cognito user base that has a custom attribute called "Tenant". I want to use this attribute to help me control the DynamoDB tables that are relevant to that user's tenant, so that the user can only see tables that "belong" to that tenant.

My app calls an API Gateway resource, which then uses a Lambda to make a PutItem request to my DynamoDB table. What I want to do is use the value of my "Tenant" custom attribute to control which tables the Cognito user should have access to. I have tried doing this via Principal tags, by adding a mapping under the "attributes for access control" table in the user pool's relevant identity pool's identity provider. But it seems that is not possible, because when the API Gateway calls the Lambda, the values in those Principal tags are gone, as the Lambda does not seem to have access to the calling session.

I have a condition such as below in my Lambda just as proof of concept, but I am getting an unauthorized error, I assume from the limitation I mention above.

"Condition": {
	"StringEquals": {
		"aws:PrincipalTag/TenantValue": "myTenantValue"
	}
} 

Is my use case above possible? How do I restrict access for an API invoked lambda based on the attributes of the cognito user calling the API Gateway?

1 Answer
0

To restrict API Gateway access based on Cognito custom attributes (like "Tenant"), you can implement the following approach:

  • Use API Gateway with Cognito Authorizer: Ensure that your API Gateway uses a Cognito User Pool authorizer to authenticate and authorize requests.

  • Pass Cognito User Attributes to Lambda: Extract custom attributes (like "Tenant") in your Lambda function from the JWT token provided by Cognito.

  • Implement Authorization Logic in Lambda: Use the extracted custom attribute to control access to DynamoDB tables within your Lambda function.

answered 2 years ago
  • Thanks for your answer Basel. I have the idea of implementing the auth logic myself using the custom attribute as a backup; I was kind of hoping that wouldn't be the answer as utilising AWS' native IAM policies would be ideal from a security standpoint I imagine. Is there no way to get the Lambda (when called by a cognito user via API Gateway's cognito authorizer) to retain the Principal Tags from the calling user? Then at the very least I can write a role based policy and control what the Lambda has access to using the attributes of the calling user.
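The Lambda-side authorization the answer describes, as an added example that is not from the original post or from AWS. It assumes a REST API with a Cognito User Pool authorizer and Lambda proxy integration (the claims arrive under `event["requestContext"]["authorizer"]["claims"]`), a custom attribute exposed as the `custom:Tenant` claim, and a constructed tenant-to-table allowlist `TENANT_TABLES`; `put_item` is an injectable hook so the logic can be exercised without DynamoDB.

```python
"""Hypothetical Lambda handler (added example) that derives the tenant from the
Cognito authorizer claims and refuses any table that does not belong to it."""
import json
import re

# Constructed mapping tenant -> the DynamoDB tables that tenant may write to.
# In a real deployment this would come from configuration, not a literal.
TENANT_TABLES = {
    "acme": {"acme-orders", "acme-customers"},
    "globex": {"globex-orders"},
}
TABLE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,255}$")  # DynamoDB table-name rules


def tenant_from_event(event):
    """Return the custom:Tenant claim placed in the event by the Cognito User Pool
    authorizer. Raise if it is absent, so a misconfigured route without an
    authorizer cannot fall through as 'no tenant'."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims") or {}
    tenant = claims.get("custom:Tenant")
    if not tenant:
        raise PermissionError("no custom:Tenant claim on the request")
    return tenant


def authorize_table(tenant, table):
    """Allow the write only if the table is on the tenant's allowlist. The check is
    exact set membership, not a prefix match, so 'acme-orders-backup' is denied."""
    if not TABLE_NAME_RE.match(table or ""):
        return False
    return table in TENANT_TABLES.get(tenant, set())


def handler(event, context, put_item=None):
    """Lambda entry point. `put_item` is injectable for testing; by default it calls
    DynamoDB through boto3 (imported lazily so the module loads without it)."""
    try:
        tenant = tenant_from_event(event)
    except PermissionError as exc:
        return {"statusCode": 403, "body": json.dumps({"error": str(exc)})}
    body = json.loads(event.get("body") or "{}")
    table, item = body.get("table"), body.get("item")
    if not authorize_table(tenant, table):
        # Deny without revealing whether the table exists for another tenant.
        return {"statusCode": 403, "body": json.dumps({"error": "table not permitted"})}
    if put_item is None:
        import boto3
        put_item = boto3.resource("dynamodb").Table(table).put_item
    put_item(Item=item)
    return {"statusCode": 200, "body": json.dumps({"table": table, "tenant": tenant})}
```

This enforces tenancy inside the function's own code; the Lambda's execution role still needs DynamoDB permissions on every tenant table, which is exactly the trade-off the follow-up comment raises.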
