
Fine-grained access control to sub-folders in S3 buckets with AWS Cognito


I have a private S3 Bucket that contains a lot of folders (currently 1000 folders). The amount of folders changes (new ones are added, old ones deleted). Every customer has to register and log in to the application, which uses AWS Cognito, to access those folders over a frontend. A user can only access specific folders within the S3 Bucket; it could be 10 folders, but also all of them.

In the application, an admin user can grant access to a folder for a user. Those permissions need to be stored somewhere (like DynamoDB).

  • User A: can access folder-a, folder-b
  • User B: can access folder-b, folder-c
  • User C: can access folder-c

How should it work:

  • A user (logged in) sends a request to: https://<my-bucket-endpoint>/some-folder/some-file
  • Only if the user has the required permissions for 'some-folder' is the file returned

What doesn't work:

1 Answer

A user (logged in) sends a request to: https://<my-bucket-endpoint>/some-folder/some-file

Since your authorization needs some additional information from external DynamoDB other than your Cognito tokens (i.e., access token or ID token), it is not feasible to use an IAM policy (IAM role or bucket policy) to grant access permission.

Instead, you need to create an API to authorize the request (based on tokens and data from DynamoDB). If the request is authorized, you generate a presigned URL and redirect users to that URL with a 302 response. Otherwise, you return client errors like 403 or 401.

answered 2 years ago
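The authorization step the answer describes, as an added example that is not part of the answer: a function that takes the user identity from the already-verified Cognito token, looks up that user's folders (a dict stands in for the DynamoDB table) and returns either 302 with a presigned URL, 401 or 403. The path normalisation and the exact first-segment match are assumptions added here so that a traversal such as folder-c/../folder-a or a prefix collision (folder-a vs folder-ab) cannot widen access; the presign callable is a stand-in for boto3's generate_presigned_url.

```python
"""Authorize a request for <folder>/<file>, then issue a presigned URL.

Added example, not code from the question or the answer. user_id is the
subject claim of a Cognito token that has already been verified (not shown).
"""
import posixpath
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed stand-in for the DynamoDB permission table: user id -> folders.
PERMISSIONS: Dict[str, Set[str]] = {
    "user-a": {"folder-a", "folder-b"},
    "user-b": {"folder-b", "folder-c"},
    "user-c": {"folder-c"},
}


def placeholder_presign(key: str) -> str:
    """Stand-in for the real presigner. With boto3 it would be:
    s3.generate_presigned_url("get_object",
        Params={"Bucket": BUCKET, "Key": key}, ExpiresIn=60)
    """
    return f"https://<my-bucket-endpoint>/{key}?X-Amz-Signature=<placeholder>"


def split_request_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (folder, object key) for a request path, or None if malformed.

    The path is normalised first so 'folder-c/../folder-a/x' resolves to the
    folder it really targets, and the folder is the exact first segment, so a
    grant for 'folder-a' does not also cover 'folder-ab'.
    """
    clean = posixpath.normpath("/" + path.strip())
    parts = clean.strip("/").split("/")
    if len(parts) < 2 or any(p in ("", ".", "..") for p in parts):
        return None
    return parts[0], clean.lstrip("/")


def authorize(user_id: Optional[str], path: str,
              permissions: Dict[str, Set[str]] = PERMISSIONS,
              presign: Callable[[str], str] = placeholder_presign):
    """Return (status, location): 302 + presigned URL, 401, or 403."""
    if not user_id:
        return 401, None  # no authenticated user behind the request
    parsed = split_request_path(path)
    if parsed is None:
        return 403, None  # bare folder, empty path or traversal residue
    folder, key = parsed
    if folder not in permissions.get(user_id, set()):
        return 403, None  # same answer whether or not the folder exists
    return 302, presign(key)
```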
