DynamoDB - Fine grain control scoped to Cognito User

Question

I have a table that will contain rows of data for all users of the app. But I only want User A to access rows added by User A, User B to access User B's rows, etc. So its essentially a user-scoped database.

IAM Policy

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:GetItem",
                "dynamodb:DeleteItem",
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": "arn:aws:dynamodb:us-east-1:0000000:table/my-table",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

```

I believe the "cognito-identity.amazonaws.com:sub" for my user is: `us-east-1:XXXXX`

My `id` for rows is `us-east-1:XXXXX#uuid1` but `us-east-1:XXXXX` cant access it. I get: AccessDeniedException

However, the following condition worked:

```
"Condition": {
  "ForAllValues:StringEquals": {
    "cognito-identity.amazonaws.com:sub": [
      "us-east-1:XXXXX"
    ]
  }
}
```

jsonc · Answer

Hi.  From a quick glance, the policy looks to be correct.

Have you done the following as well:
* Use the Cognito ID as the hash key for DynamoDB
* Validated proper access to the KMS Key (If used) for the User.

How are you connecting the users to access the DynamoDB Table?  Are you using a role that grants access to a Cognito Identity Provider and do you have a user pool group set up for your Cognito users in Cognito?

DynamoDB - Fine grain control scoped to Cognito User

Add your answer

Relevant content