How to grant group to resources using Cognito and IAM

Hello,

I understand that you would like to implement Cognito group membership based access to certain S3 resources.

Unfortunately, there's no policy variable that can be used to detect the user pool group to which a user belongs. If it suits your use case, you may use one of the below workarounds:

Option 1: This example shows how you might create an identity-based policy that allows Amazon Cognito users to access objects in a specific S3 bucket. This policy allows access only to objects with a name that includes cognito, the name of the application, and the federated user's ID, represented by the ${cognito-identity.amazonaws.com:sub} variable. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the italicized placeholder text in the example policy with your own information. [1]

Option 2: For your use case, you can utilize the cognito group itself to create collections of users to manage their permissions or to represent different types of users. You can assign an AWS Identity and Access Management (IAM) role to a group to define the permissions for members of the group. [2]

Let's say you have a Cognito group named "Folder_A_Users" and the role attached to this group, let say "Folder_A_Role" has permissions to GetObject from this specific folder only. You can then set up Role Based Access Control in identity pool using "Choose role from Token". This will obtain the role from the identity token returned by the user pool and the authenticated user will be able to assume that role.

Alternatively, if you would not like to configure roles for groups on the user pool side, you can configure rules that will map different roles for different "cognito:groups" by using the "Choose role from rule" option in the Identity Pool. You can read in detail about these two options in [3].

Further, on the S3 bucket, you need to configure a bucket policy that will restrict access to the folders based on the IAM role assumed by the user. The bucket policy for restricting access to Folder_A to "Folder_A_Role" will be as follows:

{ "Version": "2012-10-17", "Id": "Policy1559937989640", "Statement": [ { "Sid": "Stmt1559937985466", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<Account_ID>:role/Folder_A_Role" ] }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::<Bucket_Name>/Folder_A/*" } ] }

Similarly you can add multiple roles and folders for each group type and restrict access. More about restricting access to S3 bucket based on IAM role is given in [4].

References

[1] Amazon S3: Allows Amazon Cognito users to access objects in their bucket - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html

[2] Adding groups to a user pool - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html

[3] https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

[4] https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/