By using AWS re:Post, you agree to the Terms of Use

Unauthenticated Cognito Profile restriction



We are looking for recommendation that can help on the below part:

We have integration of Salesforce with SDK part where Cognito Profile is leveraged for S3 bucket access. Now we looking for thing that ensure users are authenticated and authorized to only intended functions and information from the bucket.

Also, like to understand how can be Policy and IAM Role(Auth_Role and UnAuth Role) used to restrict the access ? Or they have some other purpose.


1 Answer


If I understand your question, you are looking for some guidance on Role-based control access This document could help you with that.

As you will see on that link, you can map either authenticated or unauthenticated users and allow them to assume a specific role. You can specify default IAM roles for authenticated and unauthenticated users using cognito. When Amazon Cognito creates a token, it sets the **amr ** of the token as either "unauthenticated" or "authenticated", and in the authenticated case will include any providers used during authentication.

It is important to add the appropriate trust policy for each role so that it can only be assumed by Amazon Cognito for authenticated users in your identity pool. Here is an example from the article of such a trust policy:

  "Version": "2012-10-17",
  "Statement": [
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": ""
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "": "us-east-1:12345678-corner-cafe-123456790ab"
        "ForAnyValue:StringLike": {
          "": "authenticated"

This policy allows federated users from to assume this role. Additionally, the policy restricts the **aud **of the token, in this case the identity pool ID, to match the identity pool (as I mentioned before in the authenticated case will include any providers used during authentication). Finally, the policy specifies that one of the array members of the multi-value **amr ** claim of the token issued by the Amazon Cognito GetOpenIdToken API action has the value authenticated.

Take care and stay safe, Best regards,


answered 8 months ago
  • Thank you for the answer, Igvir. We appreciate it.

    AWS-User-0219409, Thank you for using re:Post. Let us know if this answers your question. If this solved your issue, please remember to click on the "Accept" button to let the community know that your question is resolved. This helps everyone. Thank you in advance.

  • Hi Igvir, Thanks for your reply.

    Actually, I'm looking for something that is related to leverage of authentication of Cognito profile for S3 bucket access which allows anonymous access to the S3 bucket.

    We have integration with Salesforce via SDK, where we are looking for authentication of Cognito profile before accessing the AWS S3(bucket) resource. Any help on this would be really appreciated.


You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions