Questions tagged with AWS Identity and Access Management


S3 bucket per tenant approach. Can I assign different IAM roles for different users in the Amplify project?

Please let me know if this is a valid approach or I am missing something fundamental.

**Requirement**:
- I need to be able to restrict each tenant's users from accessing each other's S3 files
- and be able to measure each tenant's space usage in S3.

**Solution I think to implement**: Upon user signup, we check if this is a sign-up by invitation to an already existing tenant space or a new registration:
- if it's a new tenant, then we register him in a custom DynamoDB table and create an S3 bucket for him
- if it's a new user in an existing tenant, we only add him to the IAM role that can access the tenant's S3 bucket

**Details**: I am currently using a Cognito custom attribute to save the tenant ID (it's configured to not be changeable by the user itself) and struggle to figure out how I can affect the role mapping in the Cognito identity pool to implement the above logic. Please give me directions to dig further or advice on the overall approach in general.

Some of the ideas are taken from this article https://medium.com/@dantasfiles/multi-tenant-aws-amplify-method-2-cognito-groups-38b40ace2e9e and it also suggests using Cognito dynamic groups to differentiate tenants, and it seems to resolve the S3 issue as well, but with dynamic groups sync events won't work, right?

> Known limitation: Real-time subscriptions are not supported for dynamic group authorization.

https://docs.amplify.aws/cli/graphql/authorization-rules/#user-group-based-data-access

There is also this question https://repost.aws/questions/QUW1WibDWjQd2rOll4mDiPMA which suggests using a Lambda and presigned S3 URLs to regulate access to S3 files based on the tenant logic.
1 answer · 0 votes · 61 views · Arsen, asked a month ago
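One concrete way to get the per-tenant isolation the question asks for without creating an IAM role per tenant, as an added example that is not part of the original post or of any AWS sample code: keep a single authenticated role on the identity pool and scope it with the caller's principal tag. This assumes (the post does not say so) that buckets are named `tenant-<tenantId>`, that the identity pool is configured to map the immutable `custom:tenantId` attribute to the principal tag `tenant` (Cognito "attributes for access control"), and that the presigned-URL Lambda already receives verified ID-token claims. `evaluate` is a small local approximation of IAM's Allow-statement matching so the policy can be exercised offline; it does not model Deny statements or Condition blocks.

```python
"""Tenant-scoped S3 access for the design in the question above.

Added example; not code from the original post or from AWS. Assumptions that the
post does not state:
  * one S3 bucket per tenant, named "tenant-<tenantId>";
  * the Cognito identity pool maps the immutable user attribute custom:tenantId
    to the IAM principal tag "tenant" ("attributes for access control"), so one
    shared authenticated role can be scoped with ${aws:PrincipalTag/tenant};
  * the presigned-URL Lambda receives ID-token claims that were already verified
    (signature and expiry checks are out of scope here).
"""
import fnmatch
import json
import re

# Assumed tenant-id format. Kept tight so an id can never carry "*", "?", "/"
# or "${" into a bucket name or a policy document.
TENANT_ID_RE = re.compile(r"[a-z0-9][a-z0-9-]{2,40}")
PRINCIPAL_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def tenant_bucket(tenant_id: str) -> str:
    """Bucket name for a tenant, rejecting ids outside the assumed format."""
    if not TENANT_ID_RE.fullmatch(tenant_id):
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    return f"tenant-{tenant_id}"


def tenant_scoped_policy() -> dict:
    """IAM policy for the identity pool's authenticated role. The tenant comes
    from the caller's principal tag, so signup only has to create the bucket
    and set the attribute; no per-tenant role or policy edit is needed."""
    bucket_arn = "arn:aws:s3:::tenant-${aws:PrincipalTag/tenant}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOwnTenantBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": bucket_arn},
            {"Sid": "ObjectsInOwnTenantBucket", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"{bucket_arn}/*"},
        ],
    }


def evaluate(policy: dict, principal_tags: dict, action: str, resource: str) -> bool:
    """Local approximation of IAM evaluation for Allow statements: substitute
    principal tags into Resource, then wildcard-match action and resource.
    A ${aws:PrincipalTag/...} whose tag is absent never matches, which is how
    IAM treats a variable missing from the request context. Deny statements
    and Condition blocks are not modelled."""
    def substitute(pattern: str):
        missing = False

        def repl(m):
            nonlocal missing
            value = principal_tags.get(m.group(1))
            if value is None:
                missing = True
                return ""
            return value
        out = PRINCIPAL_TAG_VAR.sub(repl, pattern)
        return None if missing else out

    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        for r in resources:
            concrete = substitute(r)
            if concrete is not None and fnmatch.fnmatchcase(resource, concrete):
                return True
    return False


def authorize_presign(claims: dict, bucket: str) -> bool:
    """Check the presigned-URL Lambda must make before signing anything: the
    target bucket has to be the caller's own tenant bucket, derived from the
    verified claim, never from a tenant field supplied by the client."""
    tenant_id = claims.get("custom:tenantId")
    if not isinstance(tenant_id, str):
        return False
    try:
        return bucket == tenant_bucket(tenant_id)
    except ValueError:
        return False


if __name__ == "__main__":
    print(json.dumps(tenant_scoped_policy(), indent=2))
    acme = {"tenant": "acme"}  # constructed principal tags for a user of tenant "acme"
    print(evaluate(tenant_scoped_policy(), acme, "s3:GetObject", "arn:aws:s3:::tenant-acme/q1.pdf"))
    print(evaluate(tenant_scoped_policy(), acme, "s3:GetObject", "arn:aws:s3:::tenant-globex/q1.pdf"))
```

The `fullmatch` on the tenant id is the part worth keeping even if the bucket layout changes: a tenant id is copied into bucket names, policy variables and S3 keys, so it must not be able to carry wildcard or path characters. Per-tenant storage usage also falls out of the bucket-per-tenant layout, since S3 reports size metrics per bucket.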