Can I have dynamic User specific permissions using AWS IAM / Cognito?

Question

I'm attempting to develop an application architecture almost exclusively on top of AWS services.

This application has both User and Organization "entities". As one might except, a User may be an admin, role-x or role-y of one or more organizations. (role-x and role-y are just placeholders for some role with some set of specific permissions. A User may also be standalone (that is, not have a role on any Organization).

Our current thinking is to use DynamoDB to store organization and user specific data. For users this may include some basic information (address, phone number, whatever), and for organizations it may include fields like "mission statement", "business address" and so on.

An admin of an organization would be able to edit all organization fields, whereas a role-x might only be able to update "mission statement" while reading all other fields.

Since I mentioned that a single user may have roles on many different organizations, that might look something like:

user1:
    organizations:
        123: 'admin'
        456: 'role-x'
        789: 'admin'

It's also worth noting that these role assignments are modifiable. New or existing users may be invited to take on a specific role for an organization, and an organization may remove a user from a role.

This is a fairly straightforward type of layout, but I wanted to be very clear about the many-to-many nature of the user, org and roles.

I've been reading IAM and Cognito documentation, as well as how it relates to fine-grained control over DynamoDB items or S3 buckets - but many of the examples focus on a single user accessing their own data rather than a many-to-many role style layout.

How might one go about implementing this type of permission system on AWS?

(If policy definitions need to be updated with specific Identities (say, for an Organization), can that reliably be done in a programatic way - or is it ill-advised to modify policies on the fly like that?)

Answer 1

The above answer is outdated. AWS has added Cognito-Groups recently. That provides more flexibility

You can use technique described in the article to achieve that: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/

Answer 2

Unfortunately the kind of permission system you are trying to implement is not possible with Cognito at the moment. With Cognito you can currently create unique identities for your users in an identity pool. Users can authenticate using any external provider such as Facebook, Amazon, Google, Twitter/Digits or any OpenId Connect Provider. Users can also authenticate through your own backend authentication process. After the user authenticates, Cognito creates a unique identity for that user. There’s a concept of an identity, but there’s no concept of groups. All users/identities within a one identity pool can get credentials from roles associated with that identity pool. Currently you can specify two roles: One role for authenticated identity and one role for unauthenticated identity. There’s no such feature at the moment where you can specify multiple groups for each identity and specify role on that group.

For more information on Cognito, you can refer to

https://aws.amazon.com/cognito/faqs/ http://docs.aws.amazon.com/cognito/devguide/getting-started/