 

Can I have dynamic User specific permissions using AWS IAM / Cognito?

I'm attempting to develop an application architecture almost exclusively on top of AWS services.

This application has both User and Organization "entities". As one might expect, a User may be an admin, role-x or role-y of one or more organizations. (role-x and role-y are just placeholders for some role with some set of specific permissions.) A User may also be standalone (that is, not have a role on any Organization).

Our current thinking is to use DynamoDB to store organization and user specific data. For users this may include some basic information (address, phone number, whatever), and for organizations it may include fields like "mission statement", "business address" and so on.

An admin of an organization would be able to edit all organization fields, whereas a role-x might only be able to update "mission statement" while reading all other fields.

Since I mentioned that a single user may have roles on many different organizations, that might look something like:

user1:
    organizations:
        123: 'admin'
        456: 'role-x'
        789: 'admin'

It's also worth noting that these role assignments are modifiable. New or existing users may be invited to take on a specific role for an organization, and an organization may remove a user from a role.

This is a fairly straightforward type of layout, but I wanted to be very clear about the many-to-many nature of the user, org and roles.

I've been reading IAM and Cognito documentation, as well as how it relates to fine-grained control over DynamoDB items or S3 buckets - but many of the examples focus on a single user accessing their own data rather than a many-to-many role style layout.

How might one go about implementing this type of permission system on AWS?

(If policy definitions need to be updated with specific Identities (say, for an Organization), can that reliably be done in a programmatic way - or is it ill-advised to modify policies on the fly like that?)

DJSunny asked Jan 19 '16 18:01




2 Answers

The above answer is outdated. AWS has added Cognito Groups recently. That provides more flexibility.

You can use the technique described in this article to achieve that: https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/

Luke answered Sep 17 '22 21:09
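To make the question's many-to-many layout concrete alongside the Cognito Groups approach this answer points to, here is an added example (not code from the question, the answers or the linked AWS post). The assumptions are mine, not the page's: each (organization, role) pair is a Cognito user-pool group named "org-<orgId>-<role>", those groups reach the backend in the ID token's "cognito:groups" claim, the claims have already been signature-verified upstream (for example by an API Gateway authorizer), the GET /orgs/{id} and PUT /orgs/{id}/{field} route layout and the field lists are illustrative, and the role names come from the question.

```python
"""Per-organization, per-role authorization for the User/Organization model
described in the question, driven by Cognito group claims.

Added example, not code from the question, the answers or the linked AWS post.
Assumptions (mine, not the page's): each (organization, role) pair is a Cognito
user-pool group named "org-<orgId>-<role>", those groups reach the backend in
the ID token's "cognito:groups" claim, the claims have already been
signature-verified upstream (e.g. by an API Gateway authorizer), and the
field lists below are illustrative.
"""
import re
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Organization fields from the question; "name" is an assumed extra.
ORG_FIELDS: FrozenSet[str] = frozenset({"mission_statement", "business_address", "name"})

# role -> (readable fields, writable fields). Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = {
    "admin": (ORG_FIELDS, ORG_FIELDS),                         # edit everything
    "role-x": (ORG_FIELDS, frozenset({"mission_statement"})),  # read all, edit one
    "role-y": (ORG_FIELDS, frozenset()),                       # read only (assumed)
}

GROUP_RE = re.compile(r"^org-(\d+)-([a-z0-9-]+)$")  # assumed naming convention


def roles_from_groups(groups: Iterable[str]) -> Dict[str, str]:
    """Map {org_id: role} from "org-<id>-<role>" group names.

    Fail closed: unrelated groups and unknown role names grant nothing, and an
    org that appears with two different roles (a misconfiguration) is dropped
    rather than resolved in the user's favour.
    """
    seen: Dict[str, set] = {}
    for g in groups:
        m = GROUP_RE.match(g)
        if not m or m.group(2) not in ROLE_PERMISSIONS:
            continue
        seen.setdefault(m.group(1), set()).add(m.group(2))
    return {org: next(iter(rs)) for org, rs in seen.items() if len(rs) == 1}


def can(claims: dict, org_id: str, action: str, field: str) -> bool:
    """True only if the caller's role in org_id explicitly allows action on field."""
    if action not in ("read", "write") or field not in ORG_FIELDS:
        return False
    role = roles_from_groups(claims.get("cognito:groups", [])).get(org_id)
    if role is None:
        return False  # standalone user, or the role has been removed
    readable, writable = ROLE_PERMISSIONS[role]
    return field in (writable if action == "write" else readable)


def authorize_update(claims: dict, org_id: str, updates: Dict[str, str]) -> bool:
    """Accept a PUT only if every field in it is writable; never silently drop fields."""
    return bool(updates) and all(can(claims, org_id, "write", f) for f in updates)


def authorizer_policy(claims: dict, org_id: str, api_arn_prefix: str) -> dict:
    """Build the per-request IAM policy an API Gateway Lambda authorizer returns.

    Assumed route layout (mine): GET /orgs/{id} reads the record and
    PUT /orgs/{id}/{field} writes one field. api_arn_prefix is the
    "arn:aws:execute-api:<region>:<account>:<api-id>/<stage>" part.
    """
    role = roles_from_groups(claims.get("cognito:groups", [])).get(org_id)
    resources: List[str] = []
    if role is not None:
        readable, writable = ROLE_PERMISSIONS[role]
        if readable:
            resources.append(f"{api_arn_prefix}/GET/orgs/{org_id}")
        resources += [f"{api_arn_prefix}/PUT/orgs/{org_id}/{f}" for f in sorted(writable)]
    statement = {
        "Action": "execute-api:Invoke",
        "Effect": "Allow" if resources else "Deny",
        "Resource": resources or [f"{api_arn_prefix}/*/orgs/{org_id}*"],
    }
    return {
        "principalId": claims.get("sub", "anonymous"),
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
    }


# Constructed sample claims matching the user1 layout in the question.
SAMPLE_CLAIMS = {
    "sub": "user1",
    "cognito:groups": ["org-123-admin", "org-456-role-x", "org-789-admin"],
}

if __name__ == "__main__":
    print(can(SAMPLE_CLAIMS, "456", "write", "mission_statement"))  # True
    print(can(SAMPLE_CLAIMS, "456", "write", "business_address"))   # False
    print(authorizer_policy(SAMPLE_CLAIMS, "456",
                            "arn:aws:execute-api:us-east-1:123456789012:abc123/prod"))
```

With this split the IAM policies attached to the Cognito roles stay static, which answers the question's worry about editing policies on the fly: inviting or removing a user only changes group membership (AdminAddUserToGroup / AdminRemoveUserFromGroup on the user pool), and the field-level decision is enforced by the backend on every request rather than encoded in IAM. Two caveats: the groups claim is only trustworthy after the token signature has been verified, and a group per (org, role) pair is bounded by the Cognito quota on groups per user, so an application where one user belongs to very many organizations should keep the org-to-role map in DynamoDB and look it up in the authorizer instead of carrying it in the token.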


Unfortunately the kind of permission system you are trying to implement is not possible with Cognito at the moment. With Cognito you can currently create unique identities for your users in an identity pool. Users can authenticate using any external provider such as Facebook, Amazon, Google, Twitter/Digits or any OpenID Connect provider. Users can also authenticate through your own backend authentication process. After the user authenticates, Cognito creates a unique identity for that user. There's a concept of an identity, but there's no concept of groups. All users/identities within one identity pool can get credentials from roles associated with that identity pool. Currently you can specify two roles: one role for authenticated identities and one role for unauthenticated identities. There's no such feature at the moment where you can specify multiple groups for each identity and specify a role on that group.

For more information on Cognito, you can refer to

https://aws.amazon.com/cognito/faqs/
http://docs.aws.amazon.com/cognito/devguide/getting-started/

patanjal answered Sep 17 '22 21:09