How can I allow cognito users to access their own S3 folders

Question

What I want is to let groups (families) of aws cognito users to read/write to S3 buckets which should be only available for those families of users.

I created a user with boto3 python library. Now I need to grant this user access to their folder in the bucket.

I found a few posts which suggested to create bucket policy like this:

policy = {
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "Grant user access to his folder",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::BUCKET/users/${cognito-identity.amazonaws.com:sub}",
        "Condition": {
            "StringLike": {
                "cognito-identity.amazonaws.com:sub": [
                    "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
                    "us-east-1:yyyyyyyy-xxxx-xxxx-xxxx-xxxxxxxxxx"
                ]
            }
        }
    }
]}

But it turns out we can not specify "cognito-identity.amazonaws.com:sub" in bucket's policy condition.

Any help is highly appreciated.

Answer 1

I think the policy you have above needs to be in the IAM role for an authenticated user, not part of a bucket policy.