Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to restrict AWS Cognito users from taking certain actions?

Tags:

amazon-web-services

amazon-iam

amazon-cognito

multi-tenant

Help is required in the following problem we're facing 😔

Any tip would be much appreciated!

Details and environment:

  1. A multi-tenant application that aims to provide a dedicated tenant per customer (organization), in order to achieve full separation.
  2. AWS Cognito user pool as my users' datastore and authentication provider.
  3. an "AWS Cognito user pool" per customer (org).
  4. Role management - based on the built-in user pool groups. Group per role and the server-side verifies that a user's access token includes a group name in it's embedded group's list.

So far so good and everything is working as expected, using AWS Amplify's SDK, for the client side's implementation. Amplify performs well and allows me to do whatever I want. The server verifies group belonging etc.

The problem:

I want to restrict non-admin users (that doesn't belong to the "admin" group) from performing certain Cognito actions via Amplify. 2 Examples:

  1. I want to disable non-admin users' ability to modify a specific attribute's value, via Amplify.
  2. I want to disable non-admin users' ability to modify MFA settings for themselves, via Amplify.

The actual problem started when I wanted administrators to be able to set MFA (enable/disable) for other users, but in Cognito (as I understand it) only a user can set his own MFA settings.

What I saw and already tried:

  1. Set read/write permissions for user attributes. So the specific attribute I want to protect is modifiable only via API calls with developer credentials. That way, admins can call my server to ask for attribute modification. The server verifies the role by a group belonging according to the access token and calls Cognito API. The problem with that solution is that it covers only the attribute modification scenario.
  2. Create an AWS Cognito identity pool for each of the user pools. For every group in every user pool, create an AWS IAM role with a policy that would restrict or allow the wanted behavior. The could actually work. The problem with that solution is that it feels like a super-duper overkill, plus it requires me to create an extra identity pool and an IAM role for each user pool. It means that every new customer that joins the service, would require (1) user pool, (2) Cognito client application, (3) identity pool and (4) IAM Role (instead of just a user pool and Cognito client app). Essentially, implementing this solution.

The real question:

Can I restrict users in a certain group from performing actions on themselves, such as disabling the MFA (even that the user-pool's MFA is set to "Optional")?

Thank you all so much! any help would be appreciated!

like image 257
Eliran Shem Tov Avatar asked Nov 28 '19 13:11

Eliran Shem Tov

People also ask

How do I add a policy to Cognito?

To do so, log in to the IAM Console . Then select Roles, and select a role. The policies attached to the selected role are listed in the Permissions tab. You can customize an access policy by selecting the corresponding Manage Policy link.

How do I customize my Cognito UI?

To specify app UI customization settingsSign in to the Amazon Cognito console . In the navigation pane, choose User Pools, and choose the user pool you want to edit. Choose the App integration tab. To customize UI settings for all app clients, locate Hosted UI customization and select Edit.

How do you use Cognito without amplify?

Is there a way to use Cognito service without Amplify libraries? Another approach that you can do, is to use Amazon Cognito as an OAuth server. When you create an Amazon Cognito Hosted UI Domain, it provides you an OAuth 2.0 compliant authorization server.

What is client secret in AWS Cognito?

A client secret is a fixed string that your app must use in all API requests to the app client. Your app client must have a client secret to perform client_credentials grants. You can't change secrets after you create an app. You can create a new app with a new secret if you want to rotate the secret.

1 Answers

Well... After long research, we have come to the understanding that there is no proper right way. Every possible solution has its own pros and cons. A consultant meeting with AWS's experts taught us that:

Options Overview:

  1. [Server Side Only] - Solution #1 that I proposed is exactly as described. Drawbacks are the same. It could work, and access to user-attributes will be restricted. Any other action that another client would make will not be blocked.
  2. [Identity Pools] - Solution #2 that I proposed is the most accurate one. Yet I described it with one big mistake: one identity-pool can serve multiple user-pools! So essentially, we could create only one IAM role and one identity-pool per app's role. Then we match every user-pool we want to that same identity-pool and when introducing a new role to the app - just create a new group in the user-pool and match it to the IAM role. This solution is not as complicated as thought, and it would definitely do the trick. As a bonus, you'll get the ability to control and allow access to different AWS services. That being said, it still requires management and effort.
  3. [Post-Auth Lambda] - Solution #3 that was not mentioned here, and I started to work on a day after posting this post. I blocked the write permissions of a new boolean custom attribute called "MFA". It indicates the desired MFA configuration for the user. Only a server could edit its value (and users with the admin role will have access to the server's API endpoint that can modify it). We've deployed a lambda function that would be triggered after successful authentication (post auth trigger in Cognito user-pool). It would verify a match between the desired and current MFA configurations for the authenticated user. If there is a mismatch, throw the user out because he did something that is not allowed.

*To be exact, we created one more custom attribute called "mfa_status" and it is set to true after the user has set it's MFA configurations. The lambda checks if both MFA and mfa_status are true and the real current MFA Configurations are false. if this is the case - the user is thrown out.

The Chosen One:

The solution we picked eventually is #3 (Post-Auth lambda) as it is the most detached solution. It does not require any mix with our server or client's code, any special configurations that are specific to a user pool and it still allows us to keep working with the Cognito's Amplify SDK as a client.

Thank you all for your time, I hope this post would help someone in the future.

like image 143
Eliran Shem Tov Avatar answered Sep 27 '22 17:09

Eliran Shem Tov
Sign in to Comment

Related questions

How to set object key-values in AWS API Gateway Mapping Template
How can I convert Amazon Transcribe json response to a caption format (srt, webvvt, etc)?
Code build is failed with Error while executing command: npm install. Reason: exit status 127
Terraform - how to use for_each loop on a list of objects to create resources
SQS maxNumberOfMessages
Amazon Resource Name (ARN) for AWS SimpleDB
Amazon EC2 payment transparency, breaking the free usage tier?
Can IAM role temporary credentials be used in cloudformation templates?
Group HITs into batches in amazon mechanical turk with boto?
cURL error 35 - Unknown SSL protocol error in connection to api.rkd.reuters.com:443
'unicode' object has no attribute 'keys'
AWS Elastic Beanstalk NodeJS and logs
CloudFormation - reference resource as default value for Parameter
Changing the name of a Load Balancer on AWS Console
AWS Cloudwatch Event putTargets not adding Lambda event sources
AWS SQS Asynchronous Queuing Pattern (Request/Response)
AWS Elasticsearch VPC connectivity
How to read JSON file present in S3 using java
AWS Sagemaker - Install External Library and Make it Persist
Schedule AWS ECS Fargate to Start and STOP Tasks

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!