Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Restrict S3 Object Access to Specific Cognito Users

I am working on an application that will manage access to purchased files that are stored in S3. I have files organized by product in S3, for example:

my-bucket
  ├── product-a
  │     ├── file-1
  │     ├── file-2
  │     └── file-3
  ├── product-b
  │     ├── file-1
  │     ├── file-2
  │     └── file-3
  └── etc...

I am also using Cognito to manage user identities and authentication. I would like to create an IAM role that all users will assume which will grant them access only to the files of products they have purchased. What would be the proper way to do this? I have read thru Cognito's documentation and I feel I am just not quite connecting the dots.

I see from this example, that I could provide each user access to their own folder in a bucket, but then I would have to copy the files to each user's folder, which seems both inefficient and prone to error.

{
  "Version": "2012-10-17",
   "Statement": [
   {
     "Effect": "Allow",
     "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-bucket"],
      "Condition": {"StringLike": {"s3:prefix": ["cognito/myapp/"]}}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/myapp/${cognito-identity.amazonaws.com:sub}",
        "arn:aws:s3:::my-bucket/myapp/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}

But I was hoping to create a policy that would grant a user access to the folder of product-a if and only if they had purchased that product, say using some flag that was contained in that user's Cognito Sync data.

Is this possible? Am I just not using the correct tools? I think this must be a common use-case.

like image 436
sethro Avatar asked Jul 18 '17 00:07

sethro


People also ask

How do I restrict Amazon S3 bucket access to a specific IAM user?

You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.

Which of the following can limit S3 bucket access to specific users?

Note: You can use a deny statement in a bucket policy to restrict access to specific IAM users. You can restrict access even if the users are granted access in an IAM policy. Using Amazon S3 Block Public Access as a centralized way to limit public access.

Which of the below allows you to restrict access to individual objects in an S3 bucket?

Amazon S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level, now and in the future by using S3 Block Public Access. To ensure that public access to all your S3 buckets and objects is blocked, turn on block all public access.


1 Answers

In my use case, this was possible because of the following:

  1. I upload a file to s3
  2. I have a lambda listening to S3 events that interprets this file created and creates an entry in DynamoDB (our app's database engine). However, this entry contains a url to access this file which is not the s3 url. Instead it's an API gateway url that proxies the request and has a custom lambda authorizer on it. This lambda authorizer then validates user access by looking at the cognito token and lets me add completely fine-grained access for other users whilst still letting the core user / owner manage the file using the S3 sdk client directly and with the correct cognito Identity roles attached to the bucket permissions.
  3. the user then requests this image with the Authorization cognito token header in the request, this is processed by API gateway and the relevant response is returned.
like image 121
Daniel Blignaut Avatar answered Oct 19 '22 19:10

Daniel Blignaut