I am working on an application that will manage access to purchased files that are stored in S3. I have files organized by product in S3, for example:
my-bucket
├── product-a
│ ├── file-1
│ ├── file-2
│ └── file-3
├── product-b
│ ├── file-1
│ ├── file-2
│ └── file-3
└── etc...
I am also using Cognito to manage user identities and authentication. I would like to create an IAM role that all users will assume which will grant them access only to the files of products they have purchased. What would be the proper way to do this? I have read through Cognito's documentation and I feel I am just not quite connecting the dots.
I see from this example, that I could provide each user access to their own folder in a bucket, but then I would have to copy the files to each user's folder, which seems both inefficient and prone to error.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::my-bucket"],
            "Condition": {"StringLike": {"s3:prefix": ["cognito/myapp/"]}}
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/myapp/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::my-bucket/myapp/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}
But I was hoping to create a policy that would grant a user access to the folder of product-a
if and only if they had purchased that product, say using some flag that was contained in that user's Cognito Sync data.
Is this possible? Am I just not using the correct tools? I think this must be a common use-case.
You can use the NotPrincipal element of an IAM or S3 bucket policy to limit resource access to a specific set of users. This element allows you to block all users who are not defined in its value array, even if they have an Allow in their own IAM user policies.
Note: You can use a deny statement in a bucket policy to restrict access to specific IAM users. You can restrict access even if the users are granted access in an IAM policy.
Using Amazon S3 Block Public Access as a centralized way to limit public access:
Amazon S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level, now and in the future, by using S3 Block Public Access. To ensure that public access to all your S3 buckets and objects is blocked, turn on block all public access.
In my use case, this was possible because of the following:
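To see concretely how the question's policy scopes each Cognito identity to its own prefix, and how the explicit Deny the answer mentions overrides that Allow, here is a small offline evaluator I added (example code, not from the question, the answer or AWS). It models only the pieces these two policies use: Action/Resource glob matching, ${cognito-identity.amazonaws.com:sub} substitution, the StringLike condition, and Deny-over-Allow precedence; the BUCKET_DENY statement and the user-1/user-2 identities are constructed samples, and Principal elements are assumed to already match the caller.

```python
import fnmatch

# The question's policy as a Python dict; Action and Resource are assumed to be lists.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-bucket"],
     "Condition": {"StringLike": {"s3:prefix": ["cognito/myapp/"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::my-bucket/myapp/${cognito-identity.amazonaws.com:sub}",
                  "arn:aws:s3:::my-bucket/myapp/${cognito-identity.amazonaws.com:sub}/*"]},
]}

# Constructed bucket-policy statement (not from the page) showing the answer's
# point: an explicit Deny overrides an Allow granted in the identity policy.
BUCKET_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::my-bucket/myapp/*/revoked-*"]}]}

def _expand(text, variables):
    # Substitute policy variables such as ${cognito-identity.amazonaws.com:sub}.
    for name, value in variables.items():
        text = text.replace("${" + name + "}", value)
    return text

def _condition_ok(condition, context):
    # Only StringLike is modelled. A missing context key fails the test, as IAM
    # does for condition operators without the ...IfExists suffix.
    for key, patterns in condition.get("StringLike", {}).items():
        if key not in context or not any(fnmatch.fnmatchcase(context[key], p) for p in patterns):
            return False
    return True

def is_allowed(policies, action, resource, variables, context=None):
    """Simplified IAM logic: an explicit Deny wins, then any Allow, else implicit deny."""
    context, allowed = context or {}, False
    for stmt in (s for p in policies for s in p["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, _expand(r, variables)) for r in stmt["Resource"]):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Calling is_allowed([USER_POLICY], "s3:GetObject", "arn:aws:s3:::my-bucket/myapp/user-2/file-1", {"cognito-identity.amazonaws.com:sub": "user-1"}) returns False, which is exactly why the per-user-folder pattern requires copying files into each user's prefix.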