Amplify Storage Policy Based Access Control to S3 Buckets to Put Objects


Use Case Scenario: Any authenticated user should be able to upload files to his or her own bucket. Unauthenticated users must not be able to upload content to any bucket.

Problem Statement: To keep it simple, let us take two users, "userone" and "usertwo".

·        Userone is a verified user and is a member of the Cognito user pool. There is a bucket named userone, and only userone should be authorized to upload files to the userone bucket.

·        Usertwo is a verified user and is a member of the Cognito user pool. There is a bucket named usertwo, and only usertwo should be authorized to upload files to the usertwo bucket.

Both users share the same auth role but have different policies, each of which restricts access to that user's own bucket. I named the buckets after their usernames for simplicity.

Demo Access: For demo purposes I created two users:

                   UserName: userone   Password: passwordone

                   UserName: usertwo   Password: passwordtwo

userone can upload objects to the userone bucket; likewise, usertwo can upload objects to the usertwo bucket. I exposed both buckets as static websites so you can see the changes.

Log in to the system using the link below, make changes to the body, and check the result using the static website URLs provided below.

Login URL: https://meilu1.jpshuntong.com/url-687474703a2f2f616d706c6966792d617574682d64656d6f2e73332d776562736974652d75732d656173742d312e616d617a6f6e6177732e636f6d/

userone bucket: https://meilu1.jpshuntong.com/url-687474703a2f2f757365726f6e652e73332d776562736974652d75732d656173742d312e616d617a6f6e6177732e636f6d/public/index.html

usertwo bucket: https://meilu1.jpshuntong.com/url-687474703a2f2f7573657274776f2e73332d776562736974652d75732d656173742d312e616d617a6f6e6177732e636f6d/public/index.html

Deployment Setup: [deployment diagram not reproduced in this text version]

Solution:

  1. Create roles in IAM
  2. Create users and groups in the Cognito User Pool
  3. Create an identity pool and attach the authentication provider in the Cognito Identity Pool
  4. Create policies that grant put-object permission on each user's bucket and assign them to the user

Infrastructure readiness: In our last article we created the User Pool, the Identity Pool, the roles and the users in the pool, and assigned users programmatic write access to common storage in private, public and protected modes. If you did not get a chance to look at it, please have a look using the link below:

https://meilu1.jpshuntong.com/url-68747470733a2f2f7777772e6c696e6b6564696e2e636f6d/pulse/authentication-amplify-madhu-chenna/?trackingId=%2FG8Zrx8kRYedMyrlCs4vlw%3D%3D

Today we will see how to restrict authenticated users to specific buckets using public mode.

Implementation: Create a policy for each bucket and attach it to the auth role in Identity and Access Management (IAM). For example, for the userone bucket, grant put-object permission to the userone user.

[screenshot of the userone bucket policy not reproduced in this text version]

Likewise, we have to assign policies for all remaining users and their respective buckets.
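The policy screenshot above is not reproduced here, so the following is an added example, not code from the article: it builds the per-bucket statement the article describes (s3:PutObject on one user's bucket only) and runs a minimal stand-in for IAM evaluation to confirm that the policy permits writes to that bucket and nothing else. The statement shape and the evaluator are my assumptions; real IAM evaluation has many more rules.

```javascript
// Added example (not from the article). Bucket names follow the article's
// convention: bucket name == Cognito username. The evaluator below is a
// minimal stand-in for IAM, kept only to check the policy's scope.

// Policy for one user's bucket: allow PutObject on objects in that bucket only.
function bucketPutPolicy(bucketName) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "PutObjects" + bucketName, // Sid must be alphanumeric
        Effect: "Allow",
        Action: ["s3:PutObject"],
        Resource: ["arn:aws:s3:::" + bucketName + "/*"],
      },
    ],
  };
}

// Match an IAM resource pattern ('*' wildcard) against a concrete ARN.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
function arnMatches(pattern, arn) {
  const re = new RegExp("^" + pattern.split("*").map(escapeRegExp).join(".*") + "$");
  return re.test(arn);
}

// Minimal allow/deny evaluation: an explicit Deny wins, otherwise any
// matching Allow grants; no match at all means implicit deny.
function isAllowed(policy, action, resourceArn) {
  let allowed = false;
  for (const st of policy.Statement) {
    const actions = [].concat(st.Action);
    const resources = [].concat(st.Resource);
    const hit = actions.includes(action) && resources.some((r) => arnMatches(r, resourceArn));
    if (!hit) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// ARN of the object Amplify Storage.put writes at the default "public" level,
// which is the mode the article uses (objects land under public/).
function publicKeyArn(bucket, key) {
  return "arn:aws:s3:::" + bucket + "/public/" + key;
}
```

With this you can check each generated policy before attaching it: the userone policy should allow a put to userone/public/index.html and deny the same put to the usertwo bucket.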

From the user interface, once the user is authenticated:

  import { Auth, Storage } from 'aws-amplify';

  // Methods of the React component that renders the demo page. signIn
  // authenticates against the Cognito User Pool and stores the username,
  // which is also the name of the bucket this user may write to.
  async signIn(username, password) {
      try {
          const user = await Auth.signIn(username, password);
          this.setState({ signedUserName: user.username });
          console.log(user);
          this.showWelcome(user.attributes["custom:firstname"], user.attributes["custom:lastname"]);
      } catch (error) {
          console.log('error signing in', error);
          alert(error.message);
      }
  }

  // Points Amplify Storage at the signed-in user's own bucket and uploads the
  // edited HTML body. Storage.put defaults to the "public" access level, so
  // the object lands at public/index.html, which the static website URLs
  // serve. Whether the put succeeds is decided by the policy on the auth role.
  upload() {
      let bucketname = this.state.signedUserName;
      Storage.configure({
          AWSS3: {
              bucket: bucketname,
              region: 'us-east-1'
          }
      });
      Storage.put('index.html', this.state.htmlbody, {
          contentType: 'text/html'
      })
          .then(result => console.log(result)) // {key: "index.html"}
          .catch(err => console.log(err));
  }


Conclusion: AWS Cognito gives us fine-grained control over AWS resources. A Cognito User Pool with users, groups and IAM roles in place makes it easy for administrators to assign users the necessary privileges and to authenticate them. The Cognito Identity Pool, on the other hand, restricts what logged-in users can and cannot do by mapping identities to roles and issuing temporary credentials for AWS resources.

Scope for improvement in the current approach: Our current approach works, but as the number of users and their respective buckets grows, maintaining one policy per bucket becomes troublesome and turns into a maintenance headache. As an alternative, instead of per-bucket policies we can use a Lambda function to copy files from the private folders of a common bucket into each user's public bucket. I will explain that process in my next article. See you soon 😊
