Amazon S3 bucket permission for unauthenticated cognito role user

11
votes

I have setup an unauthenticated role under Amazon Cognito Identity pool. My goal is that guest users of my mobile app would be able to upload debugging logs (small text files) to my S3 bucket so I can troubleshoot issues. I notice I would get "Access Denied" from S3 if I don't modify my S3 bucket permission. If I add allow "Everyone" to have "Upload/Delete" privilege, the file upload succeeded. My concern is someone would then be able to upload large files to my bucket and cause a security issue. What is the recommend configuration for my need above? I am a newbie to S3 and Cognito.

I am using Amazon AWS SDK for iOS but I suppose this question is platform neutral.

Edit: My policy is as follows:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:GetUser",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": ["arn:aws:s3:::import-to-ec2-*", "arn:aws:s3:::<my bucket name>/*"]
    }
  ]
}
3
amazon-s3amazon-cognito

3 Answers

6
votes

You don't need to modify the S3 bucket permission, but rather the IAM role associated with your identity pool. Try the following:

  1. Visit the IAM console.
  2. Find the role associated with your identity pool.
  3. Attach a policy similar to the following to your role: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::MYBUCKET/*"] } ] }
  4. Replace MYBUCKET with your bucket name
  5. Access your bucket as normal from your application use the iOS SDK and Cognito

You may want to consider limiting permissions further, including ${cognito-identity.amazonaws.com:sub} to partition your users, but the above policy will get you started.

1
votes

As @einarc said (cannot comment yet), to make it works I had to edit role and Bucket Policy. This is good enough for testing:

Bucket Policy:

{
  "Id": "Policy1500742753994",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1500742752148",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::admin1.user1",
      "Principal": "*"
    }
  ]
}

Authenticated role's policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
0
votes

The answer above is incomplete as of 2015, you need to authorize BOTH the role AND the bucket polity in S3 to authorize that Role to write to the bucket. Use s3:PutObject in both cases. The console has wizards for both cases