3
votes

I am attempting to secure my AWS API such that DynamoDB rows can only be accessed by the corresponding authenticated Cognito user, by implementing fine-grained access control in my Serverless Framework config (serverless.yml).

See the example of what I am attempting in the AWS Documentation.

I have tried to convert the CloudFormation syntax to Serverless without success; when I try something like the following expression in my policy statement:

Condition:
  ForAllValues:StringEquals:
    dynamodb:LeadingKeys: ["${cognito-identity.amazonaws.com:sub}"]

I then get an error:

Invalid variable reference syntax for variable cognito-identity.amazonaws.com:sub. You can only reference env vars, options, & files. You can check our docs for more info.

Is this even possible in Serverless? Or is it CloudFormation and SAM only?

1
Were you able to find a solution for this? I am trying to do something similar. Thanks! – Fostah

1 Answer

0
votes

It is possible in Serverless. If I were you, I would use AWS Lambda to verify the id_token which is sent to the user. In this scenario, you should first transfer the key to the AWS Lambda function using API Gateway or other methods. Then follow this guide to verify the token. The code can be found in: https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt

After verifying it you can add your code here:

# ...... (the signature and expiry checks from the AWS sample come before this point)
def check_claims(claims, app_client_id):
    # Reject tokens issued for a different app client of the user pool
    if claims['aud'] != app_client_id:
        print('Token was not issued for this audience')
        return False
    # now we can use the claims

    # add your code here #

    print(claims)
    return claims
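To show what "add your code here" can look like for the original goal (each Cognito user only reaches their own DynamoDB rows), here is an added example that is not part of the answer or of the AWS sample. It assumes the token's signature has already been verified against the user pool's JWKS by the AWS decode-verify-jwt code, and it takes the claims dict that code returns. The pool id, app client id, table name and claims are constructed sample values, and `userId` is an assumed partition key name. The point is that the partition key value is taken from the verified `sub` claim rather than from the request, which is the application-side equivalent of the `dynamodb:LeadingKeys` condition the question tried to express in the IAM policy.

```python
import time

# Constructed sample values (not from the question or answer): a Cognito user pool,
# an app client, a table, and the claims returned after a successful signature check.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
TABLE_NAME = "Notes"

SAMPLE_CLAIMS = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "aud": APP_CLIENT_ID,
    "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}",
    "token_use": "id",
    "exp": 4102444800,  # far in the future so the constructed sample does not expire
}


def authorize_id_token_claims(claims, app_client_id, user_pool_id, region, now=None):
    """Return the claims if they describe a valid ID token for this pool and client, else None.

    Assumes the JWT signature was already verified against the pool's JWKS
    (the step the AWS sample performs before its 'aud' check)."""
    now = time.time() if now is None else now
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != issuer:
        return None  # issued by a different user pool
    if claims.get("aud") != app_client_id:
        return None  # issued for a different app client
    if claims.get("token_use") != "id":
        return None  # access tokens carry client_id, not the user identity we key rows on
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


def build_scoped_query(claims, table_name):
    """DynamoDB Query parameters that can only return the caller's own partition.

    The partition key value comes from the verified 'sub' claim, never from the
    request body or query string, so a user cannot ask for another user's rows."""
    return {
        "TableName": table_name,
        "KeyConditionExpression": "userId = :uid",
        "ExpressionAttributeValues": {":uid": {"S": claims["sub"]}},
    }


def scoped_item_key(claims, requested_user_id):
    """Return the key for a write only when the requested partition is the caller's own."""
    if requested_user_id != claims["sub"]:
        return None  # attempt to write into another user's partition
    return {"userId": {"S": claims["sub"]}}


if __name__ == "__main__":
    verified = authorize_id_token_claims(SAMPLE_CLAIMS, APP_CLIENT_ID, USER_POOL_ID, REGION)
    if verified is None:
        print("token rejected")
    else:
        # The returned dict can be passed unchanged to boto3's dynamodb.query(**params).
        print(build_scoped_query(verified, TABLE_NAME))
```

The `token_use` check matters because a Cognito access token also carries `iss` and `exp`, but its audience is in `client_id` rather than `aud`, and it is the ID token that carries the user identity you want to key rows on. Returning `None` from every failed check keeps the Lambda's error path uniform; the caller turns that into a 401 without revealing which check failed.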