How to grant access only to user-specific resources (DynamoDB, S3) when calling a Lambda function from an API Gateway method using Cognito

2
votes

I'm creating a serverless backend using AWS (Lambda, Cognito, API Gateway, DynamoDB, and S3).

I have a Users Table on DynamoDB and an API (Lambda and API Gateway) for accessing that data. I want to grant access to the table at row level, based on the Cognito user credentials.

How can I do this? Should I use IAM policies or should I check if the id from Cognito is equal to the DB Table row id inside the Lambda?

1
amazon-web-servicesaws-lambdaamazon-dynamodbaws-api-gatewayamazon-cognito
This sounds like it might be multiple questions. Can you try to clarify what you're asking? Are you asking how to control access to S3 objects using IAM policies? Are you asking how to control access to DynamoDB at a row level? Are you asking how to use Cognito with API Gateway? Are you asking how to get the identity of a user using Cognito?Matthew Pope
I modified my question. I want to control access to DynamoDB at a row level, but I don't know if I must use IAM policies or I can just check if the id from Cognito is equal to the table row id.Irving Ulises Puga Gutiérrez
You can use cognito. I'll post full answer in a bitNinad Gaikwad

1 Answers

1
votes

You can use cognito to grant access to user specific data in both s3 and DynamoDb. The sub variable in your identity pool (different from the one in user pool) can be dynamically written into your authenticated role policy. So if you have the sub variable in your dynamodb document and as a prefix to your s3 object (basically "folder" name in which you keep files), you can use a single policy to grant access based on which user is logged in.

You can find the complete steps to do this in the following blog post.

https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/