Reputation: 23
How to grant access only to user-specific resources (DynamoDB, S3) when calling a Lambda function from an API Gateway method using Cognito
I'm creating a serverless backend using AWS (Lambda, Cognito, API Gateway, DynamoDB, and S3).
I have a Users Table on DynamoDB and an API (Lambda and API Gateway) for accessing that data. I want to grant access to the table at row level, based on the Cognito user credentials.
How can I do this? Should I use IAM policies or should I check if the id from Cognito is equal to the DB Table row id inside the Lambda?
Upvotes: 2
Views: 631
Answers (1)
Reputation: 4480
You can use cognito to grant access to user specific data in both s3 and DynamoDb. The sub variable in your identity pool (different from the one in user pool) can be dynamically written into your authenticated role policy. So if you have the sub variable in your dynamodb document and as a prefix to your s3 object (basically "folder" name in which you keep files), you can use a single policy to grant access based on which user is logged in.
You can find the complete steps to do this in the following blog post.
Upvotes: 1
Related Questions
- How to limit the access to Lambda base on user by Cognito Lambda authorizer
- Best way to enable protected access to AWS S3 bucket with lambda authorizer or Cognito
- Run Lambda function with same permissions as user invoking API Gateway endpoint
- Authorizing access to specific resources
- How to make AWS Cognito User Data available to Lambda via API Gateway, without an Authorizer?
- Give Lambda fine grained access to DynamoDB based on Cognito Credentials
- How to get AWS Cognito user data inside a lambda function protected by a cognito authorizer on API gateway
- AWS: Restrict Cognito Authorized User to specific Lambda Functions
- How to implement authorization based on user property from Cognito User Pool (or DynamoDB)?
- AWS Lambda: Give Lambda same role as signed in user