AWS S3 bucket policy to allow access to Cognito users

Question

I want to create a S3 bucket policy that can prevent public access but only allows who sign up my app thru Cognito to be able to upload object thru app.

Current block public access setting:

Current bucket policy I have:

{
    "Version": "2012-10-17",
    "Id": "Policy1593320409523",
    "Statement": [
        {
            "Sid": "Stmt1593320397284",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::358110801253:role/Cognito_katebUnauth_Role",
                    "arn:aws:iam::358110801253:role/service-role/transcribe-role-k5easa7b",
                    "arn:aws:iam::358110801253:role/Cognito_katebAuth_Role"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::va-raw-audio-to-transcribe/*",
                "arn:aws:s3:::va-raw-audio-to-transcribe"
            ]
        }
    ]
}

Answer 1

Amazon S3 buckets are private by default. Thus, there is no need to "restrict" access. Instead, select an appropriate way to "grant" access to desired users.

When users authenticate via AWS Cognito, the are provided credentials that are linked to an IAM Role. Therefore:

• Do not assign permissions via a Bucket Policy - This is normally used to grant public access to all users
• Instead, add the permissions to the IAM Role used by Cognito for those authenticated users

You have listed 3 roles in your question. Therefore, add appropriate permissions to each of those 3 IAM Roles so that they can access the desired bucket(s).

Also, be very careful about the permissions you grant. The policy in your Question is granting s3:*, which means the users can delete all objects and can even delete the bucket itself! Always grant minimal permissions so that they have sufficient access, but no more than required.

For example, if you only want to allow them to upload, they would only need s3:PutObject permission.