I'd like to implement the following: a specific Cognito (authenticated) user must have access to a single S3 bucket.
What is the best way to achieve the above?
I have tried the following:
- Create Cognito User Pool with App integration
- Create Cognito Identity Pool, which creates a dedicated IAM role on autenticated users
My idea was to update the policy of the Identity-Pool-IAM role to impose restrictions on S3 buckets to specific users only. I would of course have to extend this policy every time I add a new Cognito user (no problem with this).
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*",
"cognito-identity:*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
],
"Condition": {
"StringLike": {
"cognito-identity.amazonaws.com:sub": "COGNITO_USER_SUB_UID"
}
}
}
]
}
AWS doesn't like the way the S3-related policy above is written. It returns:
This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition.
Question: am I taking the right approach? If so, what am I doing wrong? If not, how should I solve my (supposedly simple) requirement?
For whatever reason, all the examples I have found seem to restrict access to an S3 folder in a bucket rather than the bucket itself (see here or here).