Item-level access for DynamoDB based on PK and cognito user pool username

[ermrg]

Is this related to another service?

DynamoDB, Amplify, API Gateway, Cognito

Describe the feature you'd like to request

Objective
Create a Policy to provide item-level access to the dynamodb using PrincipalTag and User Pool username. Users can access data only if the PK of dynamodb contains the User’s username.

Services
Amplify, Cognito user-identity pool, API Gateway, DynamoDB, Lambda

Describe the solution you'd like

1. Add default mapping in the Identity pool. This will map the user pool attribute to the PrincipalTag which we can use in the Policy condition.

2. Create a trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ]
        }
    ]
}

3. Create an item-based policy

 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:Get*",
                "dynamodb:BatchGetItem",
                "dynamodb:List*",
                "dynamodb:Describe*",
                "dynamodb:Scan",
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-x:xxxxxxxxxx:table/customers-dev",
                "arn:aws:dynamodb:us-east-x:xxxxxxxxxx:table/customers-dev/index/*"
            ],
            "Effect": "Allow",
            "Condition": {
                "ForAllValues:StringLike": {
                    "dynamodb:LeadingKeys": "*${PrincipalTag/username}*"
                }
            }
        }
    ]
}

Describe alternatives you've considered

Need to be able to add a policy that will allow items in dyamodb based on Cognito user pool username

Additional context

Error:
ClientError: An error occurred (AccessDeniedException) when calling the Query operation ... is not authorized to perform: dynamodb:Query on resource .... because no identity-based policy allows the dynamodb:Query action

[anacierdem]

I was unable to achieve the same thing. Tried both AWS_IAM and AMAZON_COGNITO_USER_POOLS authentication but for some reason the PrincipalTag is not effective.

[brabim-niural]

I am facing the same. Any update on this issue?

[haverchuck]

Marked as a feature request.

[beevor]

@haverchuck Any update on this? This seems to be a pretty basic security pattern.

[AllanZhengYP]

Hi @beevor

There's no update on the feature request yet. Amplify data category currently uses a different approach(owner attribute) than identity pool tag principals/attributes.

To help us better prioritize this feature, can you describe how the proposed solution different to the existing owner based authorization rule?

[beevor]

Hi @AllanZhengYP,

Thanks for the quick reply. I am not using the Amplify Data category. I'm using CDK to create the API, and my schema and permissions will eventually become quite complex e.g., users in a group (not the owner) requiring temporary access to records owned by a different user. I felt that such patterns are easier handled via lamba resolvers. The identity tags approach (dynamodb:LeadingKeys) offers an added layer of security and offloads auth checks from the lambda.

[AllanZhengYP]

@beevor Can you share more information on how you are using the Amplify library? I sounds to me that you are only using the Auth category and manage the DynamoDB yourself. Technically you can customize your CDK resource for identity pool, if you are using gen2, to achieve the resource access control supported by AWS.

However when I look into this documentation from DynamoDB, I find it calls out:

Note
Some AWS services also support tag-based conditions; however, DynamoDB does not.

Can you confirm this is a supported use case by DynamoDB?

[beevor]

Thank you @AllanZhengYP. Indeed, the documentation states that DyamoDB does not support tag-based conditions. I wish I had seen that before I wasted time trying to get this to work.

TL;DR: Tag-based conditions for dynamo is coming soon: announcement

Before seeing the announcement, I saw solutions like this and this which imply that one can use tag-based conditions for the dynamodb:LeadingKeys condition. I don't know how they got their solutions working.

From my understanding, tags like ${PrincipalTag/username} will not work, but ${cognito-identity.amazonaws.com:sub} will work, because it is a context variable in the session. The lambda will have to assume the cognito authenticated role for this approach to work. If there are multiple lambdas, the permissions on the cognito auth role would have to be a union of the permissions for the individual lambdas? This does not seem ideal to me.

For anyone reading this, one other thing to note is that {cognito-identity.amazonaws.com:sub} resolves to the cognito identity pool id, not the user pool id/sub.

All of this will be moot soon because of the announcement from AWS. They will soon implement tag-based conditions for dynamo.