AWS and other interesting stuff

Cognito Fine-Grained Permissions

Cognito

To Do: code for User Pool to be used in Identity Pool

DynamoDB Fine-Grained Permissions

You can attach permissions to the auth (and unauth) roles defined in the Identity Pool that allow the identity to read and write its own DynamoDB items, e.g. for the authenticated role

Cognito_ChoiceAsIdentityPoolAuth_Role

```yaml
Policies:
  - PolicyName: choiceAsDynamoDBPermissions
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - dynamodb:BatchGetItem
            - dynamodb:BatchWriteItem
            - dynamodb:DeleteItem
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:Query
            - dynamodb:UpdateItem
          Resource: !Sub
            - arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${table}
            - { table: !Ref choiceAsSessionDynamoDBTable }
          Condition:
            ForAllValues:StringEquals:
              dynamodb:LeadingKeys:
                - ${cognito-identity.amazonaws.com:sub}
```

The trust policy for the role needs to allow the Identity Pool to assume the role e.g.

```yaml
Properties:
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Federated:
            - cognito-identity.amazonaws.com
        Action:
          - sts:AssumeRoleWithWebIdentity
        Condition:
          StringEquals:
            cognito-identity.amazonaws.com:aud: ap-southeast-2:f95305cc-2b48-45dc-8bfa-a77f93b335ab
          ForAnyValue:StringLike:
            cognito-identity.amazonaws.com:amr: authenticated
```
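The two conditions above do the real work: `dynamodb:LeadingKeys` restricts every item touched by a request to partition keys equal to the caller's Cognito identity ID (so the table's partition key must be that ID), and the trust policy's `aud`/`amr` checks stop tokens from other Identity Pools, or unauthenticated identities, from assuming the role. The following is an added example (not code from the original page or project) that re-implements just enough of IAM condition evaluation to show how both conditions behave on sample requests. The identity pool ID is the one on the page; the identity IDs and the `evaluate_condition` helper are constructed for illustration and are not AWS APIs.

```python
import fnmatch

# Copies of the two Condition blocks from the page's CloudFormation snippets.
DYNAMO_CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"],
    }
}
IDENTITY_POOL_ID = "ap-southeast-2:f95305cc-2b48-45dc-8bfa-a77f93b335ab"  # from the page
TRUST_CONDITION = {
    "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(policy_value, context):
    # Expand a ${key} policy variable from the request context (e.g. the caller's sub).
    if isinstance(policy_value, str) and policy_value.startswith("${") and policy_value.endswith("}"):
        return context.get(policy_value[2:-1], "")
    return policy_value


def _match(op, request_value, policy_value):
    if op == "StringEquals":
        return request_value == policy_value
    if op == "StringLike":
        return fnmatch.fnmatchcase(request_value, policy_value)  # * and ? wildcards
    raise ValueError(f"unsupported operator {op}")


def evaluate_condition(condition, context):
    """Constructed simulator: True when every condition key in the block is satisfied."""
    for full_op, keys in condition.items():
        qualifier, _, op = full_op.rpartition(":")  # "ForAllValues:StringEquals" -> qualifier, op
        for key, policy_values in keys.items():
            policy_values = [_resolve(v, context) for v in _as_list(policy_values)]
            request_values = _as_list(context.get(key, []))
            if qualifier == "ForAllValues":
                # Every request value must match; an absent/empty key evaluates true (IAM semantics).
                ok = all(any(_match(op, r, p) for p in policy_values) for r in request_values)
            elif qualifier == "ForAnyValue":
                # At least one request value must match; an absent key evaluates false.
                ok = any(any(_match(op, r, p) for p in policy_values) for r in request_values)
            else:
                # Single-valued key: exactly one request value, matching any policy value.
                ok = len(request_values) == 1 and any(_match(op, request_values[0], p) for p in policy_values)
            if not ok:
                return False
    return True


def dynamodb_request_allowed(identity_sub, leading_keys):
    """Would the LeadingKeys condition allow a request touching these partition keys?"""
    context = {
        "cognito-identity.amazonaws.com:sub": identity_sub,
        "dynamodb:LeadingKeys": list(leading_keys),
    }
    return evaluate_condition(DYNAMO_CONDITION, context)


def assume_role_allowed(token_aud, token_amr):
    """Would the trust policy allow AssumeRoleWithWebIdentity for a token with these claims?"""
    context = {
        "cognito-identity.amazonaws.com:aud": token_aud,
        "cognito-identity.amazonaws.com:amr": list(token_amr),
    }
    return evaluate_condition(TRUST_CONDITION, context)


if __name__ == "__main__":
    # Constructed identity IDs, not real Cognito identities.
    me = "ap-southeast-2:11111111-1111-1111-1111-111111111111"
    other = "ap-southeast-2:22222222-2222-2222-2222-222222222222"
    print("own item:", dynamodb_request_allowed(me, [me]))                 # True
    print("batch incl. other's item:", dynamodb_request_allowed(me, [me, other]))  # False
    print("authenticated, right pool:", assume_role_allowed(IDENTITY_POOL_ID, ["authenticated"]))  # True
    print("unauthenticated:", assume_role_allowed(IDENTITY_POOL_ID, ["unauthenticated"]))  # False
```

The batch case is the one worth noticing: because the condition uses `ForAllValues`, a `BatchGetItem` or `BatchWriteItem` that mixes the caller's own partition key with someone else's is rejected as a whole, which is exactly the behaviour you want from per-identity row isolation.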

Note: the DynamoDB table ARN is built with the Sub function, using a Ref to the table defined in the same template, so the policy follows the generated table name instead of hard-coding it.

To Do: add reference to Choice As DynamoDB tag on github

To Do: add note about inline Python Lambda that writes to S3. Also make a note on testing