Can I specify an AWS DynamoDB policy based on Cognito ID?

amazon-dynamodb amazon-cognito
Scott McKenzie picture Scott McKenzie · Sep 16, 2014 · Viewed 7k times · Source

Can I apply a policy to an AWS DynamoDB table but restrict it based on the Cognito ID of the user accessing it?

E.g. A Customer table has a primary hash key equal to the Cognito ID. When anyone but the user sharing the same ID tries to get the item they will receive an unauthorised exception.

(Non DynanoDB policies are probably also valid.)

Answer

Wolfwyrd picture Wolfwyrd · Sep 17, 2014

You should be able to do something like this using the same techniques as those for using an ID Provider. You should use the Cognito identifier as the key in the policy:

{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query"
      ],
      "Resource": ["arn:aws:dynamodb:REGION:123456789012:table/UserData"],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}
    }
  }]
}

Related questions

AmazonServiceException: User is not authorized to perform: dynamodb:DescribeTable Status Code: 400; Error Code: AccessDeniedException

I had originally thought that this issue was due to mismatching regions, but after changing the region, I'm still coming across the following error when trying out an Amazon AWS sample found here: DynamoDBMapper AmazonServiceException: User: arn:aws:sts::[My …

Read More
DynamoDB vs MongoDB NoSQL

I'm trying to figure it out what can I use for a future project, we plan to store from about 500k records per month in the first year and maybe more for the next years this is a vertical application …

Read More
What is the recommended way to delete a large number of items from DynamoDB?

I'm writing a simple logging service in DynamoDB. I have a logs table that is keyed by a user_id hash and a timestamp (Unix epoch int) range. When a user of the service terminates their account, I need to …

Read More