amazon-s3amazon-cognitofederated-identitygroupchat

aws cognito - allow group-chat participants access to s3 bucket

I'm implementing an iOS app with group-chat support, where users can add photos, other files.

Decided on AWS S3 as storage back end, using Cognito Federated Identities to authenticate upload/downloads - data pumped to/from S3, not via our servers.

So far

my implementation allows a user/identity to upload & download to their their own folder on an S3 bucket (example policy arn:aws:s3:::mybucket/users/${cognito-identity.amazonaws.com:sub}/* the variable being the identityID/user_id).

However

I've not been able to find a secure way that allows only participants in a group-chat to upload/download from that group-chat's folder on S3.

Any ideas?

some thoughts on a possible flow:

  1. first, user upload photo to own folder, [ I know how ]
  2. then, the system copies over the photo into the group-chat's folder [ I know how ]
  3. associate group-chat folder with the identities of participants [ not sure how - there could be thousands of groups & participants ]
    • EDIT 1: as @MyStackRunnethOver suggest, could use one IAM role/credential to manage all upload/download request for users (that belong to said group) [ big security concern if credential compromised ].
  4. EDIT 1: could use PreSigned URLs: files uploaded to user's own folder, presigned url stored on group-chat entries [ max url-life 7days though ]
    • client caching helps until participants join/leave a group frequently
    • requires server-side scheduled job to renew expired PreSigned URLs

Any commends/ideas appreciated

Solution

  • Your question boils down to:

    "Given that users are part of groups, how can I give users access to group-specific subdirectories based on group membership?"

    As I see it, you have two options:

    1. Give each user the "key" to all directories they're a member of. This could mean adding a permission to that user for each group, or providing them with access to a new IAM role for each group. This is the "come up with a way to have fine-grained permissions for S3" strategy.

    2. Don't distribute any directory-specific keys. Instead, when a user requests a certain directory, check whether they're in the group that directory belongs to. This is the "build a fine-grained data storage system around S3" strategy.

    I recommend the latter approach, because instead of having an IAM role or a credential per user or per group, you give all your users one credential: the credential needed to make requests of your S3 wrapper. If you keep track of which groups your users are in, all your wrapper needs to do is check the user -> groups mapping to see if a request should be fulfilled. The front end can use the same mapping to prettify the UI: a user is only shown the option to upload / download from the groups they are a member of. In this case, I would envision the mapping as a Dynamo table that is updated whenever a user signs up, joins a group, leaves a group, or deletes their account. You can identify your users by their Cognito credentials, which include user-specific fields.