Geek Answers Handbook

Amazon S3 list permission for a non-authenticated cognito user

I installed an unauthorized role in the Amazon Cognito Identity pool. My goal is that guest users of my mobile application will be able to upload debug logs (small text files) to my S3 bucket so that I can troubleshoot. I notice that I get "Access Denied" from S3 unless I change my permission to the S3 bucket. If I add to allow Everyone to have the Download / Delete privilege, the file upload failed. My concern is that someone will be able to upload large files to my bucket and cause a security problem. What is the recommended configuration for my need above? I am new to S3 and Cognito.

I am using the Amazon AWS SDK for iOS, but I believe this issue is platform neutral.

Edit: My policy is this:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:GetUser", "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:PutObject" ], "Resource": ["arn:aws:s3:::import-to-ec2-*", "arn:aws:s3:::<my bucket name>/*"] } ] }
+8
amazon-s3 amazon-cognito
source share
3 answers

You do not need to change the resolution of the S3 list, but rather the IAM role associated with your identifier pool. Try the following:

  • Visit the IAM console.
  • Find the role associated with your identifier pool.
  • Attach a policy similar to the following to your role: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::MYBUCKET/*"] } ] }
  • Replace MYBUCKET with the name of your bucket
  • Access your bucket as usual from your application using the iOS SDK and Cognito

You might want to consider restricting permissions, including ${cognito-identity.amazonaws.com:sub} to separate your users, but the above policy will help you get started.

+3
source share

As @einarc said (can't comment yet) to get it working, I had to edit the role and Bucket Policy. This is good enough for testing:

Bucket Policy:

 { "Id": "Policy1500742753994", "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1500742752148", "Action": "s3:*", "Effect": "Allow", "Resource": "arn:aws:s3:::admin1.user1", "Principal": "*" } ] }

Proven role policy:

 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::*" ] } ] }
+1
source share

The answer above has not been completed since 2015, you need to authorize BOTH and the bucket role in S3 to authorize this role to write to the bucket. Use s3: PutObject in both cases. The console has wizards for both cases.

0
source share

More articles:


All Articles