问题
I am developing a simple application (ios) where each user can send simple messages (each of them composed of a few data slots, all strings for the moment) to other users (their Facebook friends). People log in using their Facebook account through Cognito and I manage users accounts using a single table in DynamoDB where the primary key is the the Facebook id (the secondary key is a unique message id). When user A sends a message to user B, two almost identical rows are added to the table, they contain the message and the only difference between them is the primary key (one is A's facebook id and the other is B's). Therefore, when a user logs in and checks his account, she retrieves all the rows corresponding to her facebook id hence accessing both the messages she sent and the ones that have been sent to her.
For the moment, every user has access to all the rows in the table which is a security flaw. I checked out some documentation and it seems that it is possible to perform fine-grained access control by adding the following snippet to the IAM policy in this case:
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${graph.facebook.com:id}"
]
}
}
Unfortunately, ${graph.facebook.com:id} does not work with Cognito, and I should use ${cognito-identity.amazonaws.com:sub} instead to identify users. The problem is that using the latter requires using the Cognito id as a primary key instead of the Facebook id, which leads to my problem: it is possible to get friends' Facebook ids but not their Cognito ids which makes it impossible to send messages to them using the previous architecture.
Is there any possible solution while still keeping Cognito or should I authenticate users without it? Also, any remarks and critiques about my application's design are welcome.
回答1:
If you need to use the user's facebook id, use Web Identity Federation. The doc is a bit dated, but the aws mobile and js sdks provide a web identity credentials provider.
This approach should work if you allow write access to all keys and read access only to facebook id tied to the credentials.
来源:https://stackoverflow.com/questions/36219708/fine-grained-access-control-for-aws-dynamodb-using-aws-cognito