
I am attempting to secure my AWS API such that DynamoDB rows can only be accessed by the corresponding authenticated Cognito user, by implementing fine-grained access control in my Serverless Framework config (serverless.yml).

See an example of what I am attempting in the AWS Documentation.

I have tried to convert the CloudFormation syntax to Serverless without success; when I try something like the following expression in my policy statement:

Condition:
  ForAllValues:StringEquals:
    dynamodb:LeadingKeys: ["${cognito-identity.amazonaws.com:sub}"]

I then get an error:

Invalid variable reference syntax for variable cognito-identity.amazonaws.com:sub. You can only reference env vars, options, & files. You can check our docs for more info.

Is this even possible in Serverless? Or is it CloudFormation and SAM only?

  • Were you able to find a solution for this? I am trying to do something similar. Thanks! Commented Jul 21, 2020 at 17:43
  • Did you find a solution? Commented Jan 12, 2022 at 2:04
  • @systemdebt check my answer if that's something you still need Commented Dec 4, 2022 at 18:58

2 Answers

I was encountering the same problem and solved it this way:

Condition:
  ForAnyValue:StringLike:
    "dynamodb:LeadingKeys":
      - !Join ["", [ "$", "{cognito-identity.amazonaws.com:sub}" ]]

That's not very clean, but as of now the variables syntax collides with the AWS params syntax. See this for more details: https://github.com/serverless/serverless/issues/2601
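A fuller serverless.yml fragment built around the !Join workaround above, added here as an illustration and not taken from the question or the answer. It assumes an identity pool resource named IdentityPool and a table resource UserItemsTable whose partition key holds the Cognito identity id. The point it adds is where the statement has to live: on the role the identity pool hands to authenticated users, because the cognito-identity.amazonaws.com:sub policy variable only resolves for credentials obtained through Cognito Identity, not for a Lambda execution role.

```yaml
# serverless.yml fragment (resources section only)
resources:
  Resources:
    # Role handed to authenticated identities of the pool. Assumed to exist
    # elsewhere in this file: IdentityPool (AWS::Cognito::IdentityPool) and
    # UserItemsTable (AWS::DynamoDB::Table keyed on the identity id).
    CognitoAuthRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Federated: cognito-identity.amazonaws.com
              Action: sts:AssumeRoleWithWebIdentity
              Condition:
                StringEquals:
                  "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
                ForAnyValue:StringLike:
                  "cognito-identity.amazonaws.com:amr": authenticated
        Policies:
          - PolicyName: own-rows-only
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - dynamodb:GetItem
                    - dynamodb:PutItem
                    - dynamodb:Query
                  Resource: !GetAtt UserItemsTable.Arn
                  Condition:
                    # "$" and "{...}" are joined by CloudFormation at deploy
                    # time, so the Serverless variable resolver never sees "${"
                    # and IAM receives ${cognito-identity.amazonaws.com:sub}.
                    ForAllValues:StringEquals:
                      "dynamodb:LeadingKeys":
                        - !Join ["", ["$", "{cognito-identity.amazonaws.com:sub}"]]

    # Without this attachment the role is never issued to pool identities.
    IdentityPoolRoleAttachment:
      Type: AWS::Cognito::IdentityPoolRoleAttachment
      Properties:
        IdentityPoolId: !Ref IdentityPool
        Roles:
          authenticated: !GetAtt CognitoAuthRole.Arn
```

dynamodb:Scan is deliberately absent from the Action list: a Scan carries no partition key, so dynamodb:LeadingKeys is missing from the request context and a ForAllValues condition on a missing key evaluates to true, which would let a user read every row.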


It is possible in Serverless. If I were you I would use an AWS Lambda function to verify the id_token which is sent to the user. In this scenario, you should first transfer the key to the AWS Lambda function using API Gateway or other methods. Then follow this guide to verify the token. The code can be found in: https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt

After verifying it you can add your code here:

 ...... 
if claims['aud'] != app_client_id:
    print('Token was not issued for this audience')
    return False
# now we can use the claims

# add your code here #

print(claims)
return claims

1 Comment

Thanks, but that's not what I'm trying to achieve. I don't need to verify the JWT token; my gateway authorizer does this automatically for me. What I'm trying to do is implement fine-grained access control in DynamoDB using the Serverless framework, i.e. have AWS automatically determine if the authenticated user is allowed to access a particular document in DynamoDB.
