使用 AWS Cognito 对 AWS DynamoDB 进行细粒度访问控制 [英] Fine-grained access control for AWS DynamoDB using AWS Cognito
问题描述
我正在开发一个简单的应用程序 (ios),每个用户都可以向其他用户(他们的 Facebook 朋友)发送简单的消息(每个消息都由几个数据槽组成,目前都是字符串).人们通过 Cognito 使用他们的 Facebook 帐户登录,我使用 DynamoDB 中的单个表管理用户帐户,其中主键是 Facebook id(辅助键是唯一的消息 id).当用户 A 向用户 B 发送消息时,表中添加了两个几乎相同的行,它们包含消息,它们之间的唯一区别是主键(一个是 A 的 facebook id,另一个是 B 的).因此,当用户登录并检查他的帐户时,她会检索与她的 facebook id 对应的所有行,从而访问她发送的消息和已发送给她的消息.
I am developing a simple application (ios) where each user can send simple messages (each of them composed of a few data slots, all strings for the moment) to other users (their Facebook friends). People log in using their Facebook account through Cognito and I manage users accounts using a single table in DynamoDB where the primary key is the the Facebook id (the secondary key is a unique message id). When user A sends a message to user B, two almost identical rows are added to the table, they contain the message and the only difference between them is the primary key (one is A's facebook id and the other is B's). Therefore, when a user logs in and checks his account, she retrieves all the rows corresponding to her facebook id hence accessing both the messages she sent and the ones that have been sent to her.
目前,每个用户都可以访问表中的所有行,这是一个安全漏洞.我查看了一些文档,在这种情况下,似乎可以通过将以下代码段添加到 IAM 策略来执行细粒度的访问控制:
For the moment, every user has access to all the rows in the table which is a security flaw. I checked out some documentation and it seems that it is possible to perform fine-grained access control by adding the following snippet to the IAM policy in this case:
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${graph.facebook.com:id}"
]
}
}
不幸的是,${graph.facebook.com:id} 不适用于 Cognito,我应该使用 ${cognito-identity.amazonaws.com:sub} 而是识别用户.问题是使用后者需要使用 Cognito id 作为主键而不是 Facebook id,这导致了我的问题:可以获得朋友的 Facebook id 而不是他们的 Cognito id,这使得无法发送消息到他们使用以前的架构.
Unfortunately, ${graph.facebook.com:id} does not work with Cognito, and I should use ${cognito-identity.amazonaws.com:sub} instead to identify users. The problem is that using the latter requires using the Cognito id as a primary key instead of the Facebook id, which leads to my problem: it is possible to get friends' Facebook ids but not their Cognito ids which makes it impossible to send messages to them using the previous architecture.
在仍然保留 Cognito 的同时是否有任何可能的解决方案,或者我应该在没有它的情况下对用户进行身份验证?此外,欢迎对我的应用程序设计提出任何评论和批评.
Is there any possible solution while still keeping Cognito or should I authenticate users without it? Also, any remarks and critiques about my application's design are welcome.
推荐答案
如果需要使用用户的facebook id,请使用网络身份联合.文档有点过时,但 aws mobile 和 js sdks 提供了 Web 身份凭证提供程序.
If you need to use the user's facebook id, use Web Identity Federation. The doc is a bit dated, but the aws mobile and js sdks provide a web identity credentials provider.
如果您允许对所有密钥进行写访问并且仅对绑定到凭据的 facebook id 进行读访问,则此方法应该有效.
This approach should work if you allow write access to all keys and read access only to facebook id tied to the credentials.
这篇关于使用 AWS Cognito 对 AWS DynamoDB 进行细粒度访问控制的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
