我可以根据 Cognito ID 指定 AWS DynamoDB 策略吗? [英] Can I specify an AWS DynamoDB policy based on Cognito ID?

问题描述

我可以将策略应用于 AWS DynamoDB 表，但根据访问它的用户的 Cognito ID 对其进行限制吗?

Can I apply a policy to an AWS DynamoDB table but restrict it based on the Cognito ID of the user accessing it?

例如Customer 表的主哈希键等于 Cognito ID.当共享相同 ID 的用户以外的任何人试图获取该项目时，他们将收到未经授权的异常.

E.g. A Customer table has a primary hash key equal to the Cognito ID. When anyone but the user sharing the same ID tries to get the item they will receive an unauthorised exception.

(非 DynanoDB 策略可能也有效.)

(Non DynanoDB policies are probably also valid.)

推荐答案

您应该能够使用与 使用 ID 提供者.您应该使用 Cognito 标识符 作为政策:

You should be able to do something like this using the same techniques as those for using an ID Provider. You should use the Cognito identifier as the key in the policy:

{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query"
      ],
      "Resource": ["arn:aws:dynamodb:REGION:123456789012:table/UserData"],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}
    }
  }]
}

这篇关于我可以根据 Cognito ID 指定 AWS DynamoDB 策略吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！