For each of my customers, they have data stored on individual Dropbox accounts and I'm in the process of consolidating all of these into AWS in the shape of a single S3 bucket where each customer has control over a single folder within that bucket.

For added security I was planning on creating each customer an IAM user (programmatic access controlled via my application) and limiting the bucket policy to only allow requests to the folder relating to that customer.

{
Sid = "VisualEditor0"
Effect = "Allow"
Action = "s3:*"
Resource = "arn:aws:s3:::customer_data/${aws:username}/*"
}

This all seemed sensible to me until it dawned on me that there's a hard 5000 IAM user limit per account. In theory things would have to be going really well in this industry to hit this limit, but hard limits give me reasons to be nervous, as you'd expect.

Any better solutions?

I found this similar post where one answer suggests using AWS Cognito, which seems like it might require user input as opposed to allowing me to set up the users completely?

Sayse

  • Cognito is definitely the way to go. Creating an IAM user as part of application access control would be unusual. – Tim Mar 02 '21 at 17:13
  • @Tim - Definitely, this was just a case of not knowing about Cognito's existence! – Sayse Mar 02 '21 at 20:08
  • There's an upside and a downside to AWS having 180+ services – Tim Mar 02 '21 at 20:12

1 Answer

Turns out I wasn't truly understanding AWS Cognito user pools vs their identity pools. Using an identity pool that has access enabled for unauthenticated identities, I'm able to store up to 2 million customers that can each get access to hour-long session tokens... an example of usage may look like the following

import boto3

# Placeholders: the application's own AWS credentials, region, account id and identity pool id
access_key = "<APPLICATION_ACCESS_KEY_ID>"
secret = "<APPLICATION_SECRET_ACCESS_KEY>"
region = "<REGION>"
aws_account_id = "<AWS_ACCOUNT_ID>"
pool_id = "<REGION>:<IDENTITY_POOL_ID>"

cognito = boto3.client("cognito-identity", region_name=region, aws_access_key_id=access_key, aws_secret_access_key=secret)
# GetId with no Logins returns an unauthenticated identity from the pool
get_id = cognito.get_id(AccountId=aws_account_id, IdentityPoolId=pool_id)
print("Users Cognito", get_id, sep="\n\n")

users_id = get_id["IdentityId"]
# Temporary credentials (access key, secret, session token) issued for that identity
user_creds = cognito.get_credentials_for_identity(IdentityId=users_id)["Credentials"]

print("User Creds", user_creds, sep="\n\n")

user_key = user_creds['AccessKeyId']
user_secret = user_creds['SecretKey']
user_session = user_creds['SessionToken']

bucket_name = "customer-data"

# S3 calls made with the identity's temporary credentials are limited by the identity pool's role policy
s3 = boto3.client("s3", region_name=region, aws_access_key_id=user_key, aws_secret_access_key=user_secret, aws_session_token=user_session)
bucket_of_stuff = s3.list_objects_v2(Bucket=bucket_name)
print("Bucket contents", bucket_of_stuff, sep="\n\n")
Sayse
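As an added example (not code from the post or from AWS), here is the identity-pool counterpart of the question's `${aws:username}` policy: each Cognito identity is confined to its own folder through the `${cognito-identity.amazonaws.com:sub}` policy variable, and `s3:ListBucket` gets an `s3:prefix` condition because that action is evaluated against the bucket ARN rather than an object key. The bucket name and the local `allowed` helper are assumptions; the helper is a model of the policy for checking intent offline, not the IAM evaluator.

```python
# Added example, not code from the post: the Cognito-identity-pool equivalent of the
# per-user prefix policy from the question, plus a local check of what it permits.
# Assumed (not on the page): bucket name "customer-data"; the identity-pool role's
# policy variable ${cognito-identity.amazonaws.com:sub} resolves to the caller's IdentityId.
import re

BUCKET = "customer-data"
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"


def scoped_policy(bucket: str = BUCKET) -> dict:
    """Object actions only under the identity's own folder; ListBucket acts on the
    bucket ARN, so it needs an s3:prefix condition or every folder becomes listable."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnFolderObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{SUB_VAR}/*"},
            {"Sid": "ListOwnFolderOnly", "Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{SUB_VAR}/*"]}}},
        ],
    }


def _glob(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def allowed(policy: dict, identity_id: str, action: str, bucket: str, target: str) -> bool:
    """Local model of policy evaluation (not the real IAM engine). For object actions
    `target` is the object key; for s3:ListBucket it is the requested prefix."""
    resource = f"arn:aws:s3:::{bucket}" + ("" if action == "s3:ListBucket" else f"/{target}")
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or action not in actions:
            continue
        if not _glob(st["Resource"].replace(SUB_VAR, identity_id), resource):
            continue
        prefixes = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if prefixes is None or any(_glob(p.replace(SUB_VAR, identity_id), target) for p in prefixes):
            return True
    return False
```

Running `allowed(scoped_policy(), identity_id, ...)` with a constructed IdentityId shows that an identity can read and list its own folder but gets no access to another identity's folder.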