
We have a problem managing authorisation while accessing AWS resources. Currently, we are using STS tokens to authorize the user and give access to AWS resources. But the problem is that in the request parameters, if we change the user_id and keep the STS token the same, the resources are accessible. We are looking for a way where Amazon can explicitly do this authorization. Any suggestions?

  • What kind of "user_id" are you talking about? How is it supposed to be correlated with the STS token? The token has an accompanying AccessKeyId and secret, not a "user_id." – Michael - sqlbot Oct 04 '16 at 18:34
  • @Michael-sqlbot user_id is from our database. – Krishna Karamilli Oct 05 '16 at 04:54
  • I see. With that fact in mind, what does it mean to say that you "change" the user_id and keep the token the same? If the user_id isn't provided to AWS when a request is made, then in what sense does it "change"? I'm trying to understand the nature of the problem. – Michael - sqlbot Oct 05 '16 at 11:34
  • user_id corresponds to a user in our database. Suppose I am a user of our website with user_id=7 and sts_token=xyz. If I send REST calls through Postman, I get data; at the same time, if I replace user_id=8 and keep sts_token=xyz, I am able to view his data, which shouldn't happen. Currently we are not providing user_id to AWS; if we pass it, is there a way to restrict this from the AWS side? I'm not very familiar with AWS. – Krishna Karamilli Oct 07 '16 at 10:05
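One way to have AWS itself enforce the per-user boundary, as an added example that is not from the question or from any answer on this page: instead of handing every user the same STS credentials and trusting a user_id parameter, the backend calls sts:AssumeRole with a session policy that narrows the role to that user's own key prefix. The credentials then carry the restriction, so swapping user_id in a request changes nothing, because AWS evaluates the policy on every call. The bucket name, the role ARN, the users/<user_id>/ layout and the numeric user ids are assumptions for the example; boto3 is assumed installed only for the live call, and the offline evaluator is a deliberately minimal stand-in for IAM used to show the decisions.

```python
"""Scoping STS credentials to one user so AWS, not the app, enforces tenancy.

Added example, not code from the question. Assumptions: each user's data lives
in one S3 bucket under the prefix users/<user_id>/, the backend can assume
ROLE_ARN (hypothetical), and user ids are numeric as in the question.
"""
import json
import re

BUCKET = "example-app-data"                                       # hypothetical
ROLE_ARN = "arn:aws:iam::123456789012:role/app-user-data-access"  # hypothetical

_USER_ID = re.compile(r"^[0-9]+$")   # reject anything that could break out of the prefix


def session_policy_for(user_id):
    """Session policy that narrows the role to this user's prefix.

    A session policy passed to sts:AssumeRole can only reduce what the role's own
    policy allows; AWS applies it to every request made with the returned credentials.
    """
    if not _USER_ID.match(str(user_id)):
        raise ValueError("user_id must be numeric")
    prefix = f"users/{user_id}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OwnObjectsOnly",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{BUCKET}/{prefix}*"],
            },
            {
                "Sid": "ListOwnPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{BUCKET}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def issue_scoped_credentials(user_id, duration_seconds=900):
    """Assume the role with the per-user session policy; returns temporary credentials.

    user_id must come from the server's own authenticated session (the login
    cookie or token), never from a client-supplied request parameter. Needs boto3
    and real AWS credentials, so it is not exercised offline.
    """
    import boto3  # imported here so the rest of the module runs without boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName=f"user-{user_id}",
        Policy=json.dumps(session_policy_for(user_id)),
        DurationSeconds=duration_seconds,  # 900 is the minimum AssumeRole allows
    )
    return resp["Credentials"]


def _arn_matches(pattern, value):
    # IAM-style matching: '*' is any run of characters, '?' a single character.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def is_allowed(policy, action, resource, s3_prefix=None):
    """Minimal offline evaluator for the policy above (Allow statements only, which
    is all session_policy_for emits; real IAM also applies explicit Deny and the
    role's own policy). Used here to show what AWS would decide per request."""
    for st in policy["Statement"]:
        if action not in st["Action"]:
            continue
        if not any(_arn_matches(p, resource) for p in st["Resource"]):
            continue
        cond = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if cond is not None:
            if s3_prefix is None or not any(_arn_matches(p, s3_prefix) for p in cond):
                continue
        return True
    return False


if __name__ == "__main__":
    policy = session_policy_for(7)  # credentials minted for user 7
    for key in ("users/7/profile.json", "users/8/profile.json", "users/77/x"):
        arn = f"arn:aws:s3:::{BUCKET}/{key}"
        print(key, "->", "allow" if is_allowed(policy, "s3:GetObject", arn) else "deny")
```

With credentials minted this way, the client can still send user_id=8, but the only thing that matters is the session policy baked into the credentials for user 7, and the request for users/8/ fails at AWS with AccessDenied. Session policies are also what Cognito identity pools use under the hood, where the same idea is expressed with the `${cognito-identity.amazonaws.com:sub}` policy variable instead of a per-call document.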

0 Answers