Can I apply a policy (for example to an AWS DynamoDB table) but restrict it based on a specific field of the Cognito user (other than the Cognito id)?

What I'm trying to implement: I've got multiple Cognito users that belong to one specific group. Each group can have multiple users. There are a lot of groups (> 1000).

  1. Each group should have permissions to read/write rows in a DynamoDB Table that belongs to the group (to do so the table has a field GroupName).
  2. Each user should have the same permissions that the group he belongs to has.

I would like to check in the policy file that MyCognitoUser.GroupName equals row.GroupName.

Stéphane

1 Answer

If you are using Amazon Cognito User Pools, then you can use the recently launched Groups functionality to assign roles based on the user's groups (you don't need to store this field in DynamoDB; instead it is part of the user profile).

Rachit Dhall
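As an added illustration (not part of the question or the answer above), this is the shape of the IAM policy one would attach to the role that a single Cognito group is mapped to, here for a constructed group named Finance. It assumes GroupName is the table's partition key, because the dynamodb:LeadingKeys condition key only constrains the partition key, and REGION, ACCOUNT_ID and TABLE_NAME are placeholders; one such role and policy is needed per group, since the group name cannot be injected as a policy variable.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FinanceGroupRowAccess",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/TABLE_NAME",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["Finance"]
        }
      }
    }
  ]
}
```

Scan is deliberately left out of the action list: LeadingKeys cannot scope a Scan to one partition key value, so allowing it would expose every group's rows.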