Let Cognito users manage access to "own" S3 folders

Question

I'm actually going to sneak in two questions here:

1) I'm trying to figure out if there is a way to let Cognito users manage access to their own folders. Let's say user Dave wants to share his protected file with user Anne. How would I go about to do this?

2) How can a group of users access the same restricted folders in a bucket? In my app users rarely work alone, and they upload files to the organization they belong.

Below is the policy I've gotten so far, but it's not doing it for me. Is there a way to do what I want directly in S3, or do I have to do a Lambda/Dynamo/S3 setup?

Do I need a unique policy for every organization and user in my app to achieve this? Isn't that a tad overkill?

I will be grateful for any help I can get on this topic.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKETNAME/user/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::BUCKETNAME/user/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}

Answer 1

Your use-case is beyond what should be implemented via a Bucket Policy.

Trying to add exceptions and special-cases to a bucket policy will make the rules complex to manage and will start hitting limits -- S3 supports bucket policies of up 20 kb.

Once you get into specific rules about users, objects, paths, etc then you should really be managing this through your central app, which then grants access to objects via Pre-Signed URLs that are generated on-the-fly as necessary.

Amazon S3 is a highly scalable, reliable storage system -- but don't expect it to have every feature you require. That's where your app code is required.