
I would like to restrict access permission for a number of AWS Cognito users to a specific Kinesis WebRTC signalling channel. Basically I need to define that, for a particular organization that spans multiple AWS Cognito users, they have access only to that organization-specific signalling channel. For now I've come up with the following limited solution:

  • Created an identity pool and specified the authenticated IAM role.
  • Defined the IAM role to restrict permissions to kinesisvideo actions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "kinesisvideo:*",
            "Resource": "*"
        }
    ]
}

What I'm missing here is how exactly I could build a dynamic system that would create policies specifying which users can access a specific signalling channel. This system would need to allow changing policies/permissions when users enter/leave an organization and therefore have their access to the Kinesis signalling channel added/removed. For now I was thinking about the following solutions:

  • Use AWS Cognito groups for each organization. But this is not scalable, as AWS defines a hard limit for the maximum number of groups per user pool at 10,000.
  • Programmatically attach a new policy to the above-defined IAM role which would define, for each organization, all users that have access to a particular channel. But this again has a hard limit on how many policies you can attach to a single IAM role.

Is there maybe a way to define a policy directly on Kinesis channels, like you can define policies for the S3 service? Though I haven't seen anything like that in the AWS console.

Jernej Jerin
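Added example (not from the original post, and not AWS's own code): one static IAM policy for the identity-pool authenticated role that scopes the Kinesis Video Streams signalling actions to the caller's organization through a principal tag, instead of one group or one policy per organization. It assumes the identity pool's "attributes for access control" maps a user-pool claim (here a hypothetical custom:org) to a principal tag named org, and that channels are named <org>-<purpose>; the region, account ID, identity pool ID and channel names are placeholders. The small evaluator at the end is a simplified offline simulation of how IAM would expand the policy variable and match the ARN, not IAM's real evaluation logic.

```python
"""Per-organization scoping of Kinesis Video signalling channels with one IAM
policy and a Cognito principal tag. Added example; region, account, pool ID,
claim/tag names and channel names are assumptions, not values from the post."""
import fnmatch
import json
import re

# IAM actions a WebRTC client needs against a signalling channel.
SIGNALING_ACTIONS = [
    "kinesisvideo:DescribeSignalingChannel",
    "kinesisvideo:GetSignalingChannelEndpoint",
    "kinesisvideo:GetIceServerConfig",
    "kinesisvideo:ConnectAsMaster",
    "kinesisvideo:ConnectAsViewer",
]


def build_org_channel_policy(region, account_id, tag_key="org"):
    """Permission policy for the authenticated role: signalling actions are
    allowed only on channels whose name starts with "<org tag>-".
    Signalling channel ARNs end in /<creation-time>, hence the trailing /*.
    Caveat: org identifiers must not themselves contain "-", otherwise an
    org "acme" would also match channels of an org "acme-corp"."""
    resource = (
        f"arn:aws:kinesisvideo:{region}:{account_id}:channel/"
        f"${{aws:PrincipalTag/{tag_key}}}-*/*"
    )
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OrgScopedSignaling",
            "Effect": "Allow",
            "Action": SIGNALING_ACTIONS,
            "Resource": resource,
        }],
    }


def build_trust_policy(identity_pool_id):
    """Trust policy for the authenticated role. sts:TagSession must be allowed
    so the identity pool can attach the mapped principal tags to the session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def _expand(pattern, principal_tags):
    """Expand ${aws:PrincipalTag/<key>}; a missing tag leaves the variable
    unexpanded, so the pattern cannot match any real ARN (fail closed)."""
    return re.sub(r"\$\{aws:PrincipalTag/([^}]+)\}",
                  lambda m: principal_tags.get(m.group(1), m.group(0)), pattern)


def is_allowed(policy, principal_tags, action, resource_arn):
    """Simplified evaluation: Allow statements only, no Deny, no conditions.
    IAM's '*' also matches across '/', which fnmatch reproduces."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, _expand(r, principal_tags)) for r in resources):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: an "acme" user against an acme channel and a globex channel.
    policy = build_org_channel_policy("us-east-1", "123456789012")
    acme = "arn:aws:kinesisvideo:us-east-1:123456789012:channel/acme-lobby/1600000000000"
    globex = "arn:aws:kinesisvideo:us-east-1:123456789012:channel/globex-lobby/1600000000000"
    print(json.dumps(policy, indent=2))
    print("acme user -> acme channel:", is_allowed(policy, {"org": "acme"}, "kinesisvideo:ConnectAsViewer", acme))
    print("acme user -> globex channel:", is_allowed(policy, {"org": "acme"}, "kinesisvideo:ConnectAsViewer", globex))
```

With this layout, membership changes are handled entirely in the user pool (change the user's org claim), the IAM role and its policy stay fixed, and neither the 10,000-groups limit nor the attached-policies limit from the post comes into play. Management actions such as creating or deleting channels are deliberately left out of the role.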

0 Answers