amazon-archives / aws-cognito-angular-quickstart

An Angular(v5)-based QuickStart single-page app utilizing Amazon Cognito, S3, and DynamoDB (Serverless architecture)
https://cognito.budilov.com
Apache License 2.0
689 stars, 304 forks

Security Question #62

Closed coldcam closed 7 years ago

coldcam commented 7 years ago

Quick Question on security wrt ddb tables. The current code grants permission to the authenticated user to access dynamodb tables - read/write/delete. Since all users are logging their activity into the same table, how are they prevented from seeing/accessing data activity from other users?

I understand the app only queries based on the user; however, it seems like there is an opportunity to rewrite the script or perhaps hijack the access token to access the entire table and thus all user activity.

I'm no security expert so simple answers suffice. :)

coldcam commented 7 years ago

Another way to put the question would be: Is it any more secure to instead have the app publish an SQS message to a queue that is then processed by a lambda function with access to the ddb table, rather than give the client direct access to the ddb table? In this way the lambda function can ensure that the client is only able to view logs associated with his activity and no one else's. While this seems a tad bit paranoid, I can see others adopting this code and adding more sensitive information to the ddb table, thus warranting this added level of security.

jameshow commented 7 years ago

I had similar questions, so I've been doing some reading of the docs.

From what I understand, the important part here is the IAM authenticated role policy that gets created. In the aws folder, createResources.sh uses the template to create the policy. The template is aws/authrole.json. You are correct that the policy allows get, put, update, delete, but take a look at the Condition clause:

    "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
    }

This is where the fine-grained access control is implemented. It looks to me like these users only have access over their own items in the ddb table.

dynamodb:LeadingKeys – This condition key allows users to access only the items where the partition key value matches their user ID.

See this doc page for more info.

Even if you were to capture another user's id you won't be able to use that since cognito won't allow you to pass that through to IAM since it won't be authenticated.

Hopefully that helps and isn't too far off. :)

vbudilov commented 7 years ago

@coldcam , @jameshow is right -- the IAM policy takes care of that. The same thing can be done with S3:

    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::content/${cognito-identity.amazonaws.com:sub}/*"
      ]
    },
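To make the two answers above concrete, here is an added example (not code from this repository) that models how IAM evaluates the `dynamodb:LeadingKeys` condition and the sub-scoped S3 resource ARN for a Cognito-authenticated caller. The action list, table and bucket names are placeholders; the `ForAllValues` semantics follow the IAM documentation, including the caveat that a request carrying no partition keys (such as a Scan) satisfies the condition vacuously, which is why the statement must not grant `dynamodb:Scan`.

```python
"""Model of the identity-scoped IAM checks discussed in this issue.

Added example, not code from aws-cognito-angular-quickstart. The caller's
sub is taken from the Cognito identity (the token cannot be rewritten by
the client to claim another sub), and IAM substitutes it into the policy
before evaluating the condition / resource match.
"""
from typing import Iterable

SUB_VAR = "${cognito-identity.amazonaws.com:sub}"

# Constructed statement mirroring the shape quoted above (actions are assumed).
DDB_STATEMENT = {
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
               "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
    "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [SUB_VAR]}},
}
# Constructed S3 resource in the form vbudilov shows (bucket name is a placeholder).
S3_RESOURCE = f"arn:aws:s3:::content/{SUB_VAR}/*"


def substitute(value: str, caller_sub: str) -> str:
    """Replace the Cognito policy variable the way IAM does at evaluation time."""
    return value.replace(SUB_VAR, caller_sub)


def ddb_allowed(action: str, leading_keys: Iterable[str], caller_sub: str) -> bool:
    """True when the action is granted and every partition key in the request
    equals the caller's sub.

    ForAllValues is vacuously true for an empty key set, so an action whose
    requests carry no LeadingKeys (Scan) would pass the condition; the only
    protection there is to leave it out of the Action list.
    """
    if action not in DDB_STATEMENT["Action"]:
        return False
    cond = DDB_STATEMENT["Condition"]["ForAllValues:StringEquals"]["dynamodb:LeadingKeys"]
    allowed = {substitute(v, caller_sub) for v in cond}
    return all(key in allowed for key in leading_keys)


def s3_allowed(object_arn: str, caller_sub: str) -> bool:
    """True when the object lives under the caller's own prefix (trailing '*' is a wildcard)."""
    prefix = substitute(S3_RESOURCE, caller_sub)[:-1]
    return object_arn.startswith(prefix)


if __name__ == "__main__":
    # A modified client asking for another user's items is denied by IAM, not by app code.
    print(ddb_allowed("dynamodb:Query", ["user-b-sub"], "user-a-sub"))  # False
    print(s3_allowed("arn:aws:s3:::content/user-a-sub/log.json", "user-a-sub"))  # True
```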