gcmcnutt / Sensor2

CMSensorRecorder direct to DynamoDB experiments
Apache License 2.0

analyze the cognito role to ensure it is limited by userid, and table #9

Closed gcmcnutt closed 7 years ago

gcmcnutt commented 7 years ago

It looks like the reader is universal - so need to re-enable login on the test site -- right now, the anon creds can read all.

gcmcnutt commented 7 years ago

The roles are good -- basically, unauthenticated access is denied and authenticated access is restricted to reading only elements under the user's principal, e.g.:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "cognito-identity:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1449552297000",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchWriteItem",
                "dynamodb:UpdateItem",
                "dynamodb:Query"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:499918285206:table/sensor2"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}
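To see what the `dynamodb:LeadingKeys` condition in the policy above actually buys, here is a small offline simulator of the IAM evaluation it depends on. This is an added example, not code from the Sensor2 project: it implements only the subset of IAM the quoted policy uses (Allow/Deny statements, `*` wildcards in Action and Resource, policy-variable substitution, and the `ForAllValues`/`ForAnyValue` set operators with `StringEquals`). The identity ids `ALICE` and `BOB`, the `check()` helper and the request contexts are constructed for illustration; the policy document and table ARN are the ones quoted in the comment.

```python
"""Simulate the IAM conditions the quoted Cognito role relies on (added example)."""
import json
import re
from typing import Dict, List

# The policy from the comment above, verbatim.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["mobileanalytics:PutEvents", "cognito-sync:*", "cognito-identity:*"],
     "Resource": ["*"]},
    {"Sid": "Stmt1449552297000",
     "Effect": "Allow",
     "Action": ["dynamodb:BatchWriteItem", "dynamodb:UpdateItem", "dynamodb:Query"],
     "Resource": ["arn:aws:dynamodb:us-east-1:499918285206:table/sensor2"],
     "Condition": {"ForAllValues:StringEquals":
                   {"dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]}}}
  ]
}
""")
TABLE = "arn:aws:dynamodb:us-east-1:499918285206:table/sensor2"

# Constructed sample Cognito identity ids (not real identities).
ALICE = "us-east-1:11111111-1111-1111-1111-111111111111"
BOB = "us-east-1:22222222-2222-2222-2222-222222222222"


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = ".*".join(re.escape(part).replace(r"\?", ".") for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _substitute(value: str, variables: Dict[str, str]) -> str:
    """Expand ${policy-variable}; unknown variables are left as-is (never matching)."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), value)


def _condition_holds(condition: Dict, context: Dict[str, List[str]],
                     variables: Dict[str, str]) -> bool:
    for operator, clauses in condition.items():
        set_op, _, string_op = operator.partition(":")
        if set_op not in ("ForAllValues", "ForAnyValue") or string_op != "StringEquals":
            raise NotImplementedError(operator)  # only what the quoted policy needs
        for key, policy_values in clauses.items():
            allowed = {_substitute(v, variables) for v in policy_values}
            actual = set(context.get(key, []))
            if set_op == "ForAllValues":
                # Every key in the request must be in the allowed set. As documented
                # by AWS, an empty or missing context set also satisfies ForAllValues,
                # which is why the statement only grants actions that always carry
                # partition keys (Query/UpdateItem/BatchWriteItem) and never Scan.
                if not actual <= allowed:
                    return False
            elif not actual & allowed:
                return False
    return True


def is_allowed(policy: Dict, action: str, resource: str,
               context: Dict[str, List[str]], variables: Dict[str, str]) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants; default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context, variables):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check(action: str, partition_keys: List[str], identity: str,
          resource: str = TABLE) -> bool:
    """Evaluate a DynamoDB request made by an authenticated Cognito identity."""
    variables = {"cognito-identity.amazonaws.com:sub": identity}
    return is_allowed(POLICY, action, resource,
                      {"dynamodb:LeadingKeys": partition_keys}, variables)


if __name__ == "__main__":
    print("own partition:   ", check("dynamodb:Query", [ALICE], ALICE))
    print("other partition: ", check("dynamodb:Query", [BOB], ALICE))
    print("mixed batch:     ", check("dynamodb:BatchWriteItem", [ALICE, BOB], ALICE))
    print("scan:            ", check("dynamodb:Scan", [], ALICE))
```

Run it and the only allowed DynamoDB requests are those whose partition keys are all equal to the caller's own Cognito identity id; a Query for another user's partition, a BatchWriteItem that mixes partitions, a Scan, or any request against a different table is refused. The `ForAllValues` branch also shows the documented empty-set behaviour, which is harmless here only because every granted action carries a partition key.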