Amazon S3: Allows Amazon Cognito users to access objects in their bucket - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon S3: Allows Amazon Cognito users to access objects in their bucket

This example shows how you might create an identity-based policy that allows Amazon Cognito users to access objects in a specific S3 bucket. This policy allows access only to objects with a name that includes cognito, the name of the application, and the federated user's ID, represented by the ${cognito-identity.amazonaws.com.cn:sub} variable. This policy grants the permissions necessary to complete this action programmatically from the Amazon API or Amazon CLI. To use this policy, replace the italicized placeholder text in the example policy with your own information. Then, follow the directions in create a policy or edit a policy.

Note

The 'sub' value used in the object key is not the user's sub value in the User Pool, it is the identity id associated with the user in the Identity Pool.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ListYourObjects", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": [ "arn:aws-cn:s3:::bucket-name" ], "Condition": { "StringLike": { "s3:prefix": [ "cognito/application-name/${cognito-identity.amazonaws.com:sub}/*" ] } } }, { "Sid": "ReadWriteDeleteYourObjects", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws-cn:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*" ] } ] }

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.

The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other Amazon services. You can use identity pools and user pools separately or together.

For more information about Amazon Cognito, see Amazon Cognito User Guide.