Method to upload files to S3 bucket from mobile / web client - Serverless - amazon-s3

I have a serverless application that uses AWS AppSync as the API layer and Cognito User Pool as the authentication service. There can be web / mobile users using the application. Each authenticated user should be able to upload photos to the S3 bucket. I am using Dynamo DB as the database.
What is the best way to implement the file upload process with the below requirements,
Each Cognito authenticated user should be able to upload/view photos in the s3 bucket.
The user should be able to upload multiple photos
Each file upload should be recorded in the database.
I saw there is a way to upload files with AWS pre-signed URL's but can I upload multiple files with that approach?
Since I have the Cognito authentication is there a direct way for authenticated users to access S3 buckets rather than pre-signed URLs?

If you are already using Cognito, you can secure your API Gateway method (the specific REST API method) with a Cognito User Pool.
That means you would have the following flow:
App -> HTTP request with Cognito Authorization Header -> API Gateway -> API Gateway method with Authorization set-up -> Lambda -> S3.
API Gateway’s Authorization settings would take care of securing the endpoint.
This is the guide for setting it up:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

Related

How to get rest API of AWS Cognito

In our project we are using API Gateway to get authenticated by Cognito User Pool.
Now, we are checking instead of hiting API Gateway can we directly hit Cognito for authenticating users.
So, wanted to check if there is any API of AWS cognito-idp admin-initiate-auth to get the tokens without using the CLI command?
Please refer to the link here. You will also find more information about using this API in one of the language-specific AWS SDKs.
For a complete list of all Amazon Cognito API references, refer here

How to restrict public user access to s3 buckets or minIO?

I have got a question about minio or s3 policy. I am using a stand-alone minio server for my project. Here is the situation :
There is only one admin account that receives files and uploads them to minio server.
My Users need to access just their own uploaded objects. I mean another user is not supposed to see other people's object publicly (e.g. by visiting direct link in URL).
Admin users are allowed to see all objects in any circumstances.
1. How can i implement such policies for my project considering i have got my database for user authentication and how can i combine them to authenticate the user.
2. If not what other options do i have here to ease the process ?
Communicate with your storage through the application. Do policy checks, authentication or authorization in the app and store/grab files to/from storage and make the proper response. I guess this is the only way you can have limitation on uploading/downloading files using Minio.
If you're using a framework like Laravel built in S3 driver works perfectly with Minio; Otherwise it's just matter of a HTTP call. Minio provides HTTP APIs.

Securing Cloudfront using Cognito IDToken

Hi my website is hosted though cloudfront by using s3. Is there a way to secure access to my cloudfront using id token from my cognito user pool?

How can I allow limited access to API created in aws API gateway?

I have a API in AWS API gateway.
I wants to give Limited access to the user how can I do that?
or how can I create Signed url if possible for the API access does anyone has any idea?
I can Disable from the API Gateway Console but can I give the time or limited access to the user?
You can use AWS Cognito to authenticate your user against Google/Twitter/Facebook. Then in Cognito you configure the Role the temporary IAM user should have that Cognito returns. This Role should at least have rights to call your API Gateway.
In the API Gateway you can configure your endpoints so that it is required to have a valid IAM authentication.
Lastly if you want to restrict the user, you can make a call to Cognito and remove/adjust his account to block him.

Integrating AWS Cognito with API for authentication

Can we integrate AWS cognito to authenticate API calls to our back-end? I was planning to use cognito access token which would be given to a reverse proxy server to create a JWT by value for back-end micro services. But I could not find any method to check the AWS token for validity. Any suggestions?
Thanks :)
Amazon Cognito was not designed to secure developer built APIs and I would caution you from using only the Amazon Cognito token to secure your API.
That being said, the vended Amazon Cognito token is a normal JWT signed using asymmetric encryption. This thread on the AWS forums has some example code in C# that another customer was able to use to verify the token.
Update 2015-07-09 AWS has announced Amazon API Gateway. Using API Gateway you can build a REST interface to your existing API (or to AWS Lamdba functions) secured with credentials retrieved via an Amazon Cognito authflow. See this blog post for additional announcement details.
You can retrieve the JWT tokens after authenticating users using Cognito. Pass the Access or ID token (depending on usecase) to your backend app and decode the token using any standard JWT decoder libraries.
Here is an article with sample code for reference explaining the process.