Commit

chore(cognito-identitypool): update README to encourage least privilege (#31811)

### Issue # (if applicable)

N/A

### Reason for this change

To ensure customers are using the module securely, we want to encourage them to follow the best practice of the principle of least privilege. That is, customers are only providing as much access as necessary to complete the task, and no privileges greater than that.

### Description of changes

* Updated the README to include sentences around the privilege and access granting sections encouraging only giving the least amount of privileges necessary.
* Updated the README example to remove wildcard privilege.

### Description of how you validated changes

`yarn rosetta:extract` passes.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Leo10Gama authored Oct 22, 2024
1 parent b35adf1 commit 2122461
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions packages/@aws-cdk/aws-cognito-identitypool-alpha/README.md
Expand Up @@ -74,7 +74,8 @@ unauthenticated (guest) roles applied to the identity pool:
new IdentityPool(this, 'myIdentityPool');
```

By default, both the authenticated and unauthenticated roles will have no permissions attached. Grant permissions
By default, both the authenticated and unauthenticated roles will have no permissions attached. When granting permissions,
you should ensure that you are granting the least privileged permissions required for your use case. Grant permissions
to roles using the public `authenticatedRole` and `unauthenticatedRole` properties:

```ts
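Review bot: the new sentence at "When granting permissions, you should ensure that you are granting the least privileged permissions required" reads awkwardly; "least privileged permissions" should be "least-privilege permissions" (the privilege is minimal, not the permissions being privileged). It would also help readers to say why this matters for the two roles named on the next line: the `unauthenticatedRole` is assumed by guest users, so anything attached to it is reachable without signing in and deserves the tightest scope of the two. Suggested wording: "When granting permissions, grant only the least-privilege permissions your use case requires; this is especially important for the unauthenticated (guest) role."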
Expand All @@ -88,11 +89,11 @@ table.grantReadWriteData(identityPool.authenticatedRole);
// Grant permissions to unauthenticated guest users
table.grantReadData(identityPool.unauthenticatedRole);

//Or add policy statements straight to the role
// Or add policy statements straight to the role
identityPool.authenticatedRole.addToPrincipalPolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['dynamodb:*'],
resources: ['*'],
actions: ['dynamodb:UpdateItem'],
resources: [table.tableArn],
}));
```

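Review bot: the replacement statement (`actions: ['dynamodb:UpdateItem']`, `resources: [table.tableArn]`) is a good fix for the `dynamodb:*` / `'*'` wildcard, but it is now redundant with the line just above the hunk, `table.grantReadWriteData(identityPool.authenticatedRole);`, which already grants `UpdateItem` on that table to the same role. Since the comment says "Or add policy statements straight to the role", the example would make its point better if it either targeted a different role or action than the earlier grant, or carried a one-line comment saying the hand-written statement is only shown as an alternative to the `grant*` helpers. Either way, worth a comment noting that `grant*` methods are preferred because they emit the minimal action set for you.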
Expand Down Expand Up @@ -253,7 +254,8 @@ new IdentityPool(this, 'myidentitypool', {

In addition to setting default roles for authenticated and unauthenticated users, identity pools can also be used to
define rules to choose the role for each user based on claims in the user's ID token by using Role Mapping. When using
role mapping, it's important to be aware of some of the permissions the role will need. An in depth
role mapping, it's important to be aware of some of the permissions the role will need, and that the least privileged
roles necessary are given for your specific use case. An in depth
review of roles and role mapping can be found [here](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html).

Using a [token-based approach](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-tokens-to-assign-roles-to-users) to role mapping will allow mapped roles to be passed through the `cognito:roles` or
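Review bot: the added clause "and that the least privileged roles necessary are given for your specific use case" is grammatically awkward and hangs off "be aware of", which does not fit. Suggest splitting the sentence: "When using role mapping, it's important to be aware of the permissions each mapped role will need, and to give each role only the least privilege required for your specific use case." Keep the link sentence that follows as is.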

0 comments on commit 2122461