I have a dynamodb table that is being accessed by an IAM user via the application; but the problem is any admin user logged-in to AWS Console can navigate to the dynamodb table and view the items in it. As per our security policy; this shouldn't be allowed.
Can anyone suggest if it's possible to block access to the dynamodb Items from the AWS GUI?
DynamoDB does not support resource based policies. So there are two work arounds.
Create an IAM policy that denies access to the DynamoDB table and apply this policy to all IAM users. You would also have to deny access disallowing certain IAM actions to prevent the admin users from removing the deny DynamoDB access policy. IAM permissions boundaries might be able to help you with this. Update your application to use an IAM role instead of an IAM user.
Use client side encryption on the DynamoDB data so the admins can only view the encrypted data in DynamoDB. You could use KMS for this but depending on how you manage the encryption, KMS costs could far exceed the DynamoDB costs.
Related
My application has Firebase users (i.e. users created in Firebase Authentication, NOT in Firebase IAM or in GCP IAM). These users are not linked to a G Mail or Google Workspaces (formerly G Suite) account, and are not part of my organization.
I need to grant each of these users write access (not read) to a Cloud Storage bucket (1 user = 1 bucket), while not allowing any kind of access to that bucket to unauthenticated users or to other Firebase users.
How would I go about doing that?
I have tried verifying auth and generating a presigned URL from my Cloud Functions backend, but it has turned out a bit problematic with uploading thousands of files, which is why I'm looking at alternatives.
Time-limited access is not a requirement for me either way (I'm fine with users only having a few hours of access or having forever access). Also, if one bucket per user is too problematic, one folder per user, all inside the same bucket, would also be acceptable.
I know that in AWS I could use Cognito User Pools for the users, and then link the users to an Identity Pool so they can obtain temporary AWS credentials with the required scope, but I haven't been able to find the equivalent in GCP. The service comparison table hasn't helped in this regard.
I realize I might have the wrong idea in my head, coming from AWS. I don't mind if I have to link my Firebase users to GCP IAM users or to Firebase IAM users for this, though to me it sounds counter-intuitive, and I haven't found any info on that either. Maybe I don't even need GCP credentials, but I haven't found a way to do this with a bucket ACL either. I'm open to anything.
Since your users are signed in with Firebase Authentication, the best way to control their access is through security rules that sit in front of the files in your storage bucket when you access them through the Firebase SDK.
Some example of common access patterns are only allowing the owner of a file to access it or attribute or role based access control.
When implementing security rules, keep in mind that download URLs that you can generate through the Firebase SDK (if have read access to a file) provide public read-only access to the file too. These download URLs bypass the rules, so you should only generate them for files that you want to be publicly access to anyone with that URL.
I am not talking about security rules. I am developing an app and as a Database owner can see what my users store in my Firebase Realtime Database from console. From Data tab I can see full JSON tree. Can I hide data from me to make my users feel 100% secure?
There is no way to hide the data in the console from the owner of a project. While you can grant/deny access to the data for specific services for collaborators, owners can always see all services in the project.
If you want to not be able to see any of the user's data, you'll need to use some form of end-to-end encryption where the key is not stored in Firebase.
i have firebase account, and i have my own application (node js) with different users. Each user should have personal info in firestore (its not my side) I connect to firebase with const db = admin.firestore(); how i can dynamically create subscriptions for all my users so every my application user get only his updates?
so user1 from my app has access to firestore.users.user1 and listen only this events. I don't want listen all events and then filter them, is any separate subscriptions ?
As I understand you have a database where each user is corresponded to one collection and you would like to restrict access so every user can only access his own collection.
To build user-based and role-based access systems you need Cloud Firestore Security Rules
You may also find helpful this solution for Secure data access for users and groups
I want to create a Udemy like video platform where a user can see all videos but can watch videos only that he has purchased.
I am making a rest call to get the videos from the storage bucket from an angular application, using Firebase authentication here. In my GET request to storage bucket I am passing the access token that I got from Firebase authn.
Does this access token can be used to determine scope of the user to access video in a bucket?
Assume if I have given read access for a video in a bucket for a specific user, using the access token can I get the video? But every time I tried it shows unauthorized. Is there any other way to verify users access to storage bucket object.
Google recommend to not use ACL because it's hard to manage and to have a global view on the authorization.
In most cases, Cloud Identity and Access Management (Cloud IAM) is the recommended method for controlling access to your resources.
Caution: Permissions can be granted either by ACLs or Cloud IAM policies. In general, permissions granted by Cloud IAM policies do not appear in ACLs, and permissions granted by ACLs do not appear in Cloud IAM policies. The only exception is for ACLs applied directly on a bucket and certain bucket-level Cloud IAM policies, as described in Cloud IAM relation to ACLs.
IMO, the best pattern is to have a database on your side with the file on GCS allowed per user. You can store these in Firestore: affordable, pay as you use, generous free tier. For downloading the video, you can generate a temporarily access to the user by generating a signedUrl.
As per mention Guillaume Cloud Storage use the ACL pattern in order to have a control to the access of the resources stored in their buckets.
Nevertheless, when you need to storage wide objects per user in this case a video, you can store these in Firestore: affordable, pay as you use, generous free tier. This is a very suitable option since Firestore can use as another resource
Is recommended for this scenario generate a signed URL
Azure CosmosDB - MongoDB provides keys for Read-Write and Read Only at account level.
CosmosDB SDK and API are there through which users can be created and access can be define at database and document level.
• But What I need to do is to create a pair of username and password with restricted access to a MongoDB database similar to one provided by installable MongoDB.
• How a user can connect only CosmosDB MongoDB database using RoboMongo.
Highly appreciate any help.
Amit -
Today, Cosmos DB access are provided by using two keys, Master Key and Read Only key. However, if you want to restrict user access per collection, per document etc, you have to use Resource Tokens. You can read more about it here and please take a look at CH9 video to see the implementation details. Resource Token service can be implemented as an Azure Function. Here is code to get you started.
But if you are using RoboMongo you have to Use the keys as define in this document. At this time you cannot define different users and Keys for a Database.