# IAM roles While creating an identity pool, you're prompted to update the IAM roles that your users assume. IAM roles work like this: When a user logs in to your app, Amazon Cognito generates temporary AWS credentials for the user. These temporary credentials are associated with a specific IAM role. With the IAM role, you can define a set of permissions to access your AWS resources. You can specify default IAM roles for authenticated and unauthenticated users. In addition, you can define rules to choose the role for each user based on claims in the user's ID token. For more information, see [Using role-based access control](role-based-access-control.md). By default, the Amazon Cognito console creates IAM roles that provide access to Amazon Mobile Analytics and to Amazon Cognito Sync. Alternatively, you can choose to use existing IAM roles. Modify IAM roles to allow or restrict access to other services. To do so, [log in to the IAM Console](https://console.aws.amazon.com/iam/home). Then select **Roles**, and select a role. The policies attached to the selected role are listed in the **Permissions** tab. You can customize an access policy by selecting the corresponding **Manage Policy** link. To learn more about using and defining policies, see [Overview of IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html). **Note** As a best practice, define policies that follow the principle of granting *least privilege*. In other words, the policies include only the permissions that users require to perform their tasks. For more information, see [Grant Least Privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the *IAM User Guide*. Remember that unauthenticated identities are assumed by users who do not log in to your app. Typically, the permissions that you assign for unauthenticated identities should be more restrictive than those for authenticated identities. **Topics** + [ ## Set up a trust policy ](#trust-policies) + [ ## Access policies ](#access-policies) + [ ## Role trust and permissions ](#role-trust-and-permissions) ## Set up a trust policy Amazon Cognito uses IAM roles to generate temporary credentials for your application's users. Access to permissions is controlled by a role's trust relationships. Learn more about [Role trust and permissions](#role-trust-and-permissions). Amazon Cognito brokers connections between AWS STS and identity pool IdPs. The token presented to AWS STS is generated by an identity pool, which translates a user pool, social, or OIDC provider token, or a SAML assertion, to its own token. The identity pool token contains an `aud` claim that is the identity pool ID. Where the `Principal` of an IAM role trust policy is an identity pools service principal like `cognito-identity.amazonaws.com`, you can't create or modify role trust policies such that they permit any identity pool to assume the role. With the identity pool principal, the `Action` element must have a `Condition` that requires that `AssumeRoleWithWebIndentity` be performed only by your identity pools, as specified by a condition key like `cognito-identity.amazonaws.com:aud`. Other condition keys are available, but `aud` is required. If you attempt to save a role trust policy without a condition of this type, IAM returns an error. For more information about OIDC (web identity) federation keys, see [Available keys for AWS OIDC federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif). The following are available OIDC federation condition keys for Amazon Cognito. **`cognito-identity.amazonaws.com:aud`** Restricts the role to operations from one or more identity pools. Amazon Cognito indicates the source identity pool in the `aud` claim in the identity pool token. **`cognito-identity.amazonaws.com:amr`** Restricts the role to either `authenticated` or `unauthenticated` (guest) users. Amazon Cognito indicates the authentication state in the `amr` claim in the identity pool token. **`cognito-identity.amazonaws.com:sub`** Restricts the role to one or more users by [UUID](cognito-terms.md#terms-uuid). This UUID is the user's identity ID in the identity pool. This value isn’t the `sub` value from the user’s original identity provider. Amazon Cognito indicates this UUID in the `sub` claim in the identity pool token. The following example role trust policy allows the federated service principal `cognito-identity.amazonaws.com` to call the AWS STS API `AssumeRoleWithWebIdentity`. The request will only succeed if the identity pool token in the API request has the following claims. 1. An `aud` claim of the identity pool ID `us-west-2:abcdefg-1234-5678-910a-0e8443553f95`. 1. An `amr` claim of `authenticated` that is added when the user has signed in and isn't a guest user. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-west-2:abcdefg-1234-5678-910a-0e8443553f95" }, "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" } } } ] } ``` ------ ### Trust policies for IAM roles in Basic (Classic) authentication **Summary** Identity pools can only assume roles on behalf of users in the [Basic authentication flow](authentication-flow.md#authentication-flow-basic) when the trust policy of the target role contains the `aud` condition. Basic authentication has the same limitation on insecure role trust policies as enhanced authentication: you can't save a role trust policy that fails to limit supported identity pools with an `aud` condition. This limitation was not enforced when the service launched. Prior to the enforcement of this requirement, you could create role trust policies that had no additional security conditions. After the enforcement of this requirement, AWS STS permits web identities to assume roles that are not secured with conditions, but those roles **can't be modified** without introducing those conditions. Enhanced-flow authentication requires that the IAM role be in the same AWS account as the identity pool. But in basic authentication, where your application composes the `AssumeRoleWithWebIdentity` request, your application can request to assume a role in a different account. Your [cross-account](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) assume role request will fail, though, if the destination role has a legacy trust policy that doesn't enforce the `aud` condition. The token that an identity pool issues for an identity contains information about the originating AWS account of the identity pool. When you present an identity pool token in an [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) API request, AWS STS checks to see if the originating identity pool is in the same AWS account as the IAM role. If AWS STS determines that the request is cross-account, it checks to see if the role trust policy has an `aud` condition. **The assume-role call fails** if no such condition is present in the role trust policy. If the request is not cross-account, AWS STS doesn’t enforce this restriction. As a best practice, always apply a condition of this type to the trust policies of your identity pool roles. The following is an example trust policy that meets the *minimum* requirements for an IAM role for basic authentication with several identity pools. As a best practice, permit only authenticated identities with a `"cognito-identity.amazonaws.com:amr": "authenticated"` condition too. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": [ "us-west-2:abcdefg-1234-5678-910a-0e8443553f95", "us-west-2:hijklmo-5678-9101-112b-0e4221776g96", "us-west-2:pqrstuv-9101-1121-314c-0e2110887h97" ] } } } ] } ``` ------ ### Additional trust policy conditions You can use the following trust policy conditions to define the source identity pools, identities, and providers that can assume IAM roles. **Note** Don't implement the [aws:SourceIp](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceip) condition key in trust policies for IAM roles that identity pools assume in the [enhanced authentication flow](authentication-flow.md#authentication-flow-enhanced). Because the enhanced flow generates the [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) request on behalf of your application, the source IP of the request will not be the IP of your application client, and the condition will never be satisfied. Network-based condition keys are valid for roles that identity pools assume through *only* the [basic flow](authentication-flow.md#authentication-flow-basic), which lacks the service-side features of the enhanced flow. **Reuse roles across identity pools** To reuse a role across multiple identity pools, because they share a common permission set, you can include multiple identity pools, like this: ``` "StringEquals": { "cognito-identity.amazonaws.com:aud": [ "us-east-1:12345678-abcd-abcd-abcd-123456790ab", "us-east-1:98765432-dcba-dcba-dcba-123456790ab" ] } ``` **Limit access to specific identities** To create a policy limited to a specific set of app users, check the value of `cognito-identity.amazonaws.com:sub`: ``` "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-abcd-abcd-abcd-123456790ab", "cognito-identity.amazonaws.com:sub": [ "us-east-1:12345678-1234-1234-1234-123456790ab", "us-east-1:98765432-1234-1234-1243-123456790ab" ] } ``` **Limit access to specific providers** To create a policy limited to users who have logged in with a specific provider (perhaps your own login provider), check the value of `cognito-identity.amazonaws.com:amr`: ``` "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "login.myprovider.myapp" } ``` For example, an app that trusts only Facebook would have the following amr clause: ``` "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "graph.facebook.com" } ``` ## Access policies The permissions that you attach to a role apply to all users who assume that role. To partition your users' access, use policy conditions and variables. For more information, see [IAM policy elements: Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html). You can use the `sub` condition to restrict actions to Amazon Cognito identity IDs in your access policies. Use this option with caution, particularly for unauthenticated identities, which lack a consistent user ID. For more information about the IAM policy variables for web federation with Amazon Cognito, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif) in the *AWS Identity and Access Management User Guide*. For additional security protection, Amazon Cognito applies a scope-down policy to credentials that you assign your unauthenticated users in the [enhanced flow](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html), using `GetCredentialsForIdentity`. The scope-down policy adds an [Inline session policy](#access-policies-inline-policy) and an [AWS managed session policy](#access-policies-managed-policy) to the IAM policies that you apply to your unauthenticated role. Because you must grant access in both the IAM policies for your role and the session policies, the scope-down policy limits users' access to services other than those in the list that follows. **Note** In the basic (classic) flow, you make your own [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) API request, and can apply these restrictions to the request. As a best security practice, don't assign any permissions above this scope-down policy to unauthenticated users. Amazon Cognito also prevents authenticated and unauthenticated users from making API requests to Amazon Cognito identity pools and Amazon Cognito Sync. Other AWS services might place restrictions on service access from web identities. In a successful request with the enhanced flow, Amazon Cognito makes an `AssumeRoleWithWebIdentity` API request in the background. Among the parameters in this request, Amazon Cognito includes the following. 1. Your user's identity ID. 1. The ARN of the IAM role that your user wants to assume. 1. A `policy` parameter that adds an *inline session policy*. 1. A `PolicyArns.member.N` parameter whose value is an *AWS managed policy* that grants additional permissions in Amazon CloudWatch. ### Services that unauthenticated users can access When you use the enhanced flow, the scope-down policies that Amazon Cognito applies to your user's session prevent them from using any services other than those listed in the following table. For a subset of services, only specific actions are allowed. | Category | Service | | --- | --- | | Analytics | Amazon Data Firehose Amazon Managed Service for Apache Flink | | Application Integration | Amazon Simple Queue Service | | AR & VR | Amazon Sumerian¹ | | Business Applications | Amazon Mobile Analytics Amazon Simple Email Service | | Compute | AWS Lambda | | Cryptography & PKI | AWS Key Management Service¹ | | Database | Amazon DynamoDB Amazon SimpleDB | | Front-end Web & Mobile | AWS AppSync Amazon Location Service Amazon Simple Notification Service Amazon Pinpoint Amazon Location Service | | Game Development | Amazon GameLift Servers | | Internet of Things (IoT) | AWS IoT | | Machine Learning | Amazon CodeWhisperer Amazon Comprehend Amazon Lex Amazon Machine Learning Amazon Personalize Amazon Polly Amazon Rekognition Amazon SageMaker AI¹ Amazon Textract¹ Amazon Transcribe Amazon Translate | | Management & Governance | Amazon CloudWatch Amazon CloudWatch Logs | | Networking & Content Delivery | Amazon API Gateway | | Security, Identity, & Compliance | Amazon Cognito user pools | | Storage | Amazon Simple Storage Service | ¹ For the AWS services in the following table, the inline policy grants a subset of actions. The table displays the available actions in each. | AWS service | Maximum permissions for unauthenticated enhanced flow users | | --- | --- | | AWS Key Management Service | `Encrypt` `Decrypt` `ReEncryptTo` `ReEncryptFrom` `GenerateDataKey` `GenerateDataKeyPair` `GenerateDataKeyPair` `GenerateDataKeyPairWithoutPlaintext` `GenerateDataKeyWithoutPlaintext` | | Amazon SageMaker AI | `InvokeEndpoint` | | Amazon Textract | `DetectDocumentText` `AnalyzeDocument` | | Amazon Sumerian | `View*` | | Amazon Location Service | `SearchPlaceIndex*` `GetPlace` `CalculateRoute*` `*Geofence` `*Geofences` `*DevicePosition*` | To grant access to AWS services beyond this list, activate the **basic (classic) authentication flow** in your identity pool. If your users see `NotAuthorizedException` errors from AWS services that are allowed by the policies assigned to the IAM role for unauthenticated users, evaluate whether you can remove that service from your use case. If you can't, switch to the basic flow. ### The inline session policy for guest users Inline session policy Amazon Cognito first applies an inline policy in the request for IAM credentials. The inline session policy restricts your user's effective permissions from including access to any AWS services outside those in the following list. You must also grant permissions to these AWS services in the policies that you apply to the user's IAM role. A user's effective permissions for an assumed-role session are the intersection of the policies assigned to their role, and their session policy. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *AWS Identity and Access Management User Guide*. Amazon Cognito adds the following inline policy to sessions for your users in AWS Regions that are enabled by default. For an overview of the net effect of the inline policy and other session policies, see [Services that unauthenticated users can access](#access-policies-scope-down-services). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:*", "logs:*", "dynamodb:*", "kinesis:*", "mobileanalytics:*", "s3:*", "ses:*", "sns:*", "sqs:*", "lambda:*", "machinelearning:*", "execute-api:*", "iot:*", "gamelift:*", "cognito-identity:*", "cognito-idp:*", "lex:*", "polly:*", "comprehend:*", "translate:*", "transcribe:*", "rekognition:*", "mobiletargeting:*", "firehose:*", "appsync:*", "personalize:*", "sagemaker:InvokeEndpoint", "cognito-sync:*", "codewhisperer:*", "textract:DetectDocumentText", "textract:AnalyzeDocument", "sdb:*" ], "Resource": [ "*" ] } ] } ``` ------ For all other Regions, the inline scope-down policy includes everything listed in the default Regions except for the following `Action` statements. ``` "cognito-sync:*", "sumerian:View*", "codewhisperer:*", "textract:DetectDocumentText", "textract:AnalyzeDocument", "sdb:*" ``` ### The AWS managed session policy for guests AWS managed session policy Amazon Cognito also applies an AWS managed policy as a session policy to the enhanced-flow sessions of unauthenticated guests. This policy limits the scope of unauthenticated users' permissions with the policy `AmazonCognitoUnAuthedIdentitiesSessionPolicy`. You must also grant this permission in the policies that you attach to your unauthenticated IAM role. A user's effective permissions for an assumed-role session are the intersection of the IAM policies assigned to their role, and their session policies. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) in the *AWS Identity and Access Management User Guide*. For an overview of the net effect of this AWS managed policy and other session policies, see [Services that unauthenticated users can access](#access-policies-scope-down-services). The `AmazonCognitoUnAuthedIdentitiesSessionPolicy` managed policy has the following permissions. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "rum:PutRumEvents", "polly:*", "comprehend:*", "translate:*", "transcribe:*", "rekognition:*", "mobiletargeting:*", "firehose:*", "personalize:*", "sagemaker:InvokeEndpoint", "geo:GetMap*", "geo:SearchPlaceIndex*", "geo:GetPlace", "geo:CalculateRoute*", "geo:*Geofence", "geo:*Geofences", "geo:*DevicePosition*", "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom", "kms:GenerateDataKey", "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource": "*" }] } ``` ------ ### Access policy examples In this section, you can find example Amazon Cognito access policies that grant your users the minimum permissions necessary to do specific operation. You can further limit the permissions for a given identity ID by using policy variables where possible. For example, using \$1\$1cognito-identity.amazonaws.com:sub\$1. For more information, see [Understanding Amazon Cognito Authentication Part 3: Roles and Policies](https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/) on the *AWS Mobile Blog*. **Note** As a security best practice, policies should include only the permissions that users require to perform their tasks. This means that you should try to always scope access to an individual identity for objects whenever possible. **Grant an identity read access to a single object in Amazon S3** The following access policy grants read permissions to an identity to retrieve a single object from a given S3 bucket. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/assets/my_picture.jpg"] } ] } ``` ------ **Grant an identity both read and write access to identity specific paths in Amazon S3** The following access policy grants read and write permissions to access a specific prefix "folder" in an S3 bucket by mapping the prefix to the `${cognito-identity.amazonaws.com:sub}` variable. With this policy, an identity such as `us-east-1:12345678-1234-1234-1234-123456790ab` inserted via `${cognito-identity.amazonaws.com:sub}` can get, put, and list objects into `arn:aws:s3:::amzn-s3-demo-bucket/us-east-1:12345678-1234-1234-1234-123456790ab`. However, the identity would not be granted access to other objects in `arn:aws:s3:::amzn-s3-demo-bucket`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"], "Condition": {"StringLike": {"s3:prefix": ["${cognito-identity.amazonaws.com:sub}/*"]}} }, { "Action": [ "s3:GetObject", "s3:PutObject" ], "Effect": "Allow", "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/${cognito-identity.amazonaws.com:sub}/*"] } ] } ``` ------ A similar access model is achieved with [Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html). **Assign identities fine-grained access to Amazon DynamoDB** The following access policy provides fine-grained access control to DynamoDB resources using Amazon Cognito environment variables. These variables grant access to items in DynamoDB by identity ID. For more information, see [Using IAM Policy Conditions for Fine-Grained Access Control](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html) in the *Amazon DynamoDB Developer Guide*. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/MyTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"] } } } ] } ``` ------ **Grant an identity permission to invoke a Lambda function** The following access policy grants an identity permission to invoke a Lambda function. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": [ "arn:aws:lambda:us-west-2:123456789012:function:MyFunction" ] } ] } ``` ------ **Grant an identity permission to publish records to Kinesis Data Streams** The following access policy allows an identity to use the `PutRecord` operation with any of the Kinesis Data Streams. It can be applied to users that need to add data records to all streams in an account. For more information, see [Controlling Access to Amazon Kinesis Data Streams Resources Using IAM](https://docs.aws.amazon.com/streams/latest/dev/controlling-access.html) in the *Amazon Kinesis Data Streams Developer Guide*. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kinesis:PutRecord", "Resource": [ "arn:aws:kinesis:us-east-1:111122223333:stream/stream1" ] } ] } ``` ------ **Grant an identity access to their data in the Amazon Cognito Sync store** The following access policy grants an identity permissions to access only their own data in the Amazon Cognito Sync store. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Action":"cognito-sync:*", "Resource":["arn:aws:cognito-sync:us-east-1:123456789012:identitypool/${cognito-identity.amazonaws.com:aud}/identity/${cognito-identity.amazonaws.com:sub}/*"] }] } ``` ------ ## Role trust and permissions The way these roles differ is in their trust relationships. The following is an example trust policy for an unauthenticated role: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-1:12345678-corner-cafe-123456790ab" }, "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" } } } ] } ``` ------ This policy grants federated users from `cognito-identity.amazonaws.com` (the issuer of the OpenID Connect token) permission to assume this role. Additionally, the policy restricts the `aud` of the token, in this case the identity pool ID, to match the identity pool. Finally, the policy specifies that one of the array members of the multi-value `amr` claim of the token issued by the Amazon Cognito `GetOpenIdToken` API operation has the value `unauthenticated`. When Amazon Cognito creates a token, it sets the `amr` of the token as either `unauthenticated` or `authenticated`. If `amr` is `authenticated`, the token includes any providers used during authentication. This means that you can create a role that trusts only users that logged in via Facebook by changing the `amr` condition as shown: ``` "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "graph.facebook.com" } ``` Be careful when changing your trust relationships on your roles, or when trying to use roles across identity pools. If you don't configure your role correctly to trust your identity pool, an exception from STS results, like the following: ``` AccessDenied -- Not authorized to perform sts:AssumeRoleWithWebIdentity ``` If you see this message, check that your identity pool and authentication type have an appropriate role.