Identity and Access Management - Spatial Data Management on AWS

Identity and Access Management

The solution implements fine-grained access control using multiple AWS services.

How SDMA Works with IAM

The solution uses AWS Identity and Access Management (IAM) for:

Service Roles

  • Lambda execution roles with least-privilege permissions

  • API Gateway invocation roles

  • CloudFormation deployment roles

  • EventBridge target invocation roles

Resource Policies

  • S3 bucket policies restrict access to authorized principals

  • DynamoDB table policies control access to specific tables

  • KMS key policies define who can use encryption keys

  • SQS queue policies control message producers and consumers

Cross-Service Access

  • Lambda functions assume IAM roles to access other AWS services

  • API Gateway uses IAM authorization for programmatic access

  • CloudFront uses Origin Access Identity (OAI) to access S3

Authentication

User Authentication

  • Amazon Cognito User Pool: Manages user identities and authentication

  • Sign-in options: Email or username

  • Multi-factor authentication (MFA): Optional, using time-based one-time passwords (TOTP)

  • Password policy requirements:

      ◦ Minimum 8 characters

      ◦ Must include uppercase, lowercase, digits, and symbols

      ◦ Temporary passwords valid for 1 day

  • Account recovery: Email-only recovery

  • Device tracking: Sign-in challenges are required on new devices; a device is remembered only when the user opts in when prompted

  • Managed login: Cognito Hosted UI (version 2) for OAuth 2.0 flows

  • User groups: Pre-configured "SpatialDataManagementAdministrators" group for library ownership

Application Authentication

  • API Keys: API Gateway API keys for rate limiting and usage tracking

  • IAM Credentials: AWS Signature Version 4 for programmatic access

  • Temporary Credentials: AWS STS for direct S3 access

Authorization

Fine-Grained Access Control

  • Amazon Verified Permissions: Cedar policy language for resource-based authorization

  • Library-level access control

  • Project-level access control

  • Asset-level access control

  • Role-based access (Owner, Manager, Contributor, Viewer)

  • Attribute-based access control (ABAC)

API Authorization

  • Cognito Authorizer: JWT token validation for user requests

  • IAM Authorizer: AWS Signature Version 4 (SigV4) for service-to-service calls

  • Lambda Authorizer: Custom authorization logic when needed

Resource Membership

  • Members Table: Tracks user and group membership for resources

  • Hierarchical Permissions: Library permissions cascade to projects and assets

  • Explicit Deny: Deny rules take precedence over allow rules
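The Fine-Grained Access Control and Resource Membership items above describe one evaluation model: roles recorded per resource in a members table, library grants cascading to projects and assets, an attribute-based rule alongside the roles, and explicit deny beating any allow. The block below is an added toy evaluator that makes that precedence order concrete; it is not SDMA code and does not call Amazon Verified Permissions or Cedar. The role names and the administrators group come from the page; the action set assigned to each role, the "public" visibility attribute rule and the sample resources and memberships are constructed for the example.

```python
"""Toy authorization evaluator for role-based grants with hierarchical cascade
and explicit-deny precedence. Added illustration, not part of the SDMA solution."""
from dataclasses import dataclass, field

# Role names come from the page; which actions each role covers is an assumption.
ROLE_ACTIONS = {
    "Owner": {"read", "write", "delete", "manage_members"},
    "Manager": {"read", "write", "delete", "manage_members"},
    "Contributor": {"read", "write"},
    "Viewer": {"read"},
}


@dataclass
class Resource:
    id: str
    kind: str                              # "library", "project" or "asset"
    parent: "Resource | None" = None       # asset -> project -> library
    attrs: dict = field(default_factory=dict)

    def chain(self):
        """The resource followed by its ancestors up to the library."""
        node = self
        while node is not None:
            yield node
            node = node.parent


@dataclass
class Principal:
    user: str
    groups: frozenset = frozenset()        # Cognito group names the user belongs to

    def identities(self):
        return {self.user, *self.groups}


@dataclass
class MembersTable:
    """Stand-in for the members table: grants and denies keyed by identity and resource."""
    grants: dict = field(default_factory=dict)   # (identity, resource_id) -> role
    denies: set = field(default_factory=set)     # (identity, resource_id, action)

    def grant(self, identity, resource_id, role):
        self.grants[(identity, resource_id)] = role

    def deny(self, identity, resource_id, action):
        self.denies.add((identity, resource_id, action))


def is_authorized(table, principal, action, resource):
    """Return (decision, reason). Explicit deny anywhere in the hierarchy wins,
    then any role grant that cascades down, then the attribute rule, else implicit deny."""
    ids = principal.identities()
    for node in resource.chain():
        for ident in ids:
            if (ident, node.id, action) in table.denies:
                return False, f"explicit deny for {ident} on {node.id}"
    for node in resource.chain():
        for ident in ids:
            role = table.grants.get((ident, node.id))
            if role and action in ROLE_ACTIONS[role]:
                return True, f"{role} on {node.id} via {ident}"
    # ABAC rule (constructed for this example): public resources are readable by any signed-in user.
    if action == "read" and resource.attrs.get("visibility") == "public":
        return True, "public resource"
    return False, "no matching grant (implicit deny)"


def build_sample():
    """Constructed sample hierarchy and memberships."""
    lib = Resource("lib-1", "library")
    proj = Resource("proj-1", "project", parent=lib)
    asset = Resource("asset-1", "asset", parent=proj)
    public_asset = Resource("asset-2", "asset", parent=proj, attrs={"visibility": "public"})
    table = MembersTable()
    table.grant("alice", "lib-1", "Owner")
    table.grant("SpatialDataManagementAdministrators", "lib-1", "Owner")
    table.grant("carol", "proj-1", "Viewer")
    table.deny("carol", "asset-1", "read")   # carve-out: the deny beats carol's Viewer role
    return table, {"lib": lib, "proj": proj, "asset": asset, "public": public_asset}


if __name__ == "__main__":
    table, res = build_sample()
    carol = Principal("carol")
    for target in ("proj", "asset"):
        print(target, is_authorized(table, carol, "read", res[target]))
```

The order of the three checks is the whole point: evaluating grants before denies would let carol's project-level Viewer role leak through to the asset she was explicitly denied, and evaluating the attribute rule before denies would let a public flag override a deny. Any change to the cascade (for example a project that should not inherit library roles) belongs in `chain()`, so the precedence logic stays in one place.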

AWS Managed Policies

The solution uses the following AWS managed policies:

  • AWSLambdaBasicExecutionRole: CloudWatch Logs access for Lambda functions

  • AWSLambdaVPCAccessExecutionRole: ENI management for VPC Lambda functions

  • AWSXRayDaemonWriteAccess: X-Ray tracing for Lambda functions

  • CloudWatchLambdaInsightsExecutionRolePolicy: Lambda Insights monitoring

Using Service-Linked Roles

The solution uses AWS service-linked roles for:

Amazon OpenSearch Serverless

  • Role: AWSServiceRoleForAmazonOpenSearchServerless

  • Purpose: Allows OpenSearch Serverless to manage VPC endpoints and network interfaces

  • Created automatically when an OpenSearch Serverless collection is created

AWS Lambda

  • Role: AWSServiceRoleForLambdaReplicator

  • Purpose: Allows Lambda to replicate functions across regions (if enabled)

  • Created automatically when Lambda replication is configured

Amazon API Gateway

  • Role: AWSServiceRoleForAPIGateway

  • Purpose: Allows API Gateway to push logs to CloudWatch

  • Created automatically when API Gateway logging is enabled