Posted On: Jan 14, 2021

Amazon Cognito Identity Pools now enables you to use attributes from social and corporate identity providers to make access control decisions and simplify permissions management for AWS resources.

In Amazon Cognito, you can either choose predefined attribute-tag mappings or create custom mappings using the attributes from social and corporate providers' access/ID tokens or SAML assertions. You can then reference the tags in an AWS IAM permissions policy to implement attribute-based access control (ABAC) and manage access to your AWS resources. For example, suppose you have a music streaming application that lets users listen to music files in an S3 bucket. If you want to give read access only to users federated from a particular social provider (e.g. Google) rather than to users from other providers, you can map the token issuer attribute to a tag in Amazon Cognito Identity Pools and reference that tag in the AWS IAM permissions policy to allow or deny actions. You can further restrict read access to premium music to paying users by putting the membership attribute in the condition statement of the AWS IAM permissions policy and tagging those files with the matching paying-member status. Any new user whose token carries the matching issuer and membership attributes automatically gains access to the S3 bucket and the premium music, with no additional permissions update. This release complements the recently launched ABAC capability in AWS SSO, which lets you use employee attributes as tags in a similar manner.
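As an added illustration (not part of the announcement), this is the music-streaming example written as the IAM permissions policy attached to the identity pool's authenticated role. It assumes the pool maps the token's issuer claim to a principal tag named `issuer` and a membership claim to a tag named `membership`, that objects in the bucket carry an S3 object tag `tier` with the value `free` or `premium`, and that `EXAMPLE-MUSIC-BUCKET` is a placeholder bucket name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FreeCatalogForGoogleFederatedUsers",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-MUSIC-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/issuer": "accounts.google.com",
          "s3:ExistingObjectTag/tier": "free"
        }
      }
    },
    {
      "Sid": "PremiumCatalogForPayingMembers",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-MUSIC-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/issuer": "accounts.google.com",
          "aws:PrincipalTag/membership": "paid",
          "s3:ExistingObjectTag/tier": "premium"
        }
      }
    }
  ]
}
```

Because the tags are attached to the session, the role's trust policy must also allow `sts:TagSession` alongside `sts:AssumeRoleWithWebIdentity` for the Cognito principal, or the credential request fails. Any request whose principal tags do not match both statements falls through to the implicit deny.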

Amazon Cognito Identity Pools provides temporary, limited-privilege AWS credentials for authenticated and guest users federated from identity providers. These scoped credentials enable you to manage access permissions to AWS resources.

This feature is available via the Amazon Cognito Identity Pools console, the AWS SDK, and the AWS CLI in all regions where Amazon Cognito operates. For a list of regions where Amazon Cognito is available, see the AWS Region Table. You can learn more about Amazon Cognito by visiting the Developer Guide and get started via our webpage.