
Application-Level Authorization and Fine-Grained Access Control

Implement application-level authorization for fine-grained access control


This guide covers the implementation of fine-grained access control (FGAC) at the application level, a critical skill for the AWS Certified Developer - Associate (DVA-C02) exam. We explore how to move beyond basic authentication to secure individual resources and data patterns using AWS services like Amazon Cognito and IAM.

Learning Objectives

By the end of this study guide, you should be able to:

  • Differentiate between Authentication (AuthN) and Authorization (AuthZ).
  • Implement Amazon Cognito User Pools for identity management and Identity Pools for resource access.
  • Design Fine-Grained Access Control (FGAC) patterns to restrict user access to specific data rows or objects.
  • Apply the Principle of Least Privilege (POLP) to application permissions.
  • Utilize JSON Web Tokens (JWTs) to pass authorization claims between microservices.

Key Terms & Glossary

  • Authentication (AuthN): The process of verifying who a user is (e.g., logging in with a password).
  • Authorization (AuthZ): The process of verifying what a user is allowed to do (e.g., deleting a specific file).
  • Fine-Grained Access Control (FGAC): Security that restricts access to high-level resources down to the item or attribute level (e.g., User A can only see Database Row 123).
  • Bearer Token: A security token (like a JWT) that grants access to the "bearer"; if you have the token, you are authorized to the extent the token allows.
  • RBAC (Role-Based Access Control): Permissions assigned based on a user's job function (e.g., "Manager" vs. "Employee").
  • ABAC (Attribute-Based Access Control): Permissions assigned based on attributes like department, location, or project tags.

The "Big Idea"

Application-level authorization is the "Last Mile" of security. While standard infrastructure security might prevent an outsider from entering your network, application-level authorization ensures that once a user is inside the app, they cannot see or modify other users' data. It shifts the focus from "Can this user access the database?" to "Can this user access this specific record in the database?"

Formula / Concept Box

| Concept | Purpose | Common Implementation |
|---|---|---|
| Identity Provider (IdP) | Stores user identities and handles login | Amazon Cognito User Pools, Google, OIDC |
| Token Exchange | Swaps a user identity for AWS credentials | Amazon Cognito Identity Pools (Federated Identities) |
| Policy Condition | Restricts access based on variables | IAM Condition block (e.g., ${cognito-identity.amazonaws.com:sub}) |
| Least Privilege | Granting only what is necessary | Narrow IAM policies + App-side validation |

Hierarchical Outline

  • I. Foundations of Application Security
    • Principle of Least Privilege (POLP): Always grant the minimum permissions required for a task.
    • Safe by Design: Building security into the architecture from the start rather than bolting it on as an afterthought.
  • II. Amazon Cognito Architecture
    • User Pools: The user directory. Provides sign-up/sign-in and issues tokens: an ID token and an Access token (both JWTs) plus a Refresh token (opaque to the client, used only to obtain new ID/Access tokens).
    • Identity Pools: The bridge to AWS. Swaps tokens/identities for temporary AWS credentials (via IAM roles).
  • III. Implementing Fine-Grained Access Control (FGAC)
    • DynamoDB Fine-Grained Access: Using the dynamodb:LeadingKeys IAM policy condition to allow users to access only items whose Partition Key equals their Cognito identity ID.
    • S3 Prefix Security: Restricting users to specific folders (e.g., s3://my-app-bucket/home/${cognito-identity.amazonaws.com:sub}/) by scoping object actions to that prefix ARN and constraining s3:ListBucket with an s3:prefix condition.
    • API Gateway Lambda Authorizers: Custom logic to validate tokens and determine if a request should proceed.
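The Lambda authorizer pattern from item III, written out as an added example (this is not code from the study guide, from AWS, or from any library). Everything named below is constructed for offline demonstration: the issuer URL, the app client ID, the shared secret, the API ARN and the /todos/{userId}/... route layout are hypothetical. A real Cognito User Pool signs tokens with RS256 and you verify them against the pool's published JWKS; the HS256 check here stands in for that signature step so the example runs without network access, while the claim checks (exp, iss, token_use, client_id) and the scoped policy it returns are the parts that carry over unchanged.

```python
"""Request-style API Gateway Lambda authorizer: validates a bearer JWT and
returns an IAM policy that covers only the caller's own resources.

Added example, not code from the study guide or AWS. All constants are
constructed for offline demonstration; HS256 stands in for Cognito's RS256.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"   # constructed
CLIENT_ID = "example-app-client-id"                                        # constructed
DEMO_SECRET = b"demo-only-secret-do-not-reuse"                             # constructed
API_ARN_PREFIX = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod"  # constructed


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Stand-in for the issuer: produce an HS256 JWT over the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None, secret: bytes = DEMO_SECRET) -> dict:
    """Check the signature first, then the claims a Cognito access token must
    carry. Raises PermissionError on any failure; returns the verified claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own 'alg' choose the verifier
    # (this is what blocks alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    # Cognito access tokens carry token_use=access and client_id; ID tokens
    # carry token_use=id and aud. This API accepts only the access token.
    if claims.get("token_use") != "access" or claims.get("client_id") != CLIENT_ID:
        raise PermissionError("not an access token for this app client")
    if not claims.get("sub"):
        raise PermissionError("missing sub")
    return claims


def lambda_handler(event: dict, context=None, now=None) -> dict:
    """Authorizer entry point. API Gateway maps an exception whose message is
    exactly 'Unauthorized' to HTTP 401; anything else becomes a 500."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        raise Exception("Unauthorized")
    try:
        claims = verify_token(auth[len("bearer "):], now=now)
    except PermissionError:
        raise Exception("Unauthorized")
    sub = claims["sub"]
    return {
        "principalId": sub,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Action": "execute-api:Invoke",
                # Only the caller's own sub-tree of the API is allowed; every
                # other route is denied by the absence of an Allow.
                "Resource": f"{API_ARN_PREFIX}/*/todos/{sub}/*",
            }],
        },
        # Backend integrations read this from event.requestContext.authorizer
        # and must use it, not a path parameter, as the tenant identifier.
        "context": {"userId": sub},
    }
```

The two design choices worth copying are the pinned algorithm (the verifier decides how to check the signature, the token never does) and the shape of the returned policy: instead of a blanket Allow on the whole API, the Resource ARN embeds the verified sub, so API Gateway itself rejects a call to another user's path before any backend code runs.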

Visual Anchors

Authorization Flow (Federated Identity)

[Diagram not available on this page. The flow it depicted, in text: the user signs in to a Cognito User Pool (or an external IdP) and receives tokens; the app exchanges a token at a Cognito Identity Pool for temporary AWS credentials scoped by an IAM role; the app calls AWS services (DynamoDB, S3) with those credentials, and IAM policy conditions restrict each call to the caller's own items.]

Access Control Layers

Concentric layers, outermost to innermost:

  • Network Security (VPC, WAF)
  • IAM / Infrastructure
  • FGAC (application-level, per-item authorization)

Definition-Example Pairs

  • Identity Federation: Linking a user's identity across multiple identity providers.
    • Example: Logging into a custom Todo List app using your existing Google or Facebook account instead of creating a new username/password.
  • Policy Condition Keys: Specific variables used in IAM policies to provide dynamic authorization.
    • Example: Using dynamodb:LeadingKeys to ensure a user can only perform GetItem if the item's Partition Key matches their unique Cognito Identity ID.
  • Web Identity Federation: The process of swapping a token from a web IdP for AWS credentials.
    • Example: A mobile app obtains a token from a web IdP (or a Cognito User Pool) and exchanges it for temporary AWS credentials, either directly via STS AssumeRoleWithWebIdentity or through a Cognito Identity Pool, then uses those credentials to access an S3 bucket.

Worked Examples

Scenario: Restricting DynamoDB Access to "Owner Only"

Goal: Create an IAM policy for a multi-tenant Todo app where users can only read their own tasks.

Step 1: Identify the variable. When a user authenticates via Cognito Identity Pools, their unique ID is available in the IAM policy context as ${cognito-identity.amazonaws.com:sub}.

Step 2: Write the Policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
      "Resource": ["arn:aws:dynamodb:region:account-id:table/TodoTable"],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    }
  ]
}
```

Explanation: This policy ensures that the Partition Key (Leading Key) of every item named in the request must match the caller's Cognito identity ID. Three practitioner caveats: (1) ${cognito-identity.amazonaws.com:sub} is the Identity Pool identity ID (of the form region:uuid), not the User Pool `sub` claim, so the table's partition key must store that value; (2) dynamodb:LeadingKeys only applies to actions that carry a partition key (GetItem, PutItem, UpdateItem, DeleteItem, Query, BatchGetItem, BatchWriteItem), so do not add dynamodb:Scan to an Allow that relies on this condition; (3) ForAllValues evaluates to true when the request carries no values for the key, which is why the policy should stay narrow and the application should validate ownership as well.
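The application-side half of the "narrow IAM policy + app-side validation" pairing, as an added example (not code from the study guide or AWS). Assumptions, all hypothetical: TodoTable has partition key user_id holding the Cognito identity ID and sort key task_id; the handler sits behind an API Gateway authorizer that exposes the verified identity as event.requestContext.authorizer.userId. The functions return the DynamoDB request parameters instead of calling boto3 so the checks can be exercised offline; in practice you pass the returned dict to boto3.client("dynamodb").get_item(**params) or query(**params). The vulnerable handler is shown beside the hardened one, and a small model of the ForAllValues rule explains why the application check matters.

```python
"""Owner-only enforcement in the application layer for the Todo table.

Added example, not code from the study guide or AWS. Table layout, event
shape and the authorizer context field are assumed for the demonstration.
"""
TABLE = "TodoTable"  # assumed table name


class Forbidden(Exception):
    """Caller tried to reach an item outside its own partition."""


def _caller_identity(event: dict) -> str:
    """The only trustworthy tenant id: the identity the authorizer verified."""
    return event["requestContext"]["authorizer"]["userId"]


def get_task_vulnerable(event: dict) -> dict:
    """Broken object-level authorization: the partition key is taken from the
    URL, so any signed-in user can read any other user's task by editing it.
    The IAM LeadingKeys policy is then the only barrier, and it only helps if
    the call is made with that user's identity-pool credentials."""
    p = event["pathParameters"]
    return {"TableName": TABLE,
            "Key": {"user_id": {"S": p["userId"]}, "task_id": {"S": p["taskId"]}}}


def get_task_hardened(event: dict) -> dict:
    """Owner-only: the partition key is the verified identity, and a URL that
    names someone else is rejected before any DynamoDB call is made."""
    caller = _caller_identity(event)
    p = event["pathParameters"]
    if p.get("userId") != caller:
        raise Forbidden("path userId does not match the authenticated caller")
    return {"TableName": TABLE,
            "Key": {"user_id": {"S": caller}, "task_id": {"S": p["taskId"]}}}


def list_tasks_hardened(event: dict) -> dict:
    """Listing is a Query on the caller's partition (which LeadingKeys can
    check), never a Scan (which carries no partition key to check)."""
    caller = _caller_identity(event)
    return {"TableName": TABLE,
            "KeyConditionExpression": "user_id = :uid",
            "ExpressionAttributeValues": {":uid": {"S": caller}}}


def leading_keys_allows(identity: str, partition_keys: list) -> bool:
    """Model of ForAllValues:StringEquals on dynamodb:LeadingKeys: every
    partition key in the request (several for BatchGetItem) must equal the
    caller's identity. IAM's set operator also returns true for an empty
    set, i.e. a request with no partition key at all, which is why Scan must
    not be granted under this condition and why the app-side check exists."""
    return all(k == identity for k in partition_keys)
```

The point of get_task_hardened is that the tenant identifier never originates from client-controlled input: the verified identity from the authorizer decides the partition key, and the path parameter is merely checked against it. Pairing this with the IAM condition gives two independent controls, so a bug in one does not expose other users' rows.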

Checkpoint Questions

  1. What is the primary difference between a Cognito User Pool and a Cognito Identity Pool?
  2. Why is storing credentials directly in application code considered a high security risk?
  3. In an IAM policy, which Condition key is commonly used to implement fine-grained access control for DynamoDB partition keys?
  4. What type of token is typically used to carry authorization claims between a client and an API Gateway?
  5. How does the Principle of Least Privilege (POLP) improve application security?
Answers
  1. User Pools handle Authentication (directory, profiles, sign-in, token issuance), while Identity Pools handle Authorization to AWS resources (exchanging a token for temporary credentials tied to an IAM role).
  2. It makes credentials vulnerable to source code leaks, hardcoding issues, and lacks the ability to easily rotate or expire secrets.
  3. dynamodb:LeadingKeys.
  4. A JWT (JSON Web Token), specifically the Cognito ID token or Access token, sent as a Bearer token in the Authorization header.
  5. It limits the "blast radius" if a user or component is compromised, ensuring they only have the bare minimum access needed.
