
AWS Amplify Storage permissions, S3 bucket

I'm developing a customer care app with Amazon AWS Amplify where every customer has their own login credentials and, after logging in, can create a new ticket and also upload some attachments.

I have three Cognito groups: Admins, Moderators, Customers.

I created a new storage with Amplify CLI and restricted access by groups in this way:

Admins -> create/update, read, delete

Moderators -> create/update, read

Customers -> create/update, read

Then, when in my code I upload the attachments, I use the "Private" scope: https://docs.amplify.aws/lib/storage/configureaccess/q/platform/js/

What I need is to allow a customer to upload files and see them, but not delete them. Other customers cannot do anything with files uploaded by other customers: they cannot see them or do anything with them. Users belonging to the moderators group can see all files but cannot delete them. Users belonging to the admin group instead can see all files uploaded by every customer and also delete them.

The problem is that with the "Private" scope, a customer can upload and see their files, but the admin users cannot even see them. If I set the "Protected" scope, a customer can upload and see their files and the admin users can manage them, but potentially other customers can also see these files, because the "Protected" scope, according to the documentation, is "Readable by all users".

How can I set the "Private" scope, so every customer can see only their files, but users belonging to the admin group or moderators group can also manage them?

What I did for my project was use amplify override storage to rewrite my access policies. Overriding creates an override.ts file in Storage. You can then write custom policies for your use case. Here is an example:

import { AmplifyS3ResourceTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyS3ResourceTemplate) {
  // Attach an extra IAM policy to a Cognito group role; the second argument is the
  // CloudFormation logical ID of the new resource.
  resources.addCfnResource({
    "type": "AWS::IAM::Policy",
    "properties": {
      "PolicyDocument": {
        "Statement": [
          {
            // Read, write and list only: no s3:DeleteObject, so this group cannot delete.
            "Action": [
              "s3:GetObject",
              "s3:GetObjectAcl",
              "s3:PutObject",
              "s3:PutObjectAcl",
              "s3:ListBucket"
            ],
            "Effect": "Allow",
            // Bucket ARN with a trailing "*": matches the bucket itself and every object in it.
            "Resource": {
              "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "S3Bucket" }, "*"]]
            }
          }
        ],
        "Version": "2012-10-17"
      },
      "PolicyName": "CognitoGroup-policy-override",
      // Group role name follows "<user pool id>-<GroupName>GroupRole";
      // replace the placeholder Ref with your user pool id parameter.
      "Roles": [
        {
          "Fn::Join": ["", [{ "Ref": "EXISTING_USER_POOL_ID_REF" }, "-ExistingGroupRole"]]
        }
      ]
    }
  }, "CustomizeAccessForCognitoGroup");
}
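An added example, not the answer's or Amplify's own code, that applies the same override approach to the three groups in the question: Private-scope uploads land under the private/<identityId>/ prefix, so a policy on the Admins and Moderators group roles scoped to private/* lets them reach every customer's files while the customers' own auth role still reaches only their own prefix. It assumes the "<user pool id>-<Group>GroupRole" role naming the answer relies on, keeps the answer's EXISTING_USER_POOL_ID_REF placeholder, and uses a structural stand-in type instead of importing the CLI helper package.

```typescript
// Added example, not the answer's code: IAM policies per Cognito group for the Amplify "private/"
// prefix (Private-scope uploads land under private/<identityId>/): Admins read + delete, Moderators read.
type Group = "Admins" | "Moderators";
interface PolicyStatement {
  Effect: "Allow";
  Action: string[];
  Resource: unknown; // a CloudFormation Fn::Join intrinsic here
  Condition?: Record<string, unknown>;
}
// Least privilege per group, matching the question: Moderators read-only, Admins read + delete.
const GROUP_ACTIONS: Record<Group, string[]> = {
  Admins: ["s3:GetObject", "s3:DeleteObject"],
  Moderators: ["s3:GetObject"],
};
// Object-level statement scoped to private/* only, not the whole bucket as "<bucket>*" would be.
export function objectStatement(group: Group): PolicyStatement {
  return {
    Effect: "Allow",
    Action: GROUP_ACTIONS[group],
    Resource: { "Fn::Join": ["", ["arn:aws:s3:::", { Ref: "S3Bucket" }, "/private/*"]] },
  };
}
// ListBucket is bucket-level; the s3:prefix condition keeps listing inside private/.
export function listStatement(): PolicyStatement {
  return {
    Effect: "Allow",
    Action: ["s3:ListBucket"],
    Resource: { "Fn::Join": ["", ["arn:aws:s3:::", { Ref: "S3Bucket" }]] },
    Condition: { StringLike: { "s3:prefix": ["private/*"] } },
  };
}
// Assumes the group-role naming the answer relies on: "<user pool id>-<Group>GroupRole";
// EXISTING_USER_POOL_ID_REF is the answer's placeholder for the user pool id parameter.
export function groupPolicy(group: Group) {
  return {
    type: "AWS::IAM::Policy",
    properties: {
      PolicyName: `${group}-private-prefix-access`,
      PolicyDocument: { Version: "2012-10-17", Statement: [listStatement(), objectStatement(group)] },
      Roles: [{ "Fn::Join": ["", [{ Ref: "EXISTING_USER_POOL_ID_REF" }, `-${group}GroupRole`]] }],
    },
  };
}
// Structural stand-in for AmplifyS3ResourceTemplate so this compiles without the CLI helper package.
interface S3Template { addCfnResource(resource: object, logicalId: string): void; }
export function override(resources: S3Template): void {
  for (const group of ["Admins", "Moderators"] as Group[]) {
    resources.addCfnResource(groupPolicy(group), `${group}PrivatePrefixPolicy`);
  }
}
```

Customers get no extra policy here: their access to private/<identityId>/* already comes from the default auth role, so other customers' prefixes stay unreachable.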
