Fine Grained Access Control with Amazon Dynamo DB with Horizontal Information Hiding
I've already gone through the documentation and it closely mirrors my use-case except that I cannot use Google, Facebook or Amazon as my identity provider, but I already have an enterprise level OAuth 2.0 access token for authenticated users.

I understand that I could possibly use Enterprise Federated support from AWS STS to get temporary credentials and use them to further access the AWS resources, but I fail to understand how I can configure the IAM Policy to use these credentials to achieve horizontal information hiding.

I have certain tables in DynamoDB in which I store the details of all the users of my application, and my application supports multiple tenants, so I want the users of one tenant to NOT be able to access data of other tenants. The IAM policy that I could configure is of the type:

"Condition": {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"]
    }
}

Now my users are NOT logged in via Amazon (or Google or Facebook) and hence I cannot use keys like "${www.amazon.com:user_id}". Also, my hash keys for some tables are composite.

So my question is how to achieve multi-tenancy at the database level and be able to segregate or separate data per tenant, i.e., to hide certain rows of my tables from the users who should not have access to them.

Is it possible to specify custom Policy Variables while defining the IAM policy and specify how to resolve those at runtime? Or is there some other way?

My tables in Dynamo currently have composite hash keys, which are a combination of Tenant_ID and User_ID, so can I specify some kind of rule in the IAM Policy so that I am able to achieve horizontal information hiding?

Please let me know if you need more information about my use case.

Regards, Agraj

Dragonet answered 20/7, 2015 at 11:15 Comment(0)

In order to enable fine-grained data access in DynamoDB, you must specify an IAM Policy Element Variable in the DynamoDB IAM policy.

A typical policy may look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FullAccessToUserItems",
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/*"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

Where ${cognito-identity.amazonaws.com:sub} is an IAM policy variable representing the user's sub in Cognito.

Unfortunately, Amazon do not publish a list of available policy variables. What this does mean, though, is that your user management has to be managed through Amazon to enable fine-grained security. You cannot define your own policy variables; they have to be pre-defined Amazon variables, hence fine-grained security is only available where your users are managed in Amazon.

Additionally, your DynamoDB partition key has to match the policy variable. For example, your table partition key would have to be the Cognito sub.

If your OAuth token was received from Cognito, you can simply post it to the Amazon Token Endpoint, which will give you back an id_token that contains the user's Cognito sub.

Baroque answered 1/2, 2018 at 12:25 Comment(2)
Thank you Stu for replying. However, I cannot accept it as the right answer currently as I cannot try this now. I've moved on from that project 2 years back. If anyone else can validate this answer as correct, I would be happy to accept this as the correct answer. - Dragonet

I am thinking of using the dynamodb:LeadingKeys condition in my single-table design, but a big limiting factor is that you can use only a partition key, and not a partition key - sort key combination. - Equality
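The following is an added example, not code from the question or the answer above. It shows the route the question hints at for a non-Cognito identity: a hypothetical identity broker validates the enterprise OAuth 2.0 token itself and substitutes the tenant and user values into a scoped-down session policy that it passes to STS (the `Policy` parameter of `sts:AssumeRole`), so the "custom policy variable" is resolved by the broker rather than by IAM. It also includes a minimal offline evaluator of `ForAllValues:StringEquals` / `ForAllValues:StringLike` on `dynamodb:LeadingKeys`, used to compare the answer's `dynamodb:*` policy with the scoped one, including the case a practitioner should check: a `Scan` carries no `dynamodb:LeadingKeys` value, and a `ForAllValues` condition on an absent key evaluates to true, so the answer's policy permits a Scan across every tenant. The composite partition key layout `<tenant>#<user>`, the table name `Users`, the claim values and the `StringLike` tenant-wide variant are assumptions for the example, not facts from the page.

```python
import fnmatch
import json

# Constructed sample claims: the hypothetical broker has already validated the
# enterprise OAuth 2.0 token and extracted these two values from it.
TENANT_ID = "acme"
USER_ID = "u-1001"

# Item-level actions only; dynamodb:Scan is deliberately absent (see is_allowed).
ITEM_ACTIONS = [
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
]


def page_policy(resolved_value: str) -> dict:
    """The answer's policy with its policy variable already resolved to one
    principal's value, as IAM does at evaluation time."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "FullAccessToUserItems",
            "Effect": "Allow",
            "Action": ["dynamodb:*"],
            "Resource": ["arn:aws:dynamodb:*:*:table/*"],
            "Condition": {"ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [resolved_value]}},
        }],
    }


def session_policy(tenant_id: str, user_id: str, tenant_wide: bool = False) -> dict:
    """Scoped-down policy the broker passes as the Policy parameter of
    sts:AssumeRole. The tenant/user values are substituted here, by the broker,
    which gives the effect of a custom policy variable. Assumes (not from the
    page) a composite partition key "<tenant>#<user>"; tenant_wide=True instead
    matches every user of the tenant with a StringLike wildcard pattern."""
    if tenant_wide:
        condition = {"ForAllValues:StringLike": {
            "dynamodb:LeadingKeys": [f"{tenant_id}#*"]}}
    else:
        condition = {"ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [f"{tenant_id}#{user_id}"]}}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TenantScopedItems",
            "Effect": "Allow",
            "Action": ITEM_ACTIONS,
            "Resource": ["arn:aws:dynamodb:*:*:table/Users"],  # table name assumed
            "Condition": condition,
        }],
    }


def _string_match(operator: str, patterns: list, value: str) -> bool:
    if operator == "StringEquals":
        return value in patterns
    if operator == "StringLike":  # IAM string wildcards are * and ?
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    raise ValueError(f"unsupported operator {operator}")


def is_allowed(policy: dict, action: str, leading_keys: list) -> bool:
    """Minimal evaluator for the subset of IAM used here: Allow statements,
    action wildcards, and ForAllValues:String* on dynamodb:LeadingKeys.
    leading_keys holds the partition-key values in the request; a Scan has none.
    Implements the documented ForAllValues rule: every request value must match,
    and a request with no values for the key evaluates to true."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        allowed = True
        for cond_key, pairs in stmt.get("Condition", {}).items():
            set_op, _, str_op = cond_key.partition(":")
            if set_op != "ForAllValues":
                raise ValueError(f"unsupported set operator {set_op}")
            patterns = pairs["dynamodb:LeadingKeys"]
            allowed = allowed and all(
                _string_match(str_op, patterns, k) for k in leading_keys)
        if allowed:
            return True
    return False


if __name__ == "__main__":
    own_key = f"{TENANT_ID}#{USER_ID}"
    print(json.dumps(session_policy(TENANT_ID, USER_ID), indent=2))
    wide = page_policy(own_key)
    print("own item under page policy :", is_allowed(wide, "dynamodb:GetItem", [own_key]))
    print("other tenant's item        :", is_allowed(wide, "dynamodb:GetItem", ["globex#u-7"]))
    print("Scan under page policy     :", is_allowed(wide, "dynamodb:Scan", []))
    print("Scan under session policy  :",
          is_allowed(session_policy(TENANT_ID, USER_ID), "dynamodb:Scan", []))
```

In a real broker the output of `session_policy` goes into `boto3.client("sts").assume_role(RoleArn=..., RoleSessionName=..., Policy=json.dumps(...))`; the resulting credentials can never exceed the intersection of the role's own policy and this session policy, so the role itself can stay generic while each session is pinned to one tenant (or one user). The `tenant_wide=True` variant addresses the composite-key case in the question: `StringEquals` needs the full partition key value, whereas a `StringLike` pattern on the tenant prefix lets one session reach every partition of that tenant without ever matching another tenant's prefix.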
