The Security Team that has joined our task force told us that it is essential to have RBAC (Role-Based Access Control) properly configured in the Alien Attack architecture. We’ve tried to address this in the code, but have discovered that the version of AWS CDK that we are using doesn’t allow us to solve our problem this way unless we create a Custom Resource. Nobody on our team knows how to do this or has time to learn, so it looks like we will have to find an easier way.
You’re curious about what version of the AWS CDK we are using that causes this roadblock, so you navigate to the terminal in the Cloud9 console and enter the following command:
cdk --version

What output do you see?
We’re in luck! One of the SysAdmins has a playbook to implement RBAC for our application. She has just sent over the guidance. Let’s try to leverage it.
What are we fixing? The Identity Pool configuration is missing the role mappings for both of your groups (Managers and Players/Gamers). We need to attach the proper role to the user when the user signs in to the application.
Let’s take a look at the playbook we received.
<YourEnvironmentName>ManagersRole (check for typos and use uppercase for the “YourEnvironmentName” part; if your environment name is r2d2, the role name should look like R2D2ManagersRole).
<YourEnvironmentName>PlayersRole (check for typos and use uppercase for the “YourEnvironmentName” part; if your environment name is r2d2, the role name should look like R2D2PlayersRole).
For this step, we have two fast fixes:
1. An alternative configuration: get the roles from the token
Everything that was described in the Solution Guidance is a configuration to guide Cognito to read a certain “claim” from the ID token, and considering the configuration, to define the appropriate role for the user. You can read more about it here.
So here is a shortcut for the configuration: Cognito can automatically look up the ‘cognito:preferred_role’ claim in the ID token. That means we can replace steps 7 onward from the previous list with this configuration:
When using Cognito User Pools, this is the preferred (and easier) way of configuring RBAC. If you rely on custom claims in your JWT, use the first approach instead.
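As an added example (not the workshop's or the playbook's own code), here is the `roleMappings` value that AWS CDK's `CfnIdentityPoolRoleAttachment` takes for both approaches: the `Token` mapping described above, which reads `cognito:preferred_role`, and a rules-based mapping that matches a claim to a role. The region, pool and client ids, account id, and the choice of the `cognito:groups` claim with a `Contains` match are assumptions.

```typescript
// Shape of one entry in the RoleMappings map of
// AWS::Cognito::IdentityPoolRoleAttachment (CDK: CfnIdentityPoolRoleAttachment.roleMappings).
type Rule = {
  claim: string;
  matchType: 'Equals' | 'Contains' | 'StartsWith' | 'NotEqual';
  value: string;
  roleArn: string;
};
type RoleMapping = {
  type: 'Token' | 'Rules';
  // 'Deny' refuses credentials when no mapping applies, instead of silently
  // handing out the identity pool's default authenticated role.
  ambiguousRoleResolution: 'AuthenticatedRole' | 'Deny';
  rulesConfiguration?: { rules: Rule[] };
};

// Key format Cognito uses for a user pool provider: "<issuer host>/<poolId>:<clientId>".
function providerKey(region: string, userPoolId: string, clientId: string): string {
  return `cognito-idp.${region}.amazonaws.com/${userPoolId}:${clientId}`;
}

// Fix 1 from the text: let Cognito take the role from the cognito:preferred_role claim.
function tokenRoleMapping(provider: string): Record<string, RoleMapping> {
  return { [provider]: { type: 'Token', ambiguousRoleResolution: 'Deny' } };
}

// Rules-based variant (assumption: groups are carried in the cognito:groups claim):
// map each group name to its role ARN, in insertion order.
function rulesRoleMapping(provider: string, groupToRole: Record<string, string>): Record<string, RoleMapping> {
  const rules: Rule[] = Object.entries(groupToRole).map(([group, roleArn]) => ({
    claim: 'cognito:groups', matchType: 'Contains', value: group, roleArn,
  }));
  return { [provider]: { type: 'Rules', ambiguousRoleResolution: 'Deny', rulesConfiguration: { rules } } };
}

// Constructed sample values (placeholders, not a real pool or account).
const SAMPLE_PROVIDER = providerKey('us-east-1', 'us-east-1_EXAMPLE', 'exampleclientid');
const SAMPLE_ROLES = {
  Managers: 'arn:aws:iam::123456789012:role/R2D2ManagersRole',
  Players: 'arn:aws:iam::123456789012:role/R2D2PlayersRole',
};
console.log(JSON.stringify(tokenRoleMapping(SAMPLE_PROVIDER), null, 2));
console.log(JSON.stringify(rulesRoleMapping(SAMPLE_PROVIDER, SAMPLE_ROLES), null, 2));

// Inside a CDK stack (aws-cdk-lib is not imported here so this file runs stand-alone):
//   new cognito.CfnIdentityPoolRoleAttachment(this, 'RoleAttachment', {
//     identityPoolId: identityPool.ref,
//     roles: { authenticated: playersRole.roleArn },
//     roleMappings: tokenRoleMapping(providerKey(region, userPool.userPoolId, client.userPoolClientId)),
//   });
```

The `roles.authenticated` entry is only used when a mapping resolves to nothing, so keeping `ambiguousRoleResolution` at `Deny` makes a missing group mapping fail closed rather than fall back to that default role.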
2. Using a fix script
The Fast Fix for this step is written in a file named fixcognito.sh. In your Cloud9 environment, navigate to the folder alienattack.workshop:
Run the following command: