Edit this page

AWS Alien Attack: A Serverless Adventure > Journey: Serverless Fundamentals > Level 1: Fix AWS Alien Attack > 3. Role-Based Access Control

3. Role-Based Access Control

Implement Role-Based Access Control

The Security Team that has joined our task force told us that it is essential to have RBAC (Role-Based Access Control) properly configured in the Alien Attack architecture. We’ve tried to address this in the code, but have discovered that the version of AWS CDK that we are using doesn’t allow us to solve our problem this way unless we create a Custom Resource. Nobody on our team knows how to do this or has time to learn, so it looks like we will have to find an easier way.

You’re curious about what version of the AWS CDK we are using that causes this roadblock, so you navigate to the terminal in the Cloud9 console and enter the following command: cdk --version. What output do you see?

We’re in luck! One of the SysAdmins has a playbook to implement RBAC for our application. She has just sent over the guidance. Let’s try to leverage it.

What are we fixing? The Identity Pool configuration is missing the configuration of the roles for both of your groups (Managers and Players/Gamers). We need to attach the proper roles to the user when the user signs in to the application.

Hint: Click here to see a diagram of your broken architecture.

Solution Guidance

Let’s take a look at the playbook we received.

From your AWS Management Console, visit the Amazon Cognito Console. Make sure you are still in the region you chose at the beginning of this workshop.
If you see the Cognito landing page, select Manage Identity Pools. Otherwise, if you have landed on the User Pools configuration page, select Federated Identities at the top of your window.
You will see an Identity Pool named after the Environment Name you selected. Click on it.
At the top righthand corner of the page, there is a small button labeled Edit Identity Pool. Click on it.
Scroll down and expand the section labeled Authentication Providers.
Select the Cognito tab just to be sure that you have selected Cognito as your provider.
In the section labeled Authenticated role selection, select Use default role > Choose role with rules. We will create two rules: the Managers Rule and the Players Rule.
Create the Managers Rule
- In the Claim field, insert the value cognito:preferred_role.
- Click the dropdown to the right of the field and select Contains.
- In the input field to the right of the Contains box, insert the value <YourEnvironmentName>ManagersRole. (Check for typos and use uppercase for the “YourEnvironmentName” part. If your environment name is r2d2, the role name should look like R2D2ManagersRole.
- In the dropdown to the right, select YourEnvironmentNameManagersRole.
Select Add another rule.
Create the Players Rule
- In the Claim field, insert the value cognito:preferred_role.
- Click the dropdown to the right of the field and select Contains.
- In the input field to the right of the Contains box, insert the value <YourEnvironmentName>PlayersRole. (Check for typos and use uppercase for the “YourEnvironmentName” part. If your environment name is r2d2, the role name should look like R2D2PlayersRole.
- In the dropdown to the right, select YourEnvironmentNamePlayersRole.
Role resolution: Select Deny
Review the Claim and Role fields for possible typos. Your updates should look something like this:
Leave all other defaults and select Save changes.

Stuck? Click here for a Fast Fix

For this step, we have two fast fixes:

1. An alternative configuration: get the roles from the token

Everything that was described in the Solution Guidance is a configuration to guide Cognito to read a certain “claim” from the ID token, and considering the configuration, to define the appropriate role for the user. You can read more about it here.

So, here there is a shortcut for the configuration, as Cognito can automatically search for the ‘cognito:preferred_role’ claim. So, we can replace the steps from 7 and on from the previous list, with this configuration:

On the section Authenticated role selection there is a select button labeled as Use default role. Click on this button and select Choose role from token. The interface will show up another button, so you can define the Role Resolution.
For Role resolution, click on the button where it is indicated Use default Authenticated role, and change it to DENY. Here we are saying that “If there is any conflict, just deny the access” .
Scroll down and click Save Changes. And that’s it. You can skip all the other steps.

When using Cognito UserPools, this is the preferred (and easier) way of configuring RBAC. If you have custom claims on your JWT token, then use the first approach.

2. Using a fix script

The Fast Fix for this step is written in a file named fixcognito.sh. In your Cloud9 environment, navigate to the folder alienattack.workshop:

cd ~/environment/aws-alien-attack/infrastructure/

Run the following command:

source fixcognito.sh