3. Role-Based Access Control

Implement Role-Based Access Control

The Security Team that has joined our task force told us that it is essential to have RBAC (Role-Based Access Control) properly configured in the Alien Attack architecture. We’ve tried to address this in the code, but have discovered that the version of AWS CDK that we are using doesn’t allow us to solve our problem this way unless we create a Custom Resource. Nobody on our team knows how to do this or has time to learn, so it looks like we will have to find an easier way.

You’re curious about what version of the AWS CDK we are using that causes this roadblock, so you navigate to the terminal in the Cloud9 console and enter the following command: cdk --version. What output do you see?

We’re in luck! One of the SysAdmins has a playbook to implement RBAC for our application. She has just sent over the guidance. Let’s try to leverage it.

What are we fixing? The Identity Pool configuration is missing the configuration of the roles for both of your groups (Managers and Players/Gamers). We need to attach the proper roles to the user when the user signs in to the application.


Solution Guidance

Let’s take a look at the playbook we received.

  1. From your AWS Management Console, visit the Amazon Cognito Console. Make sure you are still in the region you chose at the beginning of this workshop.
  2. If you see the Cognito landing page, select Manage Identity Pools. Otherwise, if you have landed on the User Pools configuration page, select Federated Identities at the top of your window.
  3. You will see an Identity Pool named after the Environment Name you selected. Click on it.
  4. At the top righthand corner of the page, there is a small button labeled Edit Identity Pool. Click on it.
  5. Scroll down and expand the section labeled Authentication Providers.
  6. Select the Cognito tab just to be sure that you have selected Cognito as your provider.
  7. In the section labeled Authenticated role selection, the dropdown shows Use default role; change it to Choose role with rules. We will create two rules: the Managers Rule and the Players Rule.
  8. Create the Managers Rule
    • In the Claim field, insert the value cognito:preferred_role.
    • Click the dropdown to the right of the field and select Contains.
    • In the input field to the right of the Contains box, insert the value <YourEnvironmentName>ManagersRole. (Check for typos and use uppercase for the “YourEnvironmentName” part. If your environment name is r2d2, the role name should look like R2D2ManagersRole.)
    • In the dropdown to the right, select <YourEnvironmentName>ManagersRole.
  9. Select Add another rule.
  10. Create the Players Rule
    • In the Claim field, insert the value cognito:preferred_role.
    • Click the dropdown to the right of the field and select Contains.
    • In the input field to the right of the Contains box, insert the value <YourEnvironmentName>PlayersRole. (Check for typos and use uppercase for the “YourEnvironmentName” part. If your environment name is r2d2, the role name should look like R2D2PlayersRole.)
    • In the dropdown to the right, select <YourEnvironmentName>PlayersRole.
  11. Role resolution: select Deny.
  12. Review the Claim and Role fields for possible typos.
  13. Leave all other defaults and select Save changes.
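The playbook above configures the identity pool to pick an IAM role from the ID token at sign-in: the cognito:preferred_role claim carries the ARN of the role attached to the user's group, which is why a Contains match on the bare role name works, and Deny means a user who matches no rule gets no credentials at all instead of the pool's default authenticated role. The following Python model is an added example, not code from the workshop or from AWS; it mirrors the rule evaluation (rules checked in order, first match wins, then the Deny/default fallback) over constructed token claims, and includes a small check for the typo problem step 12 asks you to look for. The account id, the R2D2 environment name and the role ARNs are placeholders.

```python
# Added example (not workshop or AWS code): a model of the rule-based role
# resolution an identity pool performs on ID-token claims at sign-in.
# Account id, environment name and role ARNs are constructed placeholders.
from dataclasses import dataclass
from typing import Dict, List, Optional

ENV = "R2D2"                 # placeholder for <YourEnvironmentName>, uppercased
ACCOUNT = "123456789012"     # placeholder AWS account id
MANAGERS_ROLE = f"arn:aws:iam::{ACCOUNT}:role/{ENV}ManagersRole"
PLAYERS_ROLE = f"arn:aws:iam::{ACCOUNT}:role/{ENV}PlayersRole"
# Placeholder for the pool's default authenticated role (used only when
# role resolution is NOT set to Deny).
DEFAULT_AUTH_ROLE = f"arn:aws:iam::{ACCOUNT}:role/{ENV}DefaultAuthenticatedRole"


@dataclass(frozen=True)
class Rule:
    claim: str        # token claim to inspect, e.g. "cognito:preferred_role"
    match_type: str   # "Equals", "Contains", "StartsWith" or "NotEqual"
    value: str        # value the claim is compared against
    role_arn: str     # role granted when the rule matches


# The two rules from the playbook, in the order they are listed.
RULES: List[Rule] = [
    Rule("cognito:preferred_role", "Contains", f"{ENV}ManagersRole", MANAGERS_ROLE),
    Rule("cognito:preferred_role", "Contains", f"{ENV}PlayersRole", PLAYERS_ROLE),
]


def rule_matches(rule: Rule, claims: Dict[str, str]) -> bool:
    """Apply one rule's match type to the named claim; a missing claim never matches."""
    actual = claims.get(rule.claim)
    if actual is None:
        return False
    if rule.match_type == "Equals":
        return actual == rule.value
    if rule.match_type == "Contains":
        return rule.value in actual
    if rule.match_type == "StartsWith":
        return actual.startswith(rule.value)
    if rule.match_type == "NotEqual":
        return actual != rule.value
    raise ValueError(f"unknown match type {rule.match_type!r}")


def resolve_role(claims: Dict[str, str], rules: List[Rule] = RULES,
                 ambiguous_resolution: str = "Deny") -> Optional[str]:
    """Return the role ARN the user receives, or None when the sign-in is denied.

    Rules are evaluated in order and the first match wins. When nothing matches,
    "Deny" refuses credentials; "AuthenticatedRole" (the console's
    "Use default Authenticated role") hands out the pool's default role instead.
    """
    for rule in rules:
        if rule_matches(rule, claims):
            return rule.role_arn
    if ambiguous_resolution == "Deny":
        return None
    return DEFAULT_AUTH_ROLE


def find_rule_typos(rules: List[Rule]) -> List[str]:
    """Flag rules whose Value is not the name of the role they grant (step 12 check)."""
    problems = []
    for rule in rules:
        role_name = rule.role_arn.rsplit("/", 1)[-1]
        if rule.value != role_name:
            problems.append(f"rule value {rule.value!r} does not name role {role_name!r}")
    return problems


# Constructed ID-token claim sets for three different sign-ins.
MANAGER_CLAIMS = {"cognito:preferred_role": MANAGERS_ROLE}
PLAYER_CLAIMS = {"cognito:preferred_role": PLAYERS_ROLE}
NO_GROUP_CLAIMS = {"sub": "user-in-no-group"}   # no group, so no preferred_role claim

if __name__ == "__main__":
    print("manager ->", resolve_role(MANAGER_CLAIMS))
    print("player  ->", resolve_role(PLAYER_CLAIMS))
    print("no group, Deny ->", resolve_role(NO_GROUP_CLAIMS))
    print("no group, default role ->",
          resolve_role(NO_GROUP_CLAIMS, ambiguous_resolution="AuthenticatedRole"))
    # A rule value with a missing "s" silently matches nobody; the check catches it.
    typo_rules = [Rule("cognito:preferred_role", "Contains", f"{ENV}ManagerRole", MANAGERS_ROLE)]
    print("typo rule, manager ->", resolve_role(MANAGER_CLAIMS, rules=typo_rules))
    print("typo check ->", find_rule_typos(typo_rules))
```

Running the script shows the two outcomes the playbook cares about: with Deny, a signed-in user who belongs to no group (or whose rule value has a typo) gets no AWS credentials, whereas with the default-role fallback that same user would receive whatever the pool's authenticated role permits. The typo check reproduces step 12 mechanically by comparing each rule's value against the role name at the end of its ARN.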