I am creating a SPA app, (single page application) I would like to store user specific data in dynamodb, so when user creates and account (via cognito), ie:
Cognito User {
userId
}
the system stores private data for that user in dynamoDb, ie:
{
userId: string,
shoppingList: [],
privateData
}
then I need to create an API to store and access that data, but how do I ensure that the requestor is the correct user? can I use the token value from OAuth to check if the requestor is the right user?
basically I don't want other valid user to query another user data, if they somehow find the userId value.
Use IAM Fine Grained Access Control for DynamoDB. The trust policy of the role determines which identity providers are accepted (e.g. Login with Amazon, Facebook, or Google) and the access policy determines which AWS resources (e.g. the DynamoDB tables, items, and attributes) can be accessed.
https://aws.amazon.com/blogs/aws/fine-grained-access-control-for-amazon-dynamodb/