<![CDATA[Fuongz's Blog]]>https://blog.phuongphung.comRSS for NodeThu, 09 Apr 2026 11:22:07 GMT60<![CDATA[Securely Upload Files to S3 for Guests Using AWS Cognito]]>https://blog.phuongphung.com/aws-amplify-deploy-permissionshttps://blog.phuongphung.com/aws-amplify-deploy-permissionsFri, 30 Jan 2026 05:07:59 GMTFor security reasons, if you allow guest users to upload files from your app, it's better to use Guest Access from AWS Cognito instead of a direct AWS Access Key from an IAM User.

Why?

  • An IAM User access key is long-lived and never expires.

  • With AWS Cognito, you can decide how long the temporary guest access key will be valid.

Requirements:

  • AWS Cognito > Identity pool

  • S3 Bucket

Step-by-steps:

  1. Create Cognito Identity Pool

    1. Go to Amazon Cognito > Identity pools > Create identity pool

    2. Configure identity pool trust:

  • Select: Guest access (this enables unauthenticated)

  • Click Next

  1. Configure permissions:

  • Select: Create a new IAM role (Your AWS IAM account needs some permissions to do that)

    • iam:CreateRole (create role)

    • iam:PutRolePolicy (add inline policies)

    • iam:AttachRolePolicy (attach managed policies)

    • iam:DetachRolePolicy (detach managed policies)

    • iam:TagRole / iam:UntagRole (if you use tags)

  • Role name: guest-uploader-role or anything you want

  • Click Next

  1. Configure properties:

  • Identity pool name: guest-uploader-pool or anything you want

  • Click Next

  • Review and create > Click Create identity pool

  1. Create S3 Bucket

    1. Go to S3 > Click on the button Create bucket

    2. Fill-out your bucket data (eg. bucket name as guest-bucket)

    3. Click Create Bucket

  2. Add S3 Permission to the Role

    1. Go to IAM > Roles > search for guest-uploader-role (you created on the previous step)

    2. Click the role > Add permissions > Create inline policy

    3. Switch to JSON tab, paste:

       {
   "Version": "2012-10-17",
   "Statement": [{
     "Effect": "Allow",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::guest-bucket/uploads/*"
   }]
 }
      • Note: Because I want to store all guest upload files in the /uploads folder, I put it in the source field.

    4. Click Next > Name it S3UploadPolicy > Create policy

  3. Update CORS for S3 bucket to allow your frontend to put file:

    1. Go to S3 > Click on bucket guest-bucket or anything you created from previous step

    2. Go to Permissions tab > Scroll down to Cross-origin resource sharing (CORS) (bottom of page)

    3. Click on Edit, paste:

       [
     {
         "AllowedHeaders": [
             "*"
         ],
         "AllowedMethods": [
             "PUT"
         ],
         "AllowedOrigins": [
             "[YOUR_FRONTEND_URL]",
         ],
         "ExposeHeaders": []
     }
 ]
      1. Click on Save Changes

Best Practices:

  1. For security reasons, it is advisable to block all public access to the S3 bucket.

  2. To optimize costs, consider setting a lifecycle policy for the bucket, such as deleting files after 6 months if they are not important.

]]>