I want to build an application to save data input from my user in DynamoDB and/or S3. Usually I use API Gateway and Lambda for this, with users authenticated by Cognito.
So far so easy. Now I want this data to be secured in a way that only the user can read it – not me as the admin/programmer.
How can I do this in the AWS ecosystem? Any key pair that Cognito creates and no admin gets, maybe? Is it possible at all?
2 Answers
Reading between the lines, it sounds like you’re missing the point about what AWS is and what it isn’t. It sounds like you’re trying to treat AWS as a glorified IDE on steroids.
AWS isn’t that.
Ultimately it sounds like what you are trying to achieve here is some kind of application-level encryption at rest, in a similar vein to how WhatsApp end-to-end encryption works, where the application owner (aka WhatsApp, or to translate this to your example, your AWS account) cannot in any way see the data that is stored/transmitted.
WhatsApp did a whitepaper on their end-to-end encryption which may be worth a read – https://scontent-ord5-2.xx.fbcdn.net/v/t39.8562-6/384251896_820338303082371_8514785982310046047_n.pdf?_nc_cat=100&ccb=1-7&_nc_sid=e280be&_nc_ohc=zPJ9jzb_1qIQ7kNvgFBxL8s&_nc_ht=scontent-ord5-2.xx&oh=00_AYCNCQD7V9ZmNmItUjZJkI4islRQT64Haajijq_9KG2QcA&oe=66B47591
If you do want to try and use AWS as an IDE, then it’s worth starting to look at AWS Amplify which is what that service is trying to achieve.
It is always difficult to block Admin access to data.
For example, think of a company that is storing pay information and personal information about employees. They probably don’t want an IT Admin accessing that data but the HR folks don’t know how to manage IT infrastructure. Ultimately, somebody with the right skills has to ‘have the keys’ to the IT infrastructure.
One option is to store sensitive data in a different AWS Account that has minimal access. This doesn’t totally solve the problem, but it reduces the number of people who might have access to the data.
To do it fully so that nobody has access to the data, you would need to encrypt the data using a key that only the user knows (e.g. their password). Decrypting the data would require the password. If a user loses their password, then they have also lost access to their data.