Role based Access Control over API gateway/Lambda or DynamoDB AND S3


I’m wondering on how should I control the access level to my app for different user roles. By example: Let’s say I have normal users, which only have permissions to list products, get a given product and order one or more products. In the other hand, I have some few admin users, who can add, delete, edit products and process (Complete, cancel, etc) orders generated by normal users.

What should be the best way to achieve that? And How?

I’ve been thinking about it, and reading a lot about IAM Roles, Groups and Policies, and given the set up Serverless-stack I’m not clear if we should create a Role fro the Current user to restrict access to the “Admin” API Gateway (Those actions for admin stuff) and grant all permissions to the Lambda function against DynamoDB, OR should we set the policies for the user based on something against DynamoDB directly? Since the notes app, is for the current user only. The same regarding the S3 Bucket.

Tahnk you very much!

You can take a look at Cognito User Groups. I know some of our readers have used it to extend the tutorial.