API Gateway Authorizer to Static S3 Bucket

We have a website which contains multiple smaller sites (in sub folders). A user or guest could have access to 1 or more of the smaller sites. How should we go about hiding and blocking a sub folder from a guest or authenticated user? The goal for us here is to use static S3 buckets, API Gateway, Lambdas, and Cognito.

Any help or direction would be appreciated.

Thanks.

This is probably what you want:
https://hackernoon.com/serverless-password-protecting-a-static-website-in-an-aws-s3-bucket-bfaaa01b8666

But you have to use CloudFront.

This is another solution that requires Cognito authentication.

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html

I believe there are policy variables available for role_names but I have not tried using them. You would replace ${cognito-identity.amazonaws.com:sub} with a role_name variable.

role id:caller-specified-role-name
where role id is the unique id of the role and the caller-specified-role-name is specified by the RoleSessionName parameter passed to the AssumeRoleWithWebIdentity request.


You could use a custom authenticator that takes in JWT tokens. You would control the access via REST paths rather than the specific buckets, but just use JWT grants, the rest path, or some other identifier to route to the proper path in the bucket for your CRUD operations.
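The custom-authorizer approach from the reply above, as an added example that is not code from the original thread: a REQUEST-type Lambda authorizer that verifies a JWT, reads a hypothetical `sites` claim, and returns an IAM policy allowing `execute-api:Invoke` only when the first path segment (the sub-site folder) is in that claim. It uses a constructed HS256 secret so it runs offline; a real Cognito token is RS256 and would be verified against the user pool's JWKS instead.

```python
import base64, hmac, hashlib, json, time

# Constructed demo secret (HS256) so the example runs offline; real Cognito
# tokens are RS256 and must be verified against the user pool's JWKS instead.
DEMO_SECRET = b"demo-secret-not-for-production"

def _b64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_hs256(token: str, secret: bytes) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, sig = parts
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url(p))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

def site_from_path(path: str) -> str:
    # /site-a/index.html -> "site-a": the first segment names the sub-site
    return path.strip("/").split("/")[0]

def authorize(event: dict, secret: bytes = DEMO_SECRET) -> dict:
    """REQUEST-type Lambda authorizer: allow the call only if the requested
    sub-site appears in the token's 'sites' claim (a hypothetical claim name)."""
    auth = event.get("headers", {}).get("Authorization", "")
    token = auth[7:] if auth.startswith("Bearer ") else auth
    try:
        claims = verify_hs256(token, secret)
    except ValueError:
        raise Exception("Unauthorized")  # API Gateway maps this message to 401
    allowed = set(claims.get("sites", []))
    effect = "Allow" if site_from_path(event["path"]) in allowed else "Deny"
    return {
        "principalId": claims.get("sub", "anonymous"),
        "policyDocument": {"Version": "2012-10-17", "Statement": [{
            "Action": "execute-api:Invoke", "Effect": effect,
            "Resource": event["methodArn"]}]},
        "context": {"sites": ",".join(sorted(allowed))},
    }

def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    # Mint a constructed HS256 token for local testing only
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    h, p = enc({"alg": "HS256", "typ": "JWT"}), enc(claims)
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()
```

The Lambda behind the allowed route then fetches the object from the bucket on the caller's behalf, so the bucket itself stays private and the sub-folder is never exposed directly.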