How can I implement file sharing between users with S3 + Amplify + Cognito?

:wave: Hallo

I have an app in which users upload paperwork for an “moderator” group to review.

Currently the files are uploaded to AWS and authentication is Cognito.

The goal: Normal users can’t access each other’s paperwork, but everyone in the moderator group can access a normal user’s paperwork.

It seems like this type of control may be possible using roles and policies attached to buckets, but I don’t have a lot of experience with IAM yet — does anyone have helpful tips about how to think about this pattern of file sharing?