AWS File Transfer IAM Role Access.

0

Hi, I am trying to setup AWS File transfer SFTP server. Here is my requirement:

  1. User must be authenticated via third part identity provider which in Azure Authentication in our case.
  2. Once user logged in they should two folder in their homedirectory i.e. {transfer:user}/folder1 and {transfer:user}/folder2
  3. User should be restricted to put files in either folder1 or folder2, not in their home directory.
  4. User should be able download the files only if specific tag is set on object/files in S3

So far, I am able to achieve Step 1 and Step 2 -- Step 1 -- custom authentication using lambda. Step 2 -- Once user authenticated successfully, Lambda will create folder1 and folder2 in their homedirectory. But when user logged into their home-directory they are not able to see folder1 and folder2 in their homedirectory but I can see folders were created successfully in S3 bucket.

Here is IAM role attached to Transfer server and not able to figure out what's wrong with it. Any help would be appreciate.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteS3",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ]
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/allowdownload": "yes"
                }
            },
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Effect": "Allow",
            "Sid": "DownloadAllowed"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/allowdownload": "no"
                }
            },
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Effect": "Deny",
            "Sid": "DownloadNotAllowed"
        },
        {
            "Sid": "DenyMkdir",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::s3-bucket/*/*/"
        }
    ]
}

Within lambda where user authentication happens, I am returning user's homedirectory

HomeDirectoryDetails = [{"Entry":"/","Target":"/s3-bucket/${transfer:UserName}"}] 

also tried below but no luck

HomeDirectoryDetails = = [{"Entry":"/folder1","Target":"/s3-bucket/${transfer:UserName}/folder1"},{"Entry":"/folder2","Target":"/s3-bucket/${transfer:UserName}/folder2"}]

User gets permission denied error when try to do "ls" in their home directory

sftp> ls
Couldn't read directory: Permission denied
1 Antwort
0

Hello,

If you try to remove the condition "s3:ExistingObjectTag/allowdownload" from the "s3:GetObject" permission, are you still getting the "Permission Denied" error when listing?

AWS
beantwortet vor einem Jahr
  • Hi @Aws-Adrian

    Thanks for reply and apologies for late reply. I have question, if I remove condition, then any object would be downloadable whereas I want only specific tagged objects available to download.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen