Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

AWS Transfer Family - SFTP File Listing issue

0

We are working on migrating SFTP from Azure to AWS and have come across the following issue. we are looking a solution from expertise

Requirement:

  1. SFTP Users should not be permitted to create new folders/directories.
  2. SFTP users should not be able list files in a directory, only write files.

Using the IAM policy provided below, we are able to achieve the first but not the second requirement.

If we uncomment out the statement for 'DenyListingObject', we are able to deny listing files but are not unable to upload. Do you know how we can get #2 to work?

SFTP user Policy:

policy = jsonencode({ Statement = [ { Sid = "AllowListingOfUserFolder", Action = [ "s3:ListBucket", "s3:GetBucketLocation" ] Effect = "Allow" Resource = "arn:aws:s3:::${var.sftp_bucket_name}" }, { Sid = "InboundDirObjectAccess", Action = [ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion", ] Effect = "Allow" Resource = [ "arn:aws:s3:::${var.sftp_bucket_name}/*" ] },

    # {
    #     Sid = "DenyLisitingObject"
    #     Effect= "Deny",
    #     Action = [
    #         "s3:ListObject"
    #     ]
    #     Resource = "arn:aws:s3:::${var.sftp_bucket_name}/*/",
    #     Condition = {
    #         "StringLikeIfExists": {
    #             "s3:delimiter": ["/"]
    # }
    #     }

    #     },

 {
        Sid = "DenyCreattionFolder",
        Effect= "Deny",
        Action = "s3:PutObject",
        Resource= "arn:aws:s3:::${var.sftp_bucket_name}/*/",
        Condition = {
            "StringLikeIfExists": {
                "s3:delimiter": ["/"]
            }
        }
    }

]

}) }

Temas
Migración y modernizaciónSeguridad, identidad y cumplimiento
Etiquetas
AWS Transfer FamilyPolíticas de IAM
Idioma
English
nurunnubi
preguntada hace 7 meses443 visualizaciones
3 Respuestas
0
Respuesta aceptada

Transfer Family's current permission model does not support your need for write only access (#2). Can you send me a message at yoonmsuh@amazon.com so I can better understand your use case and raise a PFR on your behalf? Thank you

AWS
EXPERTO
AWSTransferFamily-SY
respondido hace 7 meses
profile picture
EXPERTO
Giovanni Lauria
revisado hace 2 meses
0

Thank you!! I already sent email to you about the details request. Let us know, if you need any more information.

nurunnubi
respondido hace 7 meses
0

For write-only via Transfer Service, a workaround I've implemented is to use KMS encryption on the bucket, but only grant "encrypt" to the key for the role used.

While the IAM policy still has to have getobject permissions, the lack of "decrypt" on the key prevents downloading.

It would be nice if Transfer Service natively supported this. Without "GetObject" sftp users cannot list (despite having ListBucket), which we need.

Aaron Dodd
respondido hace 2 meses

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante