Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Getting access denied error for SFTP user

0

I am getting access denied for user when WINSCP tries to list the directory structure, "Error listing directory '/.'"

I have the following policy for user

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::BUCKET234"
]
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::BUCKET234/*"
}
]
}

This is the trust relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "transfer.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

There is no scope down policy, what am i missing ?

Temas
Migración y modernización
Etiquetas
AWS Transfer Family
Idioma
English
avijaws
preguntada hace 3 años6083 visualizaciones
1 Respuesta
0

Hello avijaws,

Based on the error provided it looks like WinSCP is trying to list root "/" and it is failing. If you are not using the restricted option (logical directories) for your User and you try to list the root "/" the operation will give an Access Denied if you do not have permissions to list all the buckets (s3:ListAllMyBuckets).

On WinSCP under Advanced Site Settings of your Session -> Environment -> Directories you can Uncheck the option "Remember last used directory" and also clear the "Remote directory" field so it wont connect to "/".

Another option is to use logical directories or the Restricted option if you are using the AWS Transfer Console. Find your User, edit the configuration, select the bucket and optionally the home directory and click the restricted option. By doing that the user will be restricted (chroot) to his home folder and when WinSCP tries to list the root "/" the content of the home directory will be listed since the root will be mapped to the /bucket/folder.

I hope the above information is helpful. Please feel free to write back if you still have issues.

Kind regards,
Panagiotis

AWS-User-0349305
respondido hace 3 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante