AWS File Transfer IAM Role Access.

Hi, I am trying to set up an AWS File Transfer SFTP server. Here is my requirement:

  1. Users must be authenticated via a third-party identity provider, which is Azure authentication in our case.
  2. Once a user is logged in, they should see two folders in their home directory, i.e. {transfer:user}/folder1 and {transfer:user}/folder2.
  3. Users should be restricted to putting files in either folder1 or folder2, not in their home directory.
  4. Users should be able to download files only if a specific tag is set on the object/file in S3.

So far, I am able to achieve Step 1 and Step 2. Step 1: custom authentication using Lambda. Step 2: once the user is authenticated successfully, Lambda creates folder1 and folder2 in their home directory. But when the user logs into their home directory they are not able to see folder1 and folder2, although I can see that the folders were created successfully in the S3 bucket.

Here is the IAM role attached to the Transfer server; I am not able to figure out what's wrong with it. Any help would be appreciated.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteS3",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ]
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/allowdownload": "yes"
                }
            },
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Effect": "Allow",
            "Sid": "DownloadAllowed"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/allowdownload": "no"
                }
            },
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Effect": "Deny",
            "Sid": "DownloadNotAllowed"
        },
        {
            "Sid": "DenyMkdir",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::s3-bucket/*/*/"
        }
    ]
}

Within the Lambda where user authentication happens, I am returning the user's home directory:

HomeDirectoryDetails = [{"Entry":"/","Target":"/s3-bucket/${transfer:UserName}"}] 

I also tried the below, but no luck:

HomeDirectoryDetails = [{"Entry":"/folder1","Target":"/s3-bucket/${transfer:UserName}/folder1"},{"Entry":"/folder2","Target":"/s3-bucket/${transfer:UserName}/folder2"}]

The user gets a permission denied error when they try to run "ls" in their home directory:

sftp> ls
Couldn't read directory: Permission denied
1 answer

Hello,

If you try to remove the condition "s3:ExistingObjectTag/allowdownload" from the "s3:GetObject" permission, are you still getting the "Permission Denied" error when listing?

AWS
answered a year ago
  • Hi @Aws-Adrian

    Thanks for the reply and apologies for the late reply. I have a question: if I remove the condition, then any object would be downloadable, whereas I want only specifically tagged objects to be available for download.
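The pieces the question and the follow-up comment are juggling (a Lambda identity provider response with logical directories, a listing permission, upload restricted to the two subfolders, and download gated by the allowdownload tag) fit together as follows. This is an added example written for this thread, not the poster's Lambda and not AWS sample code. It assumes the bucket name from the question, a placeholder role ARN, a stand-in check_idp() in place of the poster's Azure check, and it performs no network calls. Two points it relies on are documented Transfer Family behaviour: HomeDirectoryDetails only takes effect when HomeDirectoryType is "LOGICAL", and both HomeDirectoryDetails and Policy are returned as JSON strings, not as lists or dicts. It also keeps the tag condition the comment is worried about: objects without allowdownload=yes simply match no Allow statement, so they are denied without needing the separate "no" Deny statement from the posted policy.

```python
# Added example (not the poster's Lambda or AWS sample code): a Transfer Family
# custom identity provider handler that returns
#   - a LOGICAL home directory exposing only /folder1 and /folder2,
#   - a per-user session policy that lists only the user's own prefix, allows
#     PutObject only under folder1/ and folder2/ (never the home root), and
#     allows GetObject only on objects tagged allowdownload=yes.
# Bucket name is taken from the question; ROLE_ARN and check_idp() are
# assumptions (placeholders). No AWS calls are made, so this runs offline.
import json

BUCKET = "s3-bucket"                                           # from the question
ROLE_ARN = "arn:aws:iam::123456789012:role/transfer-user-role"  # placeholder ARN
SUBFOLDERS = ("folder1", "folder2")


def check_idp(username, password):
    """Stand-in for the poster's Azure authentication (assumption).
    Accepts one constructed test user only."""
    return username == "alice" and password == "correct-horse"


def build_session_policy(bucket, username):
    """Scope-down (session) policy for one user. The concrete user name is
    substituted because the handler already knows it; the same shape works in
    the role policy with ${transfer:UserName} in place of the name."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing restricted to the user's own prefix; this is what `ls` needs
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [username, f"{username}/*"]}},
            },
            {   # uploads only inside folder1/ and folder2/; no statement allows a
                # put at the home root, so that is denied by default
                "Sid": "PutIntoSubfoldersOnly",
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": [f"arn:aws:s3:::{bucket}/{username}/{d}/*" for d in SUBFOLDERS],
            },
            {   # downloads gated by the object tag; untagged or "no" objects match
                # no Allow and are therefore denied without an explicit Deny
                "Sid": "DownloadIfTagged",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/{username}/*",
                "Condition": {"StringEquals": {"s3:ExistingObjectTag/allowdownload": "yes"}},
            },
        ],
    }


def build_home_directory_details(bucket, username):
    """Logical directory mapping: the user sees /folder1 and /folder2 at the root."""
    return [{"Entry": f"/{d}", "Target": f"/{bucket}/{username}/{d}"} for d in SUBFOLDERS]


def lambda_handler(event, context=None):
    """Handler in the shape Transfer Family invokes for a Lambda identity
    provider. An empty dict means authentication failed. On success the
    HomeDirectoryDetails and Policy fields are JSON strings, and
    HomeDirectoryType is LOGICAL so that HomeDirectoryDetails is honoured."""
    username = event.get("username", "")
    if not check_idp(username, event.get("password", "")):
        return {}
    return {
        "Role": ROLE_ARN,
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryDetails": json.dumps(build_home_directory_details(BUCKET, username)),
        "Policy": json.dumps(build_session_policy(BUCKET, username)),
    }


if __name__ == "__main__":
    # constructed event in the shape Transfer Family sends to the identity provider
    event = {"username": "alice", "password": "correct-horse", "protocol": "SFTP"}
    print(json.dumps(lambda_handler(event), indent=2))
```

The folder marker objects the poster's Lambda creates (username/folder1/ and username/folder2/) would be written with the Lambda's own execution role, so the session policy above, which never allows a put at the home root, does not interfere with that step.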
