En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

AWS Transfer Family - SFTP File Listing issue

0

We are working on migrating SFTP from Azure to AWS and have come across the following issue. we are looking a solution from expertise

Requirement:

  1. SFTP Users should not be permitted to create new folders/directories.
  2. SFTP users should not be able list files in a directory, only write files.

Using the IAM policy provided below, we are able to achieve the first but not the second requirement.

If we uncomment out the statement for 'DenyListingObject', we are able to deny listing files but are not unable to upload. Do you know how we can get #2 to work?

SFTP user Policy:

policy = jsonencode({ Statement = [ { Sid = "AllowListingOfUserFolder", Action = [ "s3:ListBucket", "s3:GetBucketLocation" ] Effect = "Allow" Resource = "arn:aws:s3:::${var.sftp_bucket_name}" }, { Sid = "InboundDirObjectAccess", Action = [ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion", ] Effect = "Allow" Resource = [ "arn:aws:s3:::${var.sftp_bucket_name}/*" ] },

    # {
    #     Sid = "DenyLisitingObject"
    #     Effect= "Deny",
    #     Action = [
    #         "s3:ListObject"
    #     ]
    #     Resource = "arn:aws:s3:::${var.sftp_bucket_name}/*/",
    #     Condition = {
    #         "StringLikeIfExists": {
    #             "s3:delimiter": ["/"]
    # }
    #     }

    #     },

 {
        Sid = "DenyCreattionFolder",
        Effect= "Deny",
        Action = "s3:PutObject",
        Resource= "arn:aws:s3:::${var.sftp_bucket_name}/*/",
        Condition = {
            "StringLikeIfExists": {
                "s3:delimiter": ["/"]
            }
        }
    }

]

}) }

Sujets
Migration et modernisationSécurité, identité et conformité
Balises
Transfert de famille AWSPolitiques IAM
Langue
English
nurunnubi
demandé il y a 7 mois442 vues
3 réponses
0
Réponse acceptée

Transfer Family's current permission model does not support your need for write only access (#2). Can you send me a message at yoonmsuh@amazon.com so I can better understand your use case and raise a PFR on your behalf? Thank you

AWS
EXPERT
AWSTransferFamily-SY
répondu il y a 7 mois
profile picture
EXPERT
Giovanni Lauria
vérifié il y a un mois
0

Thank you!! I already sent email to you about the details request. Let us know, if you need any more information.

nurunnubi
répondu il y a 7 mois
0

For write-only via Transfer Service, a workaround I've implemented is to use KMS encryption on the bucket, but only grant "encrypt" to the key for the role used.

While the IAM policy still has to have getobject permissions, the lack of "decrypt" on the key prevents downloading.

It would be nice if Transfer Service natively supported this. Without "GetObject" sftp users cannot list (despite having ListBucket), which we need.

Aaron Dodd
répondu il y a 2 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents