En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

AWS Transfer Family - SFTP File Downloading Issue

1

I have the below Policy for SFTP users, Customer wants WRITE and LIST without GET. Using the below policy, still I can download the file. Can you please give me some suggestion about this.

{ "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": "arn:aws:s3:::mybucket", "Sid": "AllowListingOfUserFolder" }, { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket/" ], "Sid": "InboundDirObjectAccess" }, { "Action": [ "s3:PutObject", "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket///folder1/", "arn:aws:s3:::mybucket///folder2/" ], "Sid": "InboundDirObjectDenyobject" }, { "Action": "s3:PutObject", "Condition": { "StringLikeIfExists": { "s3:delimiter": [ "/" ] } }, "Effect": "Deny", "Resource": "arn:aws:s3:::mybucket//", "Sid": "DenyCreattionFolder" } ] }

Sujets
Migration et modernisationSécurité, identité et conformité
Balises
Transfert de famille AWSPolitiques IAM
Langue
English
nurunnubi
demandé il y a 7 mois388 vues
3 réponses
0
Réponse acceptée

Thanks @Steve_M It's works

nurunnubi
répondu il y a 7 mois
0

Firstly, please edit your question to remove the bucket name (obfuscate it and call it something like mybucket instead).

Looking at the actions in the policy and cross-referencing with to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions

  • "Action": [ "s3:ListBucket" grants permission to list some or all of the objects in an Amazon S3 bucket (which is what you want for the LIST)
  • "Action": [ "s3:PutObject" grants permission to add an object to a bucket (which I think you may also want for WRITE)
  • "Action": [ "s3:GetObject" grants permission to retrieve objects from Amazon S3 (which you don't want for GET)

Consider amending the policy to remove the GetObject permission.

profile picture
EXPERT
Steve_M
répondu il y a 7 mois
profile pictureAWS
EXPERT
Didier_Durand
vérifié il y a 7 mois
  • nurunnubi
    il y a 7 mois

    if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.

  • Steve_M EXPERT
    il y a 7 mois

    OK, it's actually more nuanced than that, the policy still need to maintain GetObject for prefixes (so, essentially, you can list the contents of folders), but not for objects (by which we mean files). See https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#write-only-access

    provide access to write/upload and list objects in a bucket, but not read/download

    This is exactly what you want isn't it? The policy fragment at the foot of that page is what you need, in particular the DenyIfNotFolder part.

0

if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.

nurunnubi
répondu il y a 7 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents