3 answers
0
Firstly, please edit your question to remove the bucket name (obfuscate it and call it something like mybucket instead).
Looking at the actions in the policy and cross-referencing with https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions
- "Action": [ "s3:ListBucket" ] grants permission to list some or all of the objects in an Amazon S3 bucket (which is what you want for the LIST)
- "Action": [ "s3:PutObject" ] grants permission to add an object to a bucket (which I think you may also want for WRITE)
- "Action": [ "s3:GetObject" ] grants permission to retrieve objects from Amazon S3 (which you don't want for GET)
Consider amending the policy to remove the GetObject permission.
0
If I remove "Action": [ "s3:GetObject" ], in that case the SFTP user of Transfer Family cannot connect to the directory.
answered 7 months ago
If I remove "Action": [ "s3:GetObject" ], in that case the SFTP user of Transfer Family cannot connect to the directory.
OK, it's actually more nuanced than that: the policy still needs to maintain GetObject for prefixes (so, essentially, you can list the contents of folders), but not for objects (by which we mean files). See https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#write-only-access
This is exactly what you want, isn't it? The policy fragment at the foot of that page is what you need, in particular the DenyIfNotFolder part.
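To make the folder-versus-file distinction in the answer above concrete, here is an added example that is not part of the original thread and not AWS's own sample policy: a small Python evaluator run against a constructed write-only style session policy. The bucket, user and object names are assumptions of the example. Its DenyIfNotFolder statement denies s3:GetObject on any key that does not end in "/", which is one way to express the split the answer describes; the evaluator models only Effect, Action, Resource and NotResource (no Condition blocks), and the ${transfer:...} variables come from a fixed dict. The last function also shows what happens with the naive fix from the comment (dropping GetObject entirely): reads of folder placeholders fall to an implicit deny.

```python
"""Simplified IAM-style evaluation of a Transfer Family session policy.

Added example: the policy is constructed to illustrate "GetObject on folder
prefixes, not on files", not copied from AWS. Only Effect, Action, Resource
and NotResource are evaluated; Condition blocks are ignored. Names below are
constructed."""
import copy
import fnmatch
from typing import Dict

# Values Transfer Family would normally fill in per session (constructed).
SESSION_VARS: Dict[str, str] = {
    "transfer:HomeBucket": "mybucket",
    "transfer:HomeDirectory": "mybucket/home/alice",
}

# Write-only style policy: LIST and PUT allowed, GET only on "folder"
# objects, i.e. keys ending in "/". Illustrative, not AWS's text.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"]},
        {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::${transfer:HomeDirectory}/*"]},
        {"Sid": "DenyIfNotFolder", "Effect": "Deny",
         "Action": ["s3:GetObject"],
         # Any key that does not end in "/" is a file: deny GET on it.
         "NotResource": ["arn:aws:s3:::${transfer:HomeBucket}/*/"]},
    ],
}


def substitute(value: str, variables: Dict[str, str]) -> str:
    """Expand ${name} placeholders with the session's values."""
    for name, val in variables.items():
        value = value.replace("${" + name + "}", val)
    return value


def matches(patterns, target: str, variables: Dict[str, str]) -> bool:
    """IAM-style wildcard match: '*' spans any characters (including '/'),
    '?' matches one character. fnmatchcase has exactly these semantics."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(target, substitute(p, variables))
               for p in patterns)


def evaluate(policy, action: str, resource_arn: str,
             variables: Dict[str, str] = SESSION_VARS) -> str:
    """Explicit Deny wins; else Allow if any Allow statement matches; else
    ImplicitDeny. A NotResource statement matches when the ARN is NOT listed."""
    allowed = False
    for stmt in policy["Statement"]:
        if not matches(stmt["Action"], action, {}):
            continue
        if "Resource" in stmt:
            hit = matches(stmt["Resource"], resource_arn, variables)
        else:
            hit = not matches(stmt["NotResource"], resource_arn, variables)
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def sftp_checks(policy=POLICY) -> Dict[str, str]:
    """Requests an SFTP session issues (constructed): a LIST, an upload, reads
    of folder placeholders, a download, and a write outside the home dir."""
    bucket = "arn:aws:s3:::" + SESSION_VARS["transfer:HomeBucket"]
    home = "arn:aws:s3:::" + SESSION_VARS["transfer:HomeDirectory"]
    requests = {
        "list bucket": ("s3:ListBucket", bucket),
        "upload file": ("s3:PutObject", home + "/report.csv"),
        "read home folder placeholder": ("s3:GetObject", home + "/"),
        "read subfolder placeholder": ("s3:GetObject", home + "/2024/"),
        "download file": ("s3:GetObject", home + "/report.csv"),
        "write outside home": ("s3:PutObject", bucket + "/home/bob/x.txt"),
    }
    return {label: evaluate(policy, a, r) for label, (a, r) in requests.items()}


def without_get_object(policy=POLICY):
    """The naive fix from the thread: drop s3:GetObject from every Allow
    statement. Folder placeholder reads then fall to ImplicitDeny."""
    p = copy.deepcopy(policy)
    for stmt in p["Statement"]:
        if stmt["Effect"] == "Allow":
            stmt["Action"] = [a for a in stmt["Action"] if a != "s3:GetObject"]
    return p


if __name__ == "__main__":
    for label, decision in sftp_checks().items():
        print(f"{label:30s} {decision}")
    print("after removing GetObject, folder read:",
          sftp_checks(without_get_object())["read home folder placeholder"])
```

Note the ordering-independent semantics: the download is denied even though an Allow statement also matches it, because an explicit Deny always wins, while the folder placeholder read survives only because it is excluded from the NotResource list. Real session policies add Condition blocks (for example s3:prefix on ListBucket) that this toy evaluator does not model.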