Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

AWS Transfer Family - SFTP File Downloading Issue

1

I have the below Policy for SFTP users, Customer wants WRITE and LIST without GET. Using the below policy, still I can download the file. Can you please give me some suggestion about this.

{ "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": "arn:aws:s3:::mybucket", "Sid": "AllowListingOfUserFolder" }, { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket/" ], "Sid": "InboundDirObjectAccess" }, { "Action": [ "s3:PutObject", "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket///folder1/", "arn:aws:s3:::mybucket///folder2/" ], "Sid": "InboundDirObjectDenyobject" }, { "Action": "s3:PutObject", "Condition": { "StringLikeIfExists": { "s3:delimiter": [ "/" ] } }, "Effect": "Deny", "Resource": "arn:aws:s3:::mybucket//", "Sid": "DenyCreattionFolder" } ] }

Argomenti
Migrazione e modernizzazioneSicurezza, identità e conformità
Tag
AWS Transfer FamilyPolitiche IAM
Lingua
English
nurunnubi
posta 7 mesi fa388 visualizzazioni
3 Risposte
0
Risposta accettata

Thanks @Steve_M It's works

nurunnubi
con risposta 7 mesi fa
0

Firstly, please edit your question to remove the bucket name (obfuscate it and call it something like mybucket instead).

Looking at the actions in the policy and cross-referencing with to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions

  • "Action": [ "s3:ListBucket" grants permission to list some or all of the objects in an Amazon S3 bucket (which is what you want for the LIST)
  • "Action": [ "s3:PutObject" grants permission to add an object to a bucket (which I think you may also want for WRITE)
  • "Action": [ "s3:GetObject" grants permission to retrieve objects from Amazon S3 (which you don't want for GET)

Consider amending the policy to remove the GetObject permission.

profile picture
ESPERTO
Steve_M
con risposta 7 mesi fa
profile pictureAWS
ESPERTO
Didier_Durand
verificato 7 mesi fa
  • nurunnubi
    7 mesi fa

    if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.

  • Steve_M ESPERTO
    7 mesi fa

    OK, it's actually more nuanced than that, the policy still need to maintain GetObject for prefixes (so, essentially, you can list the contents of folders), but not for objects (by which we mean files). See https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#write-only-access

    provide access to write/upload and list objects in a bucket, but not read/download

    This is exactly what you want isn't it? The policy fragment at the foot of that page is what you need, in particular the DenyIfNotFolder part.

0

if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.

nurunnubi
con risposta 7 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente