AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

AWS Transfer Family - SFTP File Listing issue

0

We are working on migrating SFTP from Azure to AWS and have come across the following issue. we are looking a solution from expertise

Requirement:

  1. SFTP Users should not be permitted to create new folders/directories.
  2. SFTP users should not be able list files in a directory, only write files.

Using the IAM policy provided below, we are able to achieve the first but not the second requirement.

If we uncomment out the statement for 'DenyListingObject', we are able to deny listing files but are not unable to upload. Do you know how we can get #2 to work?

SFTP user Policy:

policy = jsonencode({ Statement = [ { Sid = "AllowListingOfUserFolder", Action = [ "s3:ListBucket", "s3:GetBucketLocation" ] Effect = "Allow" Resource = "arn:aws:s3:::${var.sftp_bucket_name}" }, { Sid = "InboundDirObjectAccess", Action = [ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion", ] Effect = "Allow" Resource = [ "arn:aws:s3:::${var.sftp_bucket_name}/*" ] },

    # {
    #     Sid = "DenyLisitingObject"
    #     Effect= "Deny",
    #     Action = [
    #         "s3:ListObject"
    #     ]
    #     Resource = "arn:aws:s3:::${var.sftp_bucket_name}/*/",
    #     Condition = {
    #         "StringLikeIfExists": {
    #             "s3:delimiter": ["/"]
    # }
    #     }

    #     },

 {
        Sid = "DenyCreattionFolder",
        Effect= "Deny",
        Action = "s3:PutObject",
        Resource= "arn:aws:s3:::${var.sftp_bucket_name}/*/",
        Condition = {
            "StringLikeIfExists": {
                "s3:delimiter": ["/"]
            }
        }
    }

]

}) }

トピック
移行と近代化セキュリティ、アイデンティティ、コンプライアンス
タグ
AWS Transfer FamilyIAM ポリシー
言語
English
nurunnubi
質問済み 7ヶ月前443ビュー
3回答
0
承認された回答

Transfer Family's current permission model does not support your need for write only access (#2). Can you send me a message at yoonmsuh@amazon.com so I can better understand your use case and raise a PFR on your behalf? Thank you

AWS
エキスパート
AWSTransferFamily-SY
回答済み 7ヶ月前
profile picture
エキスパート
Giovanni Lauria
レビュー済み 2ヶ月前
0

Thank you!! I already sent email to you about the details request. Let us know, if you need any more information.

nurunnubi
回答済み 7ヶ月前
0

For write-only via Transfer Service, a workaround I've implemented is to use KMS encryption on the bucket, but only grant "encrypt" to the key for the role used.

While the IAM policy still has to have getobject permissions, the lack of "decrypt" on the key prevents downloading.

It would be nice if Transfer Service natively supported this. Without "GetObject" sftp users cannot list (despite having ListBucket), which we need.

Aaron Dodd
回答済み 2ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ