3回答
- 新しい順
- 投票が多い順
- コメントが多い順
0
Firstly, please edit your question to remove the bucket name (obfuscate it and call it something like mybucket instead).
Looking at the actions in the policy and cross-referencing with to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions
"Action": [ "s3:ListBucket"grants permission to list some or all of the objects in an Amazon S3 bucket (which is what you want for the LIST)"Action": [ "s3:PutObject"grants permission to add an object to a bucket (which I think you may also want for WRITE)"Action": [ "s3:GetObject"grants permission to retrieve objects from Amazon S3 (which you don't want for GET)
Consider amending the policy to remove the GetObject permission.
0
if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.
回答済み 7ヶ月前
関連するコンテンツ
AWS公式更新しました 3年前
if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.
OK, it's actually more nuanced than that, the policy still need to maintain GetObject for prefixes (so, essentially, you can list the contents of folders), but not for objects (by which we mean files). See https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#write-only-access
This is exactly what you want isn't it? The policy fragment at the foot of that page is what you need, in particular the DenyIfNotFolder part.