How do I troubleshoot an "Access Denied" or "Permission Denied" error for operations on my AWS Transfer Family server?


When I perform read, write, list, or delete operations on my AWS Transfer Family server, I receive an "Access Denied" or "Permission Denied" error.

Resolution

To troubleshoot your Transfer Family configuration, revise the permissions for the associated AWS service.

Amazon S3 permissions

Make sure that the AWS Identity and Access Management (IAM) role and policy for your Transfer Family server grant access to your AWS resources. To grant read/write access to an Amazon Simple Storage Service (Amazon S3) bucket, use the following example IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
        }
    ]
}

Make sure that the role's trust policy allows access to "transfer.amazonaws.com" and looks similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

For more information, see Example read/write access policy.

AWS KMS encryption permissions

To allow encryption in Transfer Family, the IAM role policy attached to the user must grant the required AWS Key Management Service (AWS KMS) permissions.

To grant permissions to use Transfer Family with an Amazon S3 bucket enabled for AWS KMS encryption, use the following example:

{
    "Sid": "Stmt1544140969635",
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:GetPublicKey",
        "kms:ListKeyPolicies"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:kms:region:account-id:key/kms-key-id"
}

For more information, see Data protection and encryption.

Amazon EFS permissions

To use Transfer Family with Amazon Elastic File System (Amazon EFS), the IAM role policy must grant access to your file system.

To grant the IAM role EFS-role-for-transfer the ClientMount (read) and ClientWrite (write) permissions, use the following example policy:

{
    "Version": "2012-10-17",
    "Id": "efs-policy-wizard-8698b356-4212-4d30-901e-ad2030b57762",
    "Statement": [
        {
            "Sid": "Grant-transfer-role-access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/EFS-role-for-transfer"
            },
            "Action": [
                "elasticfilesystem:ClientWrite",
                "elasticfilesystem:ClientMount"
            ]
        }
    ]
}

For more information, see Using AWS Transfer Family to transfer data.
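The S3, trust, AWS KMS, and Amazon EFS policies above all fail in the same way: a required action or resource is missing, so the Transfer Family operation returns "Access Denied". The following added example (not AWS code) is a small offline checker that takes a policy document and a list of required (action, resource) pairs and reports the ones the policy does not allow. It understands Effect, Action, Resource and Principal with IAM's * and ? wildcards; NotAction, NotResource and Condition are not evaluated. The policies embedded in it are the article's own examples, with their placeholder bucket, key and account values; the "missing '/*'" variant is a constructed misconfiguration that scopes object actions to the bucket ARN instead of the objects inside it.

```python
"""Offline check of the policies a Transfer Family server relies on (added example, not AWS code).

Simplified IAM evaluator: Allow/Deny, Action, Resource and Principal with * and ? wildcards.
NotAction, NotResource and Condition are ignored, so treat a clean result as a first pass only.
"""
import copy
import fnmatch

BUCKET = "arn:aws:s3:::amzn-s3-demo-bucket"               # placeholder from the article
KMS_KEY = "arn:aws:kms:region:account-id:key/kms-key-id"  # placeholder from the article
EFS_ROLE = "arn:aws:iam::111122223333:role/EFS-role-for-transfer"

# Policies as shown in the article.
S3_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": [BUCKET]},
        {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
                    "s3:GetObjectVersion", "s3:GetObjectACL", "s3:PutObjectACL"],
         "Resource": BUCKET + "/*"},
    ],
}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "transfer.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": KMS_KEY,
     "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GetPublicKey", "kms:ListKeyPolicies"]}]}
EFS_FS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Grant-transfer-role-access", "Effect": "Allow", "Principal": {"AWS": EFS_ROLE},
     "Action": ["elasticfilesystem:ClientWrite", "elasticfilesystem:ClientMount"]}]}

# What read/write/list/delete over Transfer Family needs, per the article.
S3_REQUIRED = [("s3:ListBucket", BUCKET), ("s3:GetBucketLocation", BUCKET)] + [
    (a, BUCKET + "/*") for a in ("s3:PutObject", "s3:GetObject", "s3:DeleteObject")]
KMS_REQUIRED = [(a, KMS_KEY) for a in ("kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey")]
EFS_REQUIRED = [(a, None) for a in ("elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite")]


def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and Principal values."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches(patterns, value, fold_case=False):
    """True when any IAM pattern (* and ? wildcards) matches value; actions are case-insensitive."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_values(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [v for vals in principal.values() for v in _as_list(vals)]


def _statement_applies(stmt, effect, action, resource, principal):
    """Does this statement carry `effect` for the given action, resource and principal?"""
    if stmt.get("Effect") != effect or not _matches(stmt.get("Action"), action, fold_case=True):
        return False
    # Identity policies name a Resource; resource-based policies (EFS file system policy, role
    # trust policy) omit it because they are attached to the resource itself.
    if resource is not None and "Resource" in stmt and not _matches(stmt["Resource"], resource):
        return False
    if principal is not None:
        values = _principal_values(stmt)
        if "*" not in values and principal not in values:
            return False
    return True


def missing_permissions(policy, required, principal=None):
    """Return the (action, resource) pairs that are not allowed or are explicitly denied."""
    stmts = _as_list(policy.get("Statement"))
    missing = []
    for action, resource in required:
        allowed = any(_statement_applies(s, "Allow", action, resource, principal) for s in stmts)
        denied = any(_statement_applies(s, "Deny", action, resource, principal) for s in stmts)
        if denied or not allowed:
            missing.append((action, resource))
    return missing


def missing_object_suffix(policy):
    """Constructed misconfiguration: object actions scoped to the bucket ARN, without '/*'."""
    bad = copy.deepcopy(policy)
    bad["Statement"][1]["Resource"] = BUCKET
    return bad


if __name__ == "__main__":
    checks = [
        ("S3 role policy", S3_ROLE_POLICY, S3_REQUIRED, None),
        ("S3 role policy missing '/*'", missing_object_suffix(S3_ROLE_POLICY), S3_REQUIRED, None),
        ("role trust policy", TRUST_POLICY, [("sts:AssumeRole", None)], "transfer.amazonaws.com"),
        ("KMS statement", KMS_POLICY, KMS_REQUIRED, None),
        ("EFS file system policy", EFS_FS_POLICY, EFS_REQUIRED, EFS_ROLE),
    ]
    for name, policy, required, principal in checks:
        gaps = missing_permissions(policy, required, principal)
        print(f"{name}: {'OK' if not gaps else 'MISSING ' + ', '.join(a for a, _ in gaps)}")
```

Run it as a script and the "missing '/*'" case reports s3:PutObject, s3:GetObject and s3:DeleteObject as missing while listing still succeeds, which is exactly the pattern behind a server that can list a home directory but not upload to it. Against a live account, feed the same (action, resource) pairs to the IAM API SimulatePrincipalPolicy (in boto3, `iam.simulate_principal_policy(PolicySourceArn=role_arn, ActionNames=[...], ResourceArns=[...])`), which evaluates the policies actually attached to the role instead of a copy pasted into a script.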

Cross-account permissions

To use Transfer Family to access your file system with another AWS account, you must grant the account access to your file system.

For more information, see How do I configure my AWS Transfer Family server to use an Amazon S3 bucket that's in another AWS account?.

AWS OFFICIAL
Updated 4 months ago