AWS File Transfer IAM Role Access.

0

Hi, I am trying to setup AWS File transfer SFTP server. Here is my requirement:

  1. User must be authenticated via third part identity provider which in Azure Authentication in our case.
  2. Once user logged in they should two folder in their homedirectory i.e. {transfer:user}/folder1 and {transfer:user}/folder2
  3. User should be restricted to put files in either folder1 or folder2, not in their home directory.
  4. User should be able download the files only if specific tag is set on object/files in S3

So far, I am able to achieve Step 1 and Step 2 -- Step 1 -- custom authentication using lambda. Step 2 -- Once user authenticated successfully, Lambda will create folder1 and folder2 in their homedirectory. But when user logged into their home-directory they are not able to see folder1 and folder2 in their homedirectory but I can see folders were created successfully in S3 bucket.

Here is IAM role attached to Transfer server and not able to figure out what's wrong with it. Any help would be appreciate.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteS3",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ]
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/allowdownload": "yes"
                }
            },
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Effect": "Allow",
            "Sid": "DownloadAllowed"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/allowdownload": "no"
                }
            },
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Effect": "Deny",
            "Sid": "DownloadNotAllowed"
        },
        {
            "Sid": "DenyMkdir",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::s3-bucket/*/*/"
        }
    ]
}

Within lambda where user authentication happens, I am returning user's homedirectory

HomeDirectoryDetails = [{"Entry":"/","Target":"/s3-bucket/${transfer:UserName}"}] 

also tried below but no luck

HomeDirectoryDetails = = [{"Entry":"/folder1","Target":"/s3-bucket/${transfer:UserName}/folder1"},{"Entry":"/folder2","Target":"/s3-bucket/${transfer:UserName}/folder2"}]

User gets permission denied error when try to do "ls" in their home directory

sftp> ls
Couldn't read directory: Permission denied
1개 답변
0

Hello,

If you try to remove the condition "s3:ExistingObjectTag/allowdownload" from the "s3:GetObject" permission, are you still getting the "Permission Denied" error when listing?

AWS
답변함 일 년 전
  • Hi @Aws-Adrian

    Thanks for reply and apologies for late reply. I have question, if I remove condition, then any object would be downloadable whereas I want only specific tagged objects available to download.

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠