AWS File Transfer Logical directory Structure


Hi All,

We are trying to set up a simple directory structure in an S3 bucket for each user when they log in to the AWS File Transfer SFTP server.

  1. ${transfer:UserName}/folder1
  2. ${transfer:UserName}/folder2

We have Active Directory group A access added to the File Transfer server, so only group A users will be able to access the file transfer server.

As soon as a user logs in to SFTP, the user should be able to see both child directories under his/her home directory and transfer files to the respective directory.

Please advise how to achieve this.

1 answer

Hello,

Greetings of the day!

I can see that you need guidance on setting up permissions for a user to access Transfer for SFTP.

I would like to mention that you can control a user's access to AWS Transfer Family resources by using an AWS Identity and Access Management (IAM) policy. An IAM policy is a statement, typically in JSON format, that allows a certain level of access to a resource. You use an IAM policy to define which file operations you want to allow your users to perform and which you do not. You can also use an IAM policy to define which Amazon S3 bucket or buckets you want to give your users access to. To specify these policies for users, you create an IAM role for AWS Transfer Family that has the IAM policy and trust relationship associated with it.

Please refer to the documents below, as they provide detailed information on granting access.

[+] Managing access controls - https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html

[+] Creating a session policy for an Amazon S3 bucket - https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#users-policies-session

[+] https://docs.aws.amazon.com/transfer/latest/userguide/logical-dir-mappings.html

[+] https://aws.amazon.com/blogs/apn/designing-a-multi-tenant-sftp-server-with-aws-transfer-family/

[+] https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/

Further, I request that you open a support case if you need any further assistance.

AWS
Support Engineer
Rohan_S
answered a year ago
  • Hi Rohan,

    Thanks for the reply. I went through the documents and added the access policy and IAM role as well, but it is not working as expected.

    We have set up the AWS File Transfer server with AWS Directory Service (connected to Microsoft AD) authentication. As per the use case, once a user logs in to SFTP, the user should be able to see two directories within their own folder: {username}/folder1 and {username}/folder2

    I have set up the access policy and IAM policy below (attached to S3).

    create-access CLI:

    aws transfer create-access \
      --home-directory-type LOGICAL \
      --home-directory-mappings '[{"Entry":"/folder1","Target":"/bucket_name/${transfer:UserName}/folder1"},{"Entry":"/folder2","Target":"/bucket_name/${transfer:UserName}/folder2"}]' \
      --role arn:aws:iam::account_id:role/iam_role \
      --server-id s-1234567876454ert \
      --external-id S-1-2-34-56789123-12345678-1234567898-1234

    The access policy was created successfully.

    The IAM role below is attached to the S3 bucket and file-transfer server.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
          "Resource": ["arn:aws:s3:::bucket_name"],
          "Effect": "Allow",
          "Sid": "ReadWriteS3"
        },
        {
          "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
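The following is an added example, not code from the question, the answer, or AWS. It builds the two artifacts this thread is about for a LOGICAL home directory: the `--home-directory-mappings` list and a per-user policy written with the `${transfer:UserName}` variable, which Transfer Family resolves at login time in a session (scope-down) policy such as the one described in the "Creating a session policy" document linked above. It then runs a small local evaluator over that policy so you can see which S3 requests a given AD user would be allowed to make. Assumptions: the bucket is `bucket_name` and the folders are `folder1` and `folder2` (placeholders copied from the question); the usernames `alice` and `bob` and the object keys are constructed for the demonstration. The evaluator models only the `StringLike`/`s3:prefix` condition the policy uses, not full IAM semantics.

```python
"""Logical directory mappings plus a prefix-scoped session policy for an
AWS Transfer Family SFTP user, with a local evaluator showing which S3
requests the policy admits for a given username.

Added example for this thread, not code from the question or the answer.
Assumed placeholders: bucket "bucket_name", folders folder1/folder2,
users "alice" and "bob".
"""
import fnmatch
import json

USER_VAR = "${transfer:UserName}"


def build_home_directory_mappings(bucket, folders):
    """Value for --home-directory-mappings: Entry is the path the SFTP user
    sees under /, Target is the real S3 location it is chrooted to."""
    return [{"Entry": f"/{f}", "Target": f"/{bucket}/{USER_VAR}/{f}"}
            for f in folders]


def build_session_policy(bucket, folders):
    """Least-privilege policy: listing is limited with an s3:prefix condition
    to the caller's own mapped folders, and object operations to keys under
    those folders, so one AD user cannot list or read another user's data."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnFolders",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {
                    "s3:prefix": [f"{USER_VAR}/{f}/*" for f in folders]}},
            },
            {
                "Sid": "BucketLocation",
                "Effect": "Allow",
                "Action": ["s3:GetBucketLocation"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "ObjectAccessInOwnFolders",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                           "s3:DeleteObjectVersion", "s3:GetObjectVersion"],
                "Resource": [f"arn:aws:s3:::{bucket}/{USER_VAR}/{f}/*"
                             for f in folders],
            },
        ],
    }


def _resolve(node, username):
    """Substitute ${transfer:UserName} in every string of the policy."""
    if isinstance(node, str):
        return node.replace(USER_VAR, username)
    if isinstance(node, list):
        return [_resolve(n, username) for n in node]
    if isinstance(node, dict):
        return {k: _resolve(v, username) for k, v in node.items()}
    return node


def _like(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters including '/',
    # '?' matches one character. fnmatchcase also treats '[...]' as a class,
    # which IAM does not; the names used here contain no brackets.
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def simulate(policy, username, action, resource, prefix=None):
    """Evaluate one S3 request made on the user's behalf: default deny,
    explicit Deny wins. A ListBucket call without a prefix carries no
    s3:prefix key and therefore fails the StringLike condition, as in IAM."""
    allowed = False
    for st in _resolve(policy, username)["Statement"]:
        if not any(_like(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_like(r, resource) for r in _as_list(st["Resource"])):
            continue
        wanted = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None:
            if prefix is None or not any(_like(p, prefix) for p in _as_list(wanted)):
                continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    folders = ["folder1", "folder2"]
    print(json.dumps(build_home_directory_mappings("bucket_name", folders)))
    pol = build_session_policy("bucket_name", folders)
    print(json.dumps(pol, indent=2))
    # "ls /folder1" as alice becomes a ListObjects call with prefix alice/folder1/
    print(simulate(pol, "alice", "s3:ListBucket", "arn:aws:s3:::bucket_name",
                   prefix="alice/folder1/"))   # True
    print(simulate(pol, "alice", "s3:GetObject",
                   "arn:aws:s3:::bucket_name/bob/folder1/report.csv"))  # False
```

Compared with the policy posted in the comment, this one does not grant `s3:ListBucket` on the whole bucket without a condition: with the prefix condition, a user whose mapping is `/folder1` can list `alice/folder1/` but not `bob/folder1/` even if they construct the request by hand. The mapping list is what `aws transfer create-access --home-directory-mappings` expects, and the policy can be handed to the same command's `--policy` option for the scope-down case.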
