AWS Transfer Family does not use S3 default encryption - SFTP - access denied

0

Hi, I have AWS Transfer Family configured on a private S3 backend storage with default encryption enabled. I'm able to download the files from S3, but uploading files throws an access denied error. We have precisely the same problem for buckets with default encryption set to either SSE-S3, SSE-KMS (s3 alias) or CMK. The role policy associated with a Transfer Family user grants full access to S3 and the CMK key as well. To verify the policy associated with the role, I assumed a role with the same policy and executed the 'aws s3 cp' command, which completes successfully as long as I provide the '--sse' server-side encryption arguments. Could it be that AWS Transfer Family does not pass along the correct server-side encryption information when uploading files?

Regards, Chris

5 answers
1
Accepted answer

OK, it turned out that we have an SCP that requires us to include the x-amz-server-side-encryption header on each s3:PutObject. Since that is not what AWS Transfer Family does, we're getting that access denied error. So the solution is to exclude the Transfer Family service from that SCP.

answered a year ago
0

Have you checked the server logs? If you see the error below, you must specify additional permissions in your policy to grant the required AWS Key Management Service (AWS KMS) permissions. For details, see the link below:

https://docs.aws.amazon.com/transfer/latest/userguide/encryption-at-rest.html

ERROR Message="Access denied" Operation=CLOSE Path=/bucket/user/test.txt BytesIn=13 ERROR Message="Access denied"

Sachin
answered a year ago
  • Yes, I'm getting the following error in the server logs. ERROR Message="Access denied" Operation=CLOSE Path=/sftp2/abc/test.txt BytesIn=194

    However, the bucket key is specified in the policy:

    {
        "Sid": "EncryptionInAWSTransferFamily",
        "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey" ],
        "Effect": "Allow",
        "Resource": "arn:aws:kms:eu-north-1::key/<key-id>"
    }

    Also, the IAM role that is used for the user is allowed in the AWS KMS key policy.

0

Could it be the Key Policy does not allow the role?

Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key. Without permission from the key policy, IAM policies that allow permissions have no effect. 
kentrad (AWS Expert)
answered a year ago
0

Make sure you gave the user the right access on the key used in S3.

Sachin
answered a year ago
0

I have the same issue uploading files through the SFTP server to the S3 bucket: I get an "Access Denied" error. I can already download existing files successfully from the SFTP server which are encrypted in the S3 bucket, so the KMS key access works. It also works with the same configuration in our old AWS account (all KMS permissions granted to the IAM role and within the KMS key policy). Probably there were no SCP policies enabled in that old AWS account.

Our problem might be caused by our SCP policy as well that enforces x-amz-server-side-encryption header

We also can't upload new files to the S3 bucket using the AWS console; it only works if we set the hidden option "Properties" -> "Server-side encryption" -> "Specify an encryption key" -> "Use bucket settings for default encryption". Similarly, when using the AWS CLI we have to set the additional parameters, otherwise we get Access Denied as well:

    aws s3 cp [...] --sse aws:kms
    aws s3api put-object [...] --server-side-encryption aws:kms

MK
answered 7 months ago
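The accepted answer and MK's post describe the same mechanism: an SCP that denies s3:PutObject unless the request carries the x-amz-server-side-encryption header, which Transfer Family, the S3 console and aws s3 cp without --sse do not send because they rely on the bucket's default encryption. The Python below is an added example, not code from the thread or from AWS. It embeds three constructed SCPs and a small evaluator for the condition operators they use, then checks which constructed PutObject requests each SCP denies. The role ARNs, the object path and the "transfer-*" role-naming convention used for the carve-out are assumptions; the thread does not say how the exclusion was implemented. The evaluator applies the documented IAM rule for a condition key that is missing from the request context: Null tests presence, other positive operators evaluate to false, and negated operators evaluate to true.

```python
"""Why an SCP that requires the x-amz-server-side-encryption header on
s3:PutObject blocks AWS Transfer Family uploads, and two ways to fix it.
Added example: the SCPs, role ARNs and requests are constructed, not from the thread."""
import fnmatch

# Constructed SCP in the shape the accepted answer describes: deny any
# s3:PutObject that does not carry the x-amz-server-side-encryption header.
SCP_REQUIRE_HEADER = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyPutObjectWithoutSSEHeader",
    "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
    "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
}]}

# Fix 1, the accepted answer's approach expressed as a principal carve-out:
# the same Deny, but not for the roles Transfer Family assumes.  Assumes those
# roles follow a "transfer-*" naming convention (hypothetical).
SCP_WITH_CARVE_OUT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyPutObjectWithoutSSEHeader",
    "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
    "Condition": {
        "Null": {"s3:x-amz-server-side-encryption": "true"},
        "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/transfer-*"},
    },
}]}

# Fix 2: deny only an *explicit* non-KMS choice.  A request with no header is
# left alone and picks up the bucket's default encryption, which is what
# Transfer Family and the S3 console rely on.  The SCP alone then no longer
# proves encryption, so pair it with default encryption on every bucket.
SCP_DENY_EXPLICIT_NON_KMS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyExplicitNonKmsEncryption",
    "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
    "Condition": {
        "Null": {"s3:x-amz-server-side-encryption": "false"},
        "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"},
    },
}]}


def _condition_matches(operator, key, expected, ctx):
    """One condition entry, with IAM's rules for a key missing from the request
    context: Null tests presence; other positive operators are false and
    negated ("...Not...") operators are true.  Only the operators used above."""
    present = key in ctx
    if operator == "Null":
        return (not present) if expected == "true" else present
    if not present:
        return "Not" in operator
    if operator == "StringNotEquals":
        return ctx[key] != expected
    if operator == "ArnNotLike":
        return not fnmatch.fnmatchcase(ctx[key], expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def _statement_matches(stmt, request):
    # Resource is "*" in every SCP above, so only Action and Condition decide.
    if not fnmatch.fnmatchcase(request["action"], stmt["Action"]):
        return False
    # Every operator/key pair inside one Condition block must match (AND).
    return all(_condition_matches(op, key, exp, request["context"])
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def denying_sids(scp, request):
    """Sids of the Deny statements in scp that match request.  An empty list
    means this SCP does not block the call; the identity policy still has to
    allow it, because an SCP never grants anything."""
    return [s["Sid"] for s in scp["Statement"]
            if s["Effect"] == "Deny" and _statement_matches(s, request)]


def put_object(principal_arn, sse=None):
    """Request context for one PutObject; sse=None means no
    x-amz-server-side-encryption header was sent."""
    ctx = {"aws:PrincipalArn": principal_arn}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    return {"action": "s3:PutObject", "context": ctx}


TRANSFER_ROLE = "arn:aws:iam::111122223333:role/transfer-sftp-users"  # hypothetical
ADMIN_ROLE = "arn:aws:iam::111122223333:role/data-admin"              # hypothetical
# Transfer Family writes through the user's role and, per the accepted answer,
# sends no encryption header; the CLI only sends one when --sse is given.
TRANSFER_UPLOAD = put_object(TRANSFER_ROLE)
CLI_SSE_KMS = put_object(ADMIN_ROLE, "aws:kms")
CLI_SSE_S3 = put_object(ADMIN_ROLE, "AES256")
CLI_NO_SSE = put_object(ADMIN_ROLE)

if __name__ == "__main__":
    for name, scp in (("require header", SCP_REQUIRE_HEADER),
                      ("carve-out", SCP_WITH_CARVE_OUT),
                      ("explicit non-KMS", SCP_DENY_EXPLICIT_NON_KMS)):
        for label, req in (("transfer", TRANSFER_UPLOAD), ("cli kms", CLI_SSE_KMS),
                           ("cli aes256", CLI_SSE_S3), ("cli none", CLI_NO_SSE)):
            print(f"{name:17} {label:11} denied by {denying_sids(scp, req)}")
```

Running the file prints one line per SCP and request. Under the original SCP the Transfer Family upload and the plain `aws s3 cp` are denied while `--sse aws:kms` passes, which is exactly the symptom in the question. The carve-out keeps the original control for every other principal. The second variant drops the header requirement and only rejects an explicitly non-KMS choice, so its guarantee is only as strong as the default encryption configured on each bucket; S3 applies SSE-S3 to new objects by default since January 2023, but a CMK still has to be set per bucket.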
