AWS Transfer Family cannot download with S3 Versioning enabled

0

Hi all,

I have enabled S3 versioning on the bucket connected with AWS Transfer Family since I wanted to use the replication feature for a certain folder in the SFTP bucket.
Unfortunately, since I've enabled it I now cannot download any file from the bucket using an SFTP connection. The upload works fine, but the download fails with access denied.

I have a custom identity provider which returns the policy below when the user authenticates:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "user-folder/*",
                        "user-folder"
                    ]
                }
            }
        },
        {
            "Sid": "AWSTransferRequirements",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject*",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}

Edited by: sa-dem on Dec 8, 2020 2:05 PM

sa-dem
Asked 3 years ago, 922 views
3 answers
0

I've also tried to suspend the versioning but still cannot download files.

sa-dem
Answered 3 years ago
0

Hello sa-dem,

Going through the associated scope-down policy, I don't seem to be able to find anything wrong with the policy. You have granted List permissions to your bucket provided the prefix matches the condition statement. Further, you have granted HomeDirectoryObject access for READ/WRITE/DELETE commands. I would say it is a pretty straightforward ScopeDown Policy.

Concerning the Access Denied error for downloads, could you confirm that there are no bucket policies on the S3 bucket or any explicit Deny conditions that might block READ or GetObject actions on the bucket?
Also, could you confirm that the IAM Role associated with the AWS Transfer user has sufficient permissions to access the bucket and the objects? If permissions are missing on the IAM Role, you would experience Access Denied from S3, as ScopeDown Policies do not grant permissions. Rather, they assist you in restricting a particular set of permissions. Therefore, the permissions specified within a ScopeDown policy should be a subset of the permissions present on the IAM Role.
Concerning READ operations, you would need GetObject, GetObjectVersion and GetObjectAcl on both the user's IAM Role and the ScopeDown Policy, as your bucket has versioning enabled. Could you confirm that these permissions are present for the user? If not, could you update and test?

I look forward to your update. If you are still experiencing Access Denied errors, please private message me with the resource details and I would be happy to help out.

Thanks,
Sagar

AWS
Expert
Answered 3 years ago
0

You are totally right, on the Transfer AWS role I only had the s3:*Object permission.

sa-dem
Answered 3 years ago
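The root cause in this thread is the rule Sagar describes: the scope-down (session) policy never grants anything by itself, so the effective permission is the intersection of the Transfer user's IAM role and the session policy, and with versioning enabled a download needs s3:GetObjectVersion (and s3:GetObjectAcl) on both. The following script is an added example, not code from the thread or from AWS: it performs that intersection offline on the Action element only (Resource and Condition are deliberately ignored) and shows why a role that only has the `s3:*Object` pattern from the asker's follow-up lets uploads through but blocks versioned reads. The role policies below are constructed for the example; the session policy statement is the one posted in the question.

```python
import fnmatch

# Session (scope-down) policy statement from the question, trimmed to the
# object-access statement; Resource/Condition are kept for reference only.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject", "s3:GetObject*", "s3:DeleteObjectVersion",
                "s3:DeleteObject", "s3:GetObjectVersion", "s3:GetObjectAcl",
                "s3:PutObjectAcl",
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
        }
    ],
}

# Constructed role policy mirroring the asker's follow-up: only "s3:*Object".
ROLE_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*Object", "Resource": "*"}
    ],
}

# Constructed role policy with the read actions Sagar lists spelled out.
ROLE_POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                "s3:GetObjectAcl", "s3:DeleteObject", "s3:DeleteObjectVersion",
            ],
            "Resource": "*",
        }
    ],
}

# Actions a download from a versioning-enabled bucket needs, per the answer.
READ_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl"]


def action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows(policy: dict, action: str) -> bool:
    """Simplified IAM evaluation on the Action element: an explicit Deny
    matching the action wins; otherwise any matching Allow grants it; with
    no match the result is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(action_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allows(role_policy: dict, session_policy: dict, action: str) -> bool:
    # A session/scope-down policy can only narrow the role: both must allow.
    return policy_allows(role_policy, action) and policy_allows(session_policy, action)


def missing_read_actions(role_policy: dict, session_policy: dict) -> list:
    """Return the versioned-read actions the effective permissions lack."""
    return [a for a in READ_ACTIONS
            if not effective_allows(role_policy, session_policy, a)]


if __name__ == "__main__":
    for label, role in (("before", ROLE_POLICY_BEFORE), ("after", ROLE_POLICY_AFTER)):
        print(label, "upload ok:",
              effective_allows(role, SESSION_POLICY, "s3:PutObject"),
              "missing for download:", missing_read_actions(role, SESSION_POLICY))
```

With the `s3:*Object` role the upload path (`s3:PutObject`) matches but `s3:GetObjectVersion` and `s3:GetObjectAcl` do not, because the pattern must end in "Object"; that is exactly the upload-works-download-fails symptom in the question. The check covers only Action matching, so a bucket policy with an explicit Deny, or a Resource ARN that does not cover the object, would still cause Access Denied in a real deployment even when this script reports nothing missing.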
