AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

AWS Transfer Family - SFTP File Listing issue

0

We are working on migrating SFTP from Azure to AWS and have come across the following issue. we are looking a solution from expertise

Requirement:

  1. SFTP Users should not be permitted to create new folders/directories.
  2. SFTP users should not be able list files in a directory, only write files.

Using the IAM policy provided below, we are able to achieve the first but not the second requirement.

If we uncomment out the statement for 'DenyListingObject', we are able to deny listing files but are not unable to upload. Do you know how we can get #2 to work?

SFTP user Policy:

policy = jsonencode({ Statement = [ { Sid = "AllowListingOfUserFolder", Action = [ "s3:ListBucket", "s3:GetBucketLocation" ] Effect = "Allow" Resource = "arn:aws:s3:::${var.sftp_bucket_name}" }, { Sid = "InboundDirObjectAccess", Action = [ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion", ] Effect = "Allow" Resource = [ "arn:aws:s3:::${var.sftp_bucket_name}/*" ] },

    # {
    #     Sid = "DenyLisitingObject"
    #     Effect= "Deny",
    #     Action = [
    #         "s3:ListObject"
    #     ]
    #     Resource = "arn:aws:s3:::${var.sftp_bucket_name}/*/",
    #     Condition = {
    #         "StringLikeIfExists": {
    #             "s3:delimiter": ["/"]
    # }
    #     }

    #     },

 {
        Sid = "DenyCreattionFolder",
        Effect= "Deny",
        Action = "s3:PutObject",
        Resource= "arn:aws:s3:::${var.sftp_bucket_name}/*/",
        Condition = {
            "StringLikeIfExists": {
                "s3:delimiter": ["/"]
            }
        }
    }

]

}) }

주제
마이그레이션 및 현대화보안, 신원 및 규정 준수
태그
AWS 트랜스퍼 패밀리IAM 정책
언어
English
nurunnubi
질문됨 7달 전442회 조회
3개 답변
0
수락된 답변

Transfer Family's current permission model does not support your need for write only access (#2). Can you send me a message at yoonmsuh@amazon.com so I can better understand your use case and raise a PFR on your behalf? Thank you

AWS
전문가
AWSTransferFamily-SY
답변함 7달 전
profile picture
전문가
Giovanni Lauria
검토됨 2달 전
0

Thank you!! I already sent email to you about the details request. Let us know, if you need any more information.

nurunnubi
답변함 7달 전
0

For write-only via Transfer Service, a workaround I've implemented is to use KMS encryption on the bucket, but only grant "encrypt" to the key for the role used.

While the IAM policy still has to have getobject permissions, the lack of "decrypt" on the key prevents downloading.

It would be nice if Transfer Service natively supported this. Without "GetObject" sftp users cannot list (despite having ListBucket), which we need.

Aaron Dodd
답변함 2달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠