Transfer Family Error

0

Hello, I am receiving an error when using Amazon Transfer for SFTP. I can list and delete objects but I cannot write new objects. I receive error "open for write: Access denied." I have the below permissions policy (I have edited the last line of the policy to remove sensitive information).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:HomeFolder}/",
                        "${transfer:HomeFolder}"
                    ]
                }
            }
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectACL",
                "s3:PutObject",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::${transfer:HomeDirectory}/",
                "arn:aws:s3:::${transfer:HomeDirectory}*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111111:key/111111"
        }
    ]
}

  • It seems the content of your policy is broken because of formatting. Can you try to format it using Markdown syntax (wrap it in triple backticks)?

2 Answers
0

Good day.

Per your policy, it appears that you have an implicit deny (not permit) on the bucket to PutObjects. Because of this, the individual objects do not have anything to inherit for write actions.

You should be able to adjust this by adding each object as a resource along with the folder that you added: "Resource": ["arn:aws:s3:::${transfer:HomeDirectory}/", "arn:aws:s3:::${transfer:HomeDirectory}/*"],

Hope this helps!

Jason H.

AWS
Jason_H
answered 2 years ago
0

I think you just need to change the second policy to apply to all of the directory's objects, like this:

{
    "Effect": "Allow",
    "Action": [
        "s3:PutObjectACL",
        "s3:PutObject",
        "s3:GetObjectVersion",
        "s3:GetObjectACL",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject"
    ],
    "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"
},
MG
answered 2 years ago
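
A way to check the `Resource` patterns discussed in this thread, as an added example that is not code from the question or from either answer: it tests which object ARNs a `PutObject` statement covers using IAM-style `*`/`?` matching. The bucket, user, and object names are constructed, and `${transfer:HomeDirectory}` is assumed to resolve to bucket plus prefix; conditions, explicit denies, KMS, and other attached policies are not evaluated.

```python
import re

# Constructed value: what ${transfer:HomeDirectory} is assumed to resolve to
# (bucket plus prefix) for a hypothetical user "alice".
HOME_DIRECTORY = "example-bucket/home/alice"

# Constructed object ARNs to test against.
UPLOAD = "arn:aws:s3:::example-bucket/home/alice/report.csv"
FOLDER_MARKER = "arn:aws:s3:::example-bucket/home/alice/"
SIBLING = "arn:aws:s3:::example-bucket/home/alice-archive/report.csv"


def iam_match(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def as_list(value):
    return [value] if isinstance(value, str) else list(value)


def statement_allows(statement, action, arn, home_directory=HOME_DIRECTORY):
    """True if one Allow statement covers `action` on `arn` (Action/Resource only)."""
    if statement.get("Effect") != "Allow":
        return False
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    action_ok = any(
        iam_match(a.lower(), action.lower()) for a in as_list(statement["Action"])
    )
    resources = [
        r.replace("${transfer:HomeDirectory}", home_directory)
        for r in as_list(statement["Resource"])
    ]
    return action_ok and any(iam_match(r, arn) for r in resources)


def put_coverage(resource):
    """Which of the constructed ARNs a PutObject statement with `resource` covers."""
    stmt = {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": resource}
    targets = (("upload", UPLOAD), ("folder", FOLDER_MARKER), ("sibling", SIBLING))
    return {name: statement_allows(stmt, "s3:PutObject", arn) for name, arn in targets}
```

Calling `put_coverage` with the `/`, `*`, and `/*` suffixes shows that the bare `*` suffix also covers the neighbouring `alice-archive/` prefix, while `/*` stays inside the user's own directory.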