AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

AWS Transfer Family - SFTP File Downloading Issue

1

I have the below Policy for SFTP users, Customer wants WRITE and LIST without GET. Using the below policy, still I can download the file. Can you please give me some suggestion about this.

{ "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": "arn:aws:s3:::mybucket", "Sid": "AllowListingOfUserFolder" }, { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket/" ], "Sid": "InboundDirObjectAccess" }, { "Action": [ "s3:PutObject", "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket///folder1/", "arn:aws:s3:::mybucket///folder2/" ], "Sid": "InboundDirObjectDenyobject" }, { "Action": "s3:PutObject", "Condition": { "StringLikeIfExists": { "s3:delimiter": [ "/" ] } }, "Effect": "Deny", "Resource": "arn:aws:s3:::mybucket//", "Sid": "DenyCreattionFolder" } ] }

주제
마이그레이션 및 현대화보안, 신원 및 규정 준수
태그
AWS 트랜스퍼 패밀리IAM 정책
언어
English
nurunnubi
질문됨 7달 전389회 조회
3개 답변
0
수락된 답변

Thanks @Steve_M It's works

nurunnubi
답변함 7달 전
0

Firstly, please edit your question to remove the bucket name (obfuscate it and call it something like mybucket instead).

Looking at the actions in the policy and cross-referencing with to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions

  • "Action": [ "s3:ListBucket" grants permission to list some or all of the objects in an Amazon S3 bucket (which is what you want for the LIST)
  • "Action": [ "s3:PutObject" grants permission to add an object to a bucket (which I think you may also want for WRITE)
  • "Action": [ "s3:GetObject" grants permission to retrieve objects from Amazon S3 (which you don't want for GET)

Consider amending the policy to remove the GetObject permission.

profile picture
전문가
Steve_M
답변함 7달 전
profile pictureAWS
전문가
Didier_Durand
검토됨 7달 전
  • nurunnubi
    7달 전

    if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.

  • Steve_M 전문가
    7달 전

    OK, it's actually more nuanced than that, the policy still need to maintain GetObject for prefixes (so, essentially, you can list the contents of folders), but not for objects (by which we mean files). See https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#write-only-access

    provide access to write/upload and list objects in a bucket, but not read/download

    This is exactly what you want isn't it? The policy fragment at the foot of that page is what you need, in particular the DenyIfNotFolder part.

0

if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.

nurunnubi
답변함 7달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠