Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

AWS Transfer Family - SFTP File Downloading Issue

1

I have the below Policy for SFTP users, Customer wants WRITE and LIST without GET. Using the below policy, still I can download the file. Can you please give me some suggestion about this.

{ "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": "arn:aws:s3:::mybucket", "Sid": "AllowListingOfUserFolder" }, { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket/" ], "Sid": "InboundDirObjectAccess" }, { "Action": [ "s3:PutObject", "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket///folder1/", "arn:aws:s3:::mybucket///folder2/" ], "Sid": "InboundDirObjectDenyobject" }, { "Action": "s3:PutObject", "Condition": { "StringLikeIfExists": { "s3:delimiter": [ "/" ] } }, "Effect": "Deny", "Resource": "arn:aws:s3:::mybucket//", "Sid": "DenyCreattionFolder" } ] }

Tópicos
Migração e modernizaçãoSegurança, identidade e conformidade
Tags
Família AWS TransferPolíticas do IAM
Idioma
English
nurunnubi
feita há 7 meses388 visualizações
3 Respostas
0
Resposta aceita

Thanks @Steve_M It's works

nurunnubi
respondido há 7 meses
0

Firstly, please edit your question to remove the bucket name (obfuscate it and call it something like mybucket instead).

Looking at the actions in the policy and cross-referencing with to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions

  • "Action": [ "s3:ListBucket" grants permission to list some or all of the objects in an Amazon S3 bucket (which is what you want for the LIST)
  • "Action": [ "s3:PutObject" grants permission to add an object to a bucket (which I think you may also want for WRITE)
  • "Action": [ "s3:GetObject" grants permission to retrieve objects from Amazon S3 (which you don't want for GET)

Consider amending the policy to remove the GetObject permission.

profile picture
ESPECIALISTA
Steve_M
respondido há 7 meses
profile pictureAWS
ESPECIALISTA
Didier_Durand
avaliado há 7 meses
  • nurunnubi
    há 7 meses

    if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.

  • Steve_M ESPECIALISTA
    há 7 meses

    OK, it's actually more nuanced than that, the policy still need to maintain GetObject for prefixes (so, essentially, you can list the contents of folders), but not for objects (by which we mean files). See https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#write-only-access

    provide access to write/upload and list objects in a bucket, but not read/download

    This is exactly what you want isn't it? The policy fragment at the foot of that page is what you need, in particular the DenyIfNotFolder part.

0

if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.

nurunnubi
respondido há 7 meses

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante