
AWS Transfer Family with custom policy

0

Hi folks, this is driving me crazy.

I am trying to set up an AWS session policy that is bound to the logged-in user. I followed this:

https://docs.aws.amazon.com/transfer/latest/userguide/requirements-roles.html#iam-policy-procedure

The policy is identical to the one in the post:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:HomeFolder}/*",
                        "${transfer:HomeFolder}"
                    ]
                }
            }
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"
        }
    ]
}

I am able to log in, but listing folders fails with an access denied message in the log:

{
    "activity-type": "ERROR",
    "resource-arn": "arn:aws:transfer:us-east-1:123456789:server/s-4c2e20c02c9b434f8",
    "message": "Access denied",
    "session-id": "00239b9a2b32141f2edb"
}

If I attach a second policy (below) to the user role which allows access without any restriction, then it works, but the user has access to the entire bucket, not just to his own folder (as if the first, narrowed-down policy were non-existent):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::prod-sfpt-data"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::prod-sfpt-data/*"
        }
    ]
}

People have said that setting up two policies worked fine for them. Any help is appreciated.

Thanks.

asked 2 months ago · 118 views
2 Answers
1

An IAM session policy does not grant permissions. It only defines the maximum set of permissions that the identity-based policies attached to the IAM role and resource-based policies in the same AWS account can grant (with some exceptions for advanced use of resource-based policies), in the absence of other policy mechanisms that might restrict them further.

You need to have a broad policy that applies to all relevant users, like the one you included attached to the IAM role, and you can use the per-user session policy to scope it down to each individual user's home folder, for example.

EXPERT · answered 2 months ago
EXPERT · reviewed 2 months ago
  • That is what I did; I have two policies, one is broad and the second one is narrowed down. The question I am trying to answer is why I am getting a permission denied error. Note the IdP is a Lambda in my case.

  • You mentioned that attaching the broader policy to the role made your setup work. Is that with or without the session policy?

  • It is with the session policy, so when I have both policies (session and broad) linked to the role, the bucket becomes open without any restriction to the folder; the SFTP user can browse the whole bucket. In other words, the session policy becomes ineffective.

  • The session policy is not attached to the role. You put it in the user's secret in AWS Secrets Manager. You can use a tool like Notepad++ and its JSTool plugin to "minify" the session policy JSON. Then search and replace all double quotes " with a backslash-escaped version of it \" and copy the resultant string as the value of the Policy attribute in the secret.

  • There is no user; the IdP is Lambda based. The users are in our custom database. The IdP Lambda will look the user up in the DB and allow them. The user isn't present in IAM.
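The rule the answer above states (a session policy can only narrow what the role's identity-based policy already grants, never grant on its own) is easy to see with a small model. The following is an added example written for this page, not code from the thread or from AWS: it is a deliberately simplified IAM evaluator that ignores explicit denies, SCPs, resource policies and permission boundaries, and only applies "role policy must allow AND session policy (if present) must allow". The role policy is modelled on the second policy in the question, the session policy on the first; the bucket name `prod-sfpt-data` is taken from the question, while the user name `alice`, the object keys and the way `${transfer:HomeDirectory}` is rendered as `<bucket>/<folder>` are assumptions.

```python
import fnmatch
import json

# Bucket name from the question; user name and object keys below are constructed.
BUCKET = "prod-sfpt-data"

# Broad identity-based policy attached to the Transfer role (assumption,
# modelled on the second policy in the question).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Per-user session policy with the ${transfer:...} placeholders that the
# service fills in at session time (shape follows the first policy in the question).
SESSION_POLICY_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
         "Condition": {"StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*",
                                                    "${transfer:HomeFolder}"]}}},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"},
    ],
})


def render_session_policy(template: str, bucket: str, home_folder: str) -> dict:
    """Substitute the transfer:* variables for one user. Assumption: HomeDirectory
    renders as '<bucket>/<folder>' and HomeFolder as the part after the bucket."""
    rendered = (template
                .replace("${transfer:HomeBucket}", bucket)
                .replace("${transfer:HomeFolder}", home_folder)
                .replace("${transfer:HomeDirectory}", f"{bucket}/{home_folder}"))
    return json.loads(rendered)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt: dict, action: str, resource: str, prefix=None) -> bool:
    """Allow statement matches action + resource (IAM wildcards) and, when present,
    the StringLike s3:prefix condition used for listing."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
    if wanted is not None:
        return prefix is not None and any(
            fnmatch.fnmatchcase(prefix, p) for p in _as_list(wanted))
    return True


def policy_allows(policy: dict, action: str, resource: str, prefix=None) -> bool:
    return any(statement_allows(s, action, resource, prefix) for s in policy["Statement"])


def effective_decision(role_policy: dict, session_policy, action: str,
                       resource: str, prefix=None) -> str:
    """Simplified rule: the role policy must allow the call, and if a session
    policy is present it must allow it too. The session policy alone grants nothing."""
    if not policy_allows(role_policy, action, resource, prefix):
        return "DENY"
    if session_policy is not None and not policy_allows(session_policy, action, resource, prefix):
        return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    alice = render_session_policy(SESSION_POLICY_TEMPLATE, BUCKET, "alice")
    empty_role = {"Version": "2012-10-17", "Statement": []}
    own = f"arn:aws:s3:::{BUCKET}/alice/report.csv"
    other = f"arn:aws:s3:::{BUCKET}/bob/report.csv"
    print(effective_decision(empty_role, alice, "s3:GetObject", own))    # DENY: session policy alone
    print(effective_decision(ROLE_POLICY, None, "s3:GetObject", other))  # ALLOW: whole bucket open
    print(effective_decision(ROLE_POLICY, alice, "s3:GetObject", own))   # ALLOW: scoped to home
    print(effective_decision(ROLE_POLICY, alice, "s3:GetObject", other)) # DENY: other user's folder
    print(effective_decision(ROLE_POLICY, alice, "s3:ListBucket",
                             f"arn:aws:s3:::{BUCKET}", prefix="bob/"))   # DENY: listing outside home
```

The four cases in the `__main__` block map onto the thread: a narrow policy with no broad role grant is denied outright, the broad role grant with no effective session policy opens the whole bucket, and only the combination yields per-user scoping. Listing is the case that most often surprises people: a `ListBucket` call without the expected `s3:prefix` (for example a listing of the bucket root) fails the `StringLike` condition and is denied even when the role allows it.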

0

The issue you're experiencing with AWS Transfer Family and custom session policies is likely related to how the session policy is being applied and interpreted. Here are a few points to consider:

  1. Session policies in AWS Transfer Family are stored as JSON blobs, not as ARNs. Make sure you're passing the policy as a JSON blob in the Policy argument when creating or updating the user.

  2. The session policy you've provided uses variables like ${transfer:HomeBucket} and ${transfer:HomeFolder}. Ensure that these variables are being correctly populated with the appropriate values for your setup.

  3. The session policy only applies when the domain of the ServerId is Amazon S3. If you're using Amazon EFS, session policies are not used.

  4. The second policy you've attached to the user role is less restrictive and allows broader access to the S3 bucket. This is why it works when attached.

To troubleshoot:

  1. Double-check that the HomeDirectory and HomeDirectoryType are correctly set for your user.

  2. Verify that the ${transfer:HomeBucket} and ${transfer:HomeFolder} variables are being correctly substituted with the actual values.

  3. Ensure that the Policy is being correctly applied to the user. You can use the UpdateUser or CreateUser API to set or update the session policy.

  4. Consider temporarily broadening the permissions in your session policy to see if that resolves the issue, then gradually restrict them to find the right balance.

  5. Check CloudTrail logs for more detailed information about the access denied errors.

If the issue persists, you may need to contact AWS support for further assistance, as there might be a specific configuration detail in your setup that's causing the problem.

Sources
CreateUser - AWS Transfer Family
UpdateUser - AWS Transfer Family
CreateAccess - AWS Transfer Family

answered 2 months ago
EXPERT · reviewed 2 months ago
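Both answers come back to the same mechanical point: the session policy has to reach the service as a single JSON string in the `Policy` field, whether that field lives in a Secrets Manager secret or in the response of a Lambda identity provider like the asker's. The following is an added example, not code from this thread or from AWS: a minimal Lambda-style identity provider that looks a user up in a constructed store, and returns the session policy serialized with `json.dumps`, which performs the minify-and-escape step the comment above describes doing by hand in Notepad++. The response field names (`Role`, `HomeDirectoryType`, `HomeDirectory`, `Policy`) and the event fields (`username`, `password`, `serverId`, `protocol`, `sourceIp`) follow my reading of the AWS custom identity provider documentation and are assumptions here; the role ARN is a placeholder, the user store and password are made up, and the bucket name is the one from the question.

```python
import hashlib
import hmac
import json

# Constructed user store standing in for the asker's custom database: salted
# SHA-256 password digests rather than plaintext. All values are made up.
_SALT = b"example-salt"
USERS = {
    "alice": {
        "digest": hashlib.sha256(_SALT + b"alice-password").hexdigest(),
        "home_folder": "alice",
    },
}
ROLE_ARN = "arn:aws:iam::123456789012:role/TransferUserRole"  # placeholder ARN
BUCKET = "prod-sfpt-data"  # bucket name from the question

# Session policy with the ${transfer:...} placeholders left in place; the service
# substitutes them per session. Shape follows the first policy in the question.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
         "Condition": {"StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*",
                                                    "${transfer:HomeFolder}"]}}},
        {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"},
    ],
}


def policy_as_string(policy: dict) -> str:
    """Minified JSON string, the only form the Policy field accepts. When the
    response (or secret) is serialized, the inner quotes become \\" automatically."""
    return json.dumps(policy, separators=(",", ":"))


def validate_policy_string(value) -> bool:
    """Guard against the common mistake of passing the policy as a nested object
    (or a broken hand-escaped string) instead of a JSON string."""
    if not isinstance(value, str):
        return False
    try:
        parsed = json.loads(value)
    except ValueError:
        return False
    return (isinstance(parsed, dict)
            and parsed.get("Version") == "2012-10-17"
            and isinstance(parsed.get("Statement"), list))


def build_idp_response(role_arn: str, bucket: str, home_folder: str, policy: dict) -> dict:
    """Assumed response shape for a Lambda custom identity provider."""
    policy_str = policy_as_string(policy)
    if not validate_policy_string(policy_str):
        raise ValueError("session policy did not serialize to a valid policy string")
    return {
        "Role": role_arn,
        "HomeDirectoryType": "PATH",
        "HomeDirectory": f"/{bucket}/{home_folder}",
        "Policy": policy_str,
    }


def authenticate(username, password):
    """Constant-time comparison of the salted digest; None means reject."""
    user = USERS.get(username)
    if user is None or password is None:
        return None
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return user if hmac.compare_digest(digest, user["digest"]) else None


def lambda_handler(event: dict, context=None) -> dict:
    """Assumed event fields: username, password, serverId, protocol, sourceIp.
    An empty response tells the service to reject the login."""
    user = authenticate(event.get("username"), event.get("password"))
    if user is None:
        return {}
    return build_idp_response(ROLE_ARN, BUCKET, user["home_folder"], SESSION_POLICY)


if __name__ == "__main__":
    resp = lambda_handler({"username": "alice", "password": "alice-password",
                           "protocol": "SFTP", "serverId": "s-example"})
    print(json.dumps(resp, indent=2))  # Policy appears as one escaped string
```

Printing the response shows the `Policy` value as a single string with `\"` inside it, which is the same artefact the commenter produced with search-and-replace; letting the serializer do it avoids the half-escaped strings that silently turn into an ineffective policy. The `validate_policy_string` check is the cheap test to run before deploying either a secret or an IdP change.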
