AWS File Transfer Logical directory Structure


Hi All,

We are trying to setup simple directory structure in S3 bucket for each user when they login to AWS file transfer SFTP server.

  1. ${transfer:UserName}/folder1
  2. ${transfer:UserName}/folder2

We have Active directory group A access added to File Transfer server. So only group A users will able to access file transfer server.

As soon as user login to SFTP, user should be able to see both child directory under his/her home directory and transfer files to respective directory.

Please advise how to achieve this?

1 Answer


Greetings of the day!

I can see that you need guidance regarding setting up permission for a user to access Transfer for SFTP.

I would like to mention that you can control a user's access to AWS Transfer Family resources by using an AWS Identity and Access Management (IAM) policy. An IAM policy is a statement, typically in JSON format, that allows a certain level of access to a resource. You use an IAM policy to define what file operations that you want to allow your users to perform and not perform. You can also use an IAM policy to define what Amazon S3 bucket or buckets that you want to give your users access to. To specify these policies for users, you create an IAM role for AWS Transfer Family that has the IAM policy and trust relationship associated with it.

Please refer below documents as they provide detailed information regarding providing access.

[+] Managing access controls -

[+] Creating a session policy for an Amazon S3 bucket -




Further, I request you to open a support case if you need any further assistance.

answered a year ago
  • Hi Rohan,

    Thanks for the reply. I went through the document and added access policy and IAM role as well but it is not working as expected.

    We have setup AWS file transfer server with AWS directory service (connected to Microsoft AD) authentication. As per use case, once user login to sftp, user should be able to see two directory within their own folder. {username}/folder1 {username}/folder2

    I have setup below Access policy and IAM policy (attached to S3)

    create-access CLI:

    aws transfer create-access
    --home-directory-type LOGICAL
    --home-directory-mappings '[{"Entry":"/folder1","Target":"/bucket_name/${transfer:UserName}/folder1" },{ "Entry": "/folder2", "Target":"/bucket_name/${transfer:UserName}/folder2"}]'
    --role arn:aws:iam::account_id:role/iam_role
    --server-id s-1234567876454ert
    --external-id S-1-2-34-56789123-12345678-1234567898-1234 access policy was created successfully.

    Below IAM role is attached to S3 bucket and file-transfer server.

    { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::bucket_name" ], "Effect": "Allow", "Sid": "ReadWriteS3" }, { "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion",

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions