Limit SFTP access to specific subfolders only


Hi all, I've set up an SFTP server with AWS Transfer Family with the "sftp-server" S3 bucket as storage. I created "subfolder01", "subfolder02", "subfolder03", etc. in the bucket. I defined an SFTP user and set "sftp-server" as his restricted home folder. And I want to give him read/write permissions to "subfolder01" and "subfolder02" only, while no access to all the other subfolders. But when the user connects, he sees an empty list of his home folder, and he can only access the two subfolders if he manually types the "subfolder01/" or "subfolder02/" path in Filezilla. I would like him to see the list of all the subfolders when he connects, or better, to see only the two subfolders that he has access to. This is the policy assigned to the role of the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::sftp-server"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::sftp-server/subfolder01/*",
                "arn:aws:s3:::sftp-server/subfolder02/*"
            ]
        }
    ]
}

and this is the Trusted Entities policy of his role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Can you please help me?

Mauro L
asked 8 months ago · 503 views

1 Answer

Accepted Answer

Hello Mauro,

In regard to your question, the reason why the operation is failing at the root bucket level is due to missing HeadObject permissions on the root of the bucket. The permission set that your IAM Role entity has grants permissions to contents within the subfolders and not the subfolders themselves. Therefore, a List operation on the root of the bucket fails; however, when you explicitly specify the path, the operation succeeds.

To get around this, you could provide permissions within the IAM entity to be able to issue a HeadObject call at the root of the bucket. This will then allow you to list, and then only allow actions within the specified subfolders.

Example policy -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::sftp-server"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::sftp-server/*/"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::sftp-server/subfolder01/*",
                "arn:aws:s3:::sftp-server/subfolder02/*"
            ]
        }
    ]
}

Could you test the above policy and confirm if it works as desired?

Further to your point, "or better, to see only the two subfolders that he has access to": this would be better satisfied by using Logical Directories. Logical Directories allow Users to be mapped to certain directories. Within your User configuration, you could set up the sub-folders as HomeDirectories, which would then allow Users to only access them and not any other sub-folders.

Considering the same example as above, the HomeDirectory configuration would look like -

[
    {"Entry": "/subfolder01", "Target": "/bucket1/subfolder01"},
    {"Entry": "/subfolder02", "Target": "/bucket1/subfolder02"}
]

The permissions model within your IAM Role shall be the same as what you mentioned in your question. When the User logs in, they would see this setup as -

sftp> pwd
Remote working directory: /
sftp> ls
subfolder01     subfolder02
sftp>

If you are setting up your User from the Console, the Console equivalent to this is the Restricted checkbox. However, the Console limits it to only 1 folder. If you require multiple folders within Logical Directories, you would have to use the CLI or the API to configure the same.

Sample AWS-CLI command: aws transfer update-user --server-id <> --user-name <> --home-directory-type LOGICAL --home-directory-mappings '[{"Entry": "/subfolder01", "Target": "/bucket1/subfolder01"}, {"Entry": "/subfolder02", "Target": "/bucket1/subfolder02"}]'

Please update the Policies and CLI commands as required by your use-case.

References:

Logical Directories: https://docs.aws.amazon.com/transfer/latest/userguide/logical-dir-mappings.html

AWS CLI - update-user: https://docs.aws.amazon.com/cli/latest/reference/transfer/update-user.html

Let me know if you have further questions.

answered 8 months ago
  • I was able to reach my goal following your instructions about Logical Directories, thanks! Just a note, I ran your sample command in PowerShell (Windows 10), and had to use double " symbols to make it work. So, this is the command that worked for me: aws transfer update-user --server-id <> --user-name <> --home-directory-type LOGICAL --home-directory-mappings '[{""Entry"": ""/subfolder01"", ""Target"": ""/bucket1/subfolder01""}, {""Entry"": ""/subfolder02"", ""Target"": ""/bucket1/subfolder02""}]'
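Added example (not code from the thread or from AWS): a small Python helper that generates the per-user IAM policy and the HomeDirectoryMappings for a list of allowed prefixes, plus a deliberately minimal Allow-only evaluator to sanity-check what the draft grants before attaching it. It assumes the question's bucket and subfolder names, keeps only the object actions the question uses (the ACL actions and s3:ListAllMyBuckets are left out as an assumption that this setup does not need them), and the evaluator ignores Conditions and explicit Deny, so it is a pre-flight check, not a replacement for the IAM policy simulator.

```python
"""Generate a least-privilege Transfer Family user policy and logical-directory
mappings for a list of allowed S3 prefixes, then check what the policy grants.
Example for this thread, not AWS code; evaluator is a minimal approximation."""
import fnmatch
import json

BUCKET = "sftp-server"  # bucket name from the question
OBJECT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
                  "s3:DeleteObject", "s3:DeleteObjectVersion"]


def build_policy(bucket, prefixes):
    """ListBucket on the bucket; object actions only under the allowed prefixes."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "ObjectAccess", "Effect": "Allow", "Action": OBJECT_ACTIONS,
         "Resource": [f"arn:aws:s3:::{bucket}/{p}/*" for p in prefixes]},
    ]}


def build_mappings(bucket, prefixes):
    """HomeDirectoryMappings: at '/' the user sees only one entry per prefix."""
    return [{"Entry": f"/{p}", "Target": f"/{bucket}/{p}"} for p in prefixes]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource):
    """Allow-only check with IAM-style '*'/'?' wildcards on Action and Resource.
    No Condition or explicit-Deny handling (assumption: enough to test a draft)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))):
            return True
    return False


if __name__ == "__main__":
    allowed = ["subfolder01", "subfolder02"]
    pol = build_policy(BUCKET, allowed)
    print(json.dumps(pol, indent=2))
    print(json.dumps(build_mappings(BUCKET, allowed)))
    for key in ("subfolder01/report.csv", "subfolder03/report.csv"):
        print(key, is_allowed(pol, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/{key}"))
```

Running it prints the generated policy and mappings and shows subfolder01 allowed and subfolder03 denied; the same evaluator also shows that a resource pattern ending in "/*/" reaches only keys that end in "/", i.e. folder markers, not the files beneath them.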
