
How to Create an SFTP User with Access to Specific Folders in AWS Transfer Family?


Hi guys, I need help with creating an SFTP user in AWS Transfer Family that has access to specific folders within an S3 bucket. Here are the details:

Current Setup:

  • I have an S3 bucket named abc-sftp.
  • I currently have an SFTP user who has access to the root directory.
  • I need to create a new user who will have access only to a specific directory (test) within the bucket.

Requirements:

  • A user that has access only to the test directory within the S3 bucket.
  • User can see all files in the test directory but cannot download or upload files to it. I want to modify this user's permissions so that they can upload and download files.

Current IAM Role and Policy: Here is the IAM policy attached to the SFTP user's role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": "test/*"
        }
      },
      "Resource": "arn:aws:s3:::abc-sftp"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectAcl",
        "s3:DeleteObjectVersion",
        "s3:PutObjectAcl",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::abc-sftp/test/*"
    }
  ]
}

The trust relationship for the IAM role is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Questions: How can I modify the second user's permissions so that they can upload and download files from the test directory?

1 Answer

To create an SFTP user with access to specific folders in AWS Transfer Family and modify their permissions to allow uploading and downloading files, you can follow these steps:

  1. First, ensure you have an SFTP-enabled server set up in AWS Transfer Family.

  2. To add a new user with access to the specific 'test' directory:

    a. Go to the AWS Transfer Family console and select your server.
    b. Choose "Add user".
    c. Enter a username for the new user.
    d. For Access, select the IAM role you've created with the policy you provided.

  3. The IAM policy you've shared already grants the necessary permissions for the user to access the 'test' directory within the 'abc-sftp' bucket. This policy allows listing the contents of the 'test' directory, as well as getting, putting, deleting, and managing object ACLs within that directory.

  4. To enable the user to upload and download files, you don't need to modify the policy as it already includes the required permissions:

    • 's3:GetObject' allows downloading files
    • 's3:PutObject' allows uploading files

  5. If the user still can't upload or download files, double-check that:

    • The IAM role is correctly attached to the user in AWS Transfer Family.
    • The trust relationship for the IAM role is correctly set up (which it appears to be based on what you've provided).
    • The S3 bucket permissions allow the actions defined in the IAM policy.

  6. To restrict the user to only the 'test' directory, you can set the user's home directory in AWS Transfer Family:

    a. In the user's settings, find the "Home directory" option.
    b. Set it to '/abc-sftp/test'.

  7. If you want to provide a logical view of just the 'test' directory to the user:

    a. In the user's settings, enable "Restrict user to home directory".
    b. This will make the 'test' directory appear as the root directory to the user.

By following these steps, you should have a user who can list, upload, and download files specifically within the 'test' directory of your 'abc-sftp' S3 bucket using SFTP through AWS Transfer Family.
Sources
Getting started with AWS Transfer Family server endpoints - AWS Transfer Family
Configure SFTP connectors - AWS Transfer Family
Create an SFTP-enabled server - AWS Transfer Family

answered a month ago
EXPERT
reviewed a month ago
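The following is an added example, not code from the question or the answer above: it builds the folder-scoped role policy and the logical home-directory mapping the answer describes (steps 3, 6 and 7), then checks the policy offline with a simplified IAM wildcard matcher so you can confirm that keys outside the folder are denied before attaching it. Only the bucket name abc-sftp and folder test come from the question; the statement layout, the helper names and the sample keys are assumptions constructed for this example.

```python
import re
from typing import Optional

def folder_scoped_policy(bucket: str, folder: str) -> dict:
    """Role policy that lists and reads/writes only under <folder>/ in <bucket>."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                # "test/*" also matches the bare "test/" prefix, so the folder root itself lists.
                "Condition": {"StringLike": {"s3:prefix": f"{folder}/*"}},
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{folder}/*",
            },
        ],
    }

def logical_home_directory(bucket: str, folder: str) -> dict:
    """Transfer Family user settings that present <folder> as the SFTP root ('/')."""
    return {
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryMappings": [{"Entry": "/", "Target": f"/{bucket}/{folder}"}],
    }

def _glob(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def is_allowed(policy: dict, action: str, resource: str, prefix: Optional[str] = None) -> bool:
    """Simplified offline check (Allow statements, StringLike on s3:prefix only); not IAM itself."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_glob(a, action) for a in actions) or not _glob(stmt["Resource"], resource):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None and (prefix is None or not _glob(wanted, prefix)):
            continue
        return True
    return False

# Constructed checks for the question's bucket/folder: inside the folder allowed, outside denied.
POLICY = folder_scoped_policy("abc-sftp", "test")
assert is_allowed(POLICY, "s3:GetObject", "arn:aws:s3:::abc-sftp/test/report.csv")
assert not is_allowed(POLICY, "s3:GetObject", "arn:aws:s3:::abc-sftp/other/report.csv")
```

The matcher is a sanity test for the wildcard scoping only; `aws iam simulate-principal-policy` against the real role remains the authoritative check before the user goes live.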
