By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post

AWS Transfer Family does not use S3 default encryption - SFTP - access denied

0

Hi, I have AWS Transfer Family configured on a private S3 backend storage with a default encryption enabled. I'm able to download the files from S3, but uploading files throws an access denied error. We have precisely the same problem for buckets with default encryption set to either SSE-S3, SSE-KMS (s3 alias) or CMK. The role policy associated with a Transfer Family user grants full access to s3 and the CMK key as well. To verify the policy associated with the role, I assumed a role with the same policy and executed 'aws s3 cp' command, and this completes successfully, as long as I provide '--sse' server site encryption arguments. Could it be that AWS Transfer Family does not pass along correct server site encryption information while uploading files?

Regards, Chris

Topics
StorageMigration & Transfer
Tags
Amazon Simple Storage ServiceAWS Transfer Family
Language
English
rePost-User-3326948
asked a month ago56 views
4 Answers
0
Accepted Answer

OK, it turned out that we have an SCP policy which enforces us to include the x-amz-server-side-encryption header for each s3:PutObject. Since it is not what AWS Transfer family does, we're getting that access denied error. So the solution is to exclude Transfer Family service from that SCP.

rePost-User-3326948
answered a month ago
0

have you checked the server logs ? and if you saw below error then You must specify additional permissions in your policy to grant the required AWS Key Management Service (AWS KMS) permissions. For details, you can check below link

https://docs.aws.amazon.com/transfer/latest/userguide/encryption-at-rest.html

ERROR Message="Access denied" Operation=CLOSE Path=/bucket/user/test.txt BytesIn=13 ERROR Message="Access denied"

Sachin
answered a month ago
  • rePost-User-3326948 a month ago

    Yes, I'm getting the following error in the server logs. ERROR Message="Access denied" Operation=CLOSE Path=/sftp2/abc/test.txt BytesIn=194

    However, the bucket key is specified in the policy { "Sid": "EncryptionInAWSTransferFamily", "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey" ], "Effect": "Allow", "Resource": "arn:aws:kms:eu-north-1::key/<key-id>" }

    Also, the IAM role that is used for the user is allowed in the AWS KMS key policy.

0

Could it be the Key Policy does not allow the role?

Unless the key policy explicitly allows it, you cannot use IAM policies to allow access to a KMS key. Without permission from the key policy, IAM policies that allow permissions have no effect.
profile picture
AWS
EXPERT
kentrad
answered a month ago
0

Make sure you gave right access to user on key used in S3.

Sachin
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content