AWS Transfer Family cannot download with S3 Versioning enabled


Hi all,

I have enabled S3 versioning on the bucket connected with AWS Transfer Family, since I wanted to use the replication feature for a certain folder in the SFTP bucket.
Unfortunately, since I enabled it I cannot download any file from the bucket over an SFTP connection. Uploads work fine, but downloads fail with Access Denied.

I have a custom identity provider which returns the policy below when the user authenticates:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "user-folder/*",
                        "user-folder"
                    ]
                }
            }
        },
        {
            "Sid": "AWSTransferRequirements",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject*",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}

Edited by: sa-dem on Dec 8, 2020 2:05 PM

sa-dem
asked 3 years ago · 911 views
3 Answers

I've also tried to suspend the versioning but still cannot download files.

sa-dem
answered 3 years ago

Hello sa-dem,

Going through the scopedown policy associated, I don't seem to be able to find anything wrong with the policy. You have granted List permissions to your bucket provided the prefix matches the condition statement. Further, you have granted HomeDirectoryObject access for READ/WRITE/DELETE commands. I would say it is a pretty straightforward ScopeDown Policy.

Concerning the Access Denied error for downloads, could you confirm if there are no bucket policies on the S3 Bucket or any Explicit Deny conditions that might block READ or GetObject actions on the bucket?
Also, could you confirm if the IAM Role associated with the AWS Transfer user has sufficient permissions to access the bucket and the objects? If permissions are missing on the IAM Role, you would experience Access Denied from S3, as ScopeDown Policies do not grant permissions. Rather, they help you restrict a particular set of permissions. Therefore, permissions specified within a ScopeDown policy should be a subset of the permissions present on the IAM Role.
Concerning READ operations, you would need GetObject, GetObjectVersion and GetObjectAcl on both the User's IAM Role and the ScopeDown Policy as your bucket has versioning enabled. Could you confirm if these permissions are present for the User? If not, could you update and test?

I look forward to your update. If you are still experiencing Access Denied errors, please private message me with the resource details and I would be happy to help out.

Thanks,
Sagar

AWS EXPERT
answered 3 years ago

You are totally right, on the Transfer AWS role I only had the s3:*object permission.

sa-dem
answered 3 years ago
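The subset rule from Sagar's answer, and the `s3:*object` wildcard from the final reply, can be checked offline. The following is an added example, not code from the thread or from AWS: it intersects the scope-down policy's action list with a role policy's action list using IAM's case-insensitive wildcard matching and reports which download-related actions end up unauthorised. The `ROLE_BEFORE`/`ROLE_AFTER` action lists are constructed assumptions (the question never shows the full role policy), and Resource, Condition and explicit Deny statements are deliberately not modelled.

```python
import fnmatch

# Action names from the scope-down policy in the question (Resource/Condition omitted).
SCOPEDOWN_ACTIONS = [
    "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketLocation",
    "s3:PutObject", "s3:GetObject*", "s3:DeleteObjectVersion", "s3:DeleteObject",
    "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:PutObjectAcl",
]

# Constructed role policies (assumption): the role as described in the final reply,
# which only grants "s3:*object", and a corrected role that adds the missing actions.
ROLE_BEFORE = ["s3:ListBucket", "s3:*object"]
ROLE_AFTER = ["s3:ListBucket", "s3:*object",
              "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:PutObjectAcl"]

# Actions the answer says a read on a versioned bucket needs.
DOWNLOAD_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "s3:GetObjectAcl"]


def action_matches(pattern: str, action: str) -> bool:
    # IAM compares action names case-insensitively; * and ? are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_by(policy_actions: list[str], action: str) -> bool:
    return any(action_matches(p, action) for p in policy_actions)


def effective_permissions(role_actions, scopedown_actions, candidates):
    # Session-policy semantics: an action is allowed only when BOTH the role's
    # identity policy and the scope-down (session) policy allow it.
    return {a: allowed_by(role_actions, a) and allowed_by(scopedown_actions, a)
            for a in candidates}


def missing_for_download(role_actions: list[str]) -> list[str]:
    # Download-related actions that the role does not grant, so the scope-down
    # cannot "add them back" and S3 returns Access Denied.
    eff = effective_permissions(role_actions, SCOPEDOWN_ACTIONS, DOWNLOAD_ACTIONS)
    return [a for a, ok in eff.items() if not ok]


if __name__ == "__main__":
    print("missing with original role:", missing_for_download(ROLE_BEFORE))
    print("missing with corrected role:", missing_for_download(ROLE_AFTER))
```

Note that `s3:*object` matches `s3:GetObject` but not `s3:GetObjectVersion` or `s3:GetObjectAcl`, because the wildcard only covers the prefix of the action name; that is exactly the gap the thread ended on.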
