FTPS - support for scope down policy?

0

Hello,
I am looking for guidance on setting up scope down policy for FTPS users on the transfer family service.

Within the lambda function that does the user authentication, I am attempting to add the policy JSON to the response body as described in the documentation.
.....
response = {
    Role: 'arn:aws:iam::xxxxxxx:role/assumedRoleForTransferService',
    Policy: myPolicyJSON,
    HomeDirectory: ''
};
.......

The scope down policy looks similar to what SFTP scope down users would use, except I am not using the transfer variables (e.g. ${transfer:HomeDirectory}) as I suspect they don't work because with FTPS there are no "managed" users to map the variables to. Instead my lambda will dynamically replace variables in the policy dependent on logic within the lambda.

Adding the scope down policy to the lambda response creates an error when connecting to the server. Removing the scope down policy from the lambda allows me to connect and upload but then I am not restricted within the bucket.

My user scope down policy JSON looks like this prior to replacing the dynamic variables with the appropriate user paths.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::mybucket",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "DYNAMIC_USER_VARIABLE/",
                        "DYNAMIC_USER_VARIABLE"
                    ]
                }
            }
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": "arn:aws:s3:::mybucket/DYNAMIC_USER_VARIABLE/"
        }
    ]
}

Are scope down policies a part of the FTPS service? If so, is there any glaring issue in my policy JSON above?
Thanks in advance!

awsAMDR
asked 4 years ago, 230 views
1 Answer
0

Documented scope down policy works for FTPS. I failed to stringify my JSON scope down policy object in the lambda.

awsAMDR
answered 4 years ago
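
The fix described in the answer above, as an added example that is not the poster's Lambda code: the per-user scope down policy is built as an object and passed through JSON.stringify before it goes into the Policy field of the response. The role ARN, the "/*" suffixes, the HomeDirectory layout and the function names are assumptions, and buildAuthResponse is meant to be called only after the Lambda has verified the user's credentials.

```javascript
// Added example: role ARN, bucket, "/*" suffixes and HomeDirectory layout are assumptions.
const ROLE_ARN = 'arn:aws:iam::111122223333:role/ExampleTransferRole'; // constructed
const BUCKET = 'mybucket';

// Only accept names that cannot act as an IAM wildcard, policy variable or path step.
function userPrefix(username) {
  if (typeof username !== 'string' || !/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(username)) {
    throw new Error('username not usable as an S3 prefix');
  }
  return username;
}

// Build the policy as an object so the prefix is never spliced into JSON text.
function scopeDownPolicy(bucket, prefix) {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'AllowListingOfUserFolder',
        Effect: 'Allow',
        Action: ['s3:ListBucket'],
        Resource: `arn:aws:s3:::${bucket}`,
        Condition: { StringLike: { 's3:prefix': [`${prefix}/*`, prefix] } },
      },
      {
        Sid: 'HomeDirObjectAccess',
        Effect: 'Allow',
        Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObjectVersion', 's3:DeleteObject',
          's3:GetObjectVersion', 's3:GetObjectACL', 's3:PutObjectACL'],
        Resource: `arn:aws:s3:::${bucket}/${prefix}/*`,
      },
    ],
  };
}

// Call only after the Lambda has verified the user's credentials.
function buildAuthResponse(username) {
  const prefix = userPrefix(username);
  return {
    Role: ROLE_ARN,
    // The Policy field must be a JSON string; a plain object here is the error in the thread.
    Policy: JSON.stringify(scopeDownPolicy(BUCKET, prefix)),
    HomeDirectory: `/${BUCKET}/${prefix}`,
  };
}
```

Rejecting usernames that contain `*`, `?`, `$` or `/` keeps a crafted login name from widening the StringLike match or the object Resource beyond that user's own prefix.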
