By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Transfer Family Error

0

Hello, I am receiving an error when using Amazon Transfer for SFTP. I can list and delete objects but I cannot write new objects. I receive error "open for write: Access denied." I have the below permissions policy (I have edited the last line of the policy to remove sensitive information).

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::${transfer:HomeBucket}", "Condition": { "StringLike": { "s3:prefix": [ "${transfer:HomeFolder}/", "${transfer:HomeFolder}" ] } } }, { "Sid": "", "Effect": "Allow", "Action": [ "s3:PutObjectACL", "s3:PutObject", "s3:GetObjectVersion", "s3:GetObjectACL", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::${transfer:HomeDirectory}/", "arn:aws:s3:::${transfer:HomeDirectory}*" ] }, { "Sid": "", "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:111111:key/111111" } ] }

  • A-Shevchenko
    2 years ago

    It seems content of your policy is broken because of formatting. Can you try to format it using Markdown syntax (wrap it into triple backticks)?

Topics
Security, Identity, & ComplianceMigration & Modernization
Tags
AWS Identity and Access ManagementAWS Transfer for SFTP
Language
English
aclark
asked 2 years ago450 views
2 Answers
0

Good day.

Per your policy, it appears that you have an implicit deny (not permit) on the bucket to PutObjects. Because of this, the individual objects do not have anything to inherit for write actions.

You should be able to adjust this by adding each object as a resource along with the folder that you added: "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/", "arn:aws:s3:::${transfer:HomeDirectory}/*",

Hope this helps!

Jason H.

AWS
Jason_H
answered 2 years ago
0

I think you just need to change the second policy to apply to all directory's objects like that

{
    "Effect": "Allow",
    "Action": [
        "s3:PutObjectACL",
	"s3:PutObject",
	"s3:GetObjectVersion",
	"s3:GetObjectACL",
	"s3:GetObject",
	"s3:DeleteObjectVersion",
	"s3:DeleteObject"
    ],
    "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"
},
profile picture
MG
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content