By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS Transfer Family - SFTP File Downloading Issue

1

I have the below Policy for SFTP users, Customer wants WRITE and LIST without GET. Using the below policy, still I can download the file. Can you please give me some suggestion about this.

{ "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": "arn:aws:s3:::mybucket", "Sid": "AllowListingOfUserFolder" }, { "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket/" ], "Sid": "InboundDirObjectAccess" }, { "Action": [ "s3:PutObject", "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket///folder1/", "arn:aws:s3:::mybucket///folder2/" ], "Sid": "InboundDirObjectDenyobject" }, { "Action": "s3:PutObject", "Condition": { "StringLikeIfExists": { "s3:delimiter": [ "/" ] } }, "Effect": "Deny", "Resource": "arn:aws:s3:::mybucket//", "Sid": "DenyCreattionFolder" } ] }

Topics
Migration & ModernizationSecurity, Identity, & Compliance
Tags
AWS Transfer FamilyIAM Policies
Language
English
nurunnubi
asked 6 months ago371 views
3 Answers
0
Accepted Answer

Thanks @Steve_M It's works

nurunnubi
answered 6 months ago
0

Firstly, please edit your question to remove the bucket name (obfuscate it and call it something like mybucket instead).

Looking at the actions in the policy and cross-referencing with to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions

  • "Action": [ "s3:ListBucket" grants permission to list some or all of the objects in an Amazon S3 bucket (which is what you want for the LIST)
  • "Action": [ "s3:PutObject" grants permission to add an object to a bucket (which I think you may also want for WRITE)
  • "Action": [ "s3:GetObject" grants permission to retrieve objects from Amazon S3 (which you don't want for GET)

Consider amending the policy to remove the GetObject permission.

profile picture
EXPERT
Steve_M
answered 6 months ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 6 months ago
  • nurunnubi
    6 months ago

    if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.

  • Steve_M EXPERT
    6 months ago

    OK, it's actually more nuanced than that, the policy still need to maintain GetObject for prefixes (so, essentially, you can list the contents of folders), but not for objects (by which we mean files). See https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#write-only-access

    provide access to write/upload and list objects in a bucket, but not read/download

    This is exactly what you want isn't it? The policy fragment at the foot of that page is what you need, in particular the DenyIfNotFolder part.

0

if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.

nurunnubi
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content