3 Answers
- Newest
- Most votes
- Most comments
0
Firstly, please edit your question to remove the bucket name (obfuscate it and call it something like mybucket instead).
Looking at the actions in the policy and cross-referencing with to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions
"Action": [ "s3:ListBucket"
grants permission to list some or all of the objects in an Amazon S3 bucket (which is what you want for the LIST)"Action": [ "s3:PutObject"
grants permission to add an object to a bucket (which I think you may also want for WRITE)"Action": [ "s3:GetObject"
grants permission to retrieve objects from Amazon S3 (which you don't want for GET)
Consider amending the policy to remove the GetObject permission.
0
if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.
answered 6 months ago
Relevant content
- asked 2 years ago
- asked a year ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 3 years ago
if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.
OK, it's actually more nuanced than that, the policy still need to maintain GetObject for prefixes (so, essentially, you can list the contents of folders), but not for objects (by which we mean files). See https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#write-only-access
This is exactly what you want isn't it? The policy fragment at the foot of that page is what you need, in particular the DenyIfNotFolder part.