使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

AWS File Transfer IAM Role Access.

0

Hi, I am trying to setup AWS File transfer SFTP server. Here is my requirement:

  1. User must be authenticated via third part identity provider which in Azure Authentication in our case.
  2. Once user logged in they should two folder in their homedirectory i.e. {transfer:user}/folder1 and {transfer:user}/folder2
  3. User should be restricted to put files in either folder1 or folder2, not in their home directory.
  4. User should be able download the files only if specific tag is set on object/files in S3

So far, I am able to achieve Step 1 and Step 2 -- Step 1 -- custom authentication using lambda. Step 2 -- Once user authenticated successfully, Lambda will create folder1 and folder2 in their homedirectory. But when user logged into their home-directory they are not able to see folder1 and folder2 in their homedirectory but I can see folders were created successfully in S3 bucket.

Here is IAM role attached to Transfer server and not able to figure out what's wrong with it. Any help would be appreciate.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteS3",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ]
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/allowdownload": "yes"
                }
            },
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Effect": "Allow",
            "Sid": "DownloadAllowed"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/allowdownload": "no"
                }
            },
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Effect": "Deny",
            "Sid": "DownloadNotAllowed"
        },
        {
            "Sid": "DenyMkdir",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::s3-bucket/*/*/"
        }
    ]
}

Within lambda where user authentication happens, I am returning user's homedirectory

HomeDirectoryDetails = [{"Entry":"/","Target":"/s3-bucket/${transfer:UserName}"}]

also tried below but no luck

HomeDirectoryDetails = = [{"Entry":"/folder1","Target":"/s3-bucket/${transfer:UserName}/folder1"},{"Entry":"/folder2","Target":"/s3-bucket/${transfer:UserName}/folder2"}]

User gets permission denied error when try to do "ls" in their home directory

sftp> ls
Couldn't read directory: Permission denied
主题
无服务器计算迁移与现代化安全、身份和合规性
标签
AWS LambdaAWS Transfer for SFTPAWS Transfer FamilyIAM 策略
语言
English
snowcoder_07
已提问 1 年前287 查看次数
1 回答
0

Hello,

If you try to remove the condition "s3:ExistingObjectTag/allowdownload" from the "s3:GetObject" permission, are you still getting the "Permission Denied" error when listing?

AWS
AWS-AdrianZ
已回答 1 年前
  • snowcoder_07
    1 年前

    Hi @Aws-Adrian

    Thanks for reply and apologies for late reply. I have question, if I remove condition, then any object would be downloadable whereas I want only specific tagged objects available to download.

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容