使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

AWS Transfer Family - SFTP File Listing issue

0

We are working on migrating SFTP from Azure to AWS and have come across the following issue. we are looking a solution from expertise

Requirement:

  1. SFTP Users should not be permitted to create new folders/directories.
  2. SFTP users should not be able list files in a directory, only write files.

Using the IAM policy provided below, we are able to achieve the first but not the second requirement.

If we uncomment out the statement for 'DenyListingObject', we are able to deny listing files but are not unable to upload. Do you know how we can get #2 to work?

SFTP user Policy:

policy = jsonencode({ Statement = [ { Sid = "AllowListingOfUserFolder", Action = [ "s3:ListBucket", "s3:GetBucketLocation" ] Effect = "Allow" Resource = "arn:aws:s3:::${var.sftp_bucket_name}" }, { Sid = "InboundDirObjectAccess", Action = [ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion", ] Effect = "Allow" Resource = [ "arn:aws:s3:::${var.sftp_bucket_name}/*" ] },

    # {
    #     Sid = "DenyLisitingObject"
    #     Effect= "Deny",
    #     Action = [
    #         "s3:ListObject"
    #     ]
    #     Resource = "arn:aws:s3:::${var.sftp_bucket_name}/*/",
    #     Condition = {
    #         "StringLikeIfExists": {
    #             "s3:delimiter": ["/"]
    # }
    #     }

    #     },

 {
        Sid = "DenyCreattionFolder",
        Effect= "Deny",
        Action = "s3:PutObject",
        Resource= "arn:aws:s3:::${var.sftp_bucket_name}/*/",
        Condition = {
            "StringLikeIfExists": {
                "s3:delimiter": ["/"]
            }
        }
    }

]

}) }

主题
迁移与现代化安全、身份和合规性
标签
AWS Transfer FamilyIAM 策略
语言
English
nurunnubi
已提问 7 个月前443 查看次数
3 回答
0
已接受的回答

Transfer Family's current permission model does not support your need for write only access (#2). Can you send me a message at yoonmsuh@amazon.com so I can better understand your use case and raise a PFR on your behalf? Thank you

AWS
专家
AWSTransferFamily-SY
已回答 7 个月前
profile picture
专家
Giovanni Lauria
已审核 2 个月前
0

Thank you!! I already sent email to you about the details request. Let us know, if you need any more information.

nurunnubi
已回答 7 个月前
0

For write-only via Transfer Service, a workaround I've implemented is to use KMS encryption on the bucket, but only grant "encrypt" to the key for the role used.

While the IAM policy still has to have getobject permissions, the lack of "decrypt" on the key prevents downloading.

It would be nice if Transfer Service natively supported this. Without "GetObject" sftp users cannot list (despite having ListBucket), which we need.

Aaron Dodd
已回答 2 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容