3 回答
- 最新
- 投票最多
- 评论最多
0
Firstly, please edit your question to remove the bucket name (obfuscate it and call it something like mybucket instead).
Looking at the actions in the policy and cross-referencing with to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions
"Action": [ "s3:ListBucket"grants permission to list some or all of the objects in an Amazon S3 bucket (which is what you want for the LIST)"Action": [ "s3:PutObject"grants permission to add an object to a bucket (which I think you may also want for WRITE)"Action": [ "s3:GetObject"grants permission to retrieve objects from Amazon S3 (which you don't want for GET)
Consider amending the policy to remove the GetObject permission.
0
if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.
已回答 7 个月前
相关内容
AWS 官方已更新 6 个月前- AWS 官方已更新 3 年前
if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.
OK, it's actually more nuanced than that, the policy still need to maintain GetObject for prefixes (so, essentially, you can list the contents of folders), but not for objects (by which we mean files). See https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#write-only-access
This is exactly what you want isn't it? The policy fragment at the foot of that page is what you need, in particular the DenyIfNotFolder part.