AWS File Transfer IAM Role Access.

Hi, I am trying to set up an AWS File Transfer SFTP server. Here are my requirements:

  1. Users must be authenticated via a third-party identity provider, which is Azure authentication in our case.
  2. Once a user has logged in they should see two folders in their home directory, i.e. {transfer:user}/folder1 and {transfer:user}/folder2.
  3. Users should be restricted to putting files in either folder1 or folder2, not in their home directory.
  4. Users should be able to download files only if a specific tag is set on the object in S3.

So far I am able to achieve steps 1 and 2. Step 1: custom authentication using a Lambda. Step 2: once the user has authenticated successfully, the Lambda creates folder1 and folder2 in their home directory. But when the user logs into their home directory they are not able to see folder1 and folder2, although I can see that the folders were created successfully in the S3 bucket.

Here is the IAM role attached to the Transfer server; I am not able to figure out what's wrong with it. Any help would be appreciated.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteS3",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ]
        },
        {
            "Sid": "DownloadAllowed",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/allowdownload": "yes"
                }
            }
        },
        {
            "Sid": "DownloadNotAllowed",
            "Effect": "Deny",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::s3-bucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/allowdownload": "no"
                }
            }
        },
        {
            "Sid": "DenyMkdir",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::s3-bucket/*/*/"
        }
    ]
}

Within the Lambda where user authentication happens, I am returning the user's home directory:

HomeDirectoryDetails = json.dumps([{"Entry": "/", "Target": "/s3-bucket/${transfer:UserName}"}])  # Transfer expects this field as a JSON string, together with HomeDirectoryType "LOGICAL"

I also tried the following, but with no luck:

HomeDirectoryDetails = json.dumps([{"Entry": "/folder1", "Target": "/s3-bucket/${transfer:UserName}/folder1"}, {"Entry": "/folder2", "Target": "/s3-bucket/${transfer:UserName}/folder2"}])

The user gets a permission denied error when trying to do "ls" in their home directory:

sftp> ls
Couldn't read directory: Permission denied
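The response a custom identity provider Lambda has to hand back to Transfer Family for a logical home directory, as an added example (Python, not code from the question or from AWS). The role ARN, the account id, the demo credential and the authenticate_with_idp stand-in for the Azure check are all assumptions; validate_transfer_response is a local helper, not an AWS API.

```python
import json
from typing import Any, Dict, List

# Constructed placeholders for this example; the account id and role name are assumptions.
BUCKET = "s3-bucket"
ROLE_ARN = "arn:aws:iam::123456789012:role/transfer-sftp-user-role"

# Constructed stand-in for the external IdP; the real handler would call Azure here.
_DEMO_USERS = {"alice": "correct horse battery staple"}


def authenticate_with_idp(username: str, password: str) -> bool:
    """Placeholder for the third-party (Azure) authentication call (assumption)."""
    return _DEMO_USERS.get(username) == password


def home_directory_details(username: str, bucket: str = BUCKET) -> List[Dict[str, str]]:
    """Logical mapping: the user's '/' is the '<username>/' prefix of the bucket.
    folder1/ and folder2/ show up in 'ls' once the 'folder1/' and 'folder2/'
    marker objects exist under that prefix."""
    return [{"Entry": "/", "Target": f"/{bucket}/{username}"}]


def build_transfer_response(username: str, role_arn: str = ROLE_ARN,
                            bucket: str = BUCKET) -> Dict[str, Any]:
    """Shape Transfer Family expects from a custom identity provider Lambda:
    HomeDirectoryDetails is a JSON *string*, and it only takes effect when
    HomeDirectoryType is LOGICAL."""
    return {
        "Role": role_arn,
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryDetails": json.dumps(home_directory_details(username, bucket)),
    }


def validate_transfer_response(resp: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the response is well formed."""
    problems: List[str] = []
    if not str(resp.get("Role", "")).startswith("arn:aws:iam::"):
        problems.append("Role must be an IAM role ARN")
    if resp.get("HomeDirectoryType") == "LOGICAL":
        details = resp.get("HomeDirectoryDetails")
        if not isinstance(details, str):
            problems.append("HomeDirectoryDetails must be a JSON string, not a list")
        else:
            mappings = None
            try:
                mappings = json.loads(details)
            except ValueError:
                problems.append("HomeDirectoryDetails is not valid JSON")
            if isinstance(mappings, list):
                for m in mappings:
                    entry, target = m.get("Entry", ""), m.get("Target", "")
                    if not (entry.startswith("/") and target.startswith("/")):
                        problems.append(f"Entry and Target must be absolute paths: {m}")
    elif "HomeDirectoryDetails" in resp:
        # HomeDirectoryType defaults to PATH, and PATH users ignore the mapping entirely.
        problems.append("HomeDirectoryDetails is ignored unless HomeDirectoryType is LOGICAL")
    return problems


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Custom IdP handler. Transfer passes username, password, protocol, serverId
    and sourceIp in the event; an empty dict tells Transfer the login failed."""
    username = event.get("username", "")
    if not authenticate_with_idp(username, event.get("password", "")):
        return {}
    resp = build_transfer_response(username)
    assert validate_transfer_response(resp) == [], "malformed response"
    return resp
```

validate_transfer_response catches the two response shapes that look right but never apply the mapping: HomeDirectoryDetails passed as a Python list instead of a JSON string, and HomeDirectoryType left unset so the user is treated as a PATH user.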
1 answer

Hello,

If you try to remove the condition "s3:ExistingObjectTag/allowdownload" from the "s3:GetObject" permission, are you still getting the "Permission Denied" error when listing?

AWS
answered 1 year ago
  • Hi @Aws-Adrian

    Thanks for the reply, and apologies for my late reply. I have a question: if I remove the condition, then any object would be downloadable, whereas I want only specifically tagged objects to be available for download.
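A way to answer the question in the exchange above offline, as an added example (Python, not code from the thread or from AWS): a small evaluator for the single-policy IAM decision (explicit Deny beats Allow, otherwise implicit deny), run against the role policy from the question. The listing and the tag-gated download statements are as posted; the PutObject statement is narrowed to the two per-user folders so that requirement 3 holds, and the explicit Deny for allowdownload=no is dropped because, with only this policy in play, the Allow already requires the tag to be yes. Object keys and the user name alice are constructed; the evaluator supports only the StringEquals operator this policy uses.

```python
import fnmatch
from typing import Any, Dict, List, Optional

BUCKET_ARN = "arn:aws:s3:::s3-bucket"

# Role policy from the question, with PutObject narrowed to the two per-user folders.
ROLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadWriteS3", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [BUCKET_ARN]},
        {"Sid": "PutInFoldersOnly", "Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": [BUCKET_ARN + "/*/folder1/*", BUCKET_ARN + "/*/folder2/*"]},
        {"Sid": "DownloadAllowed", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": [BUCKET_ARN + "/*"],
         "Condition": {"StringEquals": {"s3:ExistingObjectTag/allowdownload": "yes"}}},
        {"Sid": "DenyMkdir", "Effect": "Deny",
         "Action": "s3:PutObject",
         "Resource": BUCKET_ARN + "/*/*/"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM Action/Resource wildcards: '*' matches any run of characters (including '/'),
    # '?' exactly one. fnmatchcase behaves the same here because no ARN or key in
    # this example contains '[' characters.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    # A key missing from the request context makes StringEquals false, as in IAM.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if key not in ctx or ctx[key] not in _as_list(wanted):
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             ctx: Optional[Dict[str, str]] = None) -> str:
    """Single-policy evaluation: an explicit Deny wins over any Allow; with no
    matching statement the result is the implicit deny."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def object_arn(key: str) -> str:
    return f"{BUCKET_ARN}/{key}"


def sftp_ls() -> str:
    """'ls' in the home directory is ListBucket on the bucket ARN. Object tags play
    no part in it, so the allowdownload condition cannot be what blocks the listing."""
    return evaluate(ROLE_POLICY, "s3:ListBucket", BUCKET_ARN)


def sftp_get(key: str, tag_value: Optional[str] = None) -> str:
    ctx = {} if tag_value is None else {"s3:ExistingObjectTag/allowdownload": tag_value}
    return evaluate(ROLE_POLICY, "s3:GetObject", object_arn(key), ctx)


def sftp_put(key: str) -> str:
    """SFTP 'put' is PutObject on the key; 'mkdir' is PutObject on a key ending in '/'."""
    return evaluate(ROLE_POLICY, "s3:PutObject", object_arn(key))


if __name__ == "__main__":
    print("ls           ->", sftp_ls())
    print("get tagged   ->", sftp_get("alice/folder1/report.csv", "yes"))
    print("get untagged ->", sftp_get("alice/folder1/report.csv"))
    print("put folder1  ->", sftp_put("alice/folder1/upload.bin"))
    print("put home dir ->", sftp_put("alice/upload.bin"))
    print("mkdir        ->", sftp_put("alice/folder1/new/"))
```

sftp_ls() comes back Allow with or without the tag condition present, which is the point of the exchange above: the condition only constrains GetObject, and the listing failure has to come from somewhere else (the home directory mapping or the role the session actually assumed). Removing the condition would, as the comment says, make every object downloadable, so it is a diagnostic step, not a fix.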
