Getting access denied error for SFTP user


I am getting Access Denied for the user when WinSCP tries to list the directory structure: "Error listing directory '/.'"

I have the following policy for the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::BUCKET234"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::BUCKET234/*"
        }
    ]
}

This is the trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

There is no scope-down policy. What am I missing?

avijaws
Asked 3 years ago, viewed 6082 times

1 answer

Hello avijaws,

Based on the error provided, it looks like WinSCP is trying to list the root "/" and it is failing. If you are not using the restricted option (logical directories) for your user and you try to list the root "/", the operation will give an Access Denied if you do not have permission to list all the buckets (s3:ListAllMyBuckets).

In WinSCP, under Advanced Site Settings of your session -> Environment -> Directories, you can uncheck the option "Remember last used directory" and also clear the "Remote directory" field so it won't connect to "/".

Another option is to use logical directories, or the Restricted option if you are using the AWS Transfer console. Find your user, edit the configuration, select the bucket and optionally the home directory, and click the Restricted option. By doing that the user will be restricted (chroot) to their home folder, and when WinSCP tries to list the root "/" the content of the home directory will be listed, since the root will be mapped to /bucket/folder.

I hope the above information is helpful. Please feel free to write back if you still have issues.

Kind regards,
Panagiotis

Answered 3 years ago
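The two fixes the answer describes, worked through as an added example (this is not code from the original thread or from AWS). The first function is a deliberately minimal policy check that shows why the posted role policy cannot satisfy a listing of "/": nothing in it grants s3:ListAllMyBuckets on "*". The second widens the role (fix 1). The third builds the arguments for the Transfer update-user call that maps "/" to the user's own folder (fix 2, the logical-directory / Restricted option). The server ID "s-1234567890abcdef0" and the `${transfer:UserName}` target are assumptions for illustration; the bucket name BUCKET234 is the one from the question.

```python
"""Added example: why listing "/" fails for the posted role, and the two fixes.

Assumptions not in the original thread: the server ID and user name below are
placeholders, and the logical-directory target uses the ${transfer:UserName}
variable so one mapping serves every user on the server.
"""
import copy
import fnmatch
from typing import Any, Dict, List, Union

# The role policy exactly as posted in the question: ListBucket on BUCKET234
# and object access under it, but no statement whose Resource is "*".
POSTED_ROLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::BUCKET234"],
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion",
                       "s3:DeleteObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::BUCKET234/*",
        },
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allows_action(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """Does some Allow statement cover this action on this resource?

    Only '*' / '?' wildcards are honoured, which is all that is needed to show
    the gap for s3:ListAllMyBuckets. This is not a full IAM evaluator: no Deny,
    no Condition, no NotAction, no policy variables.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action, pat)
                        for pat in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource, pat)
                          for pat in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def with_list_all_buckets(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Fix 1: let the role list every bucket name in the account.

    s3:ListAllMyBuckets only supports Resource "*", so this is broader than the
    rest of the policy; it reveals bucket names, not their contents.
    """
    fixed = copy.deepcopy(policy)
    fixed["Statement"].append({
        "Sid": "AllowListingOfAllBuckets",
        "Effect": "Allow",
        "Action": "s3:ListAllMyBuckets",
        "Resource": "*",
    })
    return fixed


def logical_home_update(server_id: str, user_name: str, bucket: str) -> Dict[str, Any]:
    """Fix 2: map "/" to the user's folder so a listing of "/" never reaches S3 as
    a list-all-buckets call. Returns keyword arguments for
    boto3.client("transfer").update_user(**...). HomeDirectory must be left out
    when HomeDirectoryType is LOGICAL.
    """
    return {
        "ServerId": server_id,
        "UserName": user_name,
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryMappings": [
            # Entry is what the SFTP client sees; Target is /bucket/prefix in S3.
            {"Entry": "/", "Target": f"/{bucket}/${{transfer:UserName}}"},
        ],
    }


if __name__ == "__main__":
    print("posted policy allows ListAllMyBuckets:",
          allows_action(POSTED_ROLE_POLICY, "s3:ListAllMyBuckets", "*"))
    print("widened policy allows ListAllMyBuckets:",
          allows_action(with_list_all_buckets(POSTED_ROLE_POLICY), "s3:ListAllMyBuckets", "*"))
    # To apply fix 2 for real (needs credentials; placeholder server ID):
    #   import boto3
    #   boto3.client("transfer").update_user(
    #       **logical_home_update("s-1234567890abcdef0", "avijaws", "BUCKET234"))
    print(logical_home_update("s-1234567890abcdef0", "avijaws", "BUCKET234"))
```

Of the two, the logical-directory mapping is the least-privilege choice: the role keeps only the bucket-scoped permissions already in the question, and the user simply never sees a path outside `/BUCKET234/<username>`. Adding s3:ListAllMyBuckets instead works, but it exposes every bucket name in the account to every SFTP user who assumes that role.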
