AWS Transfer for SFTP write only bucket access?


Is it possible to give an SFTP user a write only access to a bucket?

  - Sid: AllowListingOfUserFolder
    Action:
      - s3:ListBucket
    Effect: Allow
    Resource: 
      - arn:aws:s3:::mybucket

  - Sid: HomeDirObjectAccess
    Action: 
      - s3:PutObject*
    Effect: Allow
    Resource: arn:aws:s3:::mybucket/*

I have this policy on my SFTP user's role right now and it allows me to both see the contents of the bucket and put new files. But when I remove AllowListingOfUserFolder (s3:ListBucket) I cannot put files anymore.

What I need is a write-only bucket policy for the SFTP user I have. Am I missing anything, or is it actually impossible?

BEST ANSWER

You aren't missing anything. In order to put an object/file into an S3 bucket via the Transfer server you need to give the user list-bucket access; only then can the user put objects into your S3 directory.

However, you can attach the following policy to the user to allow specific Amazon S3 put permissions at the folder level (e.g. mybucket/in/*).

Example:
  - Sid: AllowListingOfUserFolder
    Action:
      - s3:ListBucket
    Effect: Allow
    Resource: 
      - arn:aws:s3:::mybucket

  - Sid: HomeDirObjectAccess
    Action: 
      - s3:PutObject*
    Effect: Allow
    Resource: arn:aws:s3:::mybucket/in/*

Using Transfer logical directories you can hide/rename buckets and folder names and even restrict users to very specific paths. If you combine those with S3 permissions outlined in your post, you can limit clients exactly how you want.

For example, you cannot remove the bucket name using just a policy, but you can rename it with logical directories.

Example: [{"Entry": "/client-visible-landing-directory", "Target": "/my bucket/writeonlyfolder"}]

So when a client logs in and performs `ls /`, the client would see a folder named client-visible-landing-directory, but interacting with that directory would actually interact with the S3 URI my bucket/writeonlyfolder, except the client never sees any actual S3 folder names.

You can target any number of folders. Combining that with an S3 policy that only allows PutObject to that folder would create a write-only Transfer user. You can have many of these logical mappings, there

You can see more details and examples in the Logical directories blog post: https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/
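Putting the two answers together (s3:ListBucket kept but confined to the drop folder, s3:PutObject only on that folder, and a logical directory mapping that hides the real names), as an added example that is not code from either answerer. It assumes bucket `mybucket`, folder `in`, a client-visible entry `/upload`, and a `StringLike` condition on `s3:prefix` for the listing statement; `is_allowed` is a deliberately simplified local model of Allow-only glob matching, not the IAM evaluation engine, so it is only a sanity check before deploying.

```python
import fnmatch
import json
from typing import Optional

# Constructed example values: the real bucket/folder names come from your account.
BUCKET = "mybucket"
FOLDER = "in"


def write_only_policy(bucket: str, folder: str) -> dict:
    """Transfer still needs s3:ListBucket, so keep it but restrict listing to the
    drop folder via s3:prefix; writes are limited to that folder and no
    Get/Delete permissions are granted at all."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowListingOfDropFolder", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"],
             "Condition": {"StringLike": {"s3:prefix": [f"{folder}/*"]}}},
            {"Sid": "DropFolderWriteOnly", "Effect": "Allow",
             "Action": ["s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/{folder}/*"]},
        ],
    }


def logical_mapping(bucket: str, folder: str) -> list:
    """HomeDirectoryMappings entry: the client sees /upload, never the bucket name."""
    return [{"Entry": "/upload", "Target": f"/{bucket}/{folder}"}]


def is_allowed(policy: dict, action: str, resource: str,
               prefix: Optional[str] = None) -> bool:
    """Simplified check (assumption: Allow-only statements, '*' globs on action
    and resource, optional StringLike on s3:prefix). Not real IAM semantics."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None and (prefix is None or not any(
                fnmatch.fnmatchcase(prefix, p) for p in wanted)):
            continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(write_only_policy(BUCKET, FOLDER), indent=2))
    print(json.dumps(logical_mapping(BUCKET, FOLDER)))
```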