When using the AWS console to configure a Transfer Family User for an sFTP server, there is a 'Restricted' checkbox that prevents the user from moving out of their home directory.
I am trying to configure a user with the Python CDK (v2.61), but there is no 'restricted' parameter. I've read online that using a home_directory_mapping in the following way when creating the user can achieve the same result:
    home_directory_mappings=[
        transfer.CfnUser.HomeDirectoryMapEntryProperty(
            entry="/",
            target="/<bucket_name>/<folder_name>"
        )
    ]
Unfortunately this does not seem to work - I am still able to cd .. and the 'Restricted' checkbox does not end up checked.
Does anyone know how to configure this option in CDK?
Since this is an L1 construct, it works exactly the same as in CloudFormation. Set the HomeDirectoryType to LOGICAL in order to get the chroot jail effect. You must also ensure that the directory exists first, otherwise the mapping has no effect.
In many cases, you'll want the attached policy to also prohibit access outside of desired S3 directories, which will also prevent access via cd .. even if you don't configure the chroot jail ("restricted") access.
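
An added example, not part of the question or the answer and not AWS's own code: plain Python that builds the CloudFormation properties described above together with a folder-scoped role policy, and audits a user definition for the missing setting. In CDK the same properties are the `home_directory_type` and `home_directory_mappings` keyword arguments of `transfer.CfnUser`; the function names are hypothetical, and the bucket, folder, server ID and role ARN are constructed placeholders.

```python
import json

def restricted_user_props(bucket, folder, server_id, user_name, role_arn):
    """CloudFormation properties for an AWS::Transfer::User confined to one folder."""
    return {
        "ServerId": server_id,
        "UserName": user_name,
        "Role": role_arn,
        # The mappings are only applied when the type is LOGICAL.
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryMappings": [{"Entry": "/", "Target": f"/{bucket}/{folder}"}],
    }

def scoped_role_policy(bucket, folder):
    """IAM policy for the user's role: listing and object access under the folder only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [folder, f"{folder}/*"]}}},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{folder}/*"},
        ],
    }

def audit_user(props):
    """Return the reasons a user definition is not confined to its mapping."""
    findings = []
    if props.get("HomeDirectoryType") != "LOGICAL":
        findings.append("HomeDirectoryType is not LOGICAL")
    mappings = props.get("HomeDirectoryMappings") or []
    if not any(m.get("Entry") == "/" for m in mappings):
        findings.append("no mapping with Entry '/'")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    props = restricted_user_props("example-bucket", "uploads/alice", "s-EXAMPLE",
                                  "alice", "arn:aws:iam::111122223333:role/example")
    print(json.dumps(props, indent=2))
    print(json.dumps(scoped_role_policy("example-bucket", "uploads/alice"), indent=2))
    # The question's configuration: mappings present, type left unset.
    print(audit_user({"HomeDirectoryMappings": props["HomeDirectoryMappings"]}))
```

Running `audit_user` over synthesized templates before deployment catches a user whose mapping is present but whose type was left at the default.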