3 Respuestas
- Más nuevo
- Más votos
- Más comentarios
0
Firstly, please edit your question to remove the bucket name (obfuscate it and call it something like mybucket instead).
Looking at the actions in the policy and cross-referencing with to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-actions-as-permissions
"Action": [ "s3:ListBucket"
grants permission to list some or all of the objects in an Amazon S3 bucket (which is what you want for the LIST)"Action": [ "s3:PutObject"
grants permission to add an object to a bucket (which I think you may also want for WRITE)"Action": [ "s3:GetObject"
grants permission to retrieve objects from Amazon S3 (which you don't want for GET)
Consider amending the policy to remove the GetObject permission.
0
if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.
respondido hace 8 meses
Contenido relevante
- OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace 3 años
if I remove "Action": [ "s3:GetObject" , in that case SFTP user of Transfer Family, Cannot connect with directory.
OK, it's actually more nuanced than that, the policy still need to maintain GetObject for prefixes (so, essentially, you can list the contents of folders), but not for objects (by which we mean files). See https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html#write-only-access
This is exactly what you want isn't it? The policy fragment at the foot of that page is what you need, in particular the DenyIfNotFolder part.