How to create an S3 policy that allows a user to only connect and upload files?

0

I want my manager to be able to connect and upload to our S3 bucket via an FTP client (but not be able to DELETE anything). So, I created a manager user group and policy, then assigned it. However, I get an error when I try to connect.

How can I write the S3 policy so the user can only connect and write but not delete any files?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3AccessForFTP",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::image.k-sale.com",
        "arn:aws:s3:::image.k-sale.com/*"
      ]
    }
  ]
}

Asked 7 months ago, 367 views
2 Answers
1

Hello.

First, I don't think it's possible to connect to S3 directly via SFTP or similar.
I think you need to set up Transfer Family to access S3 with SFTP.
https://docs.aws.amazon.com/transfer/latest/userguide/what-is-aws-transfer-family.html

If you use WinSCP etc., you can connect like SFTP. (Actually, WinSCP handles access using AWS API rather than SFTP)
https://winscp.net/eng/docs/guide_amazon_s3

Looking at the bucket policy, it doesn't include "DeleteObject", so I think the policy does not allow you to delete objects.
Therefore, I think that the problem with not being able to connect is not the bucket policy, but the IAM user's IAM policy or connection method.

EXPERT
answered 7 months ago
EXPERT
verified 7 months ago
0

I believe that's the identity-based policy attached to the IAM user group that you described. You will need to separate the action s3:ListAllMyBuckets into its own policy statement with "Resource": "*" as its target. That permission doesn't apply to any individual bucket but rather allows the user to obtain a list of all the S3 buckets in the local account. Currently, you're restricting the permission to the individual bucket, which will never get hit.

As Riku Kobayashi pointed out, your policy already doesn't include the s3:DeleteObject, s3:DeleteObjectVersion, or s3:PutLifecycleConfiguration permissions, so the user won't be able to delete anything in the bucket, unless the bucket policy (which can add to the permissions assigned here) grants that right.

EXPERT
answered 7 months ago
EXPERT
verified 7 months ago
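The two points made in this answer, as an added example that is not from re:Post or either answerer: a small Python check that reports account-level actions (s3:ListAllMyBuckets) scoped to a bucket ARN, where they never match, flags any delete-capable action the answers name, and rewrites the policy so s3:ListAllMyBuckets gets its own statement with "Resource": "*". The input is the policy from the question; the function names and the AllowListAllBuckets Sid are assumptions.

```python
import copy
import json

# Constructed sample: the questioner's policy, with s3:ListAllMyBuckets scoped to one bucket.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowS3AccessForFTP",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:GetObjectAcl",
                   "s3:PutObjectAcl", "s3:ListAllMyBuckets", "s3:GetBucketLocation"],
        "Resource": ["arn:aws:s3:::image.k-sale.com", "arn:aws:s3:::image.k-sale.com/*"],
    }],
}

# Account-level action that only works against "Resource": "*" (the one the answer names).
ACCOUNT_LEVEL_ACTIONS = {"s3:ListAllMyBuckets"}
# Actions the answers call out as granting delete capability.
DELETE_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutLifecycleConfiguration"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_misscoped_actions(policy):
    """Account-level actions that sit in an Allow statement restricted to specific ARNs."""
    found = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or _as_list(st.get("Resource", [])) == ["*"]:
            continue
        found += [a for a in _as_list(st["Action"]) if a in ACCOUNT_LEVEL_ACTIONS]
    return found

def find_delete_actions(policy):
    """Allowed actions that can delete objects; should be empty for an upload-only user."""
    return sorted(a for st in policy["Statement"] if st.get("Effect") == "Allow"
                  for a in _as_list(st["Action"]) if a in DELETE_ACTIONS)

def split_account_level_actions(policy):
    """Move account-level actions into their own statement targeting "Resource": "*"."""
    fixed = copy.deepcopy(policy)
    moved = []
    for st in fixed["Statement"]:
        actions = _as_list(st["Action"])
        moved += [a for a in actions if a in ACCOUNT_LEVEL_ACTIONS]
        st["Action"] = [a for a in actions if a not in ACCOUNT_LEVEL_ACTIONS]
    fixed["Statement"] = [st for st in fixed["Statement"] if st["Action"]]  # drop emptied ones
    if moved:  # hypothetical Sid, chosen for this example
        fixed["Statement"].append({"Sid": "AllowListAllBuckets", "Effect": "Allow",
                                   "Action": sorted(set(moved)), "Resource": "*"})
    return fixed

if __name__ == "__main__":
    print(json.dumps(split_account_level_actions(ORIGINAL_POLICY), indent=2))
```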
