How to create an S3 policy that allows a user to only connect and upload files?

0

I want my manager to be able to connect and upload to our S3 bucket via an FTP client. (but can't DELETE anything) So, I created a manager user group and policy, then assigned it. However, I get an error when I try to connect.

How can I write the S3 policy so the user can only connect and write but not delete any files?

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowS3AccessForFTP", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::image.k-sale.com", "arn:aws:s3:::image.k-sale.com/*" ] } ] }

질문됨 7달 전368회 조회
2개 답변
1

Hello.

First, I don't think it's possible to connect to S3 directly via SFTP or similar.
I think you need to set up Transfer Family to access S3 with SFTP.
https://docs.aws.amazon.com/transfer/latest/userguide/what-is-aws-transfer-family.html

If you use WinSCP etc., you can connect like SFTP. (Actually, WinSCP handles access using AWS API rather than SFTP)
https://winscp.net/eng/docs/guide_amazon_s3

Looking at the bucket policy, it doesn't include "Deleteobject", so I think the policy does not allow you to delete objects.
Therefore, I think that the problem with not being able to connect is not the bucket policy, but the IAM user's IAM policy or connection method.

profile picture
전문가
답변함 7달 전
profile picture
전문가
검토됨 7달 전
0

I believe that's the identity-based policy attached to the IAM user group that you described. You will need to separate the action s3:ListAllMyBuckets into its own policy statement with "Resource": "*" as its target. That permission doesn't apply to any individual bucket but rather allows the user to obtain a list of all the S3 buckets in the local account. Currently, you're restricting the permission to the individual bucket, which will never get hit.

As Riku Kobayashi pointed out, your policy already doesn't include the s3:DeleteObject, s3:DeleteObjectVersion, or s3:PutLifecycleConfiguration permissions, so the user won't be able to delete anything in the bucket, unless the bucket policy (which can add to the permissions assigned here) grants that right.

전문가
답변함 7달 전
profile picture
전문가
검토됨 7달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠