How to Write a Session Policy for Transfer Family Users When Using a Logical Directory


I want to use Transfer Family's logical directory to connect two S3 buckets, test-transferfamily-demo and sftp-demo2. I created a user using AWS CLI with the command below:

aws transfer create-user --user-name user1 --server-id s-xxxxxxxxxxdb --role arn:aws:iam::xxxxxxxxxxx:role/iam-role --home-directory-type LOGICAL `
--home-directory-mappings '[{\"Entry\":\"/bucket1\", \"Target\":\"/test-transferfamily-demo/user1\"}, {\"Entry\":\"/bucket2\", \"Target\":\"/sftp-demo2/user1\"}]' `
--ssh-public-key-body (Get-Content -Raw id_rsa.pub)

Regarding the structure of each S3 bucket, each user has their own named folder (for example, user1 should only be able to access the user1 folder under each S3 bucket), and I want to use a session policy to ensure that every user can only access their own folder. Therefore, I created a session policy like the one below:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "s3:ListBucket",
			"Resource": [
				"arn:aws:s3:::test-transferfamily-demo",
				"arn:aws:s3:::sftp-demo2"
			],
			"Condition": {
				"StringLike": {
					"s3:prefix": [
						"${transfer:UserName}/*",
						"test-transferfamily-demo/${transfer:UserName}/*",
						"sftp-demo2/${transfer:UserName}/*"
					]
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:PutObject",
				"s3:DeleteObject"
			],
			"Resource": [
				"arn:aws:s3:::test-transferfamily-demo/${transfer:UserName}/*",
				"arn:aws:s3:::sftp-demo2/${transfer:UserName}/*"
			]
		}
	]
}

When I log in to the SFTP server, it tells me that I do not have access permission for /bucket1 and /bucket2. Please provide information on how to write the correct session policy for this situation.

1 Answer

For the s3:ListBucket action, I think you also need to permit the prefix without the trailing /. I suggest you try including both the /* form that you have now, and also the same without /* at the end to allow the folder name without a trailing slash:

{
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": [
        "arn:aws:s3:::test-transferfamily-demo",
        "arn:aws:s3:::sftp-demo2"
    ],
    "Condition": {
        "StringLike": {
            "s3:prefix": [
                "${transfer:UserName}",
                "${transfer:UserName}/*"
            ]
        }
    }
}
Leo K (EXPERT)
answered 2 months ago
reviewed 2 months ago
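To see what the two prefix conditions actually permit, here is an offline evaluator (an added example, not code from the question or from Leo K's answer). It substitutes ${transfer:UserName} the way Transfer Family does at session time and applies IAM StringLike wildcard rules (* matches any run of characters, including none; ? matches exactly one). The "original" policy is the question's policy reduced to its one effective prefix pattern; the "suggested" one adds the pattern without the trailing /*. Which exact prefix value Transfer Family sends for a logical-directory listing is not observed here; the script only shows that a bare `user1` prefix is denied by the first policy and allowed by the second, while `user2/` and an empty (whole-bucket) prefix stay denied in both.

```python
"""Offline evaluator for the s3:ListBucket prefix condition in a Transfer Family
session policy. Constructed example: it substitutes ${transfer:UserName} the way
Transfer Family does at session time and applies IAM StringLike wildcard rules
(* matches any run of characters, including none; ? matches exactly one).
Nothing here calls AWS."""
import json
import re

BUCKETS = ["test-transferfamily-demo", "sftp-demo2"]
USER_VAR = "${transfer:UserName}"


def build_session_policy(list_prefixes):
    """Session policy template; list_prefixes are the StringLike patterns for s3:prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": [f"arn:aws:s3:::{b}" for b in BUCKETS],
                "Condition": {"StringLike": {"s3:prefix": list_prefixes}},
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{b}/{USER_VAR}/*" for b in BUCKETS],
            },
        ],
    }


# The question's policy reduced to its effective prefix pattern, and the answer's variant.
ORIGINAL = build_session_policy([f"{USER_VAR}/*"])
SUGGESTED = build_session_policy([USER_VAR, f"{USER_VAR}/*"])


def as_list(value):
    return value if isinstance(value, list) else [value]


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, * and ? are the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def resolve(text, username):
    return text.replace(USER_VAR, username)


def list_bucket_allowed(policy, username, bucket, prefix):
    """Is s3:ListBucket on `bucket` with s3:prefix=`prefix` allowed for `username`?"""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "s3:ListBucket" not in as_list(stmt["Action"]):
            continue
        if not any(string_like(resolve(r, username), bucket_arn) for r in as_list(stmt["Resource"])):
            continue
        patterns = as_list(stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix", []))
        # A statement with no prefix condition would allow listing the whole bucket.
        if not patterns or any(string_like(resolve(p, username), prefix) for p in patterns):
            return True
    return False


def object_action_allowed(policy, username, bucket, key, action):
    """Is `action` (e.g. s3:GetObject) on s3://bucket/key allowed for `username`?"""
    obj_arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in as_list(stmt["Action"]):
            continue
        if any(string_like(resolve(r, username), obj_arn) for r in as_list(stmt["Resource"])):
            return True
    return False


def listing_checks(policy, username="user1", bucket="test-transferfamily-demo"):
    """Prefix values a directory listing might present, mapped to the policy's verdict."""
    prefixes = ["", username, f"{username}/", f"{username}/reports/", "user2/"]
    return {p: list_bucket_allowed(policy, username, bucket, p) for p in prefixes}


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(f"{name}: {listing_checks(policy)}")
    # The suggested policy as JSON, ready to pass to `aws transfer create-user --policy`.
    print(json.dumps(SUGGESTED, indent=2))
```

Running the script prints the verdict table for both variants followed by the suggested policy as JSON. The object-level statement is unchanged between the two: GetObject/PutObject/DeleteObject are only granted under `<bucket>/user1/`, so widening the listing condition to the bare folder name does not widen what the user can read or write.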
