How to create an S3 policy that allows a user to only connect and upload files?

0

I want my manager to be able to connect and upload to our S3 bucket via an FTP client. (but can't DELETE anything) So, I created a manager user group and policy, then assigned it. However, I get an error when I try to connect.

How can I write the S3 policy so the user can only connect and write but not delete any files?

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowS3AccessForFTP", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:GetObjectAcl", "s3:PutObjectAcl", "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::image.k-sale.com", "arn:aws:s3:::image.k-sale.com/*" ] } ] }

已提問 7 個月前檢視次數 372 次
2 個答案
1

Hello.

First, I don't think it's possible to connect to S3 directly via SFTP or similar.
I think you need to set up Transfer Family to access S3 with SFTP.
https://docs.aws.amazon.com/transfer/latest/userguide/what-is-aws-transfer-family.html

If you use WinSCP etc., you can connect like SFTP. (Actually, WinSCP handles access using AWS API rather than SFTP)
https://winscp.net/eng/docs/guide_amazon_s3

Looking at the bucket policy, it doesn't include "Deleteobject", so I think the policy does not allow you to delete objects.
Therefore, I think that the problem with not being able to connect is not the bucket policy, but the IAM user's IAM policy or connection method.

profile picture
專家
已回答 7 個月前
profile picture
專家
已審閱 7 個月前
0

I believe that's the identity-based policy attached to the IAM user group that you described. You will need to separate the action s3:ListAllMyBuckets into its own policy statement with "Resource": "*" as its target. That permission doesn't apply to any individual bucket but rather allows the user to obtain a list of all the S3 buckets in the local account. Currently, you're restricting the permission to the individual bucket, which will never get hit.

As Riku Kobayashi pointed out, your policy already doesn't include the s3:DeleteObject, s3:DeleteObjectVersion, or s3:PutLifecycleConfiguration permissions, so the user won't be able to delete anything in the bucket, unless the bucket policy (which can add to the permissions assigned here) grants that right.

專家
已回答 7 個月前
profile picture
專家
已審閱 7 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南