Continuing How to restrict user access in AWS Transfer? ...

I want a multi-user SFTP system running out of a single bucket with directory structure of:

/my-bucket/user/user       - user can: list
                    /in/   - user can: list get put
                    /out/  - user can: list get

I have an S3 bucket where I create the folder for the user and the in/ out/ subdirs.

My problem now is that I can only make my policies work correctly for the first user I created. The rest end up with permission problems, unless I remove the down-scoping policy, in which case they have too many privileges.

My bucket is a default S3 with no configuration. It is not public at all.

My base role policy is this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

My down-scope policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:HomeFolder}/*",
                        "${transfer:HomeFolder}"
                    ]
                }
            }
        },
        {
            "Sid": "InDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/in/*"
        },
        {
            "Sid": "OutDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:GetObjectACL"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/out/*"
        }
    ]
}

The logs aren't helping much with this unfortunately. They're just saying "Permission Denied."
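As an added example (not part of the question), here is a small offline evaluator for the down-scope policy above, reduced to the statements and actions the question discusses. It expands the `${transfer:*}` variables for a session and checks whether an Allow statement, including the `StringLike` condition on `s3:prefix`, matches a request. The sample sessions `JOEL` and `ERIC` are constructed, and the expansion of `${transfer:HomeDirectory}` to `<bucket>/<folder>` without a leading slash is an assumption taken from the AWS documentation examples.

```python
import fnmatch

# Added example (not code from the question): an offline evaluator for the
# scope-down policy above, reduced to the statements and actions discussed.
# It handles Allow statements, wildcard Action/Resource matching and the
# StringLike s3:prefix condition, nothing more. Assumption (as in the AWS
# docs examples): ${transfer:HomeDirectory} expands to "<bucket>/<folder>".
SCOPE_DOWN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
     "Condition": {"StringLike": {"s3:prefix": [
         "${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}}},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/in/*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/out/*"}]}

# Constructed sample sessions: HomeFolder is the key prefix, no slashes.
JOEL = {"bucket": "my-bucket", "folder": "joel"}
ERIC = {"bucket": "my-bucket", "folder": "eric"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def expand(template, session):
    """Substitute the transfer:* policy variables for one user session."""
    bucket, folder = session["bucket"], session["folder"]
    return (template.replace("${transfer:HomeBucket}", bucket)
            .replace("${transfer:HomeFolder}", folder)
            .replace("${transfer:HomeDirectory}", f"{bucket}/{folder}"))

def _glob_any(value, patterns, session):
    # IAM treats '*' and '?' as wildcards; fnmatchcase does the same.
    return any(fnmatch.fnmatchcase(value, expand(p, session)) for p in patterns)

def is_allowed(policy, session, action, key=None, prefix=None):
    """True if an Allow statement grants `action` on bucket `prefix` or object `key`."""
    resource = f"arn:aws:s3:::{session['bucket']}" + (f"/{key}" if key else "")
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not _glob_any(action, _as_list(st["Action"]), session):
            continue
        if not _glob_any(resource, _as_list(st["Resource"]), session):
            continue
        wanted = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        # A StringLike condition on s3:prefix fails when no prefix is sent.
        if wanted is not None and (prefix is None
                                   or not _glob_any(prefix, _as_list(wanted), session)):
            continue
        return True
    return False
```

Running it for `ERIC` against a key under `joel/in/` returns False, and a PutObject into `joel/out/` for `JOEL` also returns False, which is the least-privilege result the directory layout asks for.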

  • I wonder if you just need to add another "Condition": { "StringLike": { "s3:prefix": [ "${transfer:HomeFolder}/in", "${transfer:HomeFolder}/in/*" and then turn around and do the same thing for the "out". I'm not 100% certain the 'Home' named variables or the 'prefix' part for this is correct in this comment example either, but maybe add a conditional for the subdirectories you are also restricting per explicit permission allow rules. Let me know what you think or if that gives you another idea. Commented Oct 29, 2020 at 21:37
  • But could that cause the erratic behavior? Sometimes it works and sometimes it doesn't. Is Transfer stable?
    – joel3000
    Commented Oct 30, 2020 at 3:05
  • Can you tell me the username of one of the ones where it does not work? Can you tell me the name of that user account's home directory? Can you also tell me, for the first one you created, both the username and the home directory folder name for that user? Commented Oct 30, 2020 at 3:11
  • It works intermittently. Homefolder was /my-bucket/joel/ and /my-bucket/eric/.
    – joel3000
    Commented Oct 30, 2020 at 3:16
  • First one created was 'joel' account.
    – joel3000
    Commented Oct 30, 2020 at 3:51
