I'm trying to set up AWS Transfer to host multiple user accounts like:

/my-bucket/<username>

I've defined a base role and a down-scoping role but it's not working to restrict access to only the user's personal home directory and the users are still able to move about in the bucket.

I need to prevent users from being able to see other users' home directory data. I read something about doing a chroot, but I'm using Transfer users and I'm not even sure that's applicable in my case.

I'm hoping someone here can help me get this figured out or tell me what I'm doing wrong to get it fixed the way I need it to work. Below are the role configurations I've defined.

I have a base role of:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-bucket"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

And a downscoping role of

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListHomeDir",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}/${transfer:UserName}"
        },
        {
            "Sid": "AWSTransferRequirements",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}

According to the AWS Create a scope-down policy documentation and their example provided, it seems you need to utilize and structure the configuration differently but similar to their example with "Sid": "AllowListingOfUserFolder" per that guidance.

I've quoted and referenced the specific parts of the post that should help you better determine how to structure the JSON configuration to get the desired result just as their example there provides.

Create a scope-down policy

A scope-down policy is an AWS Identity and Access Management (IAM) policy that restricts users to certain portions of an Amazon S3 bucket. It does so by evaluating access in real time.

You can use a scope-down policy when you need to give the same access to a group of users to a particular portion of your Amazon S3 bucket. For example, a group of users might need access to only the home directory. That group of users share the same IAM role.

To create a scope-down policy, use the following policy variables in your IAM policy:

  • ${transfer:HomeBucket}

  • ${transfer:HomeDirectory}

  • ${transfer:HomeFolder}

  • ${transfer:UserName}

An example of a scope-down policy is shown in the code example following.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "AllowListingOfUserFolder",
          "Action": [
              "s3:ListBucket"
          ],
          "Effect": "Allow",
          "Resource": [
              "arn:aws:s3:::${transfer:HomeBucket}"
          ],
          "Condition": {
              "StringLike": {
                  "s3:prefix": [
                      "${transfer:HomeFolder}/*",
                      "${transfer:HomeFolder}"
                  ]
              }
          }
      },
      {
          "Sid": "HomeDirObjectAccess",
          "Effect": "Allow",
          "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:DeleteObjectVersion",
              "s3:DeleteObject",
              "s3:GetObjectVersion",
              "s3:GetObjectACL",
              "s3:PutObjectACL"
          ],
          "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
       }
  ]
}

(source: AWS Transfer documentation, "Create a scope-down policy")
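To make the difference between the two ListBucket statements concrete, here is a small offline evaluator for exactly the subset of IAM semantics these policies use (Allow statements, `*`/`?` globbing on Action and Resource, and `StringLike` conditions). This is an added example, not code from the question, the answer, or AWS; the session values for the user `alice` are constructed, and the `bucket/folder` shape assumed for `${transfer:HomeDirectory}` is an assumption. It shows why a ListBucket statement whose Resource is `bucket/username` never matches a real ListBucket request (that request is always made against the bucket ARN), why the `s3:prefix` condition is what actually confines listing to the home folder, and a caveat of the trailing `*` in `${transfer:HomeDirectory}*`: it also matches sibling folders that merely start with the same name.

```python
"""Offline evaluator for the scope-down policies discussed above (added example)."""
import re

# Constructed session values for a Transfer user named "alice" (assumed shapes).
CONTEXT = {
    "transfer:HomeBucket": "my-bucket",
    "transfer:HomeFolder": "alice",
    "transfer:HomeDirectory": "my-bucket/alice",
    "transfer:UserName": "alice",
}

# ListBucket statement as written in the question: the Resource is an object-style
# path, but a ListBucket request is evaluated against the bucket ARN itself.
QUESTION_LIST_STMT = {
    "Sid": "ListHomeDir",
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::${transfer:HomeBucket}/${transfer:UserName}",
}

# ListBucket statement from the AWS example: bucket ARN plus an s3:prefix condition.
DOC_LIST_STMT = {
    "Sid": "AllowListingOfUserFolder",
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
    "Condition": {"StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}},
}

# Object-level statement shared by both policies on the page.
OBJECT_STMT = {
    "Sid": "HomeDirObjectAccess",
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion",
               "s3:DeleteObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
}

QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [QUESTION_LIST_STMT, OBJECT_STMT]}
DOC_POLICY = {"Version": "2012-10-17", "Statement": [DOC_LIST_STMT, OBJECT_STMT]}


def glob_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character, rest literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def expand(value, ctx):
    """Substitute ${transfer:...} policy variables with the session's values."""
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value


def as_list(x):
    return x if isinstance(x, list) else [x]


def statement_allows(stmt, action, resource, request_keys, ctx):
    """True if this single Allow statement matches the request (only StringLike is modelled)."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(glob_match(a, action) for a in as_list(stmt["Action"])):
        return False
    if not any(glob_match(expand(r, ctx), resource) for r in as_list(stmt["Resource"])):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in keys.items():
            value = request_keys.get(key)
            # A condition key absent from the request (e.g. listing the bucket root
            # with no prefix) makes the condition false, so that listing is denied.
            if value is None:
                return False
            if not any(glob_match(expand(p, ctx), value) for p in as_list(patterns)):
                return False
    return True


def is_allowed(policy, action, resource, request_keys=None, ctx=CONTEXT):
    """Allow if any statement matches; there is no implicit allow."""
    request_keys = request_keys or {}
    return any(statement_allows(s, action, resource, request_keys, ctx) for s in policy["Statement"])


if __name__ == "__main__":
    bucket = "arn:aws:s3:::my-bucket"
    for name, policy in (("question", QUESTION_POLICY), ("aws-example", DOC_POLICY)):
        print(name, "list alice/:", is_allowed(policy, "s3:ListBucket", bucket, {"s3:prefix": "alice/"}))
        print(name, "list bob/:  ", is_allowed(policy, "s3:ListBucket", bucket, {"s3:prefix": "bob/"}))
        print(name, "get bob obj:", is_allowed(policy, "s3:GetObject", bucket + "/bob/report.csv"))
```

Running it shows that the question's ListBucket statement is inert (it allows nothing, so any listing the users see is coming from elsewhere, for example the base role alone), while the AWS example confines listing to `alice/`. The last check in the test below documents the trailing-`*` caveat: `my-bucket/alice*` also covers `my-bucket/alice-old/...`, so home folder names must not be prefixes of one another, or the object statement should be narrowed to `${transfer:HomeDirectory}/*`.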