I'm trying to set up AWS Transfer to host multiple user accounts like:
/my-bucket/<username>
I've defined a base role and a down-scoping role, but it's not working to restrict access to only the user's personal home directory, and the users are still able to move about in the bucket.
I need to prevent users from being able to see other users' home directory data. I read something about doing a chroot, but I'm using Transfer users and I'm not even sure that's applicable in my case.
I'm hoping someone here can help me get this figured out or tell me what I'm doing wrong so I can get it fixed the way I need it to work. Below are the role configurations I've defined.
I have a base role of:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
And a down-scoping role of:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListHomeDir",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${transfer:HomeBucket}/${transfer:UserName}"
    },
    {
      "Sid": "AWSTransferRequirements",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}
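As an added example (not part of the original post), the shape of a per-user session policy that confines listing to the home prefix, assuming each Transfer user's HomeDirectory is set to /my-bucket/<username>. The difference from the policy above: s3:ListBucket is authorized against the bucket ARN itself, so a Resource of bucket/username never matches; the listing restriction is expressed as a Condition on s3:prefix instead, and the object Resource ends in /* rather than * so that the prefix for alice does not also cover alice2.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${transfer:HomeFolder}/*",
            "${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"
    }
  ]
}
```

This document goes in the Transfer user's Policy field as the session policy while the base role stays as the user's Role; the effective permissions are the intersection of the two, so the base role keeps bucket-wide access and the session policy narrows it per user.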