I am stuck and not finding any documentation that helps with this. I set up logical directories for a user with the aws command line:
aws transfer --region us-east-1 update-user --user-name test1 \
--server-id "s-12345" \
--home-directory-type LOGICAL --home-directory-mappings '[{"Entry":"/types/emptytype", "Target":"/bucket/somedir/empty_dir"},{"Entry":"/types/standardevent", "Target":"/bucket/somedir/users/${transfer:UserName}"}]'
This works well. I can log in, see all the logical directories, and upload/download files. I want to restrict the user to be able to upload/download but not be able to delete files, unless it is in a special directory called OUT.
I am generally finding that if I set any sort of policy (in the above command line with --policy), no matter what it is, when I log in to test, I can ls -l at the root, but can't change to any other directories and see files. Why does this break? It seems like the documents say that policies can be mixed with logical directories, but all the examples are trivial and don't have multiple subdirs like mine above.
EDIT:
Setting a stupid policy:
aws transfer --region us-east-1 update-user --user-name test1 \
--server-id "s-12345" \
--policy '{"Version": "2012-10-17","Statement": {"Effect": "Allow","Action": "s3:ListBucket","Resource": "arn:aws:s3:::amzn-s3-demo-bucket"}}' \
--home-directory-type LOGICAL --home-directory-mappings '[{"Entry":"/types/emptytype", "Target":"/bucket/somedir/empty_dir"},{"Entry":"/types/standardevent", "Target":"/bucket/somedir/users/${transfer:UserName}"}]'
Breaks the SFTP:
sftp [email protected]
Connected to s-12345.server.transfer.us-east-1.amazonaws.com.
sftp> ls
types
sftp> cd types
sftp> ls
Couldn't read directory: Permission denied
Removing the policy restores working order:
sftp [email protected]
Connected to s-12345.server.transfer.us-east-1.amazonaws.com.
sftp> ls
types
sftp> cd types
sftp> ls
emptytype standardevent
sftp> cd standardevent
sftp> ls
1.tsv
2 Answers
try using aws s3api to check the bucket policy.
https://docs.aws.amazon.com/cli/latest/reference/s3api/ -> check the command for bucket policy here.
I believe something is missing in there that is causing permission denied.
I am running into the same issue, IAM policies that contain
${transfer:UserName}
break, but if I replace it with the actual username it works. Based on this question I don't think IAM policies on the transfer user role support variable interpolation. It looks like the recommendation is to remove these policies and rely on LOGICAL directories to chroot the user to just their specific folder. We weren't satisfied with that from a security perspective as we still wanted restrictive IAM policies on the user's role.
Instead, we had to create a policy per user that explicitly referenced their username without the interpolation variable. This ended up working!
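Added example (not code from the question or from either answer): a small Python checker that builds the kind of per-user session policy the second answer describes, with the user name written out literally, and evaluates it against the question's logical directory mappings for the access model the question asks for (upload and download in every logical directory, delete only inside OUT). It assumes the bucket is literally named `bucket` as in the mapping Targets, that OUT is a sub-folder under each logical directory (a hypothetical layout, since the question does not say where OUT lives), and it simplifies IAM evaluation to deny-overrides-allow with `*`/`?` wildcard matching and no Condition handling. Run as-is it also takes the one-statement policy from the EDIT and lists, per logical directory, which of the needed permissions that policy does not grant on the mapped bucket.

```python
"""Check an AWS Transfer Family session policy against a user's LOGICAL
home-directory mappings before attaching it with `aws transfer update-user`.
Added example, not code from the question or the answers. Assumes the bucket
is literally named "bucket" (as in the question's Targets), that the
delete-allowed folder is a sub-folder named OUT under each logical directory
(hypothetical layout), and a simplified IAM evaluation: explicit Deny wins,
otherwise any matching Allow grants, otherwise implicit deny; '*'/'?'
wildcards honoured, Condition blocks ignored.
"""
import json
import re

USER_VAR = "${transfer:UserName}"

# Constructed from the mappings in the question.
MAPPINGS = [
    {"Entry": "/types/emptytype", "Target": "/bucket/somedir/empty_dir"},
    {"Entry": "/types/standardevent", "Target": "/bucket/somedir/users/" + USER_VAR},
]

# The one-statement policy from the question's EDIT. Statement is a dict
# here, not a list; IAM accepts both, so the evaluator handles both.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"}}


def parse_target(target):
    """'/bucket/somedir/x' -> ('bucket', 'somedir/x')."""
    bucket, _, prefix = target.strip("/").partition("/")
    return bucket, prefix


def build_user_policy(user_name, mappings, out_dir="OUT"):
    """Session policy for one user with the name written out literally,
    the per-user approach the second answer reports as working."""
    buckets, objects, deletable = [], [], []
    for m in mappings:
        bucket, prefix = parse_target(m["Target"].replace(USER_VAR, user_name))
        bucket_arn = "arn:aws:s3:::" + bucket
        if bucket_arn not in buckets:
            buckets.append(bucket_arn)
        objects.append(f"{bucket_arn}/{prefix}/*")
        deletable.append(f"{bucket_arn}/{prefix}/{out_dir}/*")
    return {"Version": "2012-10-17", "Statement": [
        # s3:ListBucket is authorised on the bucket ARN, not on object ARNs
        {"Sid": "ListMappedBuckets", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": buckets},
        {"Sid": "UploadDownload", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": objects},
        {"Sid": "DeleteOnlyInOut", "Effect": "Allow",
         "Action": "s3:DeleteObject", "Resource": deletable},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """IAM-style wildcard match: '*' spans anything, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource):
    """Simplified IAM decision for one action on one resource ARN."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if not any(_glob_match(a, action) for a in _as_list(st.get("Action", []))):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        if st["Effect"] == "Deny":
            return False          # an explicit Deny overrides every Allow
        allowed = True
    return allowed


def check_policy(policy, mappings, user_name, out_dir="OUT"):
    """Return findings (empty list = policy matches the intended model):
    list + get + put on every logical directory, delete only under OUT."""
    findings = []
    for m in mappings:
        bucket, prefix = parse_target(m["Target"].replace(USER_VAR, user_name))
        bucket_arn = "arn:aws:s3:::" + bucket
        obj = f"{bucket_arn}/{prefix}/sample.tsv"            # representative object
        out_obj = f"{bucket_arn}/{prefix}/{out_dir}/sample.tsv"
        entry = m["Entry"]
        if not is_allowed(policy, "s3:ListBucket", bucket_arn):
            findings.append(f"{entry}: s3:ListBucket not allowed on {bucket_arn}")
        for action in ("s3:GetObject", "s3:PutObject"):
            if not is_allowed(policy, action, obj):
                findings.append(f"{entry}: {action} not allowed on {obj}")
        if is_allowed(policy, "s3:DeleteObject", obj):
            findings.append(f"{entry}: s3:DeleteObject allowed outside {out_dir}")
        if not is_allowed(policy, "s3:DeleteObject", out_obj):
            findings.append(f"{entry}: s3:DeleteObject not allowed inside {out_dir}")
    return findings


if __name__ == "__main__":
    policy = build_user_policy("test1", MAPPINGS)
    print(json.dumps(policy))          # value to pass as --policy '<json>'
    for line in check_policy(QUESTION_POLICY, MAPPINGS, "test1"):
        print("question's policy:", line)
    print("generated policy findings:", check_policy(policy, MAPPINGS, "test1"))
```

The JSON printed first is what goes into the `--policy` argument of the `update-user` command from the question, one policy per user as the answer above did. The checker is deliberately strict about the no-delete rule: a policy that grants `s3:*` or `s3:DeleteObject` on the whole user prefix is reported as allowing deletes outside OUT, which is exactly the case a session policy is meant to rule out.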