Tags: amazon-s3, aws-sftp, aws-policies

Difference between transfer:HomeFolder and transfer:HomeDirectory in AWS policies


When creating a scope-down policy for users in an AWS Transfer SFTP server, one can use the policy variables ${transfer:HomeFolder} and ${transfer:HomeDirectory} in that policy, according to the documentation. However, I couldn't find any description of what the difference between the two is. Can someone explain, or link to relevant documentation?


Solution

  • The difference is kind of implied by the example on that page.

    ${transfer:HomeFolder} is just the key prefix (e.g., /my-folder/sub-folder), while ${transfer:HomeDirectory} also contains the bucket name (e.g., /my-bucket/my-folder/sub-folder).

    AWS Transfer for SFTP recently added support for Logical Home Directories, which you can use to provide a "chroot-like" behavior and lock down your users' access to a designated home folder. So if all you're trying to do is restrict a user to a single S3 folder, edit the user's profile in the AWS Transfer console and click the "Restricted" check box. Then you don't have to mess with scope-down policies at all.

    If you're using a custom IdP, follow this blog for a similar setup:

    https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/
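As an added illustration, not part of the question or the answer above, here is the shape of a scope-down policy that uses both variables, following the pattern in the AWS Transfer documentation. `${transfer:HomeFolder}` carries no bucket name, so it can only be used as a key prefix, which is exactly what the `s3:prefix` condition on `s3:ListBucket` needs. `${transfer:HomeDirectory}` includes the bucket name, so it can be placed directly into an S3 object ARN. `${transfer:HomeBucket}` is a third documented variable (just the bucket name) used for the bucket ARN; the `Sid` values are arbitrary labels chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${transfer:HomeFolder}/*",
            "${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"
    }
  ]
}
```

One thing to check when adapting this: the documentation's example writes the object resource as `arn:aws:s3:::${transfer:HomeDirectory}*` with no slash before the wildcard. If the substituted value has no trailing slash, that form also matches any sibling prefix that merely starts with the same string (a home of `home/alice` would match keys under `home/alice2/`). The `${transfer:HomeDirectory}/*` form used here only matches keys strictly beneath the user's folder; add `${transfer:HomeDirectory}` as a second resource if the folder key itself should also be accessible.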