Tags: amazon-s3, amazon-iam, aws-iam-policy, aws-transfer-family, aws-sftp

AWS SFTP Transfer Family - Session policies


I have set up an AWS SFTP server with a custom API Gateway identity provider. The user is created as SFTP/username in Secrets Manager with the following key/value pairs:

Password:        <passwordvalue>
Role:            <roleARN>
HomeDirectory:   /<s3bucketname>/<username>

The roleARN's policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketContents",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:ListBucketVersions",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::<s3bucketname>"
    },
    {
      "Sid": "AllUserReadAccessInUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<s3bucketname>/<username>/*"
      ]
    },
    {
      "Sid": "AllUserFullAccessForToFolders",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<s3bucketname>/<username>/To/*"
      ]
    },
    {
      "Sid": "AllUserReadAccessForFromFolders",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<s3bucketname>/<username>/From/*"
      ]
    },
    {
      "Sid": "DenyUserFromDeletingStandardFolders",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<s3bucketname>/<username>/To/",
        "arn:aws:s3:::<s3bucketname>/<username>/From/"
      ]
    }
  ]
}

With the current policy I have the correct permissions for a specific user, and the permissions/access work as expected, but the problem is the hardcoded user in the policy.

I now have to create one more SFTP user in Secrets Manager and was expecting to use the same IAM role that I used for the first user. I found that this can be achieved using session policies (https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html), so that I can use the same role/policy for multiple SFTP users in Secrets Manager. But I am having a hard time getting it to work.

When I replace the s3bucketname in the policy with ${transfer:HomeBucket} and the related values as described in the session policies link above, I expected it to work, but I keep running into access denied errors when trying to list the S3 bucket contents via an SFTP client.

Can someone help me understand what I am missing here? Any help is greatly appreciated.


Solution

  • Got to know that I need to use HomeDirectoryDetails (the logical directory) instead of HomeDirectory - https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/

    Thanks.
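A worked example, added here and not taken from the question, the answer or AWS, of what the custom identity provider can return once HomeDirectoryDetails is used: the same folder layout as the role policy above, but as a session policy built with ${transfer:UserName} so one IAM role serves every user, plus the LOGICAL home directory mapping that chroots the session. The bucket name, username and role ARN are constructed placeholders.

```python
import json

# Transfer Family caps the Policy field of a user/identity-provider response
MAX_SESSION_POLICY_CHARS = 2048
USER = "${transfer:UserName}"  # substituted by Transfer Family at session start


def build_session_policy(bucket: str) -> dict:
    """Same layout as the question's role policy, but with no hardcoded username.
    The bucket name is supplied by the identity provider (constructed placeholder)."""
    obj = f"arn:aws:s3:::{bucket}/{USER}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # s3:ListBucket is bucket-level; the s3:prefix condition keeps a user
                # from listing other users' folders even if the chroot is bypassed
                "Sid": "ListOwnFolderOnly", "Effect": "Allow", "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [USER, f"{USER}/*"]}}},
            {"Sid": "ReadOwnFolder", "Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"{obj}/*"},
            {"Sid": "ReadWriteToFolder", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
             "Resource": f"{obj}/To/*"},
            {"Sid": "DenyDeletingStandardFolders", "Effect": "Deny",
             "Action": "s3:DeleteObject",
             "Resource": [f"{obj}/To/", f"{obj}/From/"]},
        ],
    }


def build_transfer_response(bucket: str, username: str, role_arn: str) -> dict:
    """The JSON a custom identity provider returns to Transfer Family on successful auth."""
    policy = json.dumps(build_session_policy(bucket), separators=(",", ":"))
    if len(policy) > MAX_SESSION_POLICY_CHARS:
        raise ValueError("session policy too long for Transfer Family")
    return {
        "Role": role_arn,
        "Policy": policy,
        "HomeDirectoryType": "LOGICAL",
        # HomeDirectoryDetails chroots the session: "/" as seen by the SFTP client
        # maps to /<bucket>/<username>, so the user never sees other folders.
        "HomeDirectoryDetails": json.dumps(
            [{"Entry": "/", "Target": f"/{bucket}/{username}"}]),
    }


if __name__ == "__main__":
    # constructed sample values; a real Lambda reads them from Secrets Manager
    print(json.dumps(build_transfer_response(
        "example-bucket", "alice", "arn:aws:iam::123456789012:role/sftp-role"), indent=2))
```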