0

Is it possible to give an SFTP user a write only access to a bucket?

  - Sid: AllowListingOfUserFolder
    Action:
      - s3:ListBucket
    Effect: Allow
    Resource: 
      - arn:aws:s3:::mybucket

  - Sid: HomeDirObjectAccess
    Action: 
      - s3:PutObject*
    Effect: Allow
    Resource: arn:aws:s3:::mybucket/*

I have this policy on my SFTP user's role right now, and it allows me to both see the contents of the bucket and put new files. But when I remove AllowListingOfUserFolder (s3:ListBucket) I cannot put files anymore.

What I need is a write-only bucket policy for the SFTP user I have. Am I missing anything, or is it actually impossible?

Tolga Evcimen

2 Answers

1

You aren't missing anything. In order to put an object/file into an S3 bucket via the Transfer server you need to give list-bucket access to the user; only then can the user put objects into your S3 directory.

However, you can attach the following policy to the user to allow specific Amazon S3 put permissions at the folder level (e.g. mybucket/in/*).

Example:
  - Sid: AllowListingOfUserFolder
    Action:
      - s3:ListBucket
    Effect: Allow
    Resource: 
      - arn:aws:s3:::mybucket

  - Sid: HomeDirObjectAccess
    Action: 
      - s3:PutObject*
    Effect: Allow
    Resource: arn:aws:s3:::mybucket/in/*

pooja singh
0

Using Transfer logical directories you can hide/rename bucket and folder names and even restrict users to very specific paths. If you combine those with the S3 permissions outlined in your post, you can limit clients exactly how you want.

For example, you cannot remove the bucket name using just a policy, but you can rename it with logical directories.

Example: [{"Entry": "/client-visible-landing-directory", "Target": "/my bucket/writeonlyfolder"}]

So when a client logged in and performed 'ls /', the client would see a folder named client-visible-landing-directory, but interacting with that directory would actually interact with the S3 URI my bucket/writeonlyfolder, except the client never sees any actual S3 folder names.

You can target any number of folders. Combining that with an S3 policy that only allows PutObject to that folder would create a write-only Transfer user. You can have many of these logical mappings, there

You can see more details and examples in the Logical directories blog post: https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/

  • Have you seen the policy I provided in the question? That does what you are suggesting, and it doesn't work. What @pooja says is the right answer here. – Tolga Evcimen Jun 14 '21 at 17:16
  • Hmm, not sure I follow. @pooja has the minimal permissions for S3 and using a folder to write. However, in that scenario the client can still see the bucket name. My comment points out that if you use his policy AND Transfer logical directory mappings, you can also hide the bucket and folder name. So clients can put a file in / and it shows up in my s3://bucket/in. – Justin Schoeff Jun 18 '21 at 13:23
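Putting the two answers together, here is an added example (not code from either answer or from AWS): a role policy that keeps the ListBucket permission the first answer says uploads require, narrows it with the s3:prefix condition key to the drop folder, grants only s3:PutObject on that folder, pairs it with a logical directory mapping like the second answer's, and a small linter that flags anything wider than write-only. The bucket name mybucket and folder in/ come from the answers; the Entry name "/upload" and the prefix-scoped listing are assumptions of this example.

```python
# Added example (not from the question or answers): a write-only role policy
# for an AWS Transfer Family SFTP user and a small linter for such policies.
# "mybucket" and the "in/" folder come from the answers; narrowing s3:ListBucket
# with the s3:prefix condition key is an assumption about the intended design.
BUCKET, FOLDER = "mybucket", "in"

WRITE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Listing is needed for uploads to succeed, but it is scoped to the
            # drop folder so the user cannot enumerate the rest of the bucket.
            "Sid": "AllowListingOfDropFolderOnly",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
            "Condition": {"StringLike": {"s3:prefix": [f"{FOLDER}/", f"{FOLDER}/*"]}},
        },
        {   # PutObject only: no Get/Delete, and no "s3:PutObject*" wildcard,
            # which would also grant s3:PutObjectAcl.
            "Sid": "DropFolderPutOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/{FOLDER}/*"],
        },
    ],
}

# Logical directory mapping for the same user (assumed Entry name): the client
# sees "/upload", backed by /mybucket/in, and never learns the real names.
HOME_DIRECTORY_MAPPINGS = [{"Entry": "/upload", "Target": f"/{BUCKET}/{FOLDER}"}]


def write_only_violations(policy: dict) -> list:
    """Return the ways an Allow statement exceeds write-only (empty list = OK)."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            if "*" in action:
                problems.append(f"{stmt['Sid']}: wildcard action {action}")
            elif action.startswith(("s3:Get", "s3:Delete")):
                problems.append(f"{stmt['Sid']}: read/delete action {action}")
            elif action == "s3:ListBucket" and "s3:prefix" not in str(stmt.get("Condition", {})):
                problems.append(f"{stmt['Sid']}: bucket-wide listing (no s3:prefix condition)")
    return problems
```

Run against the policy from the question, the linter reports the bucket-wide listing and the PutObject* wildcard; against WRITE_ONLY_POLICY it reports nothing.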