AWS SFTP Transfer Family - Session policies - amazon-s3

I have setup a AWS SFTP server with custom api gateway identity provider. The user is created as SFTP/username in secrets manager with following key, value pairs -
Password: <passwordvalue>
Role: <roleARN> // roleARN policy is as follows
HomeDirectory: /<s3bucketname>/<username>
The roleARN's policy is as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserToSeeBucketContents",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:ListBucketVersions",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::<s3bucketname>"
},
{
"Sid": "AllUserReadAccessInUserFolder",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/*"
]
},
{
"Sid": "AllUserFullAccessForToFolders",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/To/*"
]
},
{
"Sid": "AllUserReadAccessForFromFolders",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/From/*"
]
},
{
"Sid": "DenyUserFromDeletingStandardFolders",
"Action": [
"s3:DeleteObject"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::<s3bucketname>/<username>/To/",
"arn:aws:s3:::<s3bucketname>/<username>/From/"
]
}
]
}
With the current policy I have correct permissions for a specific user and the permissions/access is working as expected, but the problem is the hardcoded user in the policy.
I now have to create one more user for SFTP in secrets manager and was expecting to use the same IAM role what I have used for first user. I found that this can be achieved using session policies (https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html) that I can use same role/policy for multiple sftp users in secrets manager.
But I am having hard time getting it to work.
When I am replacing in the policy - the s3bucketname with ${transfer:HomeBucket}
and related values as mentioned in the session policies link above - I was expecting it to work, but I kept running into access denied issues when trying to list the s3 bucket contents via SFTP client.
Can someone help me understand what am I missing here, any help greatly appreciated.

Got to know that I need to use HomeDirectoryDetails instead of HomeDirectory the logical directory - https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/
Thanks.

Related

How to restrict the S3 buckets listing in the Visual Studio AWS explorer

I am setting up the AWS toolkit in the Visual Studio. I have created an IAM user which will be used for development.
But for the IAM user I have configured I am seeing that it cannot see the S3 buckets in the explorer. It gives "Access denied".
This is the custom role assigned to the IAM user:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListing",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::dev-buckets"
},
{
"Sid": "AllowReadWriteDel",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::dev-buckets/*"
}
]
}
The only way I can get it working is by adding "AmazonS3FullAccess" policy to the IAM user. But then it exposes all the buckets in the account. Not just the buckets meant for the developers.
Is it possible to do using a custom policy? I am a beginner.
You cannot only list specific bucket when trying to list buckets.
I think the following policy should help you out:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::dev-buckets",
"arn:aws:s3:::dev-buckets/*"
]
}
]
}

AWS restrict access to subfolder in s3

I am trying to restrict an IAM role to only be able to access a specific subfolder (key prefix) in an S3 bucket. Here's the policy JSON I'm using, but currently the user can still access other folders in the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::somebucket",
"arn:aws:s3:::somebucket/*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:ListBucketVersions",
"s3:ListBucketByTags",
"s3:GetBucketAcl"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::mybucket/datasets/company1/*"
]
}
]
}
Currently, using this role I can still do, e.g.
aws s3 cp s3://mybucket/datasets/company2/dataset.csv
and download the dataset. What am I doing wrong?
When I try and simulate the policy it seems to be correct (trying to getObject on mybucket/datasets/company2/dataset.csv fails implicitly, but this does not happen in practice. There are no other policies attached to this user.

s3cmd reporting Access Denied on user of account but not when using main account

We have two AWS accounts. We are using s3cmd to backup data from one s3 bucket to another.
The issue we have run into is this: The source bucket is public, and can be accessed by anybody without credentials. When we initiate the backup with s3cmd using one of the two master key pairs from the s3 bucket where want to put the backup files on it works flawlessly.
However, when we try to perform this same operation - this time using a user's key pair rather than the account's key pair (on the account where we are backing up the files to) we are given an access denied error.
Here is the command we run:
s3cmd -c /root/.s3cfgBackup sync s3://oldbucket/news/ s3://newbucket/Videos/
Here is the policy on the user that gets access denied
{
"Statement": [
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::newbucket",
"arn:aws:s3:::newbucket/*"
]
}
],
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}
Can anyone help me resolve this access denied issue? It would be greatly appreciated.
I would try changing the policy on that user this way:
{
"Statement": [
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::newbucket",
"arn:aws:s3:::newbucket/*"
]
}
],
"Statement": [
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::oldbucket",
"arn:aws:s3:::oldbucket/*"
]
}
],
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
}
]
}

Necessary s3cmd S3 permissions for PUT/Sync

In moving to AWS EC2, I want to restrict my instances' user permissions for good reason. One thing the instances need to do is access files on S3 and write files there. However, I cannot find any way to achieve this without giving all permissions to that user.
s3cmd allows me to call "ls" and "du" on the s3 buckets I gave the policy permission to, but always fails with a 403 error when trying to PUT/sync with one of these folders. If I use my root credentials, the transfer goes right through.
So, I don't get why if I give all permissions to the user for said buckets, it cannot PUT, but if I give it arn:aws:s3:::* (all buckets) then it can. Makes no sense to me.
Anyone else ever dealt with this before?
Try something like this. I think the problem is that you need s3:ListAllMyBuckets and s3:ListBuckets for the s3cmd to work. Not sure why but it wont work unless it can get a list of the buckets. I had the same problem the first time i tried to use permissions with s3cmd and this was the solution.
{
"Statement": [
{
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
},
{
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket/path",
"arn:aws:s3:::bucket/path/*"
]
}
]
}
Edit I've added the s3:PutObjectAcl action which is required for newer versions of s3cmd as stated by Will Jessop below.
bwight's answer is almost right (it probably used to be for older versions of s3cmd), but I need to add a s3:PutObjectAcl to get it to work:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt123456",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "Stmt123457",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::bucketname",
"arn:aws:s3:::bucketname/*"
]
}
]
}
I was trying to do big file uploads and the policy wasn't working well for me, I ended adding the next policy to the user:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1397834652000",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "Stmt1397834745000",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:PutObject",
"s3:GetObjectVersionAcl"
],
"Resource": [
"arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"
]
}
]
}
where my_bucket is the bucket where I need to manage files though s3cmd
In case you are giving access to a subfolder (as in the original answer of /bucket-name/path/) and not the entire bucket, the ListBucket action requires a bit more specificity:
{
"Sid": "AllowListingOfFilesInFolder",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"path/*"
]
}
}
}
I believe it works also with the original answer in case you provide access to the entire bucket.

Granular policy document permissions in AWS

I want to be able to allow users created through IAM to be able to view one specific bucket in the management console. Furthermore, I want to restrict it to a folder within the bucket, such that the permissions would be:
S3 Console access for my-bucket/folder/*
How would I do this using the policy generator? I currently have:
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
However, when I modify the Resource location -- arn:aws:s3:::my-bucket/folder -- it prevents the user from being able to use the console at all. Is this possible to do and what do I need to do to be able to fix this?
The policy for this reminded me of doing an Euler apporximation, but this is how I did it (with comments to explain):
{
"Statement": [
{ // first, allow unlimited access for S3
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{ // second, deny access to all buckets except for the particular bucket
"Action": [
"s3:*"
],
"Effect": "Deny",
"Resource": [
list-of-my-other-buckets
]
},
{ // third, since we've already given * permissions, the bucket has full
// permissions, and we need to restrcit all the permissions we don't want to give
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetBucketAcl",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetObjectAcl",
"s3:GetObjectVersion",
"s3:GetObjectVersionAcl",
"s3:PutBucketAcl",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment",
"s3:PutBucketVersioning",
"s3:PutObjectAcl",
"s3:PutObjectVersionAcl"
],
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
}
]
}