Hi Everyone,
I’m trying to implement one use case as explained below.
- Expose SFTP to clients for sharing their files. They should get a username and password along with a key, so that they have both ways of authenticating.
- There should be a directory structure as below, and each user should have read/write access accordingly:
  SFTPBase/User1
    InBound
      Reports  (read and write for User1)
      RawData  (read and write for User1)
    OutBound
      Reports  (read only for User1)
  SFTPBase/User2
    InBound
      Reports  (read and write for User2)
      RawData  (read and write for User2)
    OutBound
      Reports  (read only for User2)
- In addition to the client users there must be one admin user who has full access to all files and folders under the SFTPBase location.
- User1, User2, etc. must land in their own folders and cannot navigate outside them.
I’ve created the resources below for this purpose, but while uploading files from WinSCP using User1 and User2 I’m facing an issue: it is not allowing me to upload files.
--SFTP-User-Role (Policy)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::mybucket"
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:PutObjectRetention",
        "s3:DeleteObjectVersion",
        "s3:GetObjectAttributes",
        "s3:PutObjectLegalHold",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::mybucket/sftpbase/${transfer:UserName}/*"
    }
  ]
}
Created User1 and User2 as SFTP users from the console.
# Note: bash and PowerShell treat ${transfer:UserName} inside double quotes as a shell variable reference and expand it
# before the AWS CLI sees it, so the mapping JSON is single-quoted here. (Windows cmd does no such expansion.)
aws transfer update-user --user-name User1 --server-id s-3e2b898988a1244ad8 --role arn:aws:iam::324523525324:role/SFTP-User-Role --home-directory-type LOGICAL --home-directory-mappings '[{"Entry":"/${transfer:UserName}","Target":"/mybucket/sftpbase/${transfer:UserName}"}]'
aws transfer update-user --user-name User2 --server-id s-3e2b898988a1244ad8 --role arn:aws:iam::324523525324:role/SFTP-User-Role --home-directory-type LOGICAL --home-directory-mappings '[{"Entry":"/${transfer:UserName}","Target":"/mybucket/sftpbase/${transfer:UserName}"}]'
I’m able to connect from WinSCP using User1 and User2, but I am not able to upload files.
Please guide me on what is required, or what I’m doing incorrectly.
Regards,
Manoj
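The layout described in the post, worked through as an added example (not code from the original post, and not AWS's own sample policy): a per-user policy that confines listing to the user's own prefix and makes OutBound/ read-only with an explicit Deny, an admin policy with full object access under sftpbase/, a logical home-directory mapping that lands the user at their own folder as "/", and a small local evaluator to check the policies offline before attaching them. The evaluator models only the IAM rules needed here (explicit Deny beats Allow, "*" wildcards in Action/Resource, StringLike conditions) and is not IAM itself; the bucket name, prefix, server ID, account ID and role name are assumed placeholders.

```python
# Added example, not part of the original post. BUCKET, BASE, the usernames,
# server ID, account ID and role name below are assumed placeholders.
import fnmatch
import json

BUCKET = "mybucket"                 # assumed bucket name (as in the post)
BASE = "sftpbase"                   # assumed prefix holding SFTPBase/<user>
USER_VAR = "${transfer:UserName}"   # IAM policy variable Transfer Family fills in


def user_policy():
    """Client user: read/write under own prefix, read-only under OutBound/,
    listing confined to own prefix."""
    home = f"arn:aws:s3:::{BUCKET}/{BASE}/{USER_VAR}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "GetBucketLocation", "Effect": "Allow",
             "Action": "s3:GetBucketLocation", "Resource": f"arn:aws:s3:::{BUCKET}"},
            {"Sid": "ListOwnPrefixOnly", "Effect": "Allow",
             "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}",
             # Without this condition every user could list every other user's folder.
             "Condition": {"StringLike": {"s3:prefix": [f"{BASE}/{USER_VAR}",
                                                        f"{BASE}/{USER_VAR}/*"]}}},
            {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
                        "s3:DeleteObject", "s3:DeleteObjectVersion"],
             "Resource": f"{home}/*"},
            # An explicit Deny overrides the Allow above, so OutBound/ stays read-only.
            {"Sid": "OutBoundIsReadOnly", "Effect": "Deny",
             "Action": ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"],
             "Resource": f"{home}/OutBound/*"},
        ],
    }


def admin_policy():
    """Admin role: full object access under every user's folder."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListAll", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{BUCKET}"},
            {"Sid": "AllObjects", "Effect": "Allow", "Action": "s3:*Object*",
             "Resource": f"arn:aws:s3:::{BUCKET}/{BASE}/*"},
        ],
    }


def home_directory_mappings(username):
    """Logical mapping that makes /<bucket>/<base>/<user> the user's root ("/"),
    so the user lands in their own folder and cannot navigate above it. The
    username is rendered literally, which sidesteps shell expansion of
    ${transfer:UserName} inside double-quoted CLI arguments."""
    return [{"Entry": "/", "Target": f"/{BUCKET}/{BASE}/{username}"}]


def update_user_argv(server_id, role_arn, username):
    """argv for `aws transfer update-user`, built without any shell quoting."""
    return ["aws", "transfer", "update-user", "--server-id", server_id,
            "--user-name", username, "--role", role_arn,
            "--home-directory-type", "LOGICAL",
            "--home-directory-mappings", json.dumps(home_directory_mappings(username))]


def render(policy, username):
    """Substitute ${transfer:UserName} the way IAM does at evaluation time."""
    return json.loads(json.dumps(policy).replace(USER_VAR, username))


def _any_match(patterns, value):
    # IAM "*" matches any characters (including "/"), which fnmatch also does.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, username, action, resource, context=None):
    """Simplified IAM decision: a matching Deny wins, else a matching Allow
    permits, else implicit deny. `context` carries condition keys (s3:prefix)."""
    context = context or {}
    allowed = False
    for stmt in render(policy, username)["Statement"]:
        if not _any_match(stmt["Action"], action) or not _any_match(stmt["Resource"], resource):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        # A context key that is absent never satisfies StringLike, as in IAM.
        if not all(k in context and _any_match(p, context[k]) for k, p in conditions.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(render(user_policy(), "User1"), indent=2))
    print(" ".join(update_user_argv("s-0123456789abcdef0",          # assumed server ID
                                    "arn:aws:iam::123456789012:role/SFTP-User-Role",
                                    "User1")))
```

Two practical points when applying this: the admin user gets its own role with admin_policy() and a mapping of "/" to "/mybucket/sftpbase", and because Transfer Family lists S3 prefixes rather than real directories, the InBound/Reports, InBound/RawData and OutBound/Reports folders only appear to the client once something exists under those prefixes (a zero-byte "folder" object created in the console is enough).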