AWS Transfer Family IAM角色配置
Use an IAM policy to control access to AWS Transfer Family
参考:https://docs.aws.amazon.com/transfer/latest/userguide/users.html
参考:https://docs.aws.amazon.com/transfer/latest/userguide/users-policies.html
针对
Service managed(Create and manage users within the service)方式
Allowing read and write access to an Amazon S3 bucket
Following, you can see how to create an IAM policy that allows read and write access to a specific Amazon S3 bucket. Assigning an IAM role that has this IAM policy to your user gives that user read/write access to the specified Amazon S3 bucket.
The following policy provides programmatic read and write access to an Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": ["arn:aws:s3:::bucketname"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObjectVersion",
"s3:GetObjectACL",
"s3:PutObjectACL"
],
"Resource": ["arn:aws:s3:::bucketname/*"]
}
]
}The ListBucket action requires permission to the bucket itself. The PUT, GET, and DELETE actions require object permissions. Because these are different entities, they are specified using different Amazon Resource Names (ARNs).
If your bucket is enabled for AWS Key Management Service (AWS KMS) encryption, you need to enable additional actions in the policy. For more information about AWS KMS, see What is AWS Key Management Service?
To further scope down your users' access to only the home directory of the specified Amazon S3 bucket, see Create a scope-down policy.
Create a scope-down policy
A scope-down policy is an AWS Identity and Access Management (IAM) policy that restricts users to certain portions of an Amazon S3 bucket. It does so by evaluating access in real time.
You can use a scope-down policy when you need to give the same access to a group of users to a particular portion of your Amazon S3 bucket. For example, a group of users might need access to only the home directory. That group of users share the same IAM role.
To create a scope-down policy, use the following policy variables in your IAM policy:
${transfer:HomeBucket}${transfer:HomeDirectory}${transfer:HomeFolder}${transfer:UserName}
Note: You can't use the variables listed preceding as policy variables in an IAM role definition. You create these variables in an IAM policy and supply them directly when setting up your user. Also, you can't use the ${aws:Username}variable in this scope-down policy. This variable refers to an IAM user name and not the user name required by AWS Transfer Family.
An example of a scope-down policy is shown in the code example following.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${transfer:HomeBucket}"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"${transfer:HomeFolder}/*",
"${transfer:HomeFolder}"
]
}
}
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion",
"s3:GetObjectACL",
"s3:PutObjectACL"
],
"Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
}
]
}With the preceding policy in place, when a user logs in, they can access only objects in their home directory. At connection time, AWS Transfer Family replaces these variables with the appropriate values for the user. Doing this makes it easier to apply the same policy documents to multiple users. This approach reduces the overhead of IAM role and policy management for managing your users' access to your Amazon S3 bucket.
You can also use a scope-down policy to customize access for each of your users based on your business requirements. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.
Note: AWS Transfer Family stores the policy JSON, instead of the Amazon Resource Name (ARN) of the policy. So when you change the policy in the IAM console, you need to return to AWS Transfer Family console and update your users with the latest policy contents. You can update the user under
Policy Infotab in theUser configurationsection. For more information, see Editing the user configuration.
Preventing users from creating a directory in an S3 bucket
You can prevent users from creating a directory in an Amazon S3 bucket. To do so, you create an IAM policy that allows the s3:PutObject action but also denies it when the key ends with a "/" (forward slash).
The following example policy allows users to upload files to an Amazon S3 bucket but doesn’t allow them to create a directory in the bucket. That is, it denies the mkdir command in the Amazon S3 bucket.
{
"Sid":"DenyMkdir",
"Action":[
"s3:PutObject"
],
"Effect":"Deny",
"Resource":"arn:aws:s3:::my-sftp-bucket/*/"
}API Gateway Lambda Functions IAM角色实践
针对
Custom(Provide an Amazon API Gateway URL)方式
Transfer操作S3添加管理员角色
(1)Create role
(2)选择Transfer服务
(3)Create policy
- Service: 选择
S3 - Actions: 选择
GetObject,GetObjectAcl,s3:PutObject,PutObjectAcl - Resources:
Specific, 如arn:aws:s3:::ok-cloud-sftp/* - Name:
TransferS3Admin
参考配置:
(4)刷新policy,Filter policies输入S3进行过滤,并选择刚刚创建的TransferS3Admin
(5)名称及描述
- Role name:
role-sftp-admin - Role description: Allow AWS Transfer to call AWS S3
Transfer操作S3添加开发环境子路径管理角色
(1)添加策略:TransferS3ReconcileDev
(2)添加角色:role-sftp-reconcile-dev
选择服务:Transfer
配置策略:TransferS3ReconcileDev
Transfer操作S3添加测试环境子路径管理角色
(1)添加策略:TransferS3ReconcileTest
(2)添加角色:role-sftp-reconcile-test
选择服务:Transfer
配置策略:TransferS3ReconcileTest
Transfer操作S3添加测沙箱境子路径管理角色
(1)添加策略:TransferS3ReconcileSandbox
(2)添加角色:role-sftp-reconcile-sandbox
选择服务:Transfer
配置策略:TransferS3ReconcileSandbox
Transfer操作S3添加生产环境子路径管理角色
(1)添加策略:TransferS3ReconcileProd
(2)添加角色:role-sftp-reconcile-prod
选择服务:Transfer
配置策略:TransferS3ReconcileProd
版权声明:
作者:Joe.Ye
链接:https://www.appblog.cn/index.php/2023/03/27/aws-transfer-family-iam-role-configuration/
来源:APP全栈技术分享
文章版权归作者所有,未经允许请勿转载。
共有 0 条评论