amazon-web-services - Connecting to AWS Transfer for SFTP

Reposted. Author: 行者123  Updated: 2023-12-03 20:02:36

I can't connect to AWS Transfer for SFTP. I set up the server successfully and tried to connect with WinSCP.

I set up an IAM role with the following trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I paired this with a scope-down policy, as described in the documentation, using the home bucket homebucket and the home directory homedir:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListHomeDir",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeBucket}"
    },
    {
      "Sid": "AWSTransferRequirements",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging",
        "s3:PutObjectAcl",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}

I can authenticate with the SSH key, but when actually reading/writing files I just keep getting opaque errors such as "lookup homedir error" and "readdir failed". This all sounds very much like a problem with my IAM policy, but I haven't been able to figure it out.

Best answer

We ran into a similar problem using scope-down policies with users on AWS Transfer. The solution that worked for us was to create two different policies.

  • A policy attached to the role, with general permissions on the whole bucket.
  • A scope-down policy applied to the user, which uses the transfer service variables (such as {transfer:UserName}).

  • The conclusion we came to was that possibly only the additionally attached policy is able to resolve the transfer service variables. We are not sure whether this is correct or whether it is the best solution, since allowing a scope-down policy to be attached brings a possible risk of creating a kind of "admin" user. So I'd be glad to get input on locking it down further.

Here is what it looks like in my console when viewing the transfer user's details:
[Image: Transfer user detail view with extra policy attached]

Here are the two policies we used:
General policy attached to the IAM role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ]
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::my-s3-bucket/*"
    }
  ]
}

Scope-down policy applied to the transfer user
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${transfer:HomeBucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${transfer:UserName}/*",
            "${transfer:UserName}"
          ]
        }
      }
    },
    {
      "Sid": "AWSTransferRequirements",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}
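A small policy linter, added here as an example (it is not part of the original question or answer, and the helper name and the two sample policies are constructed for this page), that checks a Transfer scope-down policy for the problems discussed above: an ARN containing stray whitespace, s3:ListBucket without an s3:prefix condition, and object access not confined to ${transfer:HomeDirectory}.

```python
import json
import re

# Constructed sample: the shape of the scope-down policy the answer above arrives at.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
     "Condition": {"StringLike": {"s3:prefix": ["${transfer:UserName}/*", "${transfer:UserName}"]}}},
    {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"}]})

# Constructed sample reproducing two defects visible on this page: s3:ListBucket with no
# s3:prefix condition (lists the whole bucket) and an ARN with a stray space after ":::".
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ListHomeDir", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::${transfer:HomeBucket}"},
    {"Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3::: my-s3-bucket/*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_scope_down_policy(policy_json):
    """Return findings for a Transfer scope-down (session) policy. Hypothetical helper
    written for this page, not an AWS API; it inspects only the policy JSON."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Whitespace inside an ARN means it will never match the bucket you meant.
        for res in resources:
            if re.search(r"\s", res):
                findings.append(f"{sid}: resource ARN contains whitespace: {res!r}")
        # ListBucket must be conditioned on s3:prefix or the user can list every folder.
        if "s3:ListBucket" in actions:
            prefixes = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
            if not any("${transfer:" in p for p in _as_list(prefixes or [])):
                findings.append(f"{sid}: s3:ListBucket lacks an s3:prefix condition on a transfer variable")
        # Object-level actions should be confined to the user's home directory.
        if any("Object" in a for a in actions):
            for res in resources:
                if not res.startswith("arn:aws:s3:::${transfer:HomeDirectory}"):
                    findings.append(f"{sid}: object access on {res!r} is not scoped to the home directory")
    return findings
```

Running it on the two samples gives no findings for the first and three for the second (whitespace in the ARN, unconditioned ListBucket, object access outside the home directory).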

Regarding amazon-web-services - Connecting to AWS Transfer for SFTP, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/53642132/
