Example scope-down policy - AWS Transfer Family

In AWS Transfer Family, a scope-down policy is supported only when you are transferring to or from Amazon S3.

The following example policy is a scope-down policy that limits users' access to their home directories only.

For this scope-down policy to confine users to their home directories, the path you assign as each user's home directory must contain that user's username. For example, if the username is "bob", the home directory path must contain "bob".

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${transfer:HomeBucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "Optional_path/${transfer:HomeFolder}/*",
            "Optional_path/${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}
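As an added illustration (not part of the AWS page), the Python below substitutes a user's `${transfer:*}` variables into this policy and evaluates sample requests against it using IAM-style glob matching. The bucket name, user and home path are constructed values, and the `Optional_path/` placeholder is left out.

```python
import fnmatch
import json

# Constructed sample values (not from the page): what AWS Transfer Family
# substitutes for user "bob", whose home directory is "example-bucket/home/bob".
TRANSFER_VARS = {
    "transfer:HomeBucket": "example-bucket",
    "transfer:HomeFolder": "home/bob",
    "transfer:HomeDirectory": "example-bucket/home/bob",
}

# The page's policy, with the "Optional_path/" placeholder prefix left out.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
     "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
     "Condition": {"StringLike": {"s3:prefix":
       ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}}},
    {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"],
     "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"}
  ]
}""")

def substitute(template, variables):
    """Fill in ${transfer:...} placeholders with the user's values."""
    for name, value in variables.items():
        template = template.replace("${" + name + "}", value)
    return template

def is_allowed(action, resource_arn, variables, s3_prefix=None):
    """True if an Allow statement matches the action, the resource and, where a
    Condition is present, the request's s3:prefix. IAM globs: '*' matches '/' too."""
    for stmt in POLICY["Statement"]:
        if action not in stmt["Action"]:
            continue
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if not any(fnmatch.fnmatchcase(resource_arn, substitute(r, variables))
                   for r in resources):
            continue
        prefixes = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if prefixes is not None and (s3_prefix is None or not any(
                fnmatch.fnmatchcase(s3_prefix, substitute(p, variables))
                for p in prefixes)):
            continue  # condition keys not satisfied by this request
        return True
    return False
```

Because the HomeDirObjectAccess resource ends in `*` rather than `/*`, it also matches a sibling path such as `example-bucket/home/bobby/`, so keep home directory names from being prefixes of one another, or end the pattern with `/*`.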