Example scope-down policy - AWS Transfer Family

Example scope-down policy

The following example policy is a scope-down policy (now called a session policy) that restricts each user to their own home directory. Transfer Family substitutes the ${transfer:HomeDirectory}, ${transfer:HomeBucket}, and ${transfer:HomeFolder} variables at session time from the user's HomeDirectory value: HomeBucket is the bucket name and HomeFolder is the key prefix below it. The first statement allows listing only the user's folder by constraining the s3:prefix condition key; the second allows object operations on keys under the home directory. A scope-down policy can only remove permissions: the user's IAM role must already grant the underlying S3 actions, and anything the role does not allow stays denied.

Note

For the scope-down policy to lock users to their home directory, make sure that the path you assign for their home directory contains the username value, because every variable in the policy is derived from that path. For example, if username is set to "bob", then the home directory needs to contain "bob". Also note that the resource in the HomeDirObjectAccess statement ends in * with no slash before it, so a home directory of /bucket/home/bob also matches object keys under /bucket/home/bobby. Either make sure no user's home directory is a string prefix of another user's, or end the resource with /* instead of *.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${transfer:HomeBucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "Optional_path/${transfer:HomeFolder}/*",
            "Optional_path/${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}
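The following script is an added example and not AWS code: it renders the policy above for one user and checks offline which S3 requests the rendered policy would allow, using a deliberately minimal IAM evaluator (Action and Resource wildcards, the StringLike operator, explicit Deny wins, everything else implicitly denied). It assumes that HomeDirectory is given as /bucket/path and that the three transfer:* variables resolve to bucket/path, bucket and path, modelled on their documented meaning; the real substitution is done by Transfer Family. The Optional_path/ placeholder is dropped because HomeFolder already carries the whole key prefix below the bucket, and a tightened variant with /* at the end of the object resource is included as an assumption, not as text from the page.

```python
"""Render the scope-down policy for one Transfer Family user and evaluate S3 requests against it."""
import json
import re
from typing import Optional

# The page's session policy as a template, Optional_path/ removed (see lead-in).
POLICY_TEMPLATE = r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
      "Condition": {
        "StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}
"""

# Tightened variant (assumption, not from the page): the "/" before the trailing "*"
# stops the object statement from matching sibling prefixes such as home/bobby.
TIGHT_POLICY_TEMPLATE = POLICY_TEMPLATE.replace(
    '"arn:aws:s3:::${transfer:HomeDirectory}*"', '"arn:aws:s3:::${transfer:HomeDirectory}/*"'
)


def _wildcard(pattern: str) -> "re.Pattern[str]":
    """IAM-style matching: '*' spans any characters (including '/'), '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + regex + "$")


def render_session_policy(template: str, home_directory: str) -> dict:
    """Substitute the transfer:* variables (assumed derivation, see lead-in)."""
    path = home_directory.strip("/")          # "/bucket/home/bob" -> "bucket/home/bob"
    bucket, _, folder = path.partition("/")   # "bucket", "home/bob"
    rendered = (template.replace("${transfer:HomeDirectory}", path)
                        .replace("${transfer:HomeBucket}", bucket)
                        .replace("${transfer:HomeFolder}", folder))
    return json.loads(rendered)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict) -> bool:
    """Only StringLike is modelled; a key missing from the request context fails the condition."""
    for operator, pairs in condition.items():
        if operator != "StringLike":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None or not any(_wildcard(p).match(value) for p in _as_list(patterns)):
                return False
    return True


def _matches(stmt: dict, action: str, resource: str, context: dict) -> bool:
    return (any(_wildcard(a).match(action) for a in _as_list(stmt["Action"]))
            and any(_wildcard(r).match(resource) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def is_allowed(policy: dict, action: str, resource: str, context: Optional[dict] = None) -> bool:
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny.
    Models the session policy alone; in AWS the user's role policy must also allow the call."""
    matched = [s for s in policy["Statement"] if _matches(s, action, resource, context or {})]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


def demo() -> dict:
    """Requests made as user bob with HomeDirectory /amzn-s3-demo-bucket/home/bob (constructed input)."""
    loose = render_session_policy(POLICY_TEMPLATE, "/amzn-s3-demo-bucket/home/bob")
    tight = render_session_policy(TIGHT_POLICY_TEMPLATE, "/amzn-s3-demo-bucket/home/bob")
    bucket = "arn:aws:s3:::amzn-s3-demo-bucket"
    return {
        "list_own_folder": is_allowed(loose, "s3:ListBucket", bucket, {"s3:prefix": "home/bob/"}),
        "list_alice": is_allowed(loose, "s3:ListBucket", bucket, {"s3:prefix": "home/alice/"}),
        "list_bobby": is_allowed(loose, "s3:ListBucket", bucket, {"s3:prefix": "home/bobby/"}),
        "get_own_object": is_allowed(loose, "s3:GetObject", bucket + "/home/bob/report.csv"),
        "get_alice_object": is_allowed(loose, "s3:GetObject", bucket + "/home/alice/report.csv"),
        "get_bobby_object_loose": is_allowed(loose, "s3:GetObject", bucket + "/home/bobby/secret.txt"),
        "get_bobby_object_tight": is_allowed(tight, "s3:GetObject", bucket + "/home/bobby/secret.txt"),
        "get_own_object_tight": is_allowed(tight, "s3:GetObject", bucket + "/home/bob/report.csv"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:24} {'ALLOW' if allowed else 'DENY'}")
```

The listing statement is tight because home/bob/* and home/bob cannot match home/bobby/, but the object statement's trailing * lets bob read home/bobby/secret.txt; the /* variant closes that gap at the cost of no longer matching a zero-length directory-marker object named exactly like the home directory.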