Example scope-down policy
In AWS Transfer Family, a scope-down policy is supported only when you are transferring to or from Amazon S3.
The following example policy is a scope-down policy that limits users' access to their home directories only.

For the scope-down policy to lock users to their home directory, make sure that the path you assign for their home directory contains the username value. For example, if username is set to "bob", then the home directory needs to contain "bob".
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "Optional_path/${transfer:HomeFolder}/*",
                        "Optional_path/${transfer:HomeFolder}"
                    ]
                }
            }
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}
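To see what the policy above grants to one particular user, the following added example (not AWS code or part of this page) expands the ${transfer:*} variables for a user's home directory, checks the "home directory contains the username" precondition, and evaluates sample S3 requests against the rendered policy. The mapping from HomeDirectory "/bucket/prefix/user" to HomeBucket, HomeFolder and HomeDirectory is an assumption, and the Optional_path/ placeholder is left out.

```python
import fnmatch
import json

# The page's scope-down policy as a template, ${transfer:*} unexpanded, Optional_path left out.
POLICY_TEMPLATE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
     "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
     "Condition": {"StringLike": {"s3:prefix": [
         "${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}}},
    {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                "s3:GetObjectVersion"],
     "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"}]}

def transfer_variables(home_directory):
    """Assumed mapping for HomeDirectory "/bucket/prefix/user": HomeBucket is
    the first segment, HomeFolder the rest, HomeDirectory both joined."""
    bucket, _, folder = home_directory.strip("/").partition("/")
    return {"transfer:HomeBucket": bucket, "transfer:HomeFolder": folder,
            "transfer:HomeDirectory": f"{bucket}/{folder}" if folder else bucket}

def render_policy(home_directory):
    """Expand the ${transfer:*} variables for one user, as the service does."""
    text = json.dumps(POLICY_TEMPLATE)
    for name, value in transfer_variables(home_directory).items():
        text = text.replace("${" + name + "}", value)
    return json.loads(text)

def home_directory_contains_username(home_directory, username):
    """Precondition from the page; checked per path segment, which is
    stricter than the plain substring match the text describes."""
    return username in home_directory.strip("/").split("/")

def allows(policy, action, bucket, key):
    """Minimal evaluator: Allow statements, '*'/'?' wildcards, s3:prefix StringLike."""
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        res = stmt["Resource"]
        res = [res] if isinstance(res, str) else res
        if action == "s3:ListBucket":
            # No prefix condition on a ListBucket allow means the whole bucket is listable.
            prefixes = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix", ["*"])
            if (any(fnmatch.fnmatchcase(f"arn:aws:s3:::{bucket}", r) for r in res)
                    and any(fnmatch.fnmatchcase(key, p) for p in prefixes)):
                return True
        elif any(fnmatch.fnmatchcase(f"arn:aws:s3:::{bucket}/{key}", r) for r in res):
            return True
    return False
```

Running the evaluator also makes a property of the trailing `*` on the object-access resource visible: with HomeDirectory "my-bucket/home/bob", keys under a sibling prefix that starts with the same characters (for example "home/bobby/") match as well, so keep that in mind when choosing home directory names.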