Example scope-down policy

In AWS Transfer Family, a scope-down policy is supported only when you are transferring to or from Amazon S3.

The following example policy is a scope-down policy that limits users' access to their home directories only.

Note

For the scope-down policy to lock users to their home directory, make sure that the path you assign for their home directory contains the username value. For example, if username is set to "bob", then the home directory needs to contain "bob".


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "Optional_path/${transfer:HomeFolder}/*",
                        "Optional_path/${transfer:HomeFolder}"
                    ]
                }
            }
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Example read/write access policy

Getting started tutorial