AWS Transfer for SFTP
User Guide

Creating an Access Policy for an Amazon S3 Bucket

The following shows how to create an IAM policy that allows read and write access to one specific Amazon S3 bucket. Assigning an IAM role that carries this policy to your SFTP user gives that user read/write access to that bucket and nothing else.

The following policy provides programmatic read and write access to an Amazon S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": ["arn:aws:s3:::bucketname"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::bucketname/*"]
        }
    ]
}

The ListBucket and GetBucketLocation actions are bucket-level actions, so they are granted on the bucket ARN (arn:aws:s3:::bucketname). The PutObject, GetObject, and DeleteObject actions are object-level actions, so they are granted on the object ARN (arn:aws:s3:::bucketname/*). Because the bucket and the objects in it are different resources, they are specified using different Amazon Resource Names (ARNs); a statement that grants s3:ListBucket on bucketname/* does not take effect, and a statement that grants s3:GetObject on the bare bucket ARN does not either.

If your bucket uses server-side encryption with AWS Key Management Service (AWS KMS) keys, the policy also needs actions on the KMS key: kms:Decrypt so the user can download objects and kms:GenerateDataKey so the user can upload them. Grant these in a separate statement whose Resource is the key's ARN, not the bucket's.
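The following is an added example, not part of the AWS Transfer for SFTP guide: a small Python helper that builds the policy above for a given bucket (with an optional third statement for a KMS key) and a checker that enforces the bucket ARN vs. object ARN split, which is the most common way this policy is mis-written. The bucket name, KMS key ARN, and account ID in the usage code are placeholders.

```python
import json

# The S3 actions from the policy on this page, split by the resource type
# they apply to: the bucket itself, or objects inside it.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}

S3_ARN_PREFIX = "arn:aws:s3:::"


def build_policy(bucket, kms_key_arn=None):
    """Return the page's read/write policy for `bucket` as a dict.

    When `kms_key_arn` is given, a third statement grants the key actions
    needed for SSE-KMS buckets: kms:Decrypt (downloads) and
    kms:GenerateDataKey (uploads), scoped to that key's ARN only.
    """
    statements = [
        {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS),
         "Resource": [f"{S3_ARN_PREFIX}{bucket}"]},
        {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
         "Resource": [f"{S3_ARN_PREFIX}{bucket}/*"]},
    ]
    if kms_key_arn:
        statements.append({"Effect": "Allow",
                           "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                           "Resource": [kms_key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _is_object_arn(resource):
    # arn:aws:s3:::bucket/... (anything after a slash) addresses objects;
    # arn:aws:s3:::bucket addresses the bucket.
    return resource.startswith(S3_ARN_PREFIX) and "/" in resource[len(S3_ARN_PREFIX):]


def check_policy(policy):
    """Return a list of problems found in `policy` (empty means consistent).

    Flags bucket-level actions granted on an object ARN, object-level actions
    granted on a bucket ARN, and wildcard resources that would grant access
    to every bucket instead of the one the SFTP user should see.
    """
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for res in _as_list(stmt.get("Resource", [])):
            if res in ("*", f"{S3_ARN_PREFIX}*"):
                problems.append(f"statement {i}: resource {res!r} grants access to every bucket")
            obj_arn = _is_object_arn(res)
            for act in actions:
                if act in BUCKET_ACTIONS and obj_arn:
                    problems.append(f"statement {i}: {act} needs the bucket ARN, not {res}")
                elif act in OBJECT_ACTIONS and res.startswith(S3_ARN_PREFIX) and not obj_arn:
                    problems.append(f"statement {i}: {act} needs an object ARN (bucket/*), not {res}")
    return problems


if __name__ == "__main__":
    # Placeholder bucket and key ARN; substitute your own.
    policy = build_policy("bucketname",
                          "arn:aws:kms:us-east-1:123456789012:key/example-key-id")
    print(json.dumps(policy, indent=4))
    print("problems:", check_policy(policy) or "none")
```

Run the checker over a policy you are about to attach to the SFTP user's role; any message it prints corresponds to a statement that will silently fail to grant what you intended.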

To further scope down your users' access to only the home directory of the specified S3 bucket, see Creating a Scope-Down Policy.