IAM policies for workflows - AWS Transfer Family

IAM policies for workflows

When you add a workflow to a server, you must select an execution role. The server uses this role when it executes the workflow. If the role does not have the proper permissions, AWS Transfer Family cannot run the workflow.

This section describes one possible set of AWS Identity and Access Management (IAM) permissions that you can use to execute a workflow. Other examples are described later in this topic.

Note

If your Amazon S3 files have tags, you need to add one or two permissions to your IAM policy.

  • Add s3:GetObjectTagging for an Amazon S3 file that isn't versioned.

  • Add s3:GetObjectVersionTagging for an Amazon S3 file that is versioned.

To create an execution role for your workflow
  1. Create a new IAM role, and add the AWS managed policy AWSTransferFullAccess to the role. For more information about creating a new IAM role, see Create an IAM role and policy.

  2. Create another policy with the following permissions, and attach it to your role. Replace each user input placeholder with your own information.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "ConsoleAccess", "Effect": "Allow", "Action": "s3:GetBucketLocation", "Resource": "*" }, { "Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET" ] }, { "Sid": "AllObjectActions", "Effect": "Allow", "Action": "s3:*Object", "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ] }, { "Sid": "GetObjectVersion", "Effect": "Allow", "Action": "s3:GetObjectVersion", "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ] }, { "Sid": "Custom", "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:region:account-id:function:function-name" ] }, { "Sid": "Tag", "Effect": "Allow", "Action": [ "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ] } ] }
  3. Save this role and specify it as the execution role when you add a workflow to a server.

    Note

    When you're constructing IAM roles, AWS recommends that you restrict access to your resources as much as is possible for your workflow.

Workflow trust relationships

Workflow execution roles also require a trust relationship with transfer.amazonaws.com. To establish a trust relationship for AWS Transfer Family, see To establish a trust relationship.

While you're establishing your trust relationship, you can also take steps to avoid the confused deputy problem. For a description of this problem, as well as examples of how to avoid it, see Cross-service confused deputy prevention.

Example execution role: Decrypt, copy, and tag

If you have workflows that include tagging, copying, and decrypt steps, you can use the following IAM policy. Replace each user input placeholder with your own information.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CopyRead", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersionTagging" ], "Resource": "arn:aws:s3:::source-bucket-name/*" }, { "Sid": "CopyWrite", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectTagging" ], "Resource": "arn:aws:s3:::destination-bucket-name/*" }, { "Sid": "CopyList", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": [ "arn:aws:s3:::source-bucket-name", "arn:aws:s3:::destination-bucket-name" ] }, { "Sid": "Tag", "Effect": "Allow", "Action": [ "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ], "Resource": "arn:aws:s3:::destination-bucket-name/*", "Condition": { "StringEquals": { "s3:RequestObjectTag/Archive": "yes" } } }, { "Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": [ "arn:aws:s3:::destination-bucket-name" ] }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::destination-bucket-name/*" }, { "Sid": "Decrypt", "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:region:account-ID:secret:aws/transfer/*" } ] }

Example execution role: Run function and delete

In this example, you have a workflow that invokes an AWS Lambda function. If the workflow deletes the uploaded file and has an exception handler step to act upon a failed workflow execution in the previous step, use the following IAM policy. Replace each user input placeholder with your own information.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Delete", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": "arn:aws:s3:::bucket-name" }, { "Sid": "Custom", "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:region:account-id:function:function-name" ] } ] }