Setting up
Note You don't have to use a server and Amazon S3 bucket that are in the same AWS Region, but we recommend this as a best practice.
Note You can use Amazon S3 Object Lock to prevent objects from being overwritten for a fixed amount of time or indefinitely. This works the same way with Transfer Family as with other services. If an object exists and is protected, writing to that file or deleting it is not allowed. For more details on Amazon S3 Object Lock, see the Amazon Simple Storage Service User Guide.
Note AWS Transfer Family does not currently support Amazon S3 Multi-Region Access Points.
Note This policy does not allow for appending to a file. That is, a user that is assigned to this policy cannot open files to add content to them, or to modify them. Also, if your use case involves issuing a HeadObject call before uploading a file, this policy won't work for you.
Note When you use a Transfer Family server and an Amazon EFS file system, the server and the file system must be in the same AWS Region.
Note When you are creating a service-managed Transfer Family user, you can select Auto-generate policy based on home folder. This is a useful shortcut if you want to limit user access to their own folders. Also, you can view details about session policies and an example in . You can also find more information about session policies in in the IAM User Guide.
Note In the examples above, replace each user input placeholder with your own information.
Note The maximum length of a session policy is 2048 characters. For more details, see the for the CreateUser action in the API reference.
Note If your Amazon S3 bucket is encrypted using AWS Key Management Service (AWS KMS), you must specify additional permissions in your policy. For details, see . Additionally, you can see more information about in the IAM User Guide.
Note In the preceding policy, it is assumed that users have their home directories set to include a trailing slash, to signify that it is a directory. If, on the other hand, you set a user's HomeDirectory without the trailing slash, then you should include it as part of your policy.
Note If you are using logical directories—that is, the user's homeDirectoryType is LOGICAL—these policy parameters (HomeBucket, HomeDirectory, and HomeFolder) are not supported.
Note In the following example, replace bucket_name with the name of your S3 bucket. Also, note that the GetObjectACL and PutObjectACL statements are only required if you are doing cross-account access, that is, if your Transfer Family server needs to access a bucket in a different account.
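The trailing-slash, cross-account ACL and 2048-character notes above combine naturally into one generator for per-user session policies. The following is an added example, not code from the AWS documentation: the bucket and folder values are constructed, and the list of object actions is an assumption for a typical read/write user.

```python
import json

SESSION_POLICY_MAX_CHARS = 2048  # CreateUser limit cited in the notes above


def build_session_policy(home_bucket: str, home_folder: str,
                         cross_account: bool = False) -> dict:
    """Return a scope-down policy limiting a user to one folder in one bucket.

    home_folder is the key prefix inside home_bucket (e.g. "home/alice"),
    given with or without a trailing slash. The ACL actions are added only
    when the bucket belongs to another account, as the note above describes.
    """
    folder = home_folder.strip("/")
    if not folder:
        raise ValueError("home_folder must name a sub-folder, not the bucket root")
    # Always terminate the prefix with "/" before building the wildcard ARN,
    # so "home/alice" cannot also match keys such as "home/alice-backup/...".
    object_arn = f"arn:aws:s3:::{home_bucket}/{folder}/*"
    actions = ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
               "s3:DeleteObject", "s3:DeleteObjectVersion"]  # assumed set
    if cross_account:
        actions += ["s3:GetObjectACL", "s3:PutObjectACL"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfUserFolder",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{home_bucket}"],
                # Listing is restricted to the user's own prefix.
                "Condition": {"StringLike": {"s3:prefix": [f"{folder}/*", folder]}},
            },
            {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
             "Action": actions, "Resource": [object_arn]},
        ],
    }


def session_policy_json(policy: dict) -> str:
    """Serialise compactly and reject policies over the 2048-character limit."""
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > SESSION_POLICY_MAX_CHARS:
        raise ValueError(f"session policy is {len(text)} chars; "
                         f"limit is {SESSION_POLICY_MAX_CHARS}")
    return text


if __name__ == "__main__":
    # Constructed sample values; substitute your own bucket and folder.
    print(session_policy_json(build_session_policy("example-bucket", "home/alice")))
```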
Note In addition to the policy, you must also make sure your POSIX file permissions are granting the appropriate access. For more information, see the Amazon Elastic File System User Guide.
Note In the following examples, replace region with your region, account-id with the account the file is in, and file-system-id with the ID of your Amazon Elastic File System (Amazon EFS).