I've set up a server under Amazon's new AWS Transfer for SFTP managed SFTP service according to the user guide, but I've been unable to get it to work with a KMS encryption key. My SFTP client can authenticate fine, but when I attempt to put a file, the file uploads but then fails to save with a "Couldn't close file: Failure" error.
I have the role associated with my SFTP user in the list of Key Users, but I suspect something in the "step down" policy (that is used to prevent SFTP users from seeing other folders in the associated S3 bucket) is preventing the key from being used, because I tried removing the step-down policy, and then everything worked fine (but that then exposes the entire bucket to every user which is clearly unacceptable).
Any ideas what I need to add to the step-down policy (or the key policy) to allow the KMS key to be used in this way?
We found two problems that together caused this same error:

1. aws s3 cp commands without the --sse:aws:kms flag would fail. Removing that policy made aws s3 cp use the default encryption policy.
2. We added kms:XXX permissions to the policy attached to the role attached to the SFTP user that we created.

All together, our policy now looks like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:ListBucket",
      "Resource": "${bucket_arn}",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "${bucket_arn}/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "${kms_arn}",
      "Effect": "Allow"
    }
  ]
}
Applying that to the user made SFTP start working as hoped.
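As an added example (not code from the original question or answer), here is a small Python check that walks an IAM policy document shaped like the one above and reports which of the KMS actions an SSE-KMS upload and download need are not granted on the key; the bucket and key ARNs are constructed placeholders.

```python
"""Report KMS actions an SSE-KMS S3 put/get needs that a policy does not grant.

Added example, not from the original post. ARNs below are constructed samples.
"""
import fnmatch
import json

# Key actions exercised by an SSE-KMS upload (GenerateDataKey) and download (Decrypt).
REQUIRED_KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

# Constructed placeholder ARNs; substitute your own bucket and key ARNs.
BUCKET_ARN = "arn:aws:s3:::example-sftp-bucket"
KMS_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, resource, candidates):
    """Return the subset of `candidates` that some Allow statement grants on `resource`.

    Handles '*' wildcards in Action and Resource. Deny statements and Condition
    blocks are not evaluated, so passing this check is necessary, not sufficient.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in candidates if fnmatch.fnmatchcase(a, pattern))
    return granted


def missing_kms_actions(policy, kms_arn=KMS_ARN):
    """Sorted list of required KMS actions the policy does not grant on the key."""
    return sorted(set(REQUIRED_KMS_ACTIONS) - allowed_actions(policy, kms_arn, REQUIRED_KMS_ACTIONS))


# The S3-only scope-down policy (the failing state) and the same policy with the KMS statement added.
S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET_ARN + "/*"}]}
FIXED = json.loads(json.dumps(S3_ONLY))
FIXED["Statement"].append({"Effect": "Allow", "Resource": KMS_ARN, "Action": [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey", "kms:DescribeKey"]})

if __name__ == "__main__":
    print("S3-only policy is missing:", missing_kms_actions(S3_ONLY))
    print("fixed policy is missing:", missing_kms_actions(FIXED))
```

Run it against the role policy exported from IAM before testing an SFTP put; an empty list for the key ARN means the role side is not what is blocking the close-file step, and the key policy or a Deny elsewhere is the next place to look.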