Managing access controls - Amazon Transfer Family
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing access controls

You can control a user's access to Amazon Transfer Family resources by using an Amazon Identity and Access Management (IAM) policy. An IAM policy is a statement, typically in JSON format, that allows a certain level of access to a resource. You use an IAM policy to define which file operations your users are allowed to perform and which they are not. You can also use an IAM policy to define which Amazon S3 bucket or buckets your users can access. To apply these policies to users, you create an IAM role for Amazon Transfer Family that has the IAM policy and the trust relationship associated with it.

Each user is assigned an IAM role. The type of IAM role that Amazon Transfer Family uses is called a service role. When a user logs in to your server, Amazon Transfer Family assumes the IAM role mapped to the user. To learn about creating an IAM role that provides a user access to an Amazon S3 bucket, see Creating a role to delegate permissions to an Amazon service in the IAM User Guide.

You can grant write-only access to Amazon S3 objects by using certain permissions within an IAM policy. For details, see Grant ability to only write and list files.

The Amazon Storage Blog contains a post detailing how to set up least privilege access. For details, see Implementing least privilege access in an Amazon Transfer Family workflow.

Note

If your Amazon S3 bucket is encrypted using Amazon Key Management Service (Amazon KMS), you must specify additional permissions in your policy. For details, see Data encryption in Amazon S3. Additionally, you can see more information about session policies in the IAM User Guide.