When using the AWS console to configure a Transfer Family user for an SFTP server, there is a 'Restricted' checkbox that prevents the user from moving out of their home directory.
I am trying to configure a user with the Python CDK (v2.61), but there is no 'restricted' parameter. I've read online that using a home_directory_mappings in the following way when creating the user can achieve the same result:
home_directory_mappings=[
    transfer.CfnUser.HomeDirectoryMapEntryProperty(
        entry="/",
        target="/<bucket_name>/<folder_name>"
    )
]
Unfortunately this does not seem to work - I am still able to cd .. and the 'Restricted' checkbox does not end up checked.
Does anyone know how to configure this option in CDK?
CodePudding user response:
Since this is an L1 construct, it works exactly the same as in CloudFormation. Set the HomeDirectoryType to LOGICAL in order to get the chroot jail effect.
You must also ensure that the directory exists first, otherwise the mapping has no effect.
In many cases, you'll want the attached policy to also prohibit access outside of the desired S3 directories, which will also prevent access via cd .. even if you don't configure the chroot jail ("restricted") access.
CodePudding user response:
After the above answer from sytech, and some further experimenting, I came up with a satisfactory solution:
- Set home_directory_type to LOGICAL
- Use the home_directory_mappings as in my original post
- DO NOT set home_directory
I followed these 3 points and now the 'Restricted' checkbox shows up.
from aws_cdk import aws_transfer as transfer

transfer.CfnUser(
    scope=self,
    id=id_,
    # required CfnUser props (placeholders, fill in your own values)
    server_id="<server_id>",
    user_name="<user_name>",
    role="<role_arn>",
    # DO NOT use home_directory
    home_directory_type="LOGICAL",
    home_directory_mappings=[
        transfer.CfnUser.HomeDirectoryMapEntryProperty(
            entry="/",
            target="/<bucket_name>/<folder_name>"
        )
    ]
)