With the ACL option set, SFTP Gateway adds a Canned ACL to each object it uploads to S3. This is necessary for certain use cases, such as cross-account S3 access.

The AWS account that uploads an object is the object's owner, and by default the object's ACL grants full control to that owner and nobody else.

The problem arises when SFTP Gateway uploads objects into a bucket that belongs to another AWS account. The uploading account (the object owner) can read the objects, but the other account (the bucket owner) cannot, even though they sit in its bucket.

The solution is to add a second grantee to the ACL at upload time, giving the bucket owner full control over the object. That way the object can be accessed by both AWS accounts.

Edit the config file for the user:

vi /home/robtest/.sftpgateway/user.properties

And append the following line:

acl.option=7

Option 7 represents the Canned ACL called bucket-owner-full-control. Any object uploaded from this point forward can be accessed by both AWS accounts; objects uploaded earlier keep their original ACL and have to be re-uploaded or have their ACL changed separately. Note that on buckets whose Object Ownership setting is "bucket owner enforced" (the default for new buckets since April 2023) ACLs are disabled entirely: the bucket owner already owns every object, and an upload that specifies any canned ACL other than bucket-owner-full-control is rejected, so option 7 is the only option that still works against such a bucket.

Here’s the list of Canned ACLs supported by SFTP Gateway, with the number to use for acl.option (see the AWS S3 documentation on canned ACLs for exactly what each one grants):

  • 1: private
  • 2: public-read
  • 3: public-read-write
  • 4: aws-exec-read
  • 5: authenticated-read
  • 6: bucket-owner-read
  • 7: bucket-owner-full-control
  • 8: log-delivery-write

Be careful with options 2, 3 and 5: public-read and public-read-write make every uploaded file readable (and, for 3, writable) by anyone on the internet, and authenticated-read makes it readable by any AWS account. If S3 Block Public Access is enabled on the bucket or the account, uploads that request a public ACL are rejected outright.

Restricted IAM role

If you have restricted S3 access on the EC2 instance role by following “Restrict S3 access on your IAM policy”, you will also need to grant the actions that let the instance set ACLs on the objects it uploads.

Add "s3:PutObjectAcl" and "s3:GetObjectAcl" to the IAM role attached to your EC2 instance. S3 authorises a PutObject request that carries an ACL against both s3:PutObject and s3:PutObjectAcl, so once acl.option is set, uploads fail with AccessDenied until the second action is granted. (IAM action names are matched case-insensitively, so the lower-case spelling used in older versions of this policy also works.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::sftpgateway-i-0604b04b42faf2dab/*"
            ]
        }
    ]
}
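As an added example (this is not SFTP Gateway's own code), the following Python script checks the two halves of this procedure together: it parses acl.option out of a user.properties file, maps it to the Canned ACL name using the numbering listed above, warns when a public ACL was selected, and then evaluates the instance's IAM policy document to confirm that both s3:PutObject and s3:PutObjectAcl are allowed on objects in the bucket. The properties text and the object key are constructed samples; the policy and bucket name are the ones shown above. It performs no AWS calls, so it runs offline.

```python
"""Audit an SFTP Gateway acl.option setting against the instance IAM policy.

Added example, not SFTP Gateway code. The sample inputs below are constructed.
"""
import fnmatch

# Numbering as listed on this page.
CANNED_ACLS = {
    1: "private",
    2: "public-read",
    3: "public-read-write",
    4: "aws-exec-read",
    5: "authenticated-read",
    6: "bucket-owner-read",
    7: "bucket-owner-full-control",
    8: "log-delivery-write",
}
PUBLIC_ACLS = {"public-read", "public-read-write"}


def parse_properties(text):
    """Minimal key=value parser for a Java-style .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def canned_acl_for(props):
    """Return the Canned ACL name selected by acl.option, or None if unset."""
    raw = props.get("acl.option")
    if raw is None:
        return None
    try:
        option = int(raw)
    except ValueError:
        raise ValueError(f"acl.option is not an integer: {raw!r}")
    if option not in CANNED_ACLS:
        raise ValueError(f"unknown acl.option {option}; expected 1-8")
    return CANNED_ACLS[option]


def action_allowed(policy, action, resource):
    """True if the policy allows `action` on `resource`.

    IAM action names match case-insensitively and may use '*' wildcards;
    an explicit Deny always overrides an Allow.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        action_match = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_match = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if action_match and resource_match:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def audit(props_text, policy, bucket, key="incoming/example.txt"):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    acl = canned_acl_for(parse_properties(props_text))
    if acl is None:
        findings.append("acl.option not set: uploads keep the owner-only default ACL, "
                        "so a cross-account bucket owner cannot read them")
        return findings
    if acl in PUBLIC_ACLS:
        findings.append(f"acl.option selects {acl}: every upload becomes public "
                        "(S3 Block Public Access rejects such uploads)")
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    # A PutObject carrying x-amz-acl is authorised against both actions.
    for action in ("s3:PutObject", "s3:PutObjectAcl"):
        if not action_allowed(policy, action, object_arn):
            findings.append(f"IAM policy does not allow {action} on {object_arn}")
    return findings


# Constructed sample of /home/robtest/.sftpgateway/user.properties.
SAMPLE_PROPERTIES = "# sftpgateway user settings\nacl.option=7\n"
BUCKET = "sftpgateway-i-0604b04b42faf2dab"
# The restricted policy from this page.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObjectAcl"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_POLICY, BUCKET) or ["OK: ACL option and IAM policy are consistent"]:
        print(finding)
```

Run it against a copy of the real user.properties and the policy JSON attached to the role (for example, the output of `aws iam get-role-policy`) before enabling the option in production; the wildcard matching also lets it evaluate broader policies such as an Action of "s3:Put*".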