I am stuck and not finding any documentation that helps with this. I setup logical directories for a user with the aws command line:
aws transfer --region us-east-1 update-user --user-name test1 \
    --server-id "s-12345" \
    --home-directory-type LOGICAL \
    --home-directory-mappings '[{"Entry":"/types/emptytype", "Target":"/bucket/somedir/empty_dir"},{"Entry":"/types/standardevent", "Target":"/bucket/somedir/users/${transfer:UserName}"}]'
This works well. I can log in see all the logical directories and upload/download files. I want to restrict the user to be able to upload/download but not be able to delete files, unless it is in a special directory called OUT.
I am generally finding that if I set any sort of policy (in the above command line with --policy), no matter what it is, when I log in to test, I can ls -l at the root, but can't change to any other directories and see files. Why does this break? It seems like the documents say that policies can be mixed with logical directories, but all the examples are trivial and don't have multiple subdirs like mine above.
EDIT:
Setting a stupid policy:
aws transfer --region us-east-1 update-user --user-name test1 \
    --server-id "s-12345" \
    --policy '{"Version": "2012-10-17","Statement": {"Effect": "Allow","Action": "s3:ListBucket","Resource": "arn:aws:s3:::amzn-s3-demo-bucket"}}' \
    --home-directory-type LOGICAL \
    --home-directory-mappings '[{"Entry":"/types/emptytype", "Target":"/bucket/somedir/empty_dir"},{"Entry":"/types/standardevent", "Target":"/bucket/somedir/users/${transfer:UserName}"}]'
Breaks the SFTP:
sftp test1@s-12345.server.transfer.us-east-1.amazonaws.com
Connected to s-12345.server.transfer.us-east-1.amazonaws.com.
sftp> ls
types
sftp> cd types
sftp> ls
Couldn't read directory: Permission denied
Removing the policy restores working order:
sftp test1@s-12345.server.transfer.us-east-1.amazonaws.com
Connected to s-12345.server.transfer.us-east-1.amazonaws.com.
sftp> ls
types
sftp> cd types
sftp> ls
emptytype standardevent
sftp> cd standardevent
sftp> ls
1.tsv
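As an added example (not part of the question or of any AWS documentation), here is a session policy shaped for the logical directory mappings above: the test policy in the question only allows s3:ListBucket on a different bucket (amzn-s3-demo-bucket) and no object actions at all, so listing or reading anything under the real mapped prefixes in bucket "bucket" is denied. The policy assumes the bucket is literally named "bucket" as in the mappings, and that the OUT directory (the only place deletes are allowed) lives under the user's own mapped directory; both are assumptions, not facts from the page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheMappedPrefixes",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "somedir/empty_dir",
            "somedir/empty_dir/*",
            "somedir/users/${transfer:UserName}",
            "somedir/users/${transfer:UserName}/*"
          ]
        }
      }
    },
    {
      "Sid": "UploadAndDownloadInMappedDirectories",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": [
        "arn:aws:s3:::bucket/somedir/empty_dir/*",
        "arn:aws:s3:::bucket/somedir/users/${transfer:UserName}/*"
      ]
    },
    {
      "Sid": "DeleteOnlyInsideOut",
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::bucket/somedir/users/${transfer:UserName}/OUT/*"
    }
  ]
}
```

A session policy can only narrow what the user's IAM role already allows, so the role attached with --role must grant these same actions on the same resources; s3:DeleteObject outside the OUT prefix is absent from the policy and therefore implicitly denied, which is what makes rm fail everywhere else.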
try using aws s3api to check the bucket policy.
https://docs.aws.amazon.com/cli/latest/reference/s3api/ -> check the command for bucket policy here.
I believe something is missing in there that is causing permission denied.