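function Get-SftpUserDefaultSecretString {
    <#
    .SYNOPSIS
    Returns the default string for an SFTP user AWS Secret.

    .DESCRIPTION
    Returns the default string for an SFTP user AWS Secret. This structure must
    match exactly the expectations of the SFTP Authentication Lambda.

    The result is a JSON object with four string members: Password, Role,
    Policy and HomeDirectoryDetails. Policy and HomeDirectoryDetails are
    themselves JSON documents, serialised compactly and embedded as strings.

    Every object is built as an [ordered] dictionary so that member order in
    the emitted JSON is stable between runs. A plain hashtable enumerates in
    hash order, which is not guaranteed to be identical from one process to
    the next, so two calls with the same inputs could yield textually
    different secret strings and spurious secret versions.

    .PARAMETER BucketName
    [string] The target SFTP S3 Bucket name for the environment.

    .PARAMETER HomeDirSuffix
    [string] The relative path in the target SFTP S3 bucket to jail the user's
    home directory. It is joined to the bucket name and to '/*' with literal
    '/' separators, so pass it without a leading or trailing slash
    (e.g. 'home/alice'); a surrounding slash would produce '//' in the S3 ARN
    and in the logical home directory target.

    .PARAMETER KmsArn
    [string] The ARN of the KMS key used for SFTP S3 bucket object encryption
    for the environment.

    .PARAMETER RoleArn
    [string] The ARN of the IAM role used by the SFTP Transfer Server for the
    environment.

    .PARAMETER PasswordHash
    [string] The hashed password for the SFTP user. The value is stored
    verbatim as the Password member; this function performs no hashing, so
    the caller is responsible for never passing a plaintext password.

    .OUTPUTS
    [string] The secret string as (non-compressed) JSON.
    #>
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $BucketName,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $HomeDirSuffix,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $KmsArn,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $RoleArn,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $PasswordHash
    )

    # Scope-down IAM policy attached to the user's session. It is restricted to
    # the single KMS key and to the user's own prefix in the bucket; the only
    # statement on Resource '*' is the bucket-enumeration pair (Sid
    # 'AWSTransferRequirements'), which the Sid indicates is required by the
    # Transfer service rather than by the user's data access.
    $policyObj = [ordered]@{
        Version   = '2012-10-17'
        Statement = @(
            [ordered]@{
                Sid      = 'KMSAccess'
                Action   = @(
                    'kms:Decrypt',
                    'kms:Encrypt',
                    'kms:GenerateDataKey'
                )
                Effect   = 'Allow'
                Resource = $KmsArn
            },
            [ordered]@{
                Sid       = 'AllowListingOfUserFolder'
                Action    = @(
                    's3:ListBucket'
                )
                Effect    = 'Allow'
                Resource  = @(
                    "arn:aws:s3:::$BucketName"
                )
                # Listing is only allowed for the user's own prefix (and the
                # prefix itself), not the whole bucket.
                Condition = [ordered]@{
                    StringLike = [ordered]@{
                        's3:prefix' = @(
                            "$HomeDirSuffix/*",
                            "$HomeDirSuffix"
                        )
                    }
                }
            },
            [ordered]@{
                Sid      = 'AWSTransferRequirements'
                Effect   = 'Allow'
                Action   = @(
                    's3:ListAllMyBuckets',
                    's3:GetBucketLocation'
                )
                Resource = '*'
            },
            [ordered]@{
                Sid      = 'HomeDirObjectAccess'
                Effect   = 'Allow'
                Action   = @(
                    's3:PutObject',
                    's3:GetObject',
                    's3:DeleteObjectVersion',
                    's3:DeleteObject',
                    's3:GetObjectVersion'
                )
                Resource = @(
                    "arn:aws:s3:::$BucketName/$HomeDirSuffix/*"
                )
            }
        )
    }

    # Logical directory mapping: the user sees '/' and is jailed to
    # /<bucket>/<suffix>. Kept as a one-element array because the consumer
    # expects a JSON array, and -InputObject serialises the array as a whole
    # instead of unrolling it.
    $homeDirObj = @(
        [ordered]@{
            Entry  = '/'
            Target = "/$BucketName/$HomeDirSuffix"
        }
    )

    # Both nested documents are embedded as strings (not as nested objects),
    # compressed so they fit on one line inside the outer JSON. -Depth 10 is
    # well above the policy's actual nesting, avoiding the default-depth
    # truncation of the Condition block.
    $policyStr  = (ConvertTo-Json -InputObject $policyObj -Compress -Depth 10)
    $homeDirStr = (ConvertTo-Json -InputObject $homeDirObj -Compress -Depth 10)

    # Member order here is the order the Lambda will see.
    $object = [ordered]@{
        Password             = $PasswordHash
        Role                 = $RoleArn
        Policy               = $policyStr
        HomeDirectoryDetails = $homeDirStr
    }

    return (ConvertTo-Json -InputObject $object)
}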