
AWS Transfer Family is a fully managed SFTP service for Amazon S3.

By leveraging existing authentication systems and incorporating DNS routing through Amazon Route 53, the AWS Transfer Family facilitates a seamless transition of your file transfer workflows to AWS. This ensures that there are no disruptions for your customers, partners, or their applications. Once your data is stored in Amazon S3, you can leverage the full range of AWS services for tasks such as processing, analytics, machine learning, and archiving.

In this blog post, we will guide you through the process of setting up an SFTP server with key-based authentication. The steps involved are as follows:

  1. Create an SFTP server.
  2. Configure a user and establish a role to access the S3 bucket.
  3. Initiate file transfers using a client.

Step 1: Create an SFTP Server

1. Open the AWS Transfer Family console: https://console.aws.amazon.com/transfer/

2. Click “Create server”

3. Select “SFTP – file transfer over Secure Shell” and click “Next”

4. Select “Service managed” and then “Next”

5. Select the endpoint type for the setup. In this blog post, we opt for a public endpoint that can be accessed from anywhere. For the “Custom hostname” setting, we choose “None.”

Under Custom hostname you can use an external DNS name from any provider.

6. Create a CloudWatch logging role if you want a log of user activity.

Navigate to IAM policies and create a policy with the JSON below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Add the role under CloudWatch logging.

Click “Next”

7. Click “Create Server”

Now you can see that the server has been created.

Step 2: Add User

If you use the service-managed identity type, you add users directly to your file transfer protocol-enabled server. Each user name must be unique on that server.

1. Open the SFTP server

Click on the Server ID; it opens the server's detail page in the console.

2. Click on “Add user”

3. Add the user configuration and create a role for accessing the S3 bucket

Create a policy for accessing the S3 bucket.

Paste the JSON below and replace bucketname with the name of your bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::bucketname"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}

Click “Save”

Create a role, e.g. Role-for-accessing-S3, and make sure that Transfer is chosen as the trusted service.

Attach the policy that we created in the step above.

Add the role in the user configuration.

Note: you can also restrict the user to its own folder only.
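The policy above grants the user the whole bucket; the note about restricting a user to its own folder is what a per-user role should do. The following is an added example, not code from the post: it renders the post's policy for a bucket name (optionally narrowed to a folder prefix such as the assumed "home/alice/") and checks that every Allow statement stays scoped to that bucket, which catches a forgotten "bucketname" placeholder or a "*" resource before the role is attached.

```python
import json

# Actions exactly as listed in the post's policy.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObjectAcl", "s3:GetObject", "s3:DeleteObjectVersion",
                  "s3:DeleteObject", "s3:PutObjectAcl", "s3:GetObjectVersion"]


def s3_access_policy(bucket, prefix=""):
    """Render the post's S3 policy for `bucket`; a non-empty `prefix` such as
    "home/alice/" limits listing and object access to that folder."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    list_stmt = {"Sid": "VisualEditor0", "Effect": "Allow",
                 "Action": BUCKET_ACTIONS, "Resource": bucket_arn}
    if prefix:
        # s3:ListBucket is a bucket-level action, so the folder restriction
        # must be expressed as a condition on the requested key prefix.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    obj_stmt = {"Sid": "VisualEditor1", "Effect": "Allow",
                "Action": OBJECT_ACTIONS, "Resource": f"{bucket_arn}/{prefix}*"}
    return {"Version": "2012-10-17", "Statement": [list_stmt, obj_stmt]}


def check_policy(policy, bucket):
    """Return findings for a user policy that should reach only `bucket`;
    an empty list means every Allow statement is scoped to that bucket."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants more than the file operations")
        for res in resources:
            # Accept the bucket ARN itself or any object ARN under it; "*" and
            # an unreplaced "bucketname" placeholder both fail this test.
            if not (res == bucket_arn or res.startswith(bucket_arn + "/")):
                findings.append(f"{sid}: resource {res} is not scoped to {bucket}")
    return findings


if __name__ == "__main__":
    # "my-bucket" and "home/alice/" are constructed sample values.
    print(json.dumps(s3_access_policy("my-bucket", "home/alice/"), indent=4))
    print(check_policy(s3_access_policy("bucketname"), "my-bucket"))
```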

4. Generate a key pair for the user using PuTTYgen, paste the public key into the SSH public keys field, and save the private key for the user to connect with.

Click “Add”

As you can see in the AWS Transfer Family console, the user has been created.

Step 3: Transfer files using client

Open WinSCP or your favourite client.

Copy the endpoint from the AWS Transfer Family console.

Enter the user name in the User name field, select the private key on the Advanced tab, and then click Login.

That's it!