Create an SFTP server with AWS Transfer for SFTP

danimal141

Hideaki Ishii

Posted on July 7, 2019

This post describes how to create an SFTP server on AWS with AWS Transfer for SFTP.
For an overview of AWS Transfer for SFTP, please refer to the AWS documentation.

Decide SFTP Configuration

AWS SFTP lets you configure:

  • DNS configuration
    • "None" or "Amazon Route53 DNS alias"
  • Identity provider
    • "Service Managed" or "Custom"
  • Logging role
  • Tags

In this post, I chose the following configuration:

  • DNS configuration
    • "None" (use the endpoint name that AWS creates)
  • Identity provider
    • "Service Managed" (use the built-in AWS SFTP user management)

Logging role and Tags are not used in this post.

Prepare S3 bucket for SFTP server

AWS SFTP requires an S3 bucket, so let's prepare your bucket first.

In this post, I prepared a bucket named danimal141-sftp-test, which contains a folder named test as an example.

Create CloudFormation template

To create an SFTP server, we need to:

  • Create an IAM policy
  • Create an IAM role
  • Create an SFTP server
  • Create an SFTP user
    • The user is assigned the IAM role above

There are many dependencies, so let's use AWS CloudFormation to make the process easier.
The template looks like this:



AWSTemplateFormatVersion: '2010-09-09'

Resources:
  SftpAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: SftpAccessPolicy
      Description: Sftp access policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 's3:PutObject'
              - 's3:GetObject'
              - 's3:DeleteObject'
              - 's3:GetObjectVersion'
              - 's3:DeleteObjectVersion'
            Resource: 'arn:aws:s3:::danimal141-sftp-test/test/*'
          - Effect: Allow
            Action:
              - 's3:ListBucket'
              - 's3:GetBucketLocation'
            Resource: 'arn:aws:s3:::danimal141-sftp-test'
            Condition:
              StringLike:
                's3:prefix': 'test/*'

  SftpAccessRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Service:
                - 'transfer.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - !Ref SftpAccessPolicy

  SftpServer:
    Type: AWS::Transfer::Server
    Properties:
      EndpointType: PUBLIC

  SftpUser:
    Type: AWS::Transfer::User
    Properties:
      UserName: testuser
      HomeDirectory: '/danimal141-sftp-test/test'
      Role: !GetAtt SftpAccessRole.Arn
      ServerId: !GetAtt SftpServer.ServerId
      SshPublicKeys:
        - YOUR PUBLIC KEY



For details on IAM policies and roles for SFTP, refer to the AWS documentation.
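Because the SFTP user can browse anywhere its IAM role allows (HomeDirectory is only a starting point), the policy should be scoped to the home prefix exactly as the template does. As an added example (not code from the original post), the following Python script encodes the template's policy as a dict and checks that every Allow statement stays within the user's HomeDirectory; BROAD_POLICY is a constructed counter-example, and the check works for any bucket/prefix home directory.

```python
"""Audit an AWS Transfer user's IAM policy against its HomeDirectory.
Added example (not from the original post): the template's policy is written
as a Python dict; a finding means an Allow reaches outside the home prefix."""

OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                  "s3:GetObjectVersion", "s3:DeleteObjectVersion"}
WILDCARDS = {"s3:*", "*"}  # catch-all actions count as both object and list


def as_list(value):
    return value if isinstance(value, list) else [value]


def split_home_directory(home_directory):
    """'/danimal141-sftp-test/test' -> ('danimal141-sftp-test', 'test')."""
    bucket, _, prefix = home_directory.strip("/").partition("/")
    return bucket, prefix.strip("/")


def audit_policy(policy, home_directory):
    """Return findings; [] means every Allow is confined to bucket/prefix/."""
    bucket, prefix = split_home_directory(home_directory)
    object_root = f"arn:aws:s3:::{bucket}/" + (prefix + "/" if prefix else "")
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt.get("Action", [])))
        resources = as_list(stmt.get("Resource", []))
        # Object actions must name ARNs under bucket/prefix/, not bucket/*.
        if actions & (OBJECT_ACTIONS | WILDCARDS):
            for res in resources:
                if not res.startswith(object_root):
                    findings.append(f"object access on {res} escapes {object_root}*")
        # Listing must be narrowed with an s3:prefix condition on the home prefix.
        if actions & ({"s3:ListBucket"} | WILDCARDS) and prefix:
            allowed = as_list(stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix", []))
            if not allowed or any(not p.startswith(prefix + "/") for p in allowed):
                findings.append(f"s3:ListBucket on {bucket} is not limited to {prefix}/")
    return findings


# The template's policy from this post, plus a constructed over-broad variant.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
     "Resource": "arn:aws:s3:::danimal141-sftp-test/test/*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::danimal141-sftp-test",
     "Condition": {"StringLike": {"s3:prefix": "test/*"}}}]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
     "Resource": "arn:aws:s3:::danimal141-sftp-test/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::danimal141-sftp-test"}]}
```

Running audit_policy(PAGE_POLICY, "/danimal141-sftp-test/test") returns no findings, while BROAD_POLICY produces one finding for the bucket-wide object ARN and one for the unrestricted listing.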

Create CloudFormation stack

Let's create a CloudFormation stack from the above template, either on the AWS console or with the aws cloudformation command.

The important point is that the stack creates IAM resources (AWS::IAM::ManagedPolicy and AWS::IAM::Role), so CloudFormation requires you to acknowledge the corresponding capabilities.
In other words, we must acknowledge that CloudFormation might create IAM resources with custom names.

Once the stack has been created successfully, you will be able to see the SFTP server on the AWS console!
You can then check the server with the sftp command like this:



sftp -i your_ssh_key your_user_name@server_endpoint

sftp> pwd
Remote working directory: /danimal141-sftp/test

sftp> put index.html
Uploading index.html to /danimal141-sftp-test/test/index.html

sftp> rm index.html
Removing /danimal141-sftp-test/test/index.html

sftp> exit



Of course, you could also use a GUI client such as Cyberduck.

Clean up dependencies

Be careful not to forget to remove the SFTP server: you are billed on an hourly basis from the time you create and configure your SFTP server, which is provisioned for your dedicated use, until the time you delete the server (Reference: AWS Transfer for SFTP pricing).

If you use CloudFormation as in the example above, cleaning up all dependencies is dead easy.
All you have to do is delete the CloudFormation stack!

Summary

  • We can create an SFTP server easily with AWS Transfer for SFTP.
  • We can create and delete stuff related to the SFTP server easily with AWS CloudFormation.
