Create an SFTP server with AWS Transfer for SFTP
Hideaki Ishii
Posted on July 7, 2019
This post describes how to create an SFTP server on AWS (AWS Transfer for SFTP).
About the overview of AWS Transfer for SFTP, please refer to here.
Decide SFTP Configuration
AWS SFTP can configure:
- DNS configuration
- "None" or "Amazon Route53 DNS alias"
- Identity provider
- "Service Managed" or "Custom"
- Logging role
- Tags
In this post, I decided to configure like:
- DNS configuration
- "None" (Use an endpoint name which AWS creates directly)
- Identity provider
- "Service Managed" (Use the AWS SFTP feature)
Logging role and Tags are not used in this post.
Prepare S3 bucket for SFTP server
AWS SFTP requires an S3 bucket, so let's prepare your bucket first.
In this post, I prepared a bucket named danimal141-sftp-test
, which has a folder named test
as an example.
Create CloudFormation template
To achieve creating an SFTP server, we should do:
- Create an IAM policy
- Create an IAM role
- Create an SFTP server
- Create an SFTP user
- It has the above IAM role
There are many dependencies, so let's use AWS CloudFormation to make the process easier.
The template becomes like this:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
SftpAccessPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: SftpAccessPolicy
Description: Sftp access policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 's3:PutObject'
- 's3:GetObject'
- 's3:DeleteObject'
- 's3:GetObjectVersion'
- 's3:DeleteObjectVersion'
Resource: 'arn:aws:s3:::danimal141-sftp-test/test/*'
- Effect: Allow
Action:
- 's3:ListBucket'
- 's3:GetBucketLocation'
Resource: 'arn:aws:s3:::danimal141-sftp-test'
Condition:
StringLike:
's3:prefix': 'test/*'
SftpAccessRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: 'Allow'
Principal:
Service:
- 'transfer.amazonaws.com'
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- !Ref SftpAccessPolicy
SftpServer:
Type: AWS::Transfer::Server
Properties:
EndpointType: PUBLIC
SftpUser:
Type: AWS::Transfer::User
Properties:
UserName: testuser
HomeDirectory: '/danimal141-sftp-test/test'
Role: !GetAtt SftpAccessRole.Arn
ServerId: !GetAtt SftpServer.ServerId
SshPublicKeys:
- YOUR PUBLIC KEY
About IAM policies and roles for SFTP, you could refer to here.
Create CloudFormation stack
Let's create a CloudFormation stack with the above template on the AWS console or aws cloudformation
command.
The important point is that the process requires capabilities: [AWS::IAM::ManagedPolicy, AWS::IAM::Role]
.
We should acknowledge that CloudFormation might create IAM resources with custom names.
After finishing creating the stack successfully, you would be able to see the SFTP server on the AWS console!
And then, you can check the server with sftp
command like:
sftp -i your_ssh_key your_user_name@server_endpoint
sftp> pwd
Remote working directory: /danimal141-sftp/test
sftp> put index.html
Uploading index.html to /danimal141-sftp-test/test/index.html
sftp> rm index.html
Removing /danimal141-sftp-test/test/index.html
sftp> exit
Of course, you could also use an app like Cyberduck or something like that.
Clean up dependencies
Please be careful of forgetting removing the SFTP server, because you are billed on an hourly basis from the time you create and configure your SFTP server, which is provisioned for your dedicated use, until the time you delete the server (Reference: here).
If you use CloudFormation like the above example, it's dead easy to clean up all dependencies.
All you have to do is just deleting the CloudFormation stack!
Summary
- We can create an SFTP server easily with AWS Transfer for SFTP.
- We can create and delete stuff related to the SFTP server easily with AWS CloudFormation.
References
Posted on July 7, 2019
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.