Setting Up an SFTP Server on AWS


Travers Annan

Sometimes you just need a quick and secure solution to share some files between multiple users.

In AWS, there is a service called the AWS Transfer Family that works with Amazon S3 to help users securely move and store files in the cloud. There are several transfer protocol options available, namely FTP, FTPS, and SFTP. In this article, we will explore how to deploy and use a serverless SFTP solution in the AWS cloud.

To deploy our SFTP server, we will be creating the following resources:

  * An S3 bucket
  * An IAM role
  * A Transfer Server (using SFTP)

Manual Deployment Steps

First, create an encrypted S3 bucket with all public access disabled and, if you deploy it using CloudFormation, a deletion policy set to Retain. This bucket will be the filesystem for our SFTP server, and we will point our users at it later. Next, create an IAM role that the Transfer service (transfer.amazonaws.com) is allowed to assume, and attach the policies below:

{
    "Policies": [
        {
            "PolicyName": "S3FullAccess",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "s3:ListAllMyBuckets",
                            "s3:GetBucketLocation"
                        ],
                        "Resource": "*"
                    }
                ]
            }
        },
        {
            "PolicyName": "AllowListingOfUserFolder",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "s3:ListBucket"
                        ],
                        "Resource": "<YOUR-S3-BUCKET-ARN>"
                    }
                ]
            }
        },
        {
            "PolicyName": "HomeDirObjectAccess",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "s3:PutObject",
                            "s3:GetObject",
                            "s3:GetObjectVersion",
                            "s3:DeleteObject",
                            "s3:DeleteObjectVersion"
                        ],
                        "Resource": "<YOUR-S3-BUCKET-ARN>/*"
                    }
                ]
            }
        }
    ]
}

These policies allow users of your SFTP server to list the bucket and to upload, download, and delete objects in it. Note that the listing permission targets the bucket ARN itself, while the object permissions target the objects inside it (the ARN followed by /*); the only statement with a wildcard resource is the harmless bucket-discovery one.
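A small least-privilege check for the access role, added here as an example and not part of the original article: it walks the three policies above (with a constructed bucket ARN filled in for the placeholder) and flags object permissions that are not confined to the bucket's objects, listing permissions that do not name the bucket, and wildcard grants beyond bucket discovery.

```python
"""Least-privilege check for the Transfer Family access role (added example)."""
import copy

BUCKET_ARN = "arn:aws:s3:::example-sftp-bucket"  # constructed placeholder, not from the article
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                  "s3:DeleteObject", "s3:DeleteObjectVersion"}
ACCOUNT_WIDE_OK = {"s3:ListAllMyBuckets", "s3:GetBucketLocation"}  # acceptable on "*"

# The three policies from the article, with the placeholder ARN filled in.
ARTICLE_POLICIES = [
    {"PolicyName": "S3FullAccess", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(ACCOUNT_WIDE_OK), "Resource": "*"}]}},
    {"PolicyName": "AllowListingOfUserFolder", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN}]}},
    {"PolicyName": "HomeDirObjectAccess", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS), "Resource": BUCKET_ARN + "/*"}]}},
]


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def check_policies(policies, bucket_arn):
    """Return findings; an empty list means the role is scoped the way the article intends."""
    findings = []
    for policy in policies:
        name = policy["PolicyName"]
        for stmt in policy["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = set(_as_list(stmt["Action"]))
            resources = _as_list(stmt["Resource"])
            if "s3:ListBucket" in actions and bucket_arn not in resources:
                findings.append(f"{name}: s3:ListBucket must name the bucket ARN itself")
            if actions & OBJECT_ACTIONS and any(r != bucket_arn + "/*" for r in resources):
                findings.append(f"{name}: object actions must be scoped to {bucket_arn}/*")
            if any("*" in a for a in actions) or ("*" in resources and not actions <= ACCOUNT_WIDE_OK):
                findings.append(f"{name}: wildcard action, or '*' resource beyond bucket discovery")
    return findings


def overbroad_variant():
    """A common mistake: object actions granted on every bucket in the account."""
    weak = copy.deepcopy(ARTICLE_POLICIES)
    weak[2]["PolicyDocument"]["Statement"][0]["Resource"] = "*"
    return weak


if __name__ == "__main__":
    print("article policies:", check_policies(ARTICLE_POLICIES, BUCKET_ARN) or "OK")
    print("over-broad variant:", check_policies(overbroad_variant(), BUCKET_ARN))
```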

Finally, create an SFTP server using the AWS Transfer Family service by following the steps below:

  1. Navigate to the AWS Transfer Family Service in the AWS Console.
  2. Click on “Create Server”.
  3. Select SFTP and click “Next”.
  4. Select “Service Managed” as the identity provider and click “Next”.
  5. Select “Publicly Accessible” as the endpoint type and click “Next”.
  6. Select “Create a new role” as the logging role, select “TransferSecurityPolicy-2020-06” as the Security Policy, then click “Next”.
  7. Click “Create Server”.

Deploying with CloudFormation

To deploy the necessary resources using CloudFormation, use a template like the one below:

AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy resources for sftp server

Resources:
  sftpBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  sftpRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: S3FullAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListAllMyBuckets
                  - s3:GetBucketLocation
                Resource: "*"
        - PolicyName: AllowListingOfUserFolder
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !GetAtt sftpBucket.Arn
        - PolicyName: HomeDirObjectAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:DeleteObject
                  - s3:DeleteObjectVersion
                Resource: !Sub "${sftpBucket.Arn}/*"
  sftpServer:
    Type: AWS::Transfer::Server
    Properties:
      EndpointType: PUBLIC
      IdentityProviderType: SERVICE_MANAGED
      Protocols:
        - SFTP
      SecurityPolicyName: TransferSecurityPolicy-2020-06

Adding Users

Now that the resources are deployed, it’s time to add users to the SFTP server. Select the server you just created in the AWS Transfer Family console and click on the “Add User” button. You should see something like the images below:

[Image: Adding users to AWS SFTP deployment]

Enter the username you want to add, and select the role you created earlier as the access role. Leave the policy as “None”, and choose the S3 bucket you created earlier as the home directory. Generate an SSH key for your user and paste the public key into the SSH public key field. Tag appropriately, then click “Add”.

Congratulations, you’ve just added a user to your SFTP server! You can now connect to the server via your SFTP access method of choice with the user you created, your SSH key, and the server endpoint. Happy transferring.

