The AWS Transfer Family is a fully managed service that exposes an Amazon S3 bucket to clients over SFTP; the server itself is run by AWS, and authorisation to the bucket is done through an IAM role that the service assumes on the user's behalf.

The AWS Transfer Family helps you seamlessly migrate your file transfer workflows to AWS by integrating with existing authentication systems, and providing DNS routing with Amazon Route 53 so nothing changes for your customers and partners, or their applications. With your data in Amazon S3, you can use it with AWS services for processing, analytics, machine learning, and archiving.

In this blog we are going to set up an SFTP server with key-based authentication (no passwords: each user is identified by an SSH public key registered on the server).

Steps:

  • Create an SFTP server.
  • Add a user and create a role for accessing the S3 bucket.
  • Transfer files using a client.

Step 1: Create an SFTP server

  • Select “SFTP (SSH File Transfer Protocol) - file transfer over Secure Shell” and click “Next”.
  • Select “Service managed” as the identity provider (users and their keys are stored on the server itself) and click “Next”.
  • In this step we choose the endpoint. In this blog we use a public endpoint, which is reachable from anywhere on the internet, and under “Custom hostname” we select “None”.
A custom hostname lets you front the endpoint with a DNS name from Route 53 or any external provider.
  • Create a CloudWatch logging role if you want a log of user activity. Without it the server records no logins or transfers, so for anything beyond a test you want it.

Navigate to IAM policies and create a policy with the JSON below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

The service writes to log groups named /aws/transfer/<server-id>, so "Resource": "*" is wider than needed; you can narrow it to the log-group ARN pattern for that prefix in your account and region.

Create a role that trusts the Transfer service, attach this policy to it, and select the role under “CloudWatch logging”.

Click “Next”, review the settings and create the server.

  • The console now lists the new server; it takes a few minutes to reach the Online state.

Step 2: Add User

If you use a service-managed identity type, you add users to your file transfer protocol-enabled server. When you do so, each user name must be unique on your server.

  • Open the SFTP server.

Click on the Server ID; this opens the server's detail page.

  • Click on “Add user”.
  • Fill in the user configuration and create a role for accessing the S3 bucket.

Create a policy for accessing the S3 bucket and paste the JSON below, replacing bucketname with the name of your bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::bucketname"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:PutObjectAcl",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::bucketname/*"
        }
    ]
}

Click “Save”.
Create a role, e.g. Role-for-accessing-S3, and make sure that Transfer is chosen as the trusted service, so that the role's trust policy allows transfer.amazonaws.com to assume it. Then attach the policy that we created in the step above. The two ACL actions (s3:GetObjectAcl, s3:PutObjectAcl) are only needed if the bucket relies on object ACLs; otherwise they can be dropped.

Note: as written, this role gives the user the whole bucket. You can restrict each user to its own folder by setting a home directory of the form /bucketname/username and attaching a session (scope-down) policy that limits the role to that prefix.

  • Generate a key pair for the user with PuTTYgen (or ssh-keygen), paste the public key into “SSH public keys”, and hand the private key to the user for connecting. Only the public key goes to AWS; the private key stays with the user.

Click “Add”.

As you can see in the AWS Transfer Family console, the user is created.

Step 3: Transfer files using client

Open WinSCP and choose SFTP as the file protocol.
Copy the endpoint from the AWS Transfer Family console and paste it as the host name.

Enter the user name in the “User name” field, select the private key file under Advanced > SSH > Authentication, and then click “Login”. On first connection WinSCP asks you to accept the server's host key; compare the fingerprint with the one shown for the server in the console before accepting it.
You are now connected to the S3 bucket through AWS Transfer Family.

Note: if you can log in but are not able to transfer files to the S3 bucket, check the IAM role for S3: it needs both the bucket policy above and a trust policy that lets transfer.amazonaws.com assume it. If CloudWatch logging is enabled, failed logins and transfers appear in the /aws/transfer/<server-id> log group.

Congratulations, you have followed all the steps and set up AWS Transfer Family.
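The three steps above, done with the AWS SDK instead of the console, as an added example that is not part of the original post. It builds the same two roles and policies, creates the server and the user, and adds the per-user session policy that the note in step 2 mentions. The role names, the account id, the log-group scoping and the sample user “alice” are assumptions; the AWS calls are confined to provision() and are not executed when the file is imported, so the policy helpers can be inspected offline.

```python
"""Added example (not from the original post): provision the post's setup with boto3.
Role/user/log-group names and the account id are assumptions; the AWS calls live in
provision() and are not executed at import time."""
import json

TRANSFER_SERVICE = "transfer.amazonaws.com"
S3_OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                     "s3:DeleteObject", "s3:DeleteObjectVersion"]


def trust_policy():
    """Trust policy for both roles: only the Transfer service may assume them."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": TRANSFER_SERVICE},
        "Action": "sts:AssumeRole"}]}


def logging_policy(region, account_id):
    """CloudWatch permissions scoped to the /aws/transfer/ log groups the service
    writes to, instead of the post's "Resource": "*" (assumed account/region)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                   "logs:DescribeLogStreams", "logs:PutLogEvents"],
        "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:/aws/transfer/*"}]}


def s3_access_policy(bucket):
    """Step 2 role policy: list the bucket, read/write/delete its objects.
    The ACL actions from the post are omitted; they are only needed when the
    bucket relies on object ACLs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": S3_OBJECT_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def session_policy():
    """Session (scope-down) policy attached to the user. The service substitutes
    the ${transfer:*} variables at login, so one policy confines every user to
    its own home folder without needing a separate IAM role per user."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListHomeFolder", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
         "Condition": {"StringLike": {"s3:prefix": [
             "${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}}},
        {"Sid": "HomeFolderObjects", "Effect": "Allow", "Action": S3_OBJECT_ACTIONS,
         "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"}]}


def resolve_session_policy(bucket, username):
    """Substitute the variables the way the service does for a user whose home
    directory is /<bucket>/<username>, to inspect the effective grant offline."""
    subst = {"${transfer:HomeBucket}": bucket,
             "${transfer:HomeDirectory}": f"{bucket}/{username}",
             "${transfer:HomeFolder}": username,
             "${transfer:UserName}": username}
    text = json.dumps(session_policy())
    for var, value in subst.items():
        text = text.replace(var, value)
    return json.loads(text)


def provision(region, account_id, bucket, username, public_key):
    """Steps 1-2 end to end. Needs boto3 and credentials with IAM and Transfer rights."""
    import boto3  # imported here so the policy helpers above run without the SDK
    iam = boto3.client("iam", region_name=region)
    transfer = boto3.client("transfer", region_name=region)

    def make_role(name, policy):
        iam.create_role(RoleName=name, AssumeRolePolicyDocument=json.dumps(trust_policy()))
        iam.put_role_policy(RoleName=name, PolicyName=f"{name}-policy",
                            PolicyDocument=json.dumps(policy))
        iam.get_waiter("role_exists").wait(RoleName=name)  # IAM is eventually consistent
        return f"arn:aws:iam::{account_id}:role/{name}"

    log_role = make_role("transfer-cloudwatch-logging", logging_policy(region, account_id))
    s3_role = make_role("Role-for-accessing-S3", s3_access_policy(bucket))
    server_id = transfer.create_server(
        Protocols=["SFTP"], IdentityProviderType="SERVICE_MANAGED",
        EndpointType="PUBLIC", LoggingRole=log_role)["ServerId"]
    transfer.create_user(
        ServerId=server_id, UserName=username, Role=s3_role,
        HomeDirectory=f"/{bucket}/{username}",  # lands the user in its own folder
        Policy=json.dumps(session_policy()),    # and keeps it there
        SshPublicKeyBody=public_key)            # public half only; private key stays with the user
    return server_id


if __name__ == "__main__":
    # Offline demonstration: what the constructed user "alice" may touch in "bucketname".
    print(json.dumps(resolve_session_policy("bucketname", "alice"), indent=2))
```

Running the file prints the resolved policy for “alice”: listing is allowed on the bucket only under the alice/ prefix, and object access only on arn:aws:s3:::bucketname/alice/*, so a second user with the same role cannot read her files. Step 3 is unchanged: the user connects to the endpoint returned by provision() with the private key matching public_key.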
