This is a pretty straightforward blog and personal documentation on how to set up an SFTP server with s3 bucket as the backend of the SFTP server. I hope you find this helpful as I did. Step 1. Create S3 Bucket from the AWS console. The S3 Bucket will be the place where the files will stay. No custom changes will need to be made to the s3 bucket itself. Step 2. Navigate to AWS Transfer Family service and select .  Where you will be prompted to select , , .  Select SFTP, which stands for SSH File Transfer Protocol. SFTP is a network protocol that provides file access, file transfer, and file management over any reliable data stream. create Server FTP FTPS SFTP Step 3. Next, we need to select an identity provider, which in short is an access layer that will allow certain users to access the SFTP server. You can do this programmatically via lambda and add your own custom identity provider, or in this case, just create a single user at a time use the AWS managed service Step 4. Next, we select and set up our own custom DNS hostname. In this case, we are just going to use AWS generated host that is provided. If you would like this could be modified in the future. Options: None: AWS will create a DNS record such as {some-random-generated-string}.server.transfer.{region}.amazonaws.com. Route 53 Alias: the service will create an alias on Route 53 so you can use a more - friendly name and a subdomain such as . ftps.martinpatino.com Other DNS: 3rd party DNS server option. Step. 5 Just select a domain, which will provide 2 options, here we will just go with Amazon S3 as we will provide user access to an s3 bucket with limited permissions to a specific bucket. Once this step is completed, you will be prompted to review your server summary and confirm, in which your SFTP server will be generated. Step. 6 Configuration of IAM Roles with S3 So after we have created the SFTP server and created the S3 bucket that you would like the user to have access. The next part is to handle user role permissions and policy creation. In our case, we want to restrict users to only being able to view a specific bucket. So just head to IAM create a custom SFTP role for your user in AWS under the service use case of . Transfer You can copy and paste this and modify the field. custom-bucket-name This rule will give the user access to delete, fetch, update and add files to your s3 bucket via FTP. {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::{custom-bucket-name}"
            ],
            "Effect": "Allow",
            "Sid": "ReadWriteS3"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": [
                "arn:aws:s3:::{custom-bucket-name}/*"
            ],
            "Effect": "Allow",
            "Sid": ""
        }
    ] Step.  7 To create a user you will need a username, s3 bucket you want the user to have access to, and the role they are associated with, which would be the one that was created above. Once you bind your new SFTP_COMPANY_ROLE or whatever you called it to the user. In my example below, I am just calling user , but you can call it whatever you want. You will then have the option to set up a policy, which is not required. However, it will help lock down your user to only be able to have access to a specific directory under a certain bucket. usercompany_a AWS Transfer does have an auto-generate policy if you would like to use it, which would look like the example below. {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${transfer:HomeBucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${transfer:HomeFolder}/*",
            "${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
} The final step is add SSH Public Key, which the user should provide to you. The user will the use their own private key to connect to the SFTP via some SFTP client. This is a required field as without it. Your users will not  be able to connect. The last step is to add the user’s Public Key. They will need their Private Key to connect to the SFTP Server. If you don’t add the Public Key, the users can connect without any credentials. Test Time It’s time to test the SFTP connection. I use CyberDuck, which is available on both Mac/Windows. Try to connect and if everything is setup correctly, you should be able to see the content in you S3 bucket. You should even be able to upload files from your SFTP client. Success!!! Hope you enjoy learning a bit! First Published here

Amazon

Fetch

Intro Guide to Setting up a Custom Hashnode Blog Sub Domain on Netlify

How to 'Architect' an Easy Way into the Serverless World

Read My Stories

Nominated for 2022 - HackerNoon Contributor of the Year - Serverless

Too Long; Didn't Read

Make resilience your competitive advantage

How to Set Up an SFTP Server with S3

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

How to 'Architect' an Easy Way into the Serverless World

101 Stories To Learn About Cloud Infrastructure

10 Things in Engineering We Don't Spend Enough Time On

10 Things I Did To Increase CloudTrail Logs Security

10 reasons to give cloud computing a go

How to 'Architect' an Easy Way into the Serverless World

101 Stories To Learn About Cloud Infrastructure

10 Things in Engineering We Don't Spend Enough Time On

10 Things I Did To Increase CloudTrail Logs Security

10 reasons to give cloud computing a go

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps