Organizations often need to transfer files securely to outside entities such as clients and vendors. Those transfers must preserve the security and integrity of internal infrastructure while remaining practical and cost-effective. Self-hosted SFTP (SSH File Transfer Protocol) servers used to be the "go-to" answer for this enterprise requirement, but running them is costly and rarely the most efficient practice. To address this, AWS launched its fully managed AWS Transfer Family.

Reduce Costly SFTP Overheads

Rather than undergoing the costly and time-consuming setup of SFTP server infrastructure, AWS Transfer Family for SFTP removes that maintenance overhead. Each user is granted access to specific S3 buckets and prefixes. Organizations can use standard SFTP to upload, download, and delete files in those buckets, and so exchange them with external entities.

As a managed service, AWS Transfer Family auto-scales its backend resources with the transfer workload, without human intervention. It can also be deployed as a VPC-hosted endpoint, and the service itself is administered through the AWS console, CLI, and API.

Integration of AWS IAM with AWS Transfer for SFTP

AWS Transfer Family supports common internal and external user authentication systems: service-managed users stored in Transfer Family itself, users in Active Directory groups (through AWS Directory Service, whether the directory lives in the AWS cloud, on-premises, or both), or a custom identity provider implemented with AWS Lambda or Amazon API Gateway.

It is also possible to place the SFTP server inside an organization's own VPC by creating a VPC-hosted Transfer Family endpoint and then configuring an external client (FileZilla in this example) to connect to it. Follow the guidelines below, or have your managed service provider, such as Ibexlabs, implement it for you.

Step #1: Create an IAM Policy to Upload/Download Objects to Target S3 Bucket

Before provisioning the Transfer Family server, create an IAM role with the policy and trust relationship shown below. Transfer Family assumes this role on behalf of each SFTP user, so the policy defines the upper bound of what any user of the role can do in the target bucket. Note that it grants the whole bucket; confining each user to their own prefix is done separately, with a per-user session policy when the user is created. In the example below, replace <bucket-name> with the actual name of the S3 bucket.

IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}

Trust Relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Step #2: Provision AWS Transfer Family for SFTP Server

  • In the AWS console, open AWS Transfer Family, select Servers, and create a new server.
  • Choose protocols: SFTP (SSH File Transfer Protocol) – file transfer over Secure Shell, and click Next.
  • Choose Identity provider type: select Service managed and click Next. Service-managed users are created and stored inside Transfer Family itself.
  • Select the Endpoint: choose VPC hosted as the endpoint type and Internet facing so that external parties can reach it.
  • Select the custom VPC and its public subnets, assign an Elastic IP for each Availability Zone, and attach a custom security group. Restrict that security group's inbound rule on TCP port 22 to the external parties' source IP ranges rather than 0.0.0.0/0, then click Next.
  • Select Amazon S3 as the domain. The target S3 bucket stores the transferred objects.
  • To enable CloudWatch logging, choose to create a logging role; every incoming and outgoing file transfer is then recorded.
  • Click Next, review the settings, and create the Transfer Family SFTP server.

Step #3: Create an Internal User

A service-managed user is a user created inside Transfer Family to give an external party access to the target S3 bucket.

  • Create an SSH key pair. The public key is registered on the service-managed user and authenticates it when it connects to the Transfer Family server; the private key stays with whoever connects. Transfer Family accepts RSA, ECDSA, and ED25519 public keys, so ssh-keygen -t ed25519 is an equally valid choice to the RSA key shown here.

    To generate the key pair, run ssh-keygen and enter the path where the keys should be saved. A passphrase is optional but recommended for a key that will leave your environment:

Command: ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /opt/BounceX
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /opt/BounceX
Your public key has been saved in /opt/BounceX.pub
The key fingerprint is:
SHA256:bBGvsTC8AJl3FcvQtGZtfQhtweEiAYloUTabDVKTBCc
The key's randomart image is:
+---[RSA 2048]----+
|  EXXoo**..ooo   |
|  =*+Ooo.B ++.   |
| . .+.= X =.+ .  |
|     . B B . .   |
|      . S        |
|       .         |
|                 |
|                 |
|                 |
+----[SHA256]-----+

  • Configure the S3 bucket to which files will be transferred, and enter the Home directory (bucket and prefix) where the user lands after logging in with their SFTP client.
  • Create the user with the IAM role from Step #1 for access to the S3 bucket, and paste in the public key from the key pair (the contents of /opt/BounceX.pub in the example above). Only the public key is registered with Transfer Family. Preferably the external party generates the key pair themselves and sends you just the public key; if you generate it for them as shown above, deliver the private key over a separate secure channel, never alongside the hostname and username.
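The role policy from Step #1 grants the whole bucket, while the home directory set on the user in Step #3 only changes where the user lands, not what they may reach. The added example below, which is not code from the original post, builds that role policy from a bucket name and pairs it with a per-user session policy written with Transfer Family's own policy variables (${transfer:HomeBucket}, ${transfer:HomeFolder}, ${transfer:HomeDirectory}), then checks the two together with a small Allow-only matcher so the isolation can be verified offline. The bucket, folder and user names are made up, and the variable substitution mimics what the service does at login rather than calling AWS.

```python
"""Added example (not from the original post): Step #1 role policy plus a
per-user session policy, checked offline with a minimal Allow-only matcher.
Bucket, folder and user names below are made up."""
import fnmatch
import json
from typing import Optional

BUCKET = "example-transfer-bucket"  # assumption: stand-in for the real bucket name


def access_role_policy(bucket: str) -> dict:
    """Role policy from Step #1. transfer.amazonaws.com assumes this role for
    every user, so it is the ceiling of what any SFTP user can do."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "TransferBucketList", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "TransferObjectAccess", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


# Session policy attached to each user (aws transfer create-user --policy).
# Transfer Family substitutes the ${transfer:*} variables at login, so one
# policy text serves every user of the role while isolating them from each other.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListOnlyOwnHome", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
         "Condition": {"StringLike": {"s3:prefix": [
             "${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}}},
        {"Sid": "ObjectsInOwnHome", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"},
    ],
}


def substitute(policy: dict, bucket: str, home_folder: str, user: str) -> dict:
    """Resolve the transfer:* variables as assumed to happen at login:
    HomeBucket=bucket, HomeFolder=prefix, HomeDirectory=bucket/prefix."""
    text = json.dumps(policy)
    for var, val in {
        "${transfer:HomeBucket}": bucket,
        "${transfer:HomeFolder}": home_folder,
        "${transfer:HomeDirectory}": f"{bucket}/{home_folder}",
        "${transfer:UserName}": user,
    }.items():
        text = text.replace(var, val)
    return json.loads(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str,
               prefix: Optional[str] = None) -> bool:
    """Minimal matcher: IAM '*' wildcards via fnmatch plus the s3:prefix
    StringLike condition. Allow statements only; not a full IAM evaluator."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None and (
                prefix is None or not any(fnmatch.fnmatchcase(prefix, p) for p in wanted)):
            continue
        return True
    return False


def effective(bucket: str, home_folder: str, user: str, action: str,
              resource: str, prefix: Optional[str] = None) -> bool:
    """Both the role policy and the user's session policy must allow the
    request; that intersection is how the service combines them."""
    role = access_role_policy(bucket)
    session = substitute(SESSION_POLICY, bucket, home_folder, user)
    return (is_allowed(role, action, resource, prefix)
            and is_allowed(session, action, resource, prefix))


if __name__ == "__main__":
    print(json.dumps(access_role_policy(BUCKET), indent=2))
    print(json.dumps(SESSION_POLICY, indent=2))
    own = f"arn:aws:s3:::{BUCKET}/home/alice/report.csv"
    other = f"arn:aws:s3:::{BUCKET}/home/bob/report.csv"
    print("alice reads own file:", effective(BUCKET, "home/alice", "alice", "s3:GetObject", own))
    print("alice reads bob's file:", effective(BUCKET, "home/alice", "alice", "s3:GetObject", other))
```

With a user whose home directory is /example-transfer-bucket/home/alice, the role policy alone would let that user read /home/bob/report.csv; with the session policy attached, the same request falls outside every Allow statement and is refused, and listing is limited to the user's own folder. The matcher is deliberately small and does not model Deny statements or other condition keys, so use it to reason about the two policies, not as a substitute for the IAM policy simulator.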

Step #4: External Login to the SFTP Server

  1. Log in to the SFTP server from the command line, pointing -i at the private key from Step #3 (username is the service-managed user and endpoint is the server's hostname from the Transfer Family console):

sftp -i /opt/BounceX username@endpoint

     On the first connection the client asks you to accept the server's host key. Compare the fingerprint it shows with the HostKeyFingerprint reported by aws transfer describe-server before accepting, and give external users that fingerprint together with the endpoint.

  2. Log in to the SFTP server using FileZilla:
  • Open FileZilla and click the 'Open the site manager' button.
  • Click 'New Site' and give the new site a name.
  • On the 'General' tab, enter the 'Host' name (the server endpoint).
  • Enter the 'Port' number, 22.
  • Select the 'Protocol' type: 'SFTP – SSH File Transfer Protocol'.
  • Choose 'Key file' as the 'Logon Type'.
  • Enter the 'User' name.
  • 'Browse' to the private 'Key file'.
  • Click 'Connect' to connect to the SFTP server, accepting the host key only after checking its fingerprint as above.
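Both login methods above prompt the user to trust the server's host key the first time they connect, and the only defence against a redirected or spoofed endpoint is to compare the fingerprint shown with one obtained out of band. The added example below, which is not code from the original post, reproduces the SHA256 fingerprint that ssh-keygen -lf and clients such as FileZilla display for any OpenSSH public key, so an operator can publish the value for the Transfer Family server (the HostKeyFingerprint field returned by aws transfer describe-server) and a user can check what their client shows against it. The only input is a constructed test vector: GitHub's published ED25519 host key, chosen because its fingerprint is public and independently verifiable; the function names are the example's own.

```python
"""Added example (not from the original post): compute the SHA256 fingerprint
of an OpenSSH public key exactly as ssh-keygen -lf and SFTP clients show it,
and compare it in constant time with a published value."""
import base64
import hashlib
import hmac


def _blob(openssh_public_key: str) -> bytes:
    """Decode the base64 key blob from a '<type> <base64> [comment]' line,
    from a known_hosts-style 'host <type> <base64>' line, or from a bare blob."""
    fields = openssh_public_key.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            return base64.b64decode(fields[i + 1])
    return base64.b64decode(fields[0])


def fingerprint_sha256(openssh_public_key: str) -> str:
    """'SHA256:' + unpadded base64 of sha256(blob), the format OpenSSH prints."""
    digest = hashlib.sha256(_blob(openssh_public_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_type(openssh_public_key: str) -> str:
    """Key type from the blob's first length-prefixed string, which is
    authoritative even if the textual prefix of the line was edited."""
    blob = _blob(openssh_public_key)
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode()


def matches_published(openssh_public_key: str, published: str) -> bool:
    """Constant-time comparison with a published fingerprint, accepting the
    value with or without its 'SHA256:' prefix."""
    want = published if published.startswith("SHA256:") else "SHA256:" + published
    return hmac.compare_digest(fingerprint_sha256(openssh_public_key), want)


# Constructed test vector: GitHub's published ED25519 host key, used only
# because its fingerprint (SHA256:+DiY3wvvV6TuJJhbpZisF/zLDA0zPMSvHdkr4UvCOqU)
# is public, so the function can be checked without a live server.
SAMPLE_HOST_KEY = ("ssh-ed25519 "
                   "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl")

if __name__ == "__main__":
    print(key_type(SAMPLE_HOST_KEY), fingerprint_sha256(SAMPLE_HOST_KEY))
```

The same routine applied to /opt/BounceX.pub from Step #3 yields the SHA256 line ssh-keygen printed there, which is a convenient way to confirm that the public key pasted into the Transfer Family user is the one you generated.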

You can now connect to AWS Transfer Family for SFTP, through a VPC-hosted endpoint, from an external client such as FileZilla.

Ibexlabs is an experienced DevOps and Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today to set up a free consultation and discuss a custom-built solution tailored for you.