Organizations often need to exchange files securely with outside entities such as clients and vendors. These transfers must protect the security and integrity of internal infrastructure, but the process also has to be practical and cost-effective. SSH File Transfer Protocol (SFTP) servers used to be the go-to answer to this enterprise requirement, but running them is costly and rarely an efficient use of operations effort. AWS launched its fully managed AWS Transfer for SFTP to address exactly this.
Rather than invest the time and money to run and patch a fleet of SFTP servers, organizations can hand that maintenance overhead to AWS Transfer for SFTP. Each user is granted access to specific S3 buckets and prefixes, and external parties use standard SFTP to upload, download, and delete files in those locations.
The service scales automatically with the transfer workload, so there is no capacity to plan for. The SFTP endpoint and its users are managed through the AWS console, CLI, and API, while end users connect with any standard SFTP client.
AWS Transfer for SFTP also integrates with common internal and external authentication systems. Users can be authenticated with service-managed SSH public keys, or against an existing identity store through a custom identity provider exposed via an API Gateway endpoint. Administrators assign each user an IAM role, and can further lock down permissions to the S3 locations where that user's files live.
In the IAM console, create a new IAM role whose trust relationship allows the AWS Transfer service (transfer.amazonaws.com) to assume it. Next, create an IAM policy that grants the required access to the S3 bucket and attach it to that role. Both policies are shown in more detail below.
Finally, the server can be placed inside the organization's VPC by creating a VPC endpoint, and users connect with an SFTP client (FileZilla in this example). The steps below can be followed directly or delegated to an MSP such as Ibexlabs. First, the policy attached to the Transfer role, which grants the service access to the bucket (replace bucket_name with the target bucket):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket_name"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::bucket_name/*"
        }
    ]
}

Note: if the environment was deployed from the CloudFormation template (CFT), this role already exists and can be reused.
Per-user session policy (scope-down policy). The ${transfer:HomeBucket}, ${transfer:HomeFolder} and ${transfer:HomeDirectory} variables are filled in by the service for each user at login, so one policy document serves every user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:HomeFolder}/*",
                        "${transfer:HomeFolder}"
                    ]
                }
            }
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}

Note that the trailing * in HomeDirObjectAccess is an unanchored glob: a home directory of bucket/home/user1 also matches objects under bucket/home/user10/ or bucket/home/user1-archive/. Either name home folders so that no folder is a prefix of another, or anchor the pattern as ${transfer:HomeDirectory}/* (at the cost of the user no longer being able to read or delete the zero-byte object that represents the folder itself).
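The following is an added example, not code from the original article or from AWS: a small evaluator for the session policy above. AWS Transfer substitutes the ${transfer:*} variables at login; the script does the same substitution for a constructed user, then checks which S3 requests the rendered policy allows. The bucket and user names are made up, and the mapping of a user's home directory to "bucket/prefix" without a leading slash is an assumption about how the service fills the variables.

```python
# Added example (not from the original article or from AWS): render the
# per-user session policy for one constructed user and evaluate S3 requests
# against it, to show what the trailing '*' in HomeDirObjectAccess matches.
import json
import re

SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {"StringLike": {"s3:prefix": [
                "${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}},
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion",
                       "s3:DeleteObject", "s3:GetObjectVersion",
                       "s3:GetObjectACL", "s3:PutObjectACL"],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
        },
    ],
}

# Constructed user with home directory /corp-sftp/home/alice.  Assumption:
# the service fills HomeDirectory as "bucket/prefix" with no leading slash.
ALICE = {"HomeBucket": "corp-sftp", "HomeFolder": "home/alice",
         "HomeDirectory": "corp-sftp/home/alice"}


def render(policy, variables):
    """Fill the ${transfer:Name} placeholders, as the service does per session."""
    text = json.dumps(policy)
    for name, value in variables.items():
        text = text.replace("${transfer:%s}" % name, value)
    return json.loads(text)


def _glob(pattern, value):
    """IAM-style matching: '*' matches any run of characters (including '/'),
    '?' matches exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource, context=None):
    """Default deny: True only if an Allow statement matches the action, the
    resource and every StringLike condition key (the only operator used here)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        if all(key in context and any(_glob(p, context[key]) for p in _as_list(pats))
               for key, pats in conditions.items()):
            return True
    return False


def harden(policy):
    """Copy of the policy with object access anchored by a '/', so that
    'home/alice*' no longer also matches 'home/alice-archive/...'."""
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed["Statement"]:
        if stmt["Sid"] == "HomeDirObjectAccess":
            stmt["Resource"] = "arn:aws:s3:::${transfer:HomeDirectory}/*"
    return fixed


def access_report(policy, variables):
    """Outcome of representative requests under the rendered policy."""
    p = render(policy, variables)
    bucket = "arn:aws:s3:::" + variables["HomeBucket"]
    return {
        "own_file": is_allowed(p, "s3:GetObject", bucket + "/home/alice/report.csv"),
        "other_user_file": is_allowed(p, "s3:GetObject", bucket + "/home/bob/report.csv"),
        "sibling_prefix_file": is_allowed(p, "s3:GetObject", bucket + "/home/alice-archive/secret.csv"),
        "list_own": is_allowed(p, "s3:ListBucket", bucket, {"s3:prefix": "home/alice/"}),
        "list_other": is_allowed(p, "s3:ListBucket", bucket, {"s3:prefix": "home/bob/"}),
        "list_sibling": is_allowed(p, "s3:ListBucket", bucket, {"s3:prefix": "home/alice-archive/"}),
    }


if __name__ == "__main__":
    print("as published:", access_report(SESSION_POLICY, ALICE))
    print("anchored    :", access_report(harden(SESSION_POLICY), ALICE))
```

Running it shows the asymmetry worth knowing about: the ListBucket statement is scoped cleanly by the s3:prefix condition (home/alice-archive/ is not listable), but the object statement's unanchored ${transfer:HomeDirectory}* lets alice read home/alice-archive/secret.csv. The hardened variant closes that while leaving her own files readable.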
Generate a key pair for the user:

ssh-keygen

When prompted, enter the path where the key pair should be saved (here /opt/BounceX). Set a passphrase: the private key stays with the user, and only the public key (/opt/BounceX.pub) is uploaded to the SFTP user in AWS Transfer.

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /opt/BounceX
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /opt/BounceX.
Your public key has been saved in /opt/BounceX.pub.
The key fingerprint is:
SHA256:bBGvsTC8AJl3FcvQtGZtfQhtweEiAYloUTabDVKTBCc
The key's randomart image is:
+---[RSA 2048]----+
| EXXoo**..ooo |
| =*+Ooo.B ++. |
| . .+.= X =.+ . |
| . B B . . |
| . S |
| . |
| |
| |
| |
+----[SHA256]-----+

Connect with the private key, where endpoint is the server's hostname shown in the Transfer console:

sftp -i /opt/BounceX username@endpoint
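Before pasting a public key into the Transfer user, it is worth checking that the file really is the key you generated. The following is an added example, not code from the original article: it parses an OpenSSH public key line of the kind ssh-keygen writes to /opt/BounceX.pub, recomputes the SHA256 fingerprint in the same notation ssh-keygen prints above (base64 of the SHA-256 of the key blob, padding stripped), and rejects RSA keys shorter than a minimum size. The sample key is constructed from fixed bytes and is not a real key; the 2048-bit minimum is an assumed policy.

```python
# Added example (not from the original article): validate an OpenSSH public
# key line and compute its SHA256 fingerprint before uploading it to an
# AWS Transfer user.  The sample key below is constructed, not a real key.
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Read one wire-format string at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_public_key(line: str) -> dict:
    """Split '<type> <base64> [comment]', decode the blob, and check that the
    key type recorded inside the blob agrees with the type field outside it."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = _read_ssh_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("key type mismatch: %s vs %s" % (key_type, inner_type.decode()))
    return {"type": key_type, "blob": blob, "comment": comment}


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in ssh-keygen's notation: unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rsa_bits(blob: bytes) -> int:
    """Modulus size of an ssh-rsa blob: string 'ssh-rsa', mpint e, mpint n."""
    _, off = _read_ssh_string(blob, 0)       # "ssh-rsa"
    _, off = _read_ssh_string(blob, off)     # public exponent
    n, _ = _read_ssh_string(blob, off)       # modulus (may carry a leading 0x00)
    return int.from_bytes(n, "big").bit_length()


def check_key_for_upload(line: str, min_rsa_bits: int = 2048) -> dict:
    """Type, fingerprint and (for RSA) modulus size of a key about to be
    pasted into a Transfer user; raises ValueError if it fails the checks."""
    key = parse_public_key(line)
    info = {"type": key["type"], "fingerprint": fingerprint(key["blob"])}
    if key["type"] == "ssh-rsa":
        info["bits"] = rsa_bits(key["blob"])
        if info["bits"] < min_rsa_bits:  # assumed minimum, not an AWS requirement
            raise ValueError("RSA key too short: %d bits" % info["bits"])
    return info


def constructed_rsa_pub_line(bits: int = 2048) -> str:
    """Constructed sample: e=65537 and a fake modulus of the requested size
    (high bit set, hence the 0x00 mpint padding).  Not a usable key."""
    exponent = (65537).to_bytes(3, "big")
    modulus = b"\x00" + b"\xc3" + b"\x5a" * (bits // 8 - 1)
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(exponent) + _ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@bastion"


if __name__ == "__main__":
    print(check_key_for_upload(constructed_rsa_pub_line()))
```

The fingerprint this returns for a real .pub file should equal what ssh-keygen printed at generation time and what `ssh-keygen -lf /opt/BounceX.pub` shows; a mismatch means the wrong file is about to be uploaded.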
That completes the setup: an AWS Transfer for SFTP server reachable through a VPC endpoint, IAM roles and session policies scoping each user to their own S3 prefix, and SSH keys for users connecting with a client such as FileZilla.
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.