Organizations often need to securely transfer files to outside entities such as clients and vendors. These transfers must preserve the security and integrity of internal infrastructure while remaining practical and cost-effective. Self-hosted SSH File Transfer Protocol (SFTP) servers used to be the "go-to" answer for this enterprise requirement, but running them is costly and rarely the most efficient approach. To solve this challenge, AWS launched its fully managed AWS Transfer Family.
Rather than undergoing the costly and time-consuming process of SFTP server infrastructural setup, AWS Transfer Family for SFTP eliminates this maintenance overhead. It provides access to specific S3 buckets and prefixes for each user. Organizations can fully leverage SFTP to upload, download, and delete files to and from these buckets, and easily transfer them to external entities.
Because it is a managed service, AWS Transfer Family runs on elastic backend resources that scale automatically with the transfer workload, with no human intervention. It is also possible to configure a VPC-enabled AWS Transfer Family endpoint and set up client access through the web console, the CLI, and the API.
AWS Transfer Family also supports common internal and external user authentication systems. These include service-managed users, as well as user types held in AD groups located either in the AWS cloud or on-premises (or both). Authentication can also be implemented through custom development using AWS Lambda or Amazon API Gateway.
It is also possible to set up a secure SFTP server within an organization's custom VPC, from creating a VPC-enabled Transfer Family endpoint through to configuring a user connection from an external tool (FileZilla in this example). Simply follow these guidelines, or leverage your relationship with your managed service provider, such as Ibexlabs, to implement it for you.
Step #1: Create an IAM Policy to Upload/Download Objects to Target S3 Bucket
Before provisioning the AWS Transfer Family configuration, you must create an IAM role with the policy and trust relationship shown below, giving Transfer Family the requisite permissions to access the target S3 bucket. In the example below, replace <target-s3-bucket> with the actual name of the S3 bucket.
IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<target-s3-bucket>",
"arn:aws:s3:::<target-s3-bucket>/*"
]
}
]
}
Trust Relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "transfer.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
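The role policy above is only as safe as its Resource scope: a wildcard bucket ARN would let the Transfer Family role reach every bucket in the account. The following Python is an added example written for this article (not code from the page or from AWS); it builds the Step #1 policy for a given bucket and runs a least-privilege check over any policy document, flagging Allow statements whose actions or resources reach beyond that bucket. The bucket name `example-transfer-bucket` is a constructed sample.

```python
import json

BUCKET = "example-transfer-bucket"  # constructed sample name, not from the page


def build_transfer_role_policy(bucket: str) -> dict:
    """The Step #1 IAM policy with <target-s3-bucket> substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject",
                       "s3:ListBucket", "s3:DeleteObject"],
            "Resource": [f"arn:aws:s3:::{bucket}",
                         f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def check_policy_scope(policy: dict, bucket: str) -> list:
    """Return findings for Allow statements that reach beyond `bucket`.

    Flags wildcard actions ('*' or 's3:*') and any Resource that is not
    the bucket ARN itself or an object ARN inside that bucket.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid") or "<no Sid>"
        # IAM allows a bare string or a list for both fields; normalise to lists.
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action == "*" or action.lower() == "s3:*":
                findings.append(f"{sid}: wildcard action {action!r}")
        for res in resources:
            if res == bucket_arn or res.startswith(bucket_arn + "/"):
                continue
            findings.append(f"{sid}: resource {res!r} is outside bucket {bucket!r}")
    return findings


if __name__ == "__main__":
    policy = build_transfer_role_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print("findings:", check_policy_scope(policy, BUCKET) or "none")
```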
Step #2: Provision AWS Transfer Family for SFTP Server
Step #3: Create an Internal User
A service-managed user is a user managed by Transfer Family itself, created to give an external party access to the target S3 bucket. The user authenticates with an SSH key pair, generated as follows.
Command:
ssh-keygen
When prompted, enter the path where the keys should be saved (/opt/BounceX in this example). The session looks like this:
Generate public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /opt/BounceX
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /opt/BounceX
Your public key has been saved in /opt/BounceX.pub
The key fingerprint is:
SHA256:bBGvsTC8AJl3FcvQtGZtfQhtweEiAYloUTabDVKTBCc
The key's randomart image is:
+---[RSA 2048]----+
| EXXoo**..ooo |
| =*+Ooo.B ++. |
| . .+.= X =.+ . |
| . B B . . |
| . S |
| . |
| |
| |
| |
+----[SHA256]-----+
Step #5: External Login to the SFTP Server
sftp -i <private key> username@endpoint
You can now connect to the AWS Transfer Family for SFTP server over its VPC-enabled endpoint from an external client such as FileZilla, using the private key generated above.
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored for you.