AWS Transfer for SFTP Explained: A VPC Use Case

Organizations often need to securely transfer files to outside entities such as clients and vendors. These transfers need to maintain the security and integrity of internal infrastructure while also maintaining a practical and cost-effective process. Secure-Shell File Transfer Protocol (SFTP) servers used to be the “go-to” answer for this enterprise requirement, but running them is costly and not necessarily the most efficient best practice. To solve this challenge, AWS launched its fully managed AWS Transfer Family.

Reduce Costly SFTP Overheads

Rather than undergoing the costly and time-consuming process of SFTP server infrastructural setup, AWS Transfer Family for SFTP eliminates this maintenance overhead. It provides access to specific S3 buckets and prefixes for each user. Organizations can fully leverage SFTP to upload, download, and delete files to and from these buckets, and easily transfer them to  external entities.

For resource and performance efficiency in file transfers, as a managed resource, AWS Transfer Family leverages elastic resources on the backend to auto-scale in accordance with the transfer workload, and without human intervention. It’s also possible to configure a VPC-enabled AWS Transfer Family endpoint and set up client access through web, CLI, and API interfaces.

Integration of AWS IAM with AWS Transfer for SFTP

AWS Transfer Family also supports common internal and external user authentication systems. These can include internal users that are service-managed, or other users-types in AD groups, which are located either in the AWS cloud or on-premises (or both). Authentication can also be implemented through custom development using Lambda or an API gateway. 

It’s also possible to set up a secure SFTP server within an organization’s custom VPC by creating a VPC-enabled transfer family endpoint right through to configuring an external tool (FileZilla in this example) user connection. Simply follow these guidelines or leverage your relationship with your managed service provider, such as Ibexlabs, to implement it for you. 

Step #1: Create an IAM Policy to Upload/Download Objects to Target S3 Bucket

Before provisioning the AWS Transfer Family Configuration, you must create an IAM Role with the mentioned policy and trust relationship, giving transfer family the requisite permissions to access the target S3 bucket.  In the example below, replace with the actual name of the S3 bucket

IAM policy:
‍

{

        “Version”: “2012-10-17”,

        “Statement”: [

                 {

                             “Sid”: “VisualEditor0”,

                             “Effect”: “Allow”,

                             “Action”: [

                                                 “s3:PutObject”,

                                                 “s3:GetObject”,

                                                 “s3:ListBucket”,

                                                 “s3:DeleteObject”

                                                 ],

                              “Resource”: [

                                         “arn:aws:s3:::“,

                                         “arn:aws:s3:::/*”

                                          ]

                      }

          ]

}

Trust Relationship:

{

        “Version”: “2012-10-17”,

         “Statement”: [

                 {

                               “Sid”: “”,

                               “Effect”: “Allow”,

                               “Principal”: {

                                                           “Service”: “transfer.amazonaws.com”

                          },

                          “Action”: “sts:AssumeRole”

                 }

        ]

}

‍

‍Step #2: Provision AWS Transfer Family for SFTP Server

• In the AWS console, search for AWS Transfer Family and select Servers, as shown in the screenshot below: 

• Choose protocols: SFTP (SSH File Transfer Protocol) – file transfer over Secure Shell and Click Next: 

• Choose Identity provider type: Select Service managed and Click Next. This is used to create internal users within the Transfer Family.

•  Select the Endpoint Select VPC hosted as the endpoint type and select “Internet facing” to connect to external resources. 
• Custom VPC with public subnets as selected, assigning the EIP for each availability zone and a custom security group to manage access and Click Next.

• Select the domain as Amazon S3. The target S3 bucket stores the required objects.

• To enable CloudWatch logging, chose the creation of a role for logging the data of all incoming and  outgoing file transfers.
• Click Next and finally review to provision the transfer family for SFTP server.

Step #3: Create an Internal User

 A server-managed user is a Transfer Family managed user that is created to enable external provider access to the target S3 bucket.

‍

• Create a SSH key, generating a public and private key to authenticate the service managed user when connecting to the Transfer Family host.

  To generate the keypairs:

Commands:  ssh-keygen

ssh-keygen 

Enter the path where the keys need to save

Generate public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa): /opt/BounceX

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /opt/BounceX

Your public key has been saved in /opt/BounceX.pub

The key fingerprint is:

SHA256:bBGvsTC8AJl3FcvQtGZtfQhtweEiAYloUTabDVKTBCc 

The key’s randomart image is:

+—[RSA 2048]—-+

|  EXXoo**..ooo   |

|  =*+Ooo.B ++.   |

| . .+.= X =.+ .  |

|     . B B . .   |

|      . S        |

|       .         |

|                 |

|                 |

|                 |

+—-[SHA256]—–+

• Configure the S3 bucket to which you wish to transfer. Input the path to the Home directory where user end up when they log in using their SFTP client.
• Create a user with a previously created custom IAM Role to access an S3 bucket. Input the SSH public key data from the SSH key pair (Add id_rsa.pub), and share the private key with the user.

Step #5: External Login to the SFTP Server

1. Login to the SFTP Server using the command line interface:

sftp  -i username@endpoint

2. Login to the SFTP Server using FileZilla:

• Open FileZilla and click on the ‘Open the site manager’ button as shown in the image below.

‍

• Enter the following required details, as numbered in the next image below:
  Click on ‘New Site’
• Edit the New Site to Name
• Go to the ‘General’ tab and enter the ‘Host’ name
• Enter the ‘Port’ number
• Select the ‘Protocol’ type: ‘SFTP – SSH File Transfer Protocol’ 
• Choose ‘Key file’ in ‘Logon Type’ 
• Enter the ‘User’ name 
• And ‘Browse’ to find the ‘Key file’
• Click on the ‘Connect’ button to finish and connect the SFTP server

Now you are able to connect AWS Transfer Family for SFTP with a VPC-enabled endpoint to an external login tool such as FileZilla.

Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and make recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored for you.