Setup SFTP on AWS with Username and Password in 15 minutes

In this blog, we will show you how to setup SFTP on AWS with Username and Password. Earlier this year, AWS added support for enabling password based authentication for AWS Transfer for SFTP using AWS Secrets Manager. AWS Transfer for SFTP is a fully managed service by AWS and helps you migrate your file transfer workflows to AWS. AWS Transfer for SFTP is built on top of S3 and can be a powerful tool if you are looking for a reliable, scalable and durable solution.

Setting up an SFTP server can be a complex task. For this blog, our main focus will be to cover the key items that should help you set up SFTP on AWS with Username and Password in less than 15 minutes. If you are interested in the overall design, architecture, or technologies involved, we highly recommend checking out this AWS blog.

Problem Statement

Company ZYX wants to set up an SFTP server for its Marketing and Development teams in AWS as shown below:

/content -> Top level S3 bucket.

/content/marketing -> Marketing folder resides within Content. Only Marketing team should have access to it.

/content/development/team1 -> Team1 should have access to just its folder and should not have access to any other folders.

/content/development/team2 -> Team2 should have access to just its folder and should not have access to any other folders.

Pre-requisite

Create a new bucket in S3 with the name -> ‘content’

Create corresponding folders within the content bucket:

/content/marketing

/content/development/team1

/content/development/team2

Setup SFTP on AWS with Username and Password 

Start the timer 🙂

Step-1: Download the CloudFormation template ( aws-transfer-custom-idp-secrets-manager-apig ) provided by AWS and create the stack. This should create the SFTP server, API Gateway, AWS Lambda functions and required IAM roles.

Step-2: Go to the AWS Transfer for SFTP section and you will see the server being provisioned. Optionally, you can associate a CNAME DNS entry in Route53 for the SFTP server. Stop the timer and wait for provisioning to complete. After provisioning is complete, the server will come online. Restart the timer.


Step-3: Go to IAM section and create a new policy named CustomSFTPReadWritePolicy with the following content:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::content"
      ]
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::content/*"
    }
  ]
}

You can also download the policy file from GitHub.

Step-4:  Next click IAM -> Roles -> Create Role and select Transfer.  Click Permissions and select the policy created in step-3 i.e. CustomSFTPReadWritePolicy.  Follow prompts and create a new role named CustomSFTPTransferRole.

Step-5: Select CustomSFTPTransferRole role created in Step-4 and click ‘Trust Relationships‘ tab. Click Edit trust relationship and enter the following content:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Note down the ARN of this role, as you will need it later to create users. To read more on AssumeRole, please check this link.

Step-6: To create users, you will need to create a new Secret. Go to AWS Secrets Manager and click ‘Store a new secret‘. Select ‘Other type of secrets‘ option and create the following key/value pairs (please update values as needed):

Key: Password
Value: changeIt

Key: Role
Value: arn:aws:iam::xxxxxxxxxxxx:role/CustomSFTPTransferRole
Role Explanation: Use one of the Role ARNs you created for AWS SFTP users earlier in Step-4. This defines what access the user has to S3.

Key: HomeDirectory
Value: /content/marketing
Explanation: The path to the user's home directory.

Key: Policy
Value:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${transfer:HomeBucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${transfer:HomeFolder}/*",
            "${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}

Click Next and enter the secret name as ‘SFTP/marketing’ (the ‘SFTP/’ prefix is important: the identity provider looks up the secret named SFTP/<username>).

Step-7: You can create two more secrets for ‘team1’ and ‘team2’ as you did in Step-6 for ‘Marketing’. The key thing (apart from Password) to change is HomeDirectory. For example, for team1, you will use the following:

Key: HomeDirectory
Value: /content/development/team1

You can always edit any of the secret values by selecting the secret and clicking on ‘Retrieve Secret Value -> Edit‘.

Step-8: Done. Stop and check the timer. Hopefully, you were able to get it working and set up SFTP on AWS with username and password within 15 minutes 🙂

Testing

Launch your favourite SFTP client and try connecting with the SFTP credentials. Here’s a screenshot with Cyberduck on Mac for reference:


If everything went well, you should be able to connect using the SFTP user and have access to that user's home directory.

CLI users can also run this command to troubleshoot issues (replace the server id with your own):

aws transfer test-identity-provider --server-id "s-eXXXXXXXa9" --user-name marketing --user-password changeIt --region us-east-2

Hope this will save some precious time and help you set up SFTP on AWS with Username and Password. If you liked the blog, please comment below and let us know. Also, check out more DevOps and Cloud blogs on our site here.