-
-
Save serverhorror/ca618fc1b6a729c4ab3f1ad734b1145b to your computer and use it in GitHub Desktop.
CloudFormation template for AWS Transfer for SFTP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| AWSTemplateFormatVersion: '2010-09-09' | |
| Description: some-sftp-server | |
| Parameters: | |
| HostedZoneIdParam: | |
| Type: String | |
| Description: Hosted Zone ID | |
| SFTPHostnameParam: | |
| Type: String | |
| Description: Hostname for the SFTP Server | |
| Resources: | |
| SFTPServer: | |
| Type: AWS::Transfer::Server | |
| Properties: | |
| EndpointType: PUBLIC | |
| Tags: | |
| - Key: Application | |
| Value: some-sftp-servver | |
| SFTPServerDNSRecord: | |
| Type: AWS::Route53::RecordSet | |
| Properties: | |
| Name: !Ref SFTPHostnameParam | |
| HostedZoneId: !Ref HostedZoneIdParam | |
| Type: CNAME | |
| Comment: SFTP Transfer custom hostname | |
| TTL: 300 | |
| ResourceRecords: | |
| - !Sub ${SFTPServer.ServerId}.server.transfer.${AWS::Region}.amazonaws.com | |
| SFTPServerS3Bucket: | |
| Type: AWS::S3::Bucket | |
| DeletionPolicy: Retain | |
| Properties: | |
| BucketName: some-sftp-bucket | |
| PublicAccessBlockConfiguration: | |
| BlockPublicAcls: true | |
| BlockPublicPolicy: true | |
| IgnorePublicAcls: true | |
| RestrictPublicBuckets: true | |
| Tags: | |
| - Key: Application | |
| Value: some-sftp-servver | |
| SFTPUserRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| AssumeRolePolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Principal: | |
| Service: | |
| - transfer.amazonaws.com | |
| Action: | |
| - sts:AssumeRole | |
| Path: / | |
| Policies: | |
| - PolicyName: S3FullAccess | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - s3:ListAllMyBuckets | |
| - s3:GetBucketLocation | |
| Resource: "*" | |
| - PolicyName: AllowListingOfUserFolder | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - s3:ListBucket | |
| Resource: !GetAtt SFTPServerS3Bucket.Arn | |
| - PolicyName: HomeDirObjectAccess | |
| PolicyDocument: | |
| Version: '2012-10-17' | |
| Statement: | |
| - Effect: Allow | |
| Action: | |
| - s3:PutObject | |
| - s3:GetObject | |
| - s3:GetObjectVersion | |
| - s3:DeleteObject | |
| - s3:DeleteObjectVersion | |
| Resource: !Sub "${SFTPServerS3Bucket.Arn}/*" | |
| TestUser: | |
| Type: AWS::Transfer::User | |
| Properties: | |
| ServerId: !GetAtt SFTPServer.ServerId | |
| UserName: john | |
| HomeDirectory: !Sub "/${SFTPServerS3Bucket}/home/john" | |
| Policy: > | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "AllowListingOfUserFolder", | |
| "Effect": "Allow", | |
| "Action": "s3:ListBucket", | |
| "Resource": "arn:aws:s3:::${transfer:HomeBucket}", | |
| "Condition": { | |
| "StringLike": { | |
| "s3:prefix": [ | |
| "home/${transfer:UserName}/*", | |
| "home/${transfer:UserName}" | |
| ] | |
| } | |
| } | |
| }, | |
| { | |
| "Sid": "HomeDirObjectAccess", | |
| "Effect": "Allow", | |
| "Action": [ | |
| "s3:PutObject", | |
| "s3:GetObject", | |
| "s3:GetObjectVersion", | |
| "s3:DeleteObject", | |
| "s3:DeleteObjectVersion" | |
| ], | |
| "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*" | |
| } | |
| ] | |
| } | |
| Role: !GetAtt SFTPUserRole.Arn | |
| SshPublicKeys: | |
| - ssh-rsa AAAAB3NzaC1********************************cMNTZKrQTDjrpvCJ83w== [email protected] | |
| Tags: | |
| - Key: Application | |
| Value: some-sftp-server |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment