Software Engineering :: Cloud :: AWS :: AWS Transfer for SFTP


⪼ Made with 💜 by Polyglot.

related

Test Connection

# Smoke test as the service-managed "demo" user. Passing the .pub half to -i
# only works when the matching private key is loaded in ssh-agent (OpenSSH
# uses the public file to pick the agent key); without an agent, point -i at
# the private key instead. On the very first connection compare the host-key
# fingerprint sftp prints against HostKeyFingerprint from
# `aws transfer describe-server` before accepting it — that is the only
# defence against a spoofed endpoint.
> sftp -i ~/.ssh/aws-transfer-for-sftp.pub "demo@${SERVER_HOSTNAME}"

Connected to demo@$SERVER_HOSTNAME.
sftp>
sftp> pwd
Remote working directory: /${HOME}/demo

User & User Key Management

List Users

# Every user on the server with home directory, role and key count.
# With a SERVICE_MANAGED identity provider, login is by SSH key, so a user
# whose SshPublicKeyCount is 0 cannot authenticate — check this first when
# someone reports being locked out.
> aws transfer list-users \
    --server-id "${SERVER_ID}" \
    --region "${AWS_DEFAULT_REGION}"
response
{
    "ServerId": "${SERVER_ID}",
    "Users": [
        {
            "Arn": "arn:aws:transfer:us-east-1:${AWS_ACCOUNT_ID}:user/${SERVER_ID}/demo",
            "HomeDirectory": "/${HOME}/demo",
            "Role": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${SFTP_USER_ROLE}",
            "SshPublicKeyCount": 1,
            "UserName": "demo"
        }
    ]
}

Create User

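# Provision a new SFTP user. Three things are bound together here:
#   * --home-directory  : the S3 path the user lands in. This is NOT a
#                         chroot by itself — the role decides what is
#                         reachable, and the session policy narrows it.
#   * --role            : IAM role Transfer assumes on the user's behalf.
#   * --policy          : the session ("scope-down") policy DOCUMENT as
#                         JSON — Transfer stores it as a blob per user, so
#                         a policy ARN is rejected; pass file://… instead.
# --ssh-public-key-body is the END USER's public key, received out of band;
# their private key never needs to leave their machine.
# Fixes vs. the earlier version: --user-name and --home-directory now both
# use $USER_NAME (a hard-coded user-name with a variable home directory put
# the account in someone else's prefix), --region is set like every other
# command on this page, and the account id is parameterised.
> aws transfer create-user \
  --region "${AWS_DEFAULT_REGION}" \
  --server-id "${SERVER_ID}" \
  --user-name "${USER_NAME}" \
  --home-directory "/${BUCKET_NAME}/${USER_NAME}" \
  --role "arn:aws:iam::${AWS_ACCOUNT_ID}:role/SftpS3MapquestDaasSyndication" \
  --policy "file://${SCOPE_DOWN_POLICY_FILE}" \
  --tags "Key=email,Value=${USER_EMAIL}" \
  --ssh-public-key-body "file://${HOME}/.ssh/key.pub"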

List every user's UserName

# Just the user names (JMESPath projection over the Users array).
> aws transfer list-users \
    --server-id "${SERVER_ID}" \
    --region "${AWS_DEFAULT_REGION}" \
    --query 'Users[].UserName'
response
[
    "demo"
]

List Public Key Count for all Users

# Per-user key count, e.g. to find users with no key (cannot log in) or
# with more keys than expected (stale keys left behind after a rotation).
> aws transfer list-users \
    --server-id "${SERVER_ID}" \
    --region "${AWS_DEFAULT_REGION}" \
    --query 'Users[].{SshPublicKeyCount:SshPublicKeyCount,UserName:UserName}'
response
[
    {
        "SshPublicKeyCount": 1,
        "UserName": "demo"
    }
]

Delete User SSH Public Key

# Revoke one key. Rotation order matters: import the replacement key first,
# confirm the user can log in with it, THEN delete the old one — a user left
# with zero keys is locked out. Deleting is the right response to a
# compromised or departed-owner key. The key id is the SshPublicKeyId shown
# by import-ssh-public-key / describe-user.
> aws transfer delete-ssh-public-key \
    --server-id "${SERVER_ID}" \
    --user-name demo \
    --ssh-public-key-id "${PUBLIC_KEY_ID}" \
    --region "${AWS_DEFAULT_REGION}"

Import User SSH Public Key

# Add a key to an existing user. A user may hold several keys, which is what
# makes zero-downtime rotation possible. The file is the user's PUBLIC key;
# the SshPublicKeyId in the response is the handle for a later
# delete-ssh-public-key.
> aws transfer import-ssh-public-key \
    --region "${AWS_DEFAULT_REGION}" \
    --server-id "${SERVER_ID}" \
    --user-name "${USER_NAME}" \
    --ssh-public-key-body "file://${HOME}/.ssh/key.pub"

{
    "ServerId": "${SERVER_ID}",
    "SshPublicKeyId": "${PUBLIC_KEY_ID}",
    "UserName": "demo"
}

List User SSH Public Key

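# Keys currently attached to one user (ids, bodies, import dates) — use it
# to pick the SshPublicKeyId for delete-ssh-public-key and to audit for
# keys nobody recognises.
# Fix: the earlier version was missing the line continuation after
# --region, which ended the command there and left `--server-id …` to run
# as a separate (failing) command.
> aws transfer describe-user \
  --region "${AWS_DEFAULT_REGION}" \
  --server-id "${SERVER_ID}" \
  --user-name "${USER_NAME}" \
  --query 'User.SshPublicKeys'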

Server Management

List Servers

# Inventory of Transfer servers in the region. Worth reviewing periodically:
# EndpointType PUBLIC means the endpoint is reachable from the Internet, and
# a missing LoggingRole means sessions are not being logged at all.
> aws transfer list-servers --region "${AWS_DEFAULT_REGION}"
response
{
    "Servers": [
        {
            "Arn": "arn:aws:transfer:us-east-1:755203376857:server/s-2944871d6ecd437f8",
            "IdentityProviderType": "SERVICE_MANAGED",
            "EndpointType": "PUBLIC",
            "LoggingRole": "arn:aws:iam::755203376857:role/SftpCloudwatchLogging",
            "ServerId": "s-2944871d6ecd437f8",
            "State": "ONLINE",
            "UserCount": 2
        },
        {
            "Arn": "arn:aws:transfer:us-east-1:755203376857:server/s-9d1034decb8241559",
            "IdentityProviderType": "SERVICE_MANAGED",
            "EndpointType": "PUBLIC",
            "LoggingRole": "arn:aws:iam::755203376857:role/SftpCloudwatchLogging",
            "ServerId": "s-9d1034decb8241559",
            "State": "ONLINE",
            "UserCount": 5
        }
    ]
}

List Server IDs

# Server ids only, handy for scripting over every server.
> aws transfer list-servers --region "${AWS_DEFAULT_REGION}" \
    --query 'Servers[].ServerId'
response
[
    "s-2944871d6ecd437f8",
    "s-9d1034decb8241559"
]

Describe Server

# Full detail for one server. HostKeyFingerprint is the value to publish to
# users so they can verify the endpoint on first connection instead of
# blindly accepting whatever host key answers.
> aws transfer describe-server \
    --server-id "${SERVER_ID}" \
    --region "${AWS_DEFAULT_REGION}"
response
{
    "Server": {
        "Arn": "arn:aws:transfer:${AWS_DEFAULT_REGION}:${AWS_ACCOUNT_ID}:server/${SERVER_ID}",
        "EndpointType": "PUBLIC",
        "HostKeyFingerprint": "SHA256:${SHA256}",
        "IdentityProviderType": "SERVICE_MANAGED",
        "LoggingRole": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${LOGGING_ROLE_NAME}",
        "ServerId": "${SERVER_ID}",
        "State": "ONLINE",
        "Tags": [
            {
                "Key": "aws:transfer:route53HostedZoneId",
                "Value": "/hostedzone/${ZONE_ID}"
            },
            {
                "Key": "aws:transfer:customHostname",
                "Value": "${SERVER_HOSTNAME}"
            }
        ],
        "UserCount": 1
    }
}

CloudFormation Templates

sftp_public.template

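AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Transfer for SFTP Template (public endpoint, service-managed users)

Resources:
  # Internet-reachable SFTP endpoint. Users and their SSH public keys are
  # created out of band with `aws transfer create-user`.
  # NOTE(review): no SecurityPolicyName is set, so the server uses the
  # service default; pin one explicitly if you need to rule out legacy
  # ciphers/MACs for compliance.
  AWSTransferServer:
    Type: AWS::Transfer::Server
    Properties:
      EndpointType: PUBLIC
      IdentityProviderType: SERVICE_MANAGED
      LoggingRole: !GetAtt CloudWatchRole.Arn

  # Role the Transfer service assumes to write session logs to CloudWatch.
  # Fixes vs. the earlier version:
  #   * Description moved under Properties — it is a Role property, not a
  #     resource attribute, and CloudFormation rejects unknown attributes.
  #   * The service principal is wrapped in !Sub; a bare ${AWS::URLSuffix}
  #     in YAML is the literal string and the trust policy is invalid.
  #   * aws:SourceAccount condition added so only Transfer resources in this
  #     account can assume the role (cross-service confused-deputy guard).
  CloudWatchRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Description: CloudWatch log group permissions for AWS Transfer for SFTP Servers.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - !Sub 'transfer.${AWS::URLSuffix}'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref AWS::AccountId
      Path: /

  # Write-only access to the Transfer log groups, scoped to this partition,
  # region and account rather than arn:aws:logs:*:* (least privilege, and
  # correct in non-commercial partitions).
  CloudWatchPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: CloudWatchPolicy
      Roles:
        - !Ref CloudWatchRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/transfer/*'

Outputs:
  Endpoint:
    Description: SFTP Server Endpoint
    Value: !Sub '${AWSTransferServer.ServerId}.server.transfer.${AWS::Region}.${AWS::URLSuffix}'
    Export:
      Name: !Sub '${AWS::StackName}Endpoint'
  ServerID:
    Description: SFTP Server ID
    Value: !GetAtt AWSTransferServer.ServerId
    Export:
      Name: !Sub '${AWS::StackName}ServerID'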
