Configure SFTP connectors
This topic describes how to create SFTP connectors, the security algorithms associated with them, how to store a secret to hold credentials, details about formatting the private key, and instructions for testing your connectors.
Create an SFTP connector
This procedure explains how to create SFTP connectors by using the AWS Transfer Family console or AWS CLI.
- Console

  To create an SFTP connector

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. In the left navigation pane, choose Connectors, then choose Create connector.

  3. Choose SFTP for the connector type to create an SFTP connector, and then choose Next.

  4. In the Connector configuration section, provide the following information:

     - For the URL, enter the URL for a remote SFTP server. This URL must be formatted as sftp://partner-SFTP-server-url, for example sftp://AnyCompany.com.

       Note: Optionally, you can provide a port number in your URL. The format is sftp://partner-SFTP-server-url:port-number. The default port number (when no port is specified) is port 22.

     - For the Access role, choose the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to use.

       - Make sure that this role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request.

       - Make sure that this role provides permission for secretsmanager:GetSecretValue to access the secret.

         Note: In the policy, you must specify the ARN for the secret. The ARN contains the secret name, but appends six random alphanumeric characters to the name. An ARN for a secret has the following format.

             arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters

       - Make sure this role contains a trust relationship that allows the connector to access your resources when servicing your users' transfer requests. For details on establishing a trust relationship, see To establish a trust relationship.

       The following example grants the necessary permissions to access the amzn-s3-demo-bucket in Amazon S3, and the specified secret stored in Secrets Manager.

           {
               "Version": "2012-10-17",
               "Statement": [
                   {
                       "Sid": "AllowListingOfUserFolder",
                       "Action": [
                           "s3:ListBucket",
                           "s3:GetBucketLocation"
                       ],
                       "Effect": "Allow",
                       "Resource": [
                           "arn:aws:s3:::amzn-s3-demo-bucket"
                       ]
                   },
                   {
                       "Sid": "HomeDirObjectAccess",
                       "Effect": "Allow",
                       "Action": [
                           "s3:PutObject",
                           "s3:GetObject",
                           "s3:DeleteObject",
                           "s3:DeleteObjectVersion",
                           "s3:GetObjectVersion",
                           "s3:GetObjectACL",
                           "s3:PutObjectACL"
                       ],
                       "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
                   },
                   {
                       "Sid": "GetConnectorSecretValue",
                       "Effect": "Allow",
                       "Action": [
                           "secretsmanager:GetSecretValue"
                       ],
                       "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters"
                   }
               ]
           }

       Note: For the access role, the example grants access to a single secret. However, you can use a wildcard character, which can save work if you want to reuse the same IAM role for multiple users and secrets. For example, the following resource statement grants permissions for all secrets that have names beginning with aws/transfer.

           "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/*"

       You can also store secrets containing your SFTP credentials in another AWS account. For details on enabling cross-account secret access, see Permissions to AWS Secrets Manager secrets for users in a different account.

     - (Optional) For the Logging role, choose the IAM role for the connector to use to push events to your CloudWatch logs. The following example policy lists the necessary permissions to log events for SFTP connectors.

           {
               "Version": "2012-10-17",
               "Statement": [{
                   "Sid": "SFTPConnectorPermissions",
                   "Effect": "Allow",
                   "Action": [
                       "logs:CreateLogStream",
                       "logs:DescribeLogStreams",
                       "logs:CreateLogGroup",
                       "logs:PutLogEvents"
                   ],
                   "Resource": [
                       "arn:aws:logs:*:*:log-group:/aws/transfer/*"
                   ]
               }]
           }

  5. In the SFTP Configuration section, provide the following information:

     - For Connector credentials, from the dropdown list, choose the name of a secret in AWS Secrets Manager that contains the SFTP user's private key or password. You must create a secret and store it in a specific manner. For details, see Store a secret for use with an SFTP connector.

     - For Trusted host keys, paste in the public portion of the host key that is used to identify the external server. You can add more than one key by choosing Add trusted host key. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key. For details about the format and type of trusted host keys that Transfer Family supports, see SFTPConnectorConfig.

  6. In the Cryptographic algorithm options section, choose a Security policy from the dropdown list in the Security Policy field. The security policy enables you to select the cryptographic algorithms that your connector supports. For details on the available security policies and algorithms, see Security policies for AWS Transfer Family SFTP connectors.

  7. (Optional) In the Tags section, for Key and Value, enter one or more tags as key-value pairs.

  8. After you have confirmed all of your settings, choose Create connector to create the SFTP connector. If the connector is created successfully, a screen appears with a list of the assigned static IP addresses and a Test connection button. Use the button to test the configuration for your new connector.

     The Connectors page appears, with the ID of your new SFTP connector added to the list. To view the details for your connectors, see View SFTP connector details.
- CLI

  You use the create-connector command to create a connector. To use this command to create an SFTP connector, you must provide the following information.

  - The URL for a remote SFTP server. This URL must be formatted as sftp://partner-SFTP-server-url, for example sftp://AnyCompany.com.

  - The access role. Choose the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to use.

    - Make sure that this role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request.

    - Make sure that this role provides permission for secretsmanager:GetSecretValue to access the secret.

      Note: In the policy, you must specify the ARN for the secret. The ARN contains the secret name, but appends six random alphanumeric characters to the name. An ARN for a secret has the following format.

          arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters

    - Make sure this role contains a trust relationship that allows the connector to access your resources when servicing your users' transfer requests. For details on establishing a trust relationship, see To establish a trust relationship.

    The following example grants the necessary permissions to access the amzn-s3-demo-bucket in Amazon S3, and the specified secret stored in Secrets Manager.

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AllowListingOfUserFolder",
                    "Action": [
                        "s3:ListBucket",
                        "s3:GetBucketLocation"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:s3:::amzn-s3-demo-bucket"
                    ]
                },
                {
                    "Sid": "HomeDirObjectAccess",
                    "Effect": "Allow",
                    "Action": [
                        "s3:PutObject",
                        "s3:GetObject",
                        "s3:DeleteObject",
                        "s3:DeleteObjectVersion",
                        "s3:GetObjectVersion",
                        "s3:GetObjectACL",
                        "s3:PutObjectACL"
                    ],
                    "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
                },
                {
                    "Sid": "GetConnectorSecretValue",
                    "Effect": "Allow",
                    "Action": [
                        "secretsmanager:GetSecretValue"
                    ],
                    "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters"
                }
            ]
        }

    Note: For the access role, the example grants access to a single secret. However, you can use a wildcard character, which can save work if you want to reuse the same IAM role for multiple users and secrets. For example, the following resource statement grants permissions for all secrets that have names beginning with aws/transfer.

        "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/*"

    You can also store secrets containing your SFTP credentials in another AWS account. For details on enabling cross-account secret access, see Permissions to AWS Secrets Manager secrets for users in a different account.
  - (Optional) The logging role. Choose the IAM role for the connector to use to push events to your CloudWatch logs. The following example policy lists the necessary permissions to log events for SFTP connectors.

        {
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "SFTPConnectorPermissions",
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogStream",
                    "logs:DescribeLogStreams",
                    "logs:CreateLogGroup",
                    "logs:PutLogEvents"
                ],
                "Resource": [
                    "arn:aws:logs:*:*:log-group:/aws/transfer/*"
                ]
            }]
        }

  - The SFTP configuration information:

    - The ARN of a secret in AWS Secrets Manager that contains the SFTP user's private key or password.

    - The public portion of the host key that is used to identify the external server. You can provide multiple trusted host keys if you like.

    The easiest way to provide the SFTP information is to save it to a file. For example, copy the following example text to a file named testSFTPConfig.json.

        {
            "UserSecretId": "arn:aws:secretsmanager:us-east-2:123456789012:secret:aws/transfer/example-username-key",
            "TrustedHostKeys": [
                "sftp.example.com ssh-rsa AAAAbbbb...EEEE="
            ]
        }
  - Specify a security policy for your connector, entering the security policy name.

  Note: The SecretId can be either the entire ARN or the name of the secret (example-username-key in the previous listing).

  Then run the following command to create the connector.

      aws transfer create-connector --url "sftp://partner-SFTP-server-url" \
          --access-role your-IAM-role-for-bucket-access \
          --logging-role arn:aws:iam::your-account-id:role/service-role/AWSTransferLoggingAccess \
          --sftp-config file:///path/to/testSFTPConfig.json \
          --security-policy-name security-policy-name
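The access role policy in both procedures above must name the secret's real ARN, including the six random characters Secrets Manager appends to the name, or use the aws/transfer/* wildcard. The following Python example is added here and is not AWS code: it applies IAM-style wildcard matching to the GetConnectorSecretValue statement so you can confirm a policy covers the secret before creating the connector. The region, account ID, secret name and the -AbCdEf suffix are constructed sample values, and only Effect, Action and Resource are evaluated (no Condition, NotAction or NotResource).

```python
import re

# Constructed sample: the ARN Secrets Manager actually assigns to the secret, including the
# six random characters ("-AbCdEf") that it appends to the secret name.
ACTUAL_SECRET_ARN = ("arn:aws:secretsmanager:us-east-2:123456789012:"
                     "secret:aws/transfer/example-username-key-AbCdEf")


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """True if an Allow statement matches both action and resource and no Deny statement does.
    Only Effect, Action and Resource are evaluated (no Condition, NotAction or NotResource)."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        action_hit = any(iam_match(a.lower(), action.lower()) for a in actions)
        resource_hit = any(iam_match(r, resource) for r in resources)
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed


def secret_statement_policy(resource: str) -> dict:
    """The GetConnectorSecretValue statement from the access role policy, with the caller's Resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "GetConnectorSecretValue",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": resource,
        }],
    }


def connector_can_read_secret(policy: dict, secret_arn: str) -> bool:
    """Does this access role policy let the connector call GetSecretValue on the secret?"""
    return policy_allows(policy, "secretsmanager:GetSecretValue", secret_arn)
```

A policy that names only the secret name without the suffix fails the check, while the full ARN or the aws/transfer/* wildcard passes; the wildcard also covers every other secret under that prefix, which is the trade-off the note above describes.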
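The TrustedHostKeys entry in testSFTPConfig.json is usually copied straight from ssh-keyscan output, so whatever host answers on that port at scan time becomes the key the connector trusts. The following Python example is added here and is not AWS code: it parses a keyscan line, checks that the declared key type matches the type embedded in the key blob, computes the OpenSSH SHA256 fingerprint so it can be compared with one the partner supplied out of band, and only then renders the document passed to --sftp-config. The host name, the 32 key bytes and the secret ARN are constructed sample values, not a real server key.

```python
import base64
import hashlib
import json
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (big-endian uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: an ssh-ed25519 blob with 32 placeholder key bytes, not a real server key.
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEYSCAN_LINE = "sftp.example.com ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode()


def parse_keyscan_line(line: str) -> dict:
    """Parse one 'host key-type base64' line as printed by ssh-keyscan, rejecting inconsistent lines."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected 'host key-type base64-key'")
    host, key_type, key_b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(key_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The first wire-format string inside the blob names the algorithm; it must match the declared type.
    (inner_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + inner_len].decode("ascii", errors="replace")
    if inner_type != key_type:
        raise ValueError(f"declared type {key_type} does not match embedded type {inner_type}")
    return {"host": host, "key_type": key_type, "key_b64": key_b64, "blob": blob}


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64), the form ssh-keygen -lf prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def trusted_host_key_entry(line: str, expected_fingerprint: str) -> str:
    """Return the TrustedHostKeys string for the connector only if the fingerprint matches the
    value obtained from the partner out of band; otherwise refuse to trust the key."""
    key = parse_keyscan_line(line)
    actual = fingerprint(key["blob"])
    if actual != expected_fingerprint:
        raise ValueError(f"host key fingerprint mismatch: got {actual}, expected {expected_fingerprint}")
    return f"{key['host']} {key['key_type']} {key['key_b64']}"


def build_sftp_config(secret_arn: str, entries: list) -> str:
    """Render the JSON document passed to create-connector through --sftp-config."""
    return json.dumps({"UserSecretId": secret_arn, "TrustedHostKeys": entries}, indent=4)
```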