Configure SFTP connectors - AWS Transfer Family

This topic describes how to create SFTP connectors, the security algorithms associated with them, how to store a secret to hold credentials, details about formatting the private key, and instructions for testing your connectors.

Create an SFTP connector

This procedure explains how to create SFTP connectors by using the AWS Transfer Family console or AWS CLI.

Console
To create an SFTP connector
  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. In the left navigation pane, choose Connectors, then choose Create connector.

  3. Choose SFTP for the connector type to create an SFTP connector, and then choose Next.

    (Screenshot: the Create connector page in the Transfer Family console, with SFTP selected as the connector type.)
  4. In the Connector configuration section, provide the following information:

    • For the URL, enter the URL for a remote SFTP server. This URL must be formatted as sftp://partner-SFTP-server-url, for example sftp://AnyCompany.com.

      Note

      Optionally, you can provide a port number in your URL. The format is sftp://partner-SFTP-server-url:port-number. The default port number (when no port is specified) is port 22.

    • For the Access role, choose the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to use.

      • Make sure that this role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request.

      • Make sure that this role provides permission for secretsmanager:GetSecretValue to access the secret.

        Note

        In the policy, you must specify the ARN for the secret. The ARN contains the secret name with six random alphanumeric characters appended to it, so copy the ARN from Secrets Manager rather than deriving it from the name. An ARN for a secret has the following format.

        arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters
      • Make sure this role contains a trust relationship that allows the connector to access your resources when servicing your users' transfer requests. For details on establishing a trust relationship, see To establish a trust relationship.

      The following example grants the necessary permissions to access the amzn-s3-demo-bucket in Amazon S3, and the specified secret stored in Secrets Manager.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
              "arn:aws:s3:::amzn-s3-demo-bucket"
            ]
          },
          {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:DeleteObject",
              "s3:DeleteObjectVersion",
              "s3:GetObjectVersion",
              "s3:GetObjectACL",
              "s3:PutObjectACL"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
          },
          {
            "Sid": "GetConnectorSecretValue",
            "Effect": "Allow",
            "Action": [
              "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters"
          }
        ]
      }
      Note

      For the access role, the example grants access to a single secret. However, you can use a wildcard character, which can save work if you want to reuse the same IAM role for multiple users and secrets. For example, the following resource statement grants permissions for all secrets that have names beginning with aws/transfer.

      "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/*"

      You can also store secrets containing your SFTP credentials in another AWS account. For details on enabling cross-account secret access, see Permissions to AWS Secrets Manager secrets for users in a different account.

    • (Optional) For the Logging role, choose the IAM role for the connector to use to push events to your CloudWatch logs. The following example policy lists the necessary permissions to log events for SFTP connectors.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "SFTPConnectorPermissions",
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogStream",
              "logs:DescribeLogStreams",
              "logs:CreateLogGroup",
              "logs:PutLogEvents"
            ],
            "Resource": [
              "arn:aws:logs:*:*:log-group:/aws/transfer/*"
            ]
          }
        ]
      }
  5. In the SFTP Configuration section, provide the following information:

    • For Connector credentials, from the dropdown list, choose the name of a secret in AWS Secrets Manager that contains the SFTP user's private key or password. You must create a secret and store it in a specific manner. For details, see Store a secret for use with an SFTP connector.

    • For Trusted host keys, paste in the public portion of the host key that is used to identify the external server. To add more than one key, choose Add trusted host key. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key. Because ssh-keyscan accepts whatever key the server on the other end presents, confirm the key's fingerprint with your partner out of band before you trust it; otherwise an attacker who can intercept that first connection can supply their own key. For details about the format and type of trusted host keys that Transfer Family supports, see SFTPConnectorConfig.

  6. In the Cryptographic algorithm options section, choose a Security policy from the dropdown list in the Security Policy field. The security policy enables you to select the cryptographic algorithms that your connector supports. For details on the available security policies and algorithms, see Security policies for AWS Transfer Family SFTP connectors.

  7. (Optional) In the Tags section, for Key and Value, enter one or more tags as key-value pairs.

  8. After you have confirmed all of your settings, choose Create connector to create the SFTP connector. If the connector is created successfully, a screen appears with a list of the assigned static IP addresses and a Test connection button. Use the button to test the configuration for your new connector.

    (Screenshot: the page shown after an SFTP connector is created, with a Test connection button and the list of service-managed static IP addresses for the connector.)

The Connectors page appears, with the ID of your new SFTP connector added to the list. To view the details for your connectors, see View SFTP connector details.
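The access-role policy and trust relationship described above, as an added example that is not part of this page or of any AWS tooling: a Python script that generates the access-role policy with object access limited to one bucket prefix instead of the whole bucket, the trust policy for transfer.amazonaws.com with the aws:SourceAccount and aws:SourceArn conditions that keep other accounts from using the role, and a check that flags a GetSecretValue resource wider than the aws/transfer/ namespace. The account ID, Region, prefix, the six-character secret suffix and the connector ARN pattern in the trust condition are assumptions, not values from the page.

```python
import json

# Constructed placeholders for this example (not values from the page); replace with your own.
ACCOUNT_ID = "123456789012"
REGION = "us-east-2"
BUCKET = "amzn-s3-demo-bucket"
PREFIX = "outbound/"  # hypothetical folder the connector is allowed to read and write
# The six-character suffix is illustrative; copy the real ARN from Secrets Manager.
SECRET_ARN = (f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:"
              "aws/transfer/example-username-key-AbCdEf")
SECRET_NAMESPACE = "aws/transfer/"  # the namespace the page's wildcard example stays within


def build_access_policy(bucket, prefix, secret_arn):
    """Access-role policy for an SFTP connector.

    Object actions are limited to one prefix instead of the whole bucket,
    and GetSecretValue names exactly one secret ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfUserFolder",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ConnectorFolderObjectAccess",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                           "s3:DeleteObjectVersion", "s3:GetObjectVersion",
                           "s3:GetObjectAcl", "s3:PutObjectAcl"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Sid": "GetConnectorSecretValue",
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": secret_arn,
            },
        ],
    }


def build_trust_policy(account_id, region):
    """Trust policy that lets Transfer Family assume the access role.

    aws:SourceAccount and aws:SourceArn restrict who may assume it to
    connectors in this account (confused-deputy protection). The connector
    ARN pattern is an assumption; compare it with your connector's ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "transfer.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn":
                            f"arn:aws:transfer:{region}:{account_id}:connector/*"},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_secret_scope(policy):
    """Return (Sid, Resource) pairs where GetSecretValue reaches outside aws/transfer/.

    The page's wildcard ".../secret:aws/transfer/*" passes; a bare "*" or
    ".../secret:*" would give the connector role every secret in the account.
    """
    findings = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        if stmt["Effect"] != "Allow" or not any(
                a in ("secretsmanager:GetSecretValue", "secretsmanager:*") for a in actions):
            continue
        for res in _as_list(stmt["Resource"]):
            name = res.split(":secret:", 1)[1] if ":secret:" in res else ""
            if not name.startswith(SECRET_NAMESPACE):
                findings.append((stmt.get("Sid", ""), res))
    return findings


if __name__ == "__main__":
    access = build_access_policy(BUCKET, PREFIX, SECRET_ARN)
    print(json.dumps(access, indent=2))
    print(json.dumps(build_trust_policy(ACCOUNT_ID, REGION), indent=2))
    print("secret-scope findings:", audit_secret_scope(access))
```

Run the script to print both documents, then attach them with the IAM console or `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy`. The audit deliberately accepts the page's `aws/transfer/*` wildcard: reusing one role across several connectors is fine as long as the role cannot read secrets that belong to other workloads.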

CLI

You use the create-connector command to create a connector. To use this command to create an SFTP connector, you must provide the following information.

  • The URL for a remote SFTP server. This URL must be formatted as sftp://partner-SFTP-server-url, for example sftp://AnyCompany.com.

  • The access role. Choose the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to use.

    • Make sure that this role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request.

    • Make sure that this role provides permission for secretsmanager:GetSecretValue to access the secret.

      Note

      In the policy, you must specify the ARN for the secret. The ARN contains the secret name with six random alphanumeric characters appended to it, so copy the ARN from Secrets Manager rather than deriving it from the name. An ARN for a secret has the following format.

      arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters
    • Make sure this role contains a trust relationship that allows the connector to access your resources when servicing your users' transfer requests. For details on establishing a trust relationship, see To establish a trust relationship.

    The following example grants the necessary permissions to access the amzn-s3-demo-bucket in Amazon S3, and the specified secret stored in Secrets Manager.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowListingOfUserFolder",
          "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
          ],
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::amzn-s3-demo-bucket"
          ]
        },
        {
          "Sid": "HomeDirObjectAccess",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:GetObjectVersion",
            "s3:GetObjectACL",
            "s3:PutObjectACL"
          ],
          "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
        },
        {
          "Sid": "GetConnectorSecretValue",
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters"
        }
      ]
    }
    Note

    For the access role, the example grants access to a single secret. However, you can use a wildcard character, which can save work if you want to reuse the same IAM role for multiple users and secrets. For example, the following resource statement grants permissions for all secrets that have names beginning with aws/transfer.

    "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/*"

    You can also store secrets containing your SFTP credentials in another AWS account. For details on enabling cross-account secret access, see Permissions to AWS Secrets Manager secrets for users in a different account.

  • (Optional) Choose the IAM role for the connector to use to push events to your CloudWatch logs. The following example policy lists the necessary permissions to log events for SFTP connectors.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SFTPConnectorPermissions",
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogStream",
            "logs:DescribeLogStreams",
            "logs:CreateLogGroup",
            "logs:PutLogEvents"
          ],
          "Resource": [
            "arn:aws:logs:*:*:log-group:/aws/transfer/*"
          ]
        }
      ]
    }
  • Provide the following SFTP configuration information.

    • The ARN of a secret in AWS Secrets Manager that contains the SFTP user's private key or password.

    • The public portion of the host key that is used to identify the external server. You can provide multiple trusted host keys if you like.

    The easiest way to provide the SFTP information is to save it to a file. For example, copy the following example text to a file named testSFTPConfig.json.

    {
      "UserSecretId": "arn:aws:secretsmanager:us-east-2:123456789012:secret:aws/transfer/example-username-key",
      "TrustedHostKeys": [
        "sftp.example.com ssh-rsa AAAAbbbb...EEEE="
      ]
    }
  • Specify a security policy for your connector, entering the security policy name.

Note

The UserSecretId can be either the entire ARN or the name of the secret (example-username-key in the previous listing).

Then run the following command to create the connector.

aws transfer create-connector --url "sftp://partner-SFTP-server-url" \
    --access-role arn:aws:iam::your-account-id:role/your-IAM-role-for-bucket-access \
    --logging-role arn:aws:iam::your-account-id:role/service-role/AWSTransferLoggingAccess \
    --sftp-config file:///path/to/testSFTPConfig.json \
    --security-policy-name security-policy-name
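The CLI procedure above, carried through as an added example that is not part of this page or of the AWS CLI: a Python script that checks the connector URL form (sftp://host with an optional port, 22 by default), turns ssh-keyscan output into TrustedHostKeys entries while verifying that the key type encoded inside each blob matches the declared type, prints the SHA256 fingerprint of each key so you can compare it with what the partner gives you out of band, writes testSFTPConfig.json, and renders the create-connector command. The host name, the account and role names, and the ssh-keyscan output are constructed for the example; the key blob is a synthetic, well-formed ssh-ed25519 blob with a dummy public key, not any server's real key.

```python
import base64
import hashlib
import json
import shlex
import struct
from urllib.parse import urlsplit

HOST = "sftp.example.com"  # hypothetical partner server


def _synthetic_ed25519_blob():
    """A well-formed ssh-ed25519 wire blob with a dummy public key (not a real key)."""
    key_type, pubkey = b"ssh-ed25519", bytes(range(32))
    return (struct.pack(">I", len(key_type)) + key_type +
            struct.pack(">I", len(pubkey)) + pubkey)


# Constructed stand-in for the output of: ssh-keyscan -t ed25519 sftp.example.com
KEYSCAN_OUTPUT = (
    f"# {HOST}:22 SSH-2.0-OpenSSH_9.6\n"
    f"{HOST} ssh-ed25519 {base64.b64encode(_synthetic_ed25519_blob()).decode()}\n"
)


def parse_sftp_url(url):
    """Validate the connector URL form sftp://host[:port]; the port defaults to 22."""
    parts = urlsplit(url)
    if parts.scheme != "sftp" or not parts.hostname or parts.path not in ("", "/"):
        raise ValueError(f"expected sftp://host[:port], got {url!r}")
    return parts.hostname, parts.port or 22


def declared_type_matches(body, key_type):
    """True if the key type encoded inside the blob equals the declared type."""
    blob = base64.b64decode(body, validate=True)
    (length,) = struct.unpack_from(">I", blob, 0)
    return blob[4:4 + length] == key_type.encode()


def parse_keyscan(text):
    """Turn ssh-keyscan output into (host, key_type, base64_body) tuples."""
    keys = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, key_type, body = line.split()[:3]
        if not declared_type_matches(body, key_type):
            raise ValueError(f"{host}: key blob does not match declared type {key_type}")
        keys.append((host, key_type, body))
    return keys


def fingerprint(body):
    """OpenSSH-style SHA256 fingerprint of a base64 key body (padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(body)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_sftp_config(secret_id, keys):
    """The --sftp-config document, using the host/type/key form shown on this page."""
    return {"UserSecretId": secret_id,
            "TrustedHostKeys": [f"{h} {t} {b}" for h, t, b in keys]}


def build_create_command(url, access_role_arn, logging_role_arn, config_path, policy_name):
    """Render the create-connector call as one shell-quoted string."""
    parse_sftp_url(url)  # fail early on a malformed URL
    return " ".join(shlex.quote(a) for a in [
        "aws", "transfer", "create-connector",
        "--url", url, "--access-role", access_role_arn,
        "--logging-role", logging_role_arn,
        "--sftp-config", f"file://{config_path}",
        "--security-policy-name", policy_name])


if __name__ == "__main__":
    keys = parse_keyscan(KEYSCAN_OUTPUT)
    for host, key_type, body in keys:
        # Compare this with the fingerprint the partner published out of band
        # before the key goes into TrustedHostKeys.
        print(host, key_type, fingerprint(body))
    config = build_sftp_config(
        "arn:aws:secretsmanager:us-east-2:123456789012:secret:aws/transfer/example-username-key",
        keys)
    with open("testSFTPConfig.json", "w") as fh:
        json.dump(config, fh, indent=2)
    print(build_create_command(
        f"sftp://{HOST}",
        "arn:aws:iam::123456789012:role/connector-access-role",
        "arn:aws:iam::123456789012:role/service-role/AWSTransferLoggingAccess",
        "/path/to/testSFTPConfig.json",
        "security-policy-name"))
```

Feed the script real output from `ssh-keyscan -t ed25519,rsa partner-SFTP-server-url` in place of KEYSCAN_OUTPUT; the fingerprint it prints is the same value `ssh-keygen -lf` shows, so it can be checked against what the partner publishes. The embedded-type check matters because TrustedHostKeys is a trust anchor: a line whose blob does not decode to the declared algorithm is either corrupted or tampered with, and should never reach the connector.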