AWS Transfer for SFTP
User Guide

Encrypting Your Data

AWS Transfer for SFTP uses the default encryption options you set for your Amazon S3 bucket to encrypt your data. When you enable default encryption on a bucket, all objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS). For information about server-side encryption, see Protecting Data Using Server-Side Encryption in the Amazon Simple Storage Service Developer Guide.

The following steps show you how to encrypt data in AWS Transfer for SFTP.

To allow encryption in AWS SFTP

  1. Enable default encryption for your Amazon S3 bucket. For instructions, see How Do I Enable Default Encryption for an S3 Bucket? in the Amazon Simple Storage Service Developer Guide.

  2. Update the AWS Identity and Access Management (IAM) role policy that is used for the SFTP user to grant the required AWS Key Management Service (KMS) permissions.

  3. If you have a scope-down policy, update the IAM policy that is used for the SFTP user so that it also grants the required KMS permissions.

The following example shows the IAM policy statement that grants the minimum KMS permissions AWS Transfer for SFTP needs to read and write objects with SSE-KMS encryption.

  {
    "Sid": "Stmt1544140969635",
    "Action": [
      "kms:Decrypt",
      "kms:Encrypt",
      "kms:GenerateDataKey"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:kms:region:account-id:key/kms-key-id"
  }

Note

The KMS key ID you specify in this policy must be the same as the one specified for the default encryption in step 1.

The account root user must be allowed in the KMS key policy. For information about KMS key policies, see Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.
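The checks implied by steps 2 and 3 and by the note above (the role policy must grant the three KMS actions on the very key the bucket's default encryption uses, and that key's policy must allow the account root) can be automated. The following Python is an added example and is not AWS's own code; the bucket-encryption, role-policy and key-policy documents are constructed to mirror the shape of the corresponding AWS API responses, and the account ID, key ARN and bucket name are placeholders. Wildcards in Action are not expanded; only an exact key ARN or a Resource of "*" is treated as covering the key.

```python
"""Consistency checks for an SSE-KMS bucket used with AWS Transfer for SFTP.
Added example, not AWS's own code. Sample documents are constructed."""
import json

# Minimum KMS actions the user guide lists for SSE-KMS.
REQUIRED_KMS_ACTIONS = frozenset({"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"})

ACCOUNT_ID = "111122223333"                                          # placeholder
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/EXAMPLE-KEY-ID"  # placeholder

# Constructed: shape of `aws s3api get-bucket-encryption` output for SSE-KMS.
SAMPLE_BUCKET_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN}}]
    }
}

# Constructed: an SFTP role policy that is missing kms:GenerateDataKey.
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"},
        {"Sid": "KmsAccess", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:Encrypt"], "Resource": KEY_ARN},
    ],
}

# Constructed: a key policy whose first statement allows the account root,
# as the default key policy's "Enable IAM User Permissions" statement does.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def default_kms_key(bucket_encryption):
    """KMS key of the bucket's default-encryption rule, or None for SSE-S3
    (AES256), where no KMS permission is needed."""
    for rule in bucket_encryption["ServerSideEncryptionConfiguration"]["Rules"]:
        by_default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if by_default.get("SSEAlgorithm") == "aws:kms":
            return by_default.get("KMSMasterKeyID")
    return None


def kms_statement(key_arn):
    """The minimum statement from the user guide, bound to the bucket's key."""
    return {"Sid": "SftpKmsAccess", "Effect": "Allow",
            "Action": sorted(REQUIRED_KMS_ACTIONS), "Resource": key_arn}


def missing_kms_permissions(policy, key_arn):
    """Required KMS actions the policy does not grant on key_arn (sorted)."""
    granted = set()
    for stmt in policy["Statement"]:
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow":
            continue
        if key_arn not in resources and "*" not in resources:
            continue
        granted.update(_as_list(stmt.get("Action", [])))
    return sorted(REQUIRED_KMS_ACTIONS - granted)


def root_allowed(key_policy, account_id):
    """True when an Allow statement names the account root as principal."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in key_policy["Statement"]:
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and root in aws_principals:
            return True
    return False


def audit(bucket_encryption, role_policy, key_policy, account_id):
    """Run all checks; an empty list means the three pieces are consistent."""
    findings = []
    key_arn = default_kms_key(bucket_encryption)
    if key_arn is None:
        return findings  # SSE-S3 bucket: nothing to grant
    missing = missing_kms_permissions(role_policy, key_arn)
    if missing:
        findings.append(f"role policy lacks {missing} on {key_arn}")
    if not root_allowed(key_policy, account_id):
        findings.append("key policy does not allow the account root")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_BUCKET_ENCRYPTION, SAMPLE_ROLE_POLICY, SAMPLE_KEY_POLICY, ACCOUNT_ID):
        print("FINDING:", finding)
    print(json.dumps(kms_statement(KEY_ARN), indent=2))
```

Run against the constructed documents, the audit reports the missing kms:GenerateDataKey; appending the statement that kms_statement produces for the bucket's key clears the finding. Replace the constructed documents with the real output of get-bucket-encryption, get-role-policy and get-key-policy to check a live configuration.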