AWS Transfer for SFTP
User Guide

Encrypting Your Data

AWS Transfer for SFTP uses the default encryption options you set for your Amazon S3 bucket to encrypt your data. When you enable encryption on a bucket, all objects are encrypted when they are stored in the bucket. The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS). For information about server-side encryption, see Protecting Data Using Server-Side Encryption in the Amazon Simple Storage Service Developer Guide.

The following steps show you how to encrypt data in AWS Transfer for SFTP.

To allow encryption in AWS SFTP

  1. Enable default encryption for your Amazon S3 bucket. For instructions, see How Do I Enable Default Encryption for an S3 Bucket? in the Amazon Simple Storage Service Developer Guide.

  2. Update the Identity and Access Management (IAM) role policy that is attached to the SFTP user to grant the required Key Management Service (KMS) permissions.

  3. If you are using a scope-down policy for the user, that scope-down policy must also grant the required KMS permissions; otherwise the user's transfers fail even though the role policy allows them.

The following example shows an IAM policy statement that grants the minimum KMS permissions required when using AWS Transfer for SFTP with an Amazon S3 bucket that has default KMS encryption enabled. Include this statement in the user's IAM role policy and, if you use one, in the scope-down policy as well.

    {
        "Sid": "Stmt1544140969635",
        "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:kms:region:account-id:key/kms-key-id"
    }

The KMS key ID in the Resource ARN of this statement (replace region, account-id and kms-key-id with your own values) must be the same key that you specified for the bucket's default encryption in step 1. A policy that names a different key grants nothing useful, because Amazon S3 encrypts and decrypts objects with the bucket's default key.

The KMS key policy must allow the AWS account root user; that is what lets IAM policies such as the one above delegate access to the key. If the key policy does not allow root, you can instead add the IAM role used for the SFTP user directly to the KMS key policy as a principal. For information about KMS key policies, see Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.
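The three requirements above (the role policy and any scope-down policy must grant kms:Decrypt, kms:Encrypt and kms:GenerateDataKey on the bucket's default encryption key, and the key policy must allow the account root or the role) are easy to get wrong in one of the three places. The following Python is an added example, not AWS documentation or AWS Transfer code; it audits the three policies against the bucket's encryption configuration offline. The bucket encryption document follows the shape that `aws s3api get-bucket-encryption` returns; the account ID, key ID, bucket name and role ARN are constructed placeholders, and the scope-down policy is deliberately missing the KMS statement so that the audit reports a finding.

```python
"""Audit an SFTP user's IAM role policy, scope-down policy and KMS key policy
against the S3 bucket's default encryption key (added example; constructed data)."""
import fnmatch

REQUIRED_KMS_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"}

# Constructed placeholders (not real accounts or keys).
ACCOUNT_ID = "111122223333"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/example-key-id"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/example-sftp-user-role"

# Constructed sample in the shape returned by `aws s3api get-bucket-encryption`.
BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": KEY_ARN}}]}}

# Constructed user role policy: S3 access plus the KMS statement from the page.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowListing", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-sftp-bucket"},
    {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-sftp-bucket/*"},
    {"Sid": "Stmt1544140969635", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"],
     "Resource": KEY_ARN}]}

# Constructed scope-down policy that forgot the KMS statement (a common mistake).
SCOPE_DOWN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::${transfer:HomeBucket}"},
    {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"}]}

# Constructed key policy that allows the account root, as the page requires.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
     "Action": "kms:*", "Resource": "*"}]}


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def default_kms_key(encryption_config):
    """Return the KMS key ARN used for default encryption, or None for SSE-S3 / none."""
    for rule in encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm") == "aws:kms":
            return sse.get("KMSMasterKeyID")
    return None


def missing_kms_actions(policy, key_arn):
    """Return the required KMS actions that `policy` does not allow on `key_arn`.
    Handles Action/Resource as string or list, '*' and '?' wildcards; a Deny wins."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(key_arn, pattern) for pattern in resources):
            continue  # statement does not cover this key at all
        patterns = _as_list(stmt.get("Action", []))
        matched = {a for a in REQUIRED_KMS_ACTIONS
                   if any(fnmatch.fnmatchcase(a, p) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(matched)
    return (REQUIRED_KMS_ACTIONS - allowed) | denied


def key_policy_allows(key_policy, principal_arns):
    """True if an Allow statement names one of `principal_arns` as an AWS principal."""
    for stmt in _as_list(key_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if any(p in principal_arns for p in _as_list(aws)):
            return True
    return False


def audit(encryption_config, role_policy, scope_down_policy, key_policy, role_arn):
    """Return a list of findings; an empty list means the three policies are consistent."""
    findings = []
    key_arn = default_kms_key(encryption_config)
    if key_arn is None:
        return ["bucket default encryption is not SSE-KMS; no KMS permissions are needed"]
    account_id = key_arn.split(":")[4]
    for name, policy in (("role policy", role_policy), ("scope-down policy", scope_down_policy)):
        if policy is None:
            continue  # no scope-down policy in use
        missing = missing_kms_actions(policy, key_arn)
        if missing:
            findings.append(f"{name} lacks {sorted(missing)} on {key_arn}")
    if not key_policy_allows(key_policy, {f"arn:aws:iam::{account_id}:root", role_arn}):
        findings.append("key policy allows neither the account root nor the SFTP user's role")
    return findings


if __name__ == "__main__":
    for finding in audit(BUCKET_ENCRYPTION, ROLE_POLICY, SCOPE_DOWN_POLICY, KEY_POLICY, ROLE_ARN):
        print("FINDING:", finding)
```

Run against real data, feed `audit` the JSON from `aws s3api get-bucket-encryption`, `aws iam get-role-policy` (or the scope-down policy stored on the Transfer user) and `aws kms get-key-policy`; the resource match uses the same `*` and `?` wildcards IAM does, so a statement scoped to the wrong key ARN, or a Deny on one of the three actions, shows up as a finding rather than as a confusing transfer failure later.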