Add a user - AWS Transfer Family

Add a user

If you use a service-managed identity type, you add users to your file transfer protocol enabled server. When you do so, each user name must be unique on your server.

As part of each user's properties, you also store that user's Secure Shell (SSH) public key. Doing so is required for key based authentication, which this getting-started exercise uses. The private key is stored locally on your user's computer. When your user sends an authentication request to your server by using a client, your server first confirms that the user has access to the associated SSH private key. The server then successfully authenticates the user.

In addition, you specify a user's home directory, or landing directory, and assign an AWS Identity and Access Management (IAM) role to the user. Optionally, you can provide a scope-down policy to limit user access only to the home directory of your Amazon S3 bucket.

To add a user to a server

  1. On the Servers page, select the check box of the server that you want to add a user to.

  2. Choose Add user.

  3. In the User configuration section, for Username, enter the user name. This user name must be a minimum of 3 and a maximum of 100 characters. You can use the following characters in the user name: a–z, A-Z, 0–9, underscore '_', hyphen '-', period '.', and at sign "@". The user name can't start with a hyphen, period, or at sign.

  4. For Access, choose the IAM role that you previously created that provides access to your Amazon S3 bucket.

    You created this IAM role using the procedure in Create an IAM role and policy. That IAM role includes an IAM policy that provides access to your Amazon S3 bucket. It also includes a trust relationship with the AWS Transfer Family service, defined in another IAM policy.

  5. (Optional) For Policy, choose one of the following:

    • None

    • Existing policy

    • Select a policy from IAM to choose an existing policy. Choose View to see a JSON object containing the details of the policy.

    To learn more about scope-down policy, see Create an IAM role and policy. To learn more about creating a scope-down policy, see Create a scope-down policy.

  6. For Home directory, choose the Amazon S3 bucket to store the data to transfer using AWS Transfer Family. Enter the path to the home directory where your user lands when they log in using their client.

    If you leave this parameter blank, the root directory of your Amazon S3 bucket is used. In this case, make sure that your IAM role provides access to this root directory.


    We recommend that you choose a directory path that contains the user name of the user, which enables you to effectively use a scope-down policy. The scope-down policy limits user access in the Amazon S3 bucket to that user's home directory.

  7. (Optional) For Restricted, select the check box so that your users can't access anything outside of that folder and can't see the Amazon S3 bucket or folder name.


    When assigning the user a home directory and restricting the user to that home directory, this should be sufficient enough to lock down the user's access to the designated folder. Use a scope-down policy when you need to apply further controls.

  8. For SSH public key, enter the public SSH key portion of the SSH key pair.

    Your key is validated by the service before you can add your new user.


    The format of the SSH public key is ssh-rsa <string>. For instructions on how to generate an SSH key pair, see Generate SSH keys.

  9. (Optional) For Key and Value, enter one or more tags as key-value pairs, and choose Add tag.

  10. Choose Add to add your new user to the server that you chose.

    The new user appears in the Users section of the Server details page.

Next step

Transfer files using a client