AWS Transfer for SFTP
User Guide

Add a User

If you use a service-managed identity type, you add users to your SFTP server. When you do so, each user name must be unique on your server.

As part of each user's properties, you also store that user's Secure Shell (SSH) public key. Doing so is required for key-based authentication, which this getting-started exercise uses. The private key is stored locally on your user's computer and is never uploaded to the service. When your user sends an authentication request to your SFTP server by using an SFTP client, your server confirms that the user holds the SSH private key matching the stored public key before the server authenticates the user.

In addition, you specify a user's home directory, or landing directory, and assign an IAM role to the user. Optionally, you can provide a scope-down policy to limit user access only to the home directory of your S3 bucket.

To add a user to an SFTP server

  1. On the Servers page, choose the check box next to the SFTP server that you want to add a user to.

  2. Choose Add user to open the Add user screen.

  3. For Username, enter the user name. The user name must be 3 to 32 characters long. You can use the following characters in the user name: a-z, A-Z, 0-9, underscore, and hyphen. The user name can't start with a hyphen.

  4. For Roles, choose the IAM role that you previously created that provides access to your Amazon S3 bucket.

    You created this IAM role using the procedure in Create IAM Policies and Roles for SFTP. That IAM role includes an IAM policy that provides access to your Amazon S3 bucket. It also includes a trust relationship with the AWS SFTP service, defined in another IAM policy.

  5. (Optional) Add a scope-down policy as described in Create IAM Policies and Roles for SFTP. To learn more about scope-down policies, see Creating a Scope-Down Policy.

  6. For Home Directory, choose the S3 bucket that stores the data transferred using AWS SFTP. Then enter the path to the home directory in which your user lands when they log in using their SFTP client.

    If you leave this parameter blank, the root directory of your Amazon S3 bucket is used. In this case, make sure that your IAM role provides access to this root directory.

    We recommend that you choose a directory path that contains the user name of the user, which enables you to effectively use a scope-down policy. The scope-down policy limits user access in the S3 bucket to that user's home directory.

  7. For SSH public key, enter the SSH public key portion of the SSH key pair.

    Your key is validated by the service before you can add your new user. The format of the SSH key is ssh-rsa <string>. For instructions on how to generate an SSH key pair, see Generating SSH Keys.

  8. (Optional) For Key and Value, enter one or more tags as key-value pairs.

  9. Choose Add to add your new user to the server that you chose.

    The new user appears in the Users section of the Servers page, as shown following.
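The following Python example is added here to illustrate the same user properties the procedure above collects (steps 3, 4, 6 and 7) and the recommendation to pair a per-user home directory with a scope-down policy. It is not code from the AWS documentation or from the AWS SDK. It checks the user name against the constraints stated in step 3, pre-checks that a pasted key really is an `ssh-rsa <string>` public key (the service still performs its own validation), builds a scope-down policy that limits the user to their home directory, and assembles the parameters that `boto3`'s `transfer` client `create_user` call accepts. The server ID, role ARN, bucket name, user name and the tiny SSH key blob are constructed sample values, not real resources.

```python
import base64
import json
import re

# Constraints from step 3 of the procedure: 3-32 characters drawn from
# a-z, A-Z, 0-9, underscore and hyphen, and no leading hyphen.
USER_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]{2,31}$")


def validate_user_name(name: str) -> bool:
    """Return True if the user name satisfies the guide's naming rules."""
    return USER_NAME_RE.fullmatch(name) is not None


def validate_ssh_public_key(key: str) -> bool:
    """Local pre-check that `key` is an OpenSSH public key of the form
    'ssh-rsa <base64> [comment]'. The wire-format blob inside the base64
    begins with a length-prefixed 'ssh-rsa' string, so a private key or a
    truncated paste is rejected before the console or API call fails."""
    parts = key.strip().split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return blob[:4] == b"\x00\x00\x00\x07" and blob[4:11] == b"ssh-rsa"


def scope_down_policy(home_directory: str) -> str:
    """Build a policy document that limits the user to their home directory.

    `home_directory` is '<bucket>/<prefix>' as entered in the Home Directory
    field. Listing is allowed only under the prefix; object access only on
    keys below it. The resulting JSON is what the Policy field expects."""
    bucket, _, prefix = home_directory.strip("/").partition("/")
    if not bucket or not prefix:
        raise ValueError("home directory must be '<bucket>/<prefix>' for a scope-down policy")
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfHomeDirectory",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}},
            },
            {
                "Sid": "HomeDirectoryObjectAccess",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }
    return json.dumps(policy)


def build_create_user_request(server_id, user_name, role_arn, home_directory, ssh_public_key, tags=None):
    """Assemble the keyword arguments for boto3 transfer.create_user(**request).
    Raises ValueError on input the service would reject, so the caller never
    sends a malformed user. The API expects HomeDirectory as '/<bucket>/<prefix>'."""
    if not validate_user_name(user_name):
        raise ValueError(f"invalid user name: {user_name!r}")
    if not validate_ssh_public_key(ssh_public_key):
        raise ValueError("SSH public key is not in 'ssh-rsa <string>' format")
    request = {
        "ServerId": server_id,
        "UserName": user_name,
        "Role": role_arn,
        "HomeDirectory": "/" + home_directory.strip("/"),
        "SshPublicKeyBody": ssh_public_key.strip(),
        "Policy": scope_down_policy(home_directory),
    }
    if tags:
        request["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return request


# Constructed sample key: a syntactically valid ssh-rsa blob with a toy
# exponent (65537) and a one-byte modulus. It is NOT a usable key.
_TOY_BLOB = b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01" + b"\x00\x00\x00\x01\x05"
SAMPLE_PUBLIC_KEY = "ssh-rsa " + base64.b64encode(_TOY_BLOB).decode() + " alice@example"


def sample_request():
    """Worked example with constructed identifiers (server ID, role, bucket)."""
    return build_create_user_request(
        server_id="s-0123456789abcdef0",          # placeholder server ID
        user_name="alice_01",
        role_arn="arn:aws:iam::123456789012:role/SftpUserRole",  # placeholder role
        home_directory="my-sftp-bucket/home/alice_01",          # contains the user name
        ssh_public_key=SAMPLE_PUBLIC_KEY,
        tags={"team": "finance"},
    )


if __name__ == "__main__":
    print(json.dumps(sample_request(), indent=2))
```

The home directory in the sample deliberately contains the user name, as the guide recommends, so the generated scope-down policy fences that user into `my-sftp-bucket/home/alice_01/` even though the IAM role assigned in step 4 may grant broader bucket access. To actually create the user, pass the returned dictionary to `boto3.client("transfer").create_user(**request)` with credentials that are allowed to do so.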

Next Step

Transfer Files Using AWS SFTP