
Tutorial: Getting started with AWS Transfer Family

Use this tutorial to get started with AWS Transfer Family (Transfer Family). You'll learn how to create an SFTP-enabled server with a publicly accessible endpoint backed by Amazon S3 storage, add a user with service-managed authentication, and transfer a file with Cyberduck or the OpenSSH sftp client.


Prerequisites

Before you begin, be sure to complete the requirements in Setting up. As part of this setup, you create an Amazon Simple Storage Service (Amazon S3) bucket and an AWS Identity and Access Management (IAM) role that Transfer Family assumes to access that bucket on a user's behalf.

Step 1: Sign in to the AWS Transfer Family console

To sign in to Transfer Family

  1. Sign in to the AWS Management Console and open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. For Account ID or alias, enter your account ID or alias.

  3. For IAM user name, enter the name of the IAM user that you use to administer Transfer Family. This is a sign-in identity, not the IAM role you created for Transfer Family; that role is assumed by the service, not by you.

  4. For Password, enter that IAM user's password.

  5. Choose Sign in.

Step 2: Create an SFTP-enabled server

Secure Shell (SSH) File Transfer Protocol (SFTP) is a network protocol for transferring files over an SSH session, so it inherits the encryption, integrity protection, and authentication of SSH. It is widely used to exchange data, including sensitive information, between business partners in industries such as financial services, healthcare, retail, and advertising.

To create an SFTP-enabled server

  1. Choose Create server.

  2. In Choose protocols, select SFTP, and then choose Next.

  3. In Choose an identity provider, choose Service managed to store user identities and keys in Transfer Family, and then choose Next.

  4. In Choose an endpoint, do the following:

    1. For Endpoint type, choose the Publicly accessible endpoint type.

    2. For Custom hostname, choose None.

    3. Choose Next.

  5. In Choose a domain, choose Amazon S3.

  6. In Configure additional details, do the following:

    1. For CloudWatch logging, choose Create a new role to allow Transfer Family to automatically create the IAM role, as long as you have the right permissions to create a new role. The IAM role that is created is called AWSTransferLoggingAccess.

    2. For Cryptographic algorithm options, choose a security policy that lists the cryptographic algorithms (key exchange, ciphers, MACs) your server will accept. The default security policy at the time this tutorial was written is TransferSecurityPolicy-2020-06; choose the newest policy your clients support, because older policies keep weaker algorithms enabled for compatibility.

    3. Choose Next.

  7. In Review and create, choose Create server. You are taken to the Servers page.

It can take a couple of minutes before the status for your new server changes to Online. At that point, your server can perform file operations, but you'll need to create a user first.

Step 3: Add a service managed user

To add a user to the SFTP-enabled server

  1. On the Servers page, select the check box of the server that you want to add a user to.

  2. Choose Add user.

  3. In the User configuration section, for Username, enter the user name. This user name must be a minimum of 3 and a maximum of 100 characters. You can use the following characters in the user name: a-z, A-Z, 0-9, underscore (_), hyphen (-), period (.), and at sign (@). The user name can't start with a hyphen, period, or at sign.

  4. For Access, choose the IAM role that you previously created that provides access to your Amazon S3 bucket.

    You created this IAM role using the procedure in Create an IAM role and policy. That IAM role has an attached IAM policy that provides access to your Amazon S3 bucket, and a trust policy that allows the AWS Transfer Family service (transfer.amazonaws.com) to assume the role. Every user who is assigned this role gets its full permissions unless you narrow them with a policy in the next step.

  5. For Policy, choose None.

  6. For Home directory, choose the Amazon S3 bucket to store the data to transfer using AWS Transfer Family. Enter the path to the home directory where your user lands when they log in using their client.

    If you leave this parameter blank, the root directory of your Amazon S3 bucket is used. In this case, make sure that your IAM role provides access to this root directory.

    Note

    We recommend that you choose a directory path that contains the user name of the user, which enables you to effectively use a scope-down policy (called a session policy in the current Transfer Family console and API). The scope-down policy limits user access in the Amazon S3 bucket to that user's home directory, even though the IAM role itself may grant access to the whole bucket.

  7. For Restricted, select the check box so that your users can't access anything outside of that folder and can't see the Amazon S3 bucket or folder name.

    Note

    When you assign the user a home directory and restrict the user to that home directory, the restriction is sufficient to confine the user's SFTP view to the designated folder. Use a scope-down policy when you need further controls, such as denying deletes or limiting access at the IAM layer rather than only in the client's view.

  8. For SSH public key, enter the public key portion of the user's SSH key pair. Only the public key is stored by the service; the private key stays with the user and is never uploaded.

    Your key is validated by the service before you can add your new user.

    Important

    The format of the SSH public key is ssh-rsa <string>, that is, the key type followed by the base64-encoded key. For instructions on how to generate an SSH key pair, see Generate SSH keys.

  9. (Optional) For Key and Value, enter one or more tags as key-value pairs, and choose Add tag.

  10. Choose Add to add your new user to the server that you chose.

    The new user appears in the Users section of the Server details page.
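The Access role, Home directory, and Policy settings above interact: the role grants permissions, and the scope-down (session) policy narrows them per user by substituting variables such as ${transfer:HomeDirectory} from the home directory you entered. The following is an added example, not code from the AWS documentation, that models this interaction so you can check what a user can and cannot reach before creating them. The two policies follow the shape of the AWS example role and session policies; the bucket name my-bucket, the user sftp_user, and the evaluator itself (which handles only Allow/Deny, wildcards, and a StringLike condition on s3:prefix) are assumptions for illustration.

```python
"""Added example (not AWS code): how a Transfer Family session policy narrows
the Access role.  my-bucket, sftp_user and the simplified evaluator are
assumptions made for illustration."""
import json
import re
from typing import Dict, List, Optional, Union

# Identity policy attached to the role chosen under Access: bucket-wide.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::my-bucket"},
        {"Sid": "ObjectAccess", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                    "s3:GetObjectVersion", "s3:DeleteObjectVersion",
                    "s3:GetObjectACL", "s3:PutObjectACL"],
         "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}

# Session policy template.  Object access uses ${transfer:HomeDirectory}/*
# rather than ${transfer:HomeDirectory}*, so sftp_user cannot reach a
# sibling prefix such as home/sftp_user2/.  ACL actions are deliberately
# omitted, so the role's PutObjectACL is not available to the session.
SESSION_POLICY_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListHomeFolder", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
         "Condition": {"StringLike": {"s3:prefix": [
             "${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}}},
        {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                    "s3:GetObjectVersion", "s3:DeleteObjectVersion"],
         "Resource": ["arn:aws:s3:::${transfer:HomeDirectory}",
                      "arn:aws:s3:::${transfer:HomeDirectory}/*"]},
    ],
})


def transfer_variables(home_directory: str, user_name: str) -> Dict[str, str]:
    """Policy variables Transfer Family fills in for a user, derived from the
    console Home directory value, e.g. "/my-bucket/home/sftp_user"."""
    bucket, _, folder = home_directory.strip("/").partition("/")
    return {
        "${transfer:UserName}": user_name,
        "${transfer:HomeBucket}": bucket,
        "${transfer:HomeFolder}": folder,
        "${transfer:HomeDirectory}": f"{bucket}/{folder}" if folder else bucket,
    }


def render_session_policy(template: str, variables: Dict[str, str]) -> dict:
    """Substitute the ${transfer:...} variables and parse the result."""
    for name, value in variables.items():
        template = template.replace(name, value)
    return json.loads(template)


def _iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: * matches any run, ? one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x: Union[str, List[str]]) -> List[str]:
    return x if isinstance(x, list) else [x]


def _applies(stmt: dict, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    """Does the statement cover this action, resource and condition context?"""
    # Action names are case-insensitive in IAM; ARNs are not.
    if not any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    # Only StringLike is modelled; a condition key absent from the request
    # context makes the statement not apply, as in IAM.
    for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
        actual = ctx.get(key)
        if actual is None or not any(_iam_match(p, actual) for p in _as_list(patterns)):
            return False
    return True


def policy_allows(policy: dict, action: str, resource: str,
                  ctx: Optional[Dict[str, str]] = None) -> bool:
    """Default deny; an explicit Deny wins over any Allow."""
    ctx, allowed = ctx or {}, False
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_allows(role_policy: dict, session_policy: dict, action: str,
                     resource: str, ctx: Optional[Dict[str, str]] = None) -> bool:
    """A session policy can only narrow the role: both must allow."""
    return (policy_allows(role_policy, action, resource, ctx)
            and policy_allows(session_policy, action, resource, ctx))


if __name__ == "__main__":
    session = render_session_policy(
        SESSION_POLICY_TEMPLATE, transfer_variables("/my-bucket/home/sftp_user", "sftp_user"))
    own = "arn:aws:s3:::my-bucket/home/sftp_user/filename.txt"
    other = "arn:aws:s3:::my-bucket/home/sftp_user2/filename.txt"
    print("own file   :", effective_allows(ROLE_POLICY, session, "s3:GetObject", own))
    print("sibling dir:", effective_allows(ROLE_POLICY, session, "s3:GetObject", other))
```

Run it and compare the two lines: the role alone allows both reads, and only the session policy separates the user's own prefix from a sibling's. If you paste a session policy into the Policy field, keep the trailing "/*" form shown here; a pattern ending in "${transfer:HomeDirectory}*" with no slash also matches home/sftp_user2 and any other prefix that merely starts with the user name.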

Step 4: Transfer a file using a client

You transfer files over the AWS Transfer Family service by specifying the transfer operation in a client. AWS Transfer Family supports several clients. For details, see Transferring files using a client.

This section contains procedures for using Cyberduck and OpenSSH.

Use Cyberduck

To transfer files over AWS Transfer Family using Cyberduck

  1. Open the Cyberduck client.

  2. Choose Open Connection.

  3. In the Open Connection dialog box, choose SFTP (SSH File Transfer Protocol).

  4. For Server, enter your server endpoint. The server endpoint is shown on the Server details page (see View server details).

  5. For Port number, enter 22 for SFTP.

  6. For Username, enter the name of the user that you created in Creating users.

  7. For SSH Private Key, choose the private key file that matches the public key you added to that user.

  8. Choose Connect.

  9. Perform your file transfer.

    Depending on where your files are, do one of the following:

    • In your local directory (the source), choose the files that you want to transfer, and drag and drop them into the Amazon S3 directory (the target).

    • In the Amazon S3 directory (the source), choose the files that you want to transfer, and drag and drop them into your local directory (the target).

Use OpenSSH

Use the instructions that follow to transfer files from the command line using OpenSSH.

Note

This client works only with an SFTP-enabled server.

To transfer files over AWS Transfer Family using the OpenSSH command line utility

  1. On Linux or macOS, open a command terminal.

  2. At the prompt, enter the following command (the leading % is the shell prompt): % sftp -i transfer-key sftp_user@service_endpoint

    In the preceding command, sftp_user is the user name and transfer-key is the file containing the SSH private key. Here, service_endpoint is the server's endpoint as shown in the AWS Transfer Family console for the selected server.

    On the first connection, the client asks you to confirm the server's host key fingerprint. Compare it with the fingerprint shown for the server in the Transfer Family console before answering yes; accepting an unverified key lets anyone who can intercept the connection impersonate the server. An sftp prompt should then appear.

  3. (Optional) To view the user's home directory, enter the following command at the sftp prompt: sftp> pwd

  4. On the next line, enter the following text: sftp> cd /my-bucket/home/sftp_user

    In this getting-started exercise, this Amazon S3 bucket is the target of the file transfer. If you selected Restricted for the user in Step 3, the user's home directory is presented as / and the bucket name is not visible, so skip this step or enter cd / instead; the bucket path above is only valid for unrestricted users.

  5. On the next line, enter the following command: sftp> put filename.txt

    The put command transfers the file into the Amazon S3 bucket.

    A message like the following appears, indicating that the file transfer is in progress, or complete.

    Uploading filename.txt to /my-bucket/home/sftp_user/filename.txt

    filename.txt 100% 127 0.1KB/s 00:00
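Once the interactive session works, the same transfer is usually scripted. The following is an added example, not code from the AWS documentation or the OpenSSH project, that wraps the sftp client in batch mode and pins the server's host key to the fingerprint AWS reports for the server (the DescribeServer API returns it as HostKeyFingerprint) instead of trusting whatever key is presented on the first connection. The file names transfer-key and filename.txt, the remote directory, and the use of ssh-keyscan and ssh-keygen to obtain and fingerprint the key are assumptions for illustration; they must be installed and reachable for the upload() function to run.

```python
"""Added example (not AWS or OpenSSH code): scripted sftp upload to a
Transfer Family endpoint with the host key pinned.  transfer-key, the
endpoint, sftp_user and the remote directory are placeholders."""
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional


def batch_script(remote_dir: str, local_file: str) -> str:
    """Contents of the sftp -b batch file, one command per line.

    A batch file is newline-separated, so a remote directory or file name
    containing a newline would append an extra command.  Refuse it.
    """
    for value in (remote_dir, local_file):
        if "\n" in value or "\r" in value:
            raise ValueError(f"refusing to place {value!r} in an sftp batch file")
    return f"cd {remote_dir}\nput {local_file}\nquit\n"


def host_key_fingerprints(keygen_output: str) -> List[str]:
    """Fingerprints from 'ssh-keygen -lf known_hosts' output.

    Each line looks like '2048 SHA256:<base64> <host> (RSA)'; the second
    field is the fingerprint.  Comment lines and blanks are skipped.
    """
    fps = []
    for line in keygen_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1].startswith("SHA256:"):
            fps.append(fields[1])
    return fps


def fingerprint_matches(keygen_output: str, expected: str) -> bool:
    """True if the expected fingerprint is among the scanned host keys."""
    return expected in host_key_fingerprints(keygen_output)


def sftp_command(endpoint: str, user: str, key_file: str, known_hosts: str,
                 batch_file: str, port: int = 22) -> List[str]:
    """argv for a non-interactive sftp session that only trusts known_hosts."""
    return [
        "sftp", "-b", batch_file, "-i", key_file, "-P", str(port),
        "-o", "StrictHostKeyChecking=yes",      # never accept an unknown key
        "-o", f"UserKnownHostsFile={known_hosts}",  # only the pinned key
        "-o", "IdentitiesOnly=yes",              # offer only transfer-key
        f"{user}@{endpoint}",
    ]


def upload(endpoint: str, user: str, key_file: str, expected_fp: str,
           remote_dir: str, local_file: str, workdir: Optional[str] = None) -> int:
    """Scan the host key, verify it against expected_fp, then upload.

    Returns the sftp exit status (0 on success).  Raises if the fingerprint
    does not match, before any credentials are offered to the server.
    """
    work = Path(workdir or tempfile.mkdtemp())
    known_hosts = work / "known_hosts"
    scan = subprocess.run(["ssh-keyscan", "-p", "22", endpoint],
                          capture_output=True, text=True, check=True)
    known_hosts.write_text(scan.stdout)
    listing = subprocess.run(["ssh-keygen", "-lf", str(known_hosts)],
                             capture_output=True, text=True, check=True)
    if not fingerprint_matches(listing.stdout, expected_fp):
        raise RuntimeError("host key fingerprint does not match the server's HostKeyFingerprint")
    batch = work / "batch.txt"
    batch.write_text(batch_script(remote_dir, local_file))
    return subprocess.run(sftp_command(endpoint, user, key_file,
                                       str(known_hosts), str(batch))).returncode


if __name__ == "__main__":
    # Placeholders: substitute your endpoint and the fingerprint from describe-server.
    status = upload("s-example.server.transfer.us-east-1.amazonaws.com", "sftp_user",
                    "transfer-key", "SHA256:replace-with-value-from-describe-server",
                    "/my-bucket/home/sftp_user", "filename.txt")
    raise SystemExit(status)
```

For a user created with Restricted selected, pass "/" (or the folder relative to it) as remote_dir, since such users never see the bucket name. The fingerprint check runs before sftp is started, so a mismatched or substituted server is rejected without the client ever presenting the user's key.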