Create an IAM role and policy - AWS Transfer Family

Create an IAM role and policy

When you create a user, you make a number of decisions about user access. These decisions include which Amazon S3 buckets or Amazon EFS file systems that the user can access, what portions of each Amazon S3 bucket and which files in the file system are accessible, and what permissions the user has (for example, PUT or GET).

To set access, you create an identity-based AWS Identity and Access Management (IAM) policy and role that provide that access information. As part of this process, you provide access for your user to the Amazon S3 bucket or Amazon EFS file system that is the target or source for file operations. To do this, take the following high-level steps, described in detail later:

  1. Create an IAM policy for AWS Transfer Family.

  2. Create an IAM role and attach the new IAM policy to it. For sample policy documents, see the example policies for AWS Transfer Family.

  3. Establish a trust relationship between AWS Transfer Family and the IAM role.

Following, you can find more details about how to do this process.

To create an IAM policy for AWS Transfer Family

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, and then choose Create role.

    On the Create role page, make sure that AWS service is chosen.

  3. Choose Transfer from the list of services, and then choose Next: Permissions.

  4. In the Attach permissions policies section, choose Create Policy.

  5. On the Create Policy page, choose the JSON tab.

  6. In the editor that appears, replace the contents of the editor with the IAM policy that you want to attach to the IAM role.

    You can grant read/write access to the whole bucket or restrict users to their home directory. In either case, scope the Resource elements to the specific Amazon S3 bucket or Amazon EFS file system rather than to "*". For sample policy documents, see the example policies for AWS Transfer Family.

  7. Choose Review policy and provide a name and description for your policy, and then choose Create policy.

Next, you create an IAM role and attach the new IAM policy to it.

To create an IAM role for AWS Transfer Family

  1. In the navigation pane, choose Roles, and then choose Create role.

    On the Create role page, make sure that AWS service is chosen.

  2. Choose Transfer from the service list, and then choose Next: Permissions. This generates a trust policy that allows the AWS Transfer Family service principal (transfer.amazonaws.com) to assume the role.

  3. In the Attach permissions policies section, locate and choose the policy that you just created, and choose Next: Tags.

  4. (Optional) Enter a key and value for a tag, and choose Next: Review.

  5. On the Review page, enter a name and description for your new role, and then choose Create role.

Next, you verify the trust relationship between AWS Transfer Family and the IAM role.

To establish a trust relationship

  1. In the IAM console, choose the role that you just created.

  2. On the Summary page, choose Trust relationships, and then choose Edit trust relationship.

  3. In the Edit Trust Relationship editor, make sure that the Service principal is "transfer.amazonaws.com". The trust policy is shown following.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "transfer.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    As written, this trust policy lets the service principal assume the role no matter which Transfer Family server, or which AWS account, triggered the request. To prevent the cross-service confused deputy problem, AWS recommends adding aws:SourceAccount and aws:SourceArn conditions to the statement so that only your own Transfer Family resources can use the role.

  4. Choose Update Trust Policy to save the trust policy.

You have now created an IAM role that allows AWS Transfer Family to call AWS services on your behalf, and you attached the IAM policy that you created to the role to grant access to your user. In the Tutorial: Getting started with AWS Transfer Family section, this role and policy are assigned to your user or users.

Optionally, you can create a scope-down policy (now called a session policy in the AWS documentation) that limits users' access to their home directories only, as described earlier in this topic. A scope-down policy is supplied in the user's Policy field when you create the user, not attached to the role, because Transfer Family substitutes the ${transfer:UserName}, ${transfer:HomeBucket}, ${transfer:HomeFolder} and ${transfer:HomeDirectory} variables before the policy is evaluated. For more information on scope-down policies, see Example scope-down policy.
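The three console procedures above (create the permissions policy, create the role, verify the trust relationship) and the scope-down policy just mentioned, as an added example that is not code from the AWS documentation: it builds each policy document in Python, lints the trust policy for the weaknesses a reviewer would reject (wildcard principal, extra actions, missing aws:SourceAccount and aws:SourceArn conditions), and performs the console steps through the IAM API with boto3. The account ID, Region, server ID, bucket name, role name and policy name are constructed placeholders; the aws:SourceArn pattern is an assumption that you want to restrict the role to the users of one server.

```python
"""IAM documents for the procedure above, built and linted in code.

Added example, not code from the AWS documentation. The account ID, Region,
server ID and bucket name are constructed placeholders.
"""
import json
from typing import Dict, List

ACCOUNT_ID = "111122223333"          # placeholder
REGION = "us-east-1"                 # placeholder
SERVER_ID = "s-1234567890abcdef0"    # placeholder Transfer Family server ID
BUCKET = "example-transfer-bucket"   # placeholder S3 bucket

OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
                  "s3:GetObjectVersion", "s3:GetObjectACL", "s3:PutObjectACL"]

# The trust policy the console writes for you (the page's JSON): no Condition at all.
CONSOLE_DEFAULT_TRUST_POLICY = json.loads(
    '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": "transfer.amazonaws.com"}, "Action": "sts:AssumeRole"}]}')


def trust_policy(account_id: str, region: str, server_id: str) -> Dict:
    """Same trust, plus aws:SourceAccount/aws:SourceArn so only Transfer Family users
    of this server in this account can trigger the AssumeRole (confused-deputy fix).
    Use "user/*" in place of "user/<server-id>/*" to cover every server in the account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "transfer.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn": f"arn:aws:transfer:{region}:{account_id}:user/{server_id}/*"},
        }}]}


def access_policy(bucket: str) -> Dict:
    """Permissions policy attached to the role: one named bucket, never Resource "*"."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListBucket", "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "ObjectAccess", "Effect": "Allow", "Action": OBJECT_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def session_policy() -> Dict:
    """Scope-down (session) policy confining each user to its own home directory.
    Transfer Family substitutes the ${transfer:...} variables, so this goes in the
    user's Policy field when the user is created, not on the role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListHomeFolder", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
         "Condition": {"StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}}},
        {"Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": OBJECT_ACTIONS,
         "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"}]}


def lint_trust_policy(doc: Dict) -> List[str]:
    """Reasons a reviewer would reject this trust policy; an empty list means it passes."""
    findings: List[str] = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if service != "transfer.amazonaws.com":
            findings.append(f"statement {i}: principal service {service!r} is not transfer.amazonaws.com")
        actions = st.get("Action", [])
        extra = [a for a in ([actions] if isinstance(actions, str) else actions) if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"statement {i}: actions beyond sts:AssumeRole: {extra}")
        present = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        for key in ("aws:SourceAccount", "aws:SourceArn"):
            if key.lower() not in present:
                findings.append(f"statement {i}: no {key} condition (confused-deputy risk)")
    return findings


def create_role_with_policy(iam, role_name: str, policy_name: str, bucket: str,
                            account_id: str, region: str, server_id: str) -> str:
    """The three console procedures as IAM API calls (`iam` is a boto3 IAM client);
    refuses to create the role if the trust policy fails the lint. Returns the role ARN."""
    trust = trust_policy(account_id, region, server_id)
    problems = lint_trust_policy(trust)
    if problems:
        raise ValueError("; ".join(problems))
    policy = iam.create_policy(PolicyName=policy_name, PolicyDocument=json.dumps(access_policy(bucket)))
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust),
                           Description="Assumed by AWS Transfer Family for user file access")
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy["Policy"]["Arn"])
    return role["Role"]["Arn"]


if __name__ == "__main__":
    import boto3  # needed only when actually calling IAM
    print(create_role_with_policy(boto3.client("iam"), "TransferFamilyUserRole",
                                  "TransferFamilyUserPolicy", BUCKET, ACCOUNT_ID, REGION, SERVER_ID))
    print(json.dumps(session_policy(), indent=2))
```

Running lint_trust_policy on the console's default document reports the two missing conditions, while the hardened trust_policy passes clean; create_role_with_policy needs AWS credentials with IAM write permissions, and the printed session policy is what you paste into the user's Policy field, not into the role.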

For more general information about IAM roles, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

To learn more about identity-based policies for Amazon S3 resources, see Identity and access management in Amazon S3 in the Amazon Simple Storage Service Developer Guide.