AWS Transfer for SFTP
User Guide

IAM Policy and Role Requirements

When you create your SFTP user, you determine which Amazon S3 buckets they can access, which portions of each bucket are accessible, and which privileges those users have (for example, PUT or GET). To do this, you create an IAM policy and a role that provide this access information using a resource-based policy.

See Managing Access Permissions to Your Amazon S3 Resources to learn more about resource-based policies.

To provide access for an SFTP user to the Amazon S3 bucket that is the target or source for file operations:

  1. You create an IAM role and, when doing so, establish a trust relationship with the service.

    Note

    AWS Transfer for SFTP is not listed in the IAM services, so you choose Storage Gateway as a workaround to create the role. In that role, edit the trust relationship to replace storagegateway with transfer as the Service Principal.

  2. Within the role, you create a new policy. A sample policy that enables access to the bucket you want to use for SFTP is provided below.

  3. You attach the above policy to the role.

  4. Optionally, you can create a scope-down policy. A sample scope-down policy that locks down each user's access to their home directory is provided below.

To create an IAM Policy

  1. Open https://console.aws.amazon.com/iam/.

  2. From the left-hand navigation panel, choose Roles.

    On the Create role page make sure that AWS service is selected.

    Note

    AWS Transfer for SFTP is not listed in the IAM services, so you choose Storage Gateway as a workaround to create the role. In that role, edit the trust relationship to replace storagegateway with transfer as the Service Principal.

  3. In the list, choose Storage Gateway and choose Next: Permissions.

  4. On the Attach permissions policies page, choose Create Policy.

  5. On the Create Policy page, choose the JSON tab.

  6. In the editor that opens, replace the contents of the editor with the policy you want to attach to the role.

    You can provide a basic policy that gives an AWS SFTP user access to your S3 bucket.

    The following example policy grants read-write access to objects in your S3 bucket. Copy and paste this policy into the editor and save it for use in the later steps, when you add an SFTP user to your server.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfUserFolder",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::bucket_name"
                ]
            },
            {
                "Sid": "HomeDirObjectAccess",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObjectVersion",
                    "s3:DeleteObject",
                    "s3:GetObjectVersion"
                ],
                "Resource": "arn:aws:s3:::bucket_name/*"
            }
        ]
    }

    The following example policy is a scope-down policy that limits each user's access to their own home directory. If you want to provide this type of access to an SFTP user, copy this policy and paste it into the editor.

    Note

    For the scope-down policy to lock SFTP users to their home directory, make sure that the path you assign as their home directory contains the username. For example, if username="bob", then the home directory path must contain "bob".

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListingOfUserFolder",
                "Action": [
                    "s3:ListBucket"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::${transfer:HomeBucket}"
                ],
                "Condition": {
                    "StringLike": {
                        "s3:prefix": [
                            "Optional_path/${transfer:UserName}/*",
                            "Optional_path/${transfer:UserName}"
                        ]
                    }
                }
            },
            {
                "Sid": "HomeDirObjectAccess",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObjectVersion",
                    "s3:DeleteObject",
                    "s3:GetObjectVersion"
                ],
                "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
            }
        ]
    }

  7. Choose Review policy and provide a name and description for your policy and then choose Create policy.

You now create a role and attach the policy to it.

To create a Role

  1. From the left-hand navigation panel, choose Roles.

    On the Create role page make sure that AWS service is selected.

  2. Choose Create role.

  3. In the list, choose Storage Gateway and choose Next: permissions. This allows you to create a role.

    Note

    AWS SFTP is not listed in the services, so you choose Storage Gateway as a workaround. This allows you to create the role. In the role, edit the trust relationship to replace storagegateway with transfer as the Service Principal.

  4. On the Attach permissions policies page, locate and choose the policy you just created, and then choose Next: Tags.

  5. (Optional) Enter a key and value for the tag, and choose Next: Review.

  6. On the Review page, enter a name and description for the role and then choose Create role.

You now establish a trust relationship that allows AWS Transfer for SFTP to assume the role.

To establish a trust relationship

  1. Choose the role you just created.

  2. On the Summary page, choose Trust relationships and then choose Edit trust relationship.

  3. In the Edit Trust Relationship editor, replace storagegateway in the access policy with transfer. The edited access policy is shown below.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "transfer.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

In the Getting Started section, this role is assigned to your SFTP user(s). You have now created a role that allows AWS Transfer for SFTP to call AWS services on your behalf, and attached the policy you created to give access to your SFTP user. For more information about roles, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide.

Optionally, you can create a scope-down policy that limits each user's access to their own home directory. If you want to provide this type of access to an SFTP user, copy that policy and paste it into the editor. Refer to the section Creating a Scope-Down Policy to learn more.