Create an IAM role and policy - AWS Transfer Family

Create an IAM role and policy

When you create a user, you make a number of decisions about user access. These include which Amazon S3 buckets the user can access, what portions of each Amazon S3 bucket are accessible, and what permissions the user has (for example, PUT or GET).

To set access, you create a resource-based IAM policy and an IAM role that provides that access information.

As part of this, you provide access for your user to the Amazon S3 bucket that is the target or source for file operations. To do this, take the following high-level steps, described in detail later:

  1. Create an IAM policy for AWS Transfer Family.

  2. Create an IAM role and attach the new IAM policy.

    For an example of a read/write access policy, see Example read/write access policy. For an example of a scope-down policy, see Example scope-down policy.

  3. Establish a trust relationship between AWS Transfer Family and AWS.

The following procedures describe each of these steps in detail.

To create an IAM policy for AWS Transfer Family

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, and then choose Create role.

    On the Create role page, make sure that AWS service is chosen.

  3. Choose Transfer Family from the list of services, and then choose Next: Permissions.

  4. In the Attach permissions policies section, choose Create Policy.

  5. On the Create Policy page, choose the JSON tab.

  6. In the editor that appears, replace the contents of the editor with the IAM policy that you want to attach to the IAM role.

    You can grant read/write access or restrict users to their home directory.

    For an example of a read/write access policy, see Example read/write access policy. For an example of a scope-down policy, see Example scope-down policy.

  7. Choose Review policy and provide a name and description for your policy, and then choose Create policy.

Next, you create an IAM role and attach the new IAM policy to it.

To create an IAM role for AWS Transfer Family

  1. In the navigation pane, choose Roles, and then choose Create role.

    On the Create role page, make sure that AWS service is chosen.

  2. Choose Transfer Family from the service list, and then choose Next: Permissions. This establishes a trust relationship between AWS Transfer Family and AWS.

  3. In the Attach permissions policies section, locate and choose the policy that you just created, and choose Next: Tags.

  4. (Optional) Enter a key and value for a tag, and choose Next: Review.

  5. On the Review page, enter a name and description for your new role, and then choose Create role.

Next, you establish a trust relationship between AWS Transfer Family and AWS.

To establish a trust relationship

  1. In the IAM console, choose the name of the role that you just created to open it.

  2. On the Summary page, choose Trust relationships, and then choose Edit trust relationship.

  3. In the Edit Trust Relationship editor, make sure that the service is "transfer.amazonaws.com". The access policy is shown following.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "transfer.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  4. Choose Update Trust Policy to update the access policy.
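As an added example (not code from this AWS page), the following Python builds the trust policy from step 3 and an S3 access policy for the role, and checks that a trust policy trusts nothing beyond transfer.amazonaws.com and grants nothing beyond sts:AssumeRole. The bucket name, the prefix and the exact statements of the access policy are assumptions; the page's own read/write and scope-down examples live on separate pages.

```python
import json

TRANSFER_SERVICE = "transfer.amazonaws.com"


def transfer_trust_policy() -> dict:
    """Trust policy from step 3: only the Transfer Family service may assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": TRANSFER_SERVICE},
                           "Action": "sts:AssumeRole"}]}


def bucket_access_policy(bucket: str, prefix: str = "") -> dict:
    """Assumed-shape identity policy: list the bucket (only `prefix` if given) and read/write under it."""
    arn = f"arn:aws:s3:::{bucket}"
    list_stmt = {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": arn}
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*", prefix]}}
    return {"Version": "2012-10-17", "Statement": [
        list_stmt,
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"{arn}/{prefix}/*" if prefix else f"{arn}/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(doc: dict) -> list:
    """Flag Allow statements that let anything other than Transfer Family assume the role,
    or that grant more than sts:AssumeRole. Empty list means the policy is as tight as step 3's."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: trusts any principal (*)")
        elif isinstance(principal, dict):
            for kind, values in principal.items():
                for value in _as_list(values):
                    if kind != "Service" or value != TRANSFER_SERVICE:
                        findings.append(f"statement {i}: unexpected principal {kind}={value}")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"statement {i}: unexpected action {action}")
    return findings


if __name__ == "__main__":
    # JSON in the form accepted by `aws iam create-role` / `aws iam put-role-policy` (constructed names).
    print(json.dumps(transfer_trust_policy(), indent=2))
    print(json.dumps(bucket_access_policy("example-transfer-bucket", "home/alice"), indent=2))
```

Run the checker against a trust policy exported from the console before updating it; any finding means the role can be assumed by more than the Transfer Family service.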

You have now created an IAM role that allows AWS Transfer Family to call AWS services on your behalf. You attached to the role the IAM policy that you created to give access to your user. In the Getting started with AWS Transfer Family section, this role and policy are assigned to your user or users.

Optionally, you can create a scope-down policy that limits users' access to their home directories only, as described earlier in this topic. For more information on scope-down policies, see Example scope-down policy.

For more general information about IAM roles, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

To learn more about resource-based policies for Amazon S3 resources, see Identity and access management in Amazon S3 in the Amazon Simple Storage Service Developer Guide.