AWS Transfer for SFTP
User Guide


Editing User Configuration

You can edit a user's properties in the AWS SFTP Management Console. On the console's Server Configuration page, you can edit the user's role, policy, and home directory. You can also add and delete Secure Shell (SSH) public keys and tags.

To edit a user's properties, see the following procedure. To learn about creating IAM policies for AWS SFTP, see Using an IAM Policy to Control Access to AWS SFTP.

Note

You can't edit a user name after you add the user. To change a user's user name, add a new user with the new user name and delete the user that you no longer need. Once a user is deleted, no one can log in using that user's credentials, but any active sessions will remain open until they are disconnected.

To edit a user's properties

  1. Sign in to the AWS Management Console and open the AWS SFTP console at https://console.aws.amazon.com/transfer/.

  2. On the navigation pane, choose Servers.

  3. On the Server Configuration page, choose the user name in the Users section to view the User Configuration page, shown following.

  4. Choose Add SSH public key to add a new SSH public key to a user. Alternatively, choose an SSH public key that is already assigned in the list, and choose Delete to remove that key from the user's definition.

    SSH keys are used only on an SFTP server that uses the Amazon API Gateway authentication method, also known as the custom authentication method. For information on how to generate an SSH key pair, see Generating SSH Keys.

  5. Choose Manage tags to add, remove, or modify an existing tag that is associated with this user.

  6. Choose Edit to view the Edit Configuration page, shown following.

  7. (Optional) Modify the currently assigned AWS Identity and Access Management (IAM) role for the user by choosing an IAM role for Access Info.

    For information on how to create the required IAM role for AWS SFTP, see Create IAM Policies and Roles for SFTP. The IAM role for AWS SFTP includes an IAM policy that provides access to your Amazon S3 bucket. It also includes a trust policy that establishes a trust relationship with AWS SFTP, so that the service can assume the role.

  8. (Optional) Modify Policy Info by choosing a new policy option.

  9. (Optional) Modify Home Directory by choosing the new Amazon S3 bucket that you want to use to store data transferred by AWS SFTP. Enter the path to the directory where your user should be placed when they log in using their SFTP client.

    Note

    We recommend that you choose a directory path that contains the user name of the user.

    If you keep this parameter empty, then the root directory of your Amazon S3 bucket is used. Make sure that your role provides access to the root of the bucket.

  10. Choose Save to save your changes.

Using an IAM Policy to Control Access to AWS SFTP

You can control a user's access to AWS SFTP resources by using an AWS Identity and Access Management (IAM) policy. An IAM policy is a statement, typically in JSON format, that allows a certain level of access to a resource. You use an IAM policy to define which file operations your SFTP users are allowed to perform and which they are not. You can also use an IAM policy to define which Amazon S3 bucket or buckets you want to give your users access to. To specify these policies for users, you create an IAM role for AWS SFTP that has the IAM policy and trust relationship associated with it.

Each SFTP user is assigned an IAM role. When a user logs in to your SFTP server, AWS SFTP assumes the IAM role mapped to the user. To learn about creating an IAM role that provides a user access to an Amazon S3 bucket, see the following section. For information about how to create a role and delegate permissions, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide.

The type of IAM role that AWS SFTP uses is called a service role.

Allowing Read and Write Access to an Amazon S3 Bucket

Following, you can see how to create an IAM policy that allows read and write access to a specific Amazon S3 bucket. Assigning an IAM role that has this IAM policy to your SFTP user gives that user read/write access to the specified S3 bucket.

The following policy provides programmatic read and write access to an Amazon S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": ["arn:aws:s3:::bucketname"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion",
        "s3:GetObjectACL",
        "s3:PutObjectACL"
      ],
      "Resource": ["arn:aws:s3:::bucketname/*"]
    }
  ]
}

The ListBucket action requires permission to the bucket itself. The PUT, GET, and DELETE actions require object permissions. Because these are different entities, they are specified using different Amazon Resource Names (ARNs).

If your bucket is enabled for AWS Key Management Service (AWS KMS) encryption, you need to enable additional actions in the policy. For more information about AWS KMS, see What is AWS Key Management Service?

To further scope down your users' access to only the home directory of the specified S3 bucket, see Creating a Scope-Down Policy.

Creating a Scope-Down Policy

A scope-down policy is an AWS Identity and Access Management (IAM) policy that restricts AWS SFTP users to certain portions of an S3 bucket. It does so by evaluating access in real time.

You can use a scope-down policy when you need to give the same access to a group of users to a particular portion of your S3 bucket. For example, a group of users might need access to only the home directory. That group of users shares the same IAM role.

To create a scope-down policy, use the following policy variables in your IAM policy:

  • ${transfer:HomeBucket}

  • ${transfer:HomeDirectory}

  • ${transfer:HomeFolder}

  • ${transfer:UserName}

Note

You can't use the preceding variables as policy variables in an IAM role definition. You use these variables in an IAM policy and supply that policy directly when setting up your user. Also, you can't use the ${aws:Username} variable in this scope-down policy. This variable refers to an IAM user name and not the user name required by AWS SFTP.

An example of a scope-down policy is shown in the code example following.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${transfer:HomeBucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${transfer:HomeFolder}/*",
            "${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:GetObjectACL",
        "s3:PutObjectACL"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}

With the preceding policy in place, when a user logs in they can access only objects in their home directory. At connection time, AWS SFTP replaces these variables with the appropriate values for the user. Doing this makes it easier to apply the same policy documents to multiple users. This approach reduces the overhead of IAM role and policy management for managing your users' access to your Amazon S3 bucket.

You can also use a scope-down policy to customize access for each of your users based on your business requirements. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.

Note

AWS SFTP stores the policy JSON, instead of the ARN (Amazon Resource Name) of the policy. So when you make changes to the policy in the IAM console, you need to return to the AWS SFTP console and update your users with the latest policy contents. You can update the user under the Policy Info tab in the User Configuration section. For more information, see Editing User Configuration.

If you are using the CLI, you can use the following command to update the policy. The --query PolicyVersion.Document option selects the policy document itself from the get-policy-version output; without it, the output wraps the document in version metadata that AWS SFTP does not accept as a policy.

aws transfer update-user --server-id server --user-name user --policy \
    "$(aws iam get-policy-version --policy-arn policy --version-id version \
        --query PolicyVersion.Document --output json)"

Preventing Users from Creating a Directory in an S3 Bucket

You can prevent users from creating a directory in an Amazon S3 bucket. To do so, you create an IAM policy that allows the s3:PutObject action but also denies it when the key ends with a "/" (forward slash).

The following example policy allows users to upload files to an S3 bucket but doesn’t allow them to create a directory in the bucket. That is, it denies the mkdir command in the S3 bucket.

{
  "Sid": "DenyMkdir",
  "Action": [
    "s3:PutObject"
  ],
  "Effect": "Deny",
  "Resource": "arn:aws:s3:::my-sftp-bucket/*/"
}
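The following is an added example, not code from the AWS documentation. It shows mechanically what the scope-down policy section and the DenyMkdir statement describe: the ${transfer:*} variables are substituted for one user the way AWS SFTP does at connection time, and the resulting policy is evaluated for a few SFTP client operations (ls, get, put, mkdir) to see which ones the user's home directory confines. The evaluator models only the IAM features used on this page (Allow/Deny, '*' and '?' wildcards, the StringLike condition on s3:prefix). Two things are assumptions: that the leading "/" of the console Home Directory is stripped when the variables are filled in (which is what the ARN arn:aws:s3:::${transfer:HomeDirectory}* on the page requires), and that the DenyMkdir resource uses ${transfer:HomeBucket} in place of the literal bucket name so that one document serves every user.

```python
"""Added example (not from the AWS documentation): substitute the ${transfer:*}
policy variables for one SFTP user and evaluate the scope-down policy plus the
DenyMkdir statement against SFTP operations mapped onto S3 actions."""
import json
import re

# The page's scope-down policy with the page's DenyMkdir statement appended.
# Assumption: DenyMkdir uses ${transfer:HomeBucket} rather than a literal bucket name.
SCOPE_DOWN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {"StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*",
                                                       "${transfer:HomeFolder}"]}},
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject",
                       "s3:GetObjectVersion", "s3:GetObjectACL", "s3:PutObjectACL"],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
        },
        {
            "Sid": "DenyMkdir",
            "Action": ["s3:PutObject"],
            "Effect": "Deny",
            "Resource": "arn:aws:s3:::${transfer:HomeBucket}/*/",
        },
    ],
}


def transfer_variables(user_name, home_directory):
    """Values substituted for a user whose console Home Directory is e.g.
    '/my-sftp-bucket/home/alice'. Assumption: the leading '/' is stripped."""
    bucket, _, folder = home_directory.strip("/").partition("/")
    return {
        "${transfer:HomeBucket}": bucket,
        "${transfer:HomeFolder}": folder,
        "${transfer:HomeDirectory}": f"{bucket}/{folder}" if folder else bucket,
        "${transfer:UserName}": user_name,
    }


def substitute(policy, variables):
    """Replace every policy variable in the document with the user's value."""
    text = json.dumps(policy)
    for var, value in variables.items():
        text = text.replace(var, value)
    return json.loads(text)


def _matches(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, context):
    for operator, clauses in condition.items():
        if operator != "StringLike":  # the only condition operator used on this page
            raise NotImplementedError(operator)
        for key, patterns in clauses.items():
            if key not in context or not any(_matches(p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """IAM semantics in miniature: default deny, and any matching explicit Deny wins."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def sftp_allowed(policy_template, user_name, home_directory, operation, path):
    """Map an SFTP operation ('ls', 'get', 'put', 'mkdir') on the absolute path
    '/bucket/key' onto the S3 action AWS SFTP requests, and evaluate it."""
    policy = substitute(policy_template, transfer_variables(user_name, home_directory))
    bucket, _, key = path.strip("/").partition("/")
    if operation == "ls":
        return evaluate(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}", {"s3:prefix": key})
    if operation == "mkdir":
        key = key.rstrip("/") + "/"  # a directory is a zero-byte object whose key ends in '/'
        return evaluate(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}")
    action = {"get": "s3:GetObject", "put": "s3:PutObject"}[operation]
    return evaluate(policy, action, f"arn:aws:s3:::{bucket}/{key}")


if __name__ == "__main__":
    home = "/my-sftp-bucket/home/alice"  # constructed sample user
    for op, path in [("ls", "/my-sftp-bucket/home/alice"), ("ls", "/my-sftp-bucket/home/bob"),
                     ("put", "/my-sftp-bucket/home/alice/report.csv"),
                     ("mkdir", "/my-sftp-bucket/home/alice/inbox"),
                     ("get", "/my-sftp-bucket/home/alice-archive/notes.txt")]:
        verdict = "allow" if sftp_allowed(SCOPE_DOWN_POLICY, "alice", home, op, path) else "deny"
        print(f"{op:5} {path:45} -> {verdict}")
```

The last sample case is the check worth running before you deploy a scope-down policy: because the object resource on the page ends in `${transfer:HomeDirectory}*` with no separator, it also matches keys under a sibling prefix that merely begins with the home directory name (home/alice-archive/... for a user whose home is home/alice). Choosing home directory names that cannot be prefixes of one another, or putting a "/" before the "*" in that resource, closes the gap.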
