
AWS Family Transfer - SFTP Server with S3 Storage


Prerequisites

S3 Bucket

Create an S3 Bucket with the standard settings; “Block all public access” should be enabled by default. In my case the S3 Bucket is named “jklug.work-sftp”.


IAM Permission

Create an IAM Policy and add the following JSON permission:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::jklug.work-sftp"
            ],
            "Effect": "Allow",
            "Sid": "ReadWriteS3"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": [
                "arn:aws:s3:::jklug.work-sftp/*"
            ],
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}

Replace “jklug.work-sftp” with the actual name of your S3 Bucket. The Policy grants the SFTP user read and write permissions on that bucket only.


IAM Role

Create a new IAM Role and select “Transfer” in the use case drop-down menu:

And add the IAM Policy to the Role:
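
The IAM documents from this section, as an added example that is not part of the original post: it builds the same S3 policy for a given bucket name, the trust policy that the “Transfer” use case sets up for transfer.amazonaws.com (with the aws:SourceAccount / aws:SourceArn conditions AWS recommends against the confused-deputy problem; the ARN pattern used there is an assumption), and a small check that no statement in the policy is broader than this setup needs.

```python
# Added example (not the page's code): build the SFTP role's IAM documents and check S3 scoping.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                  "s3:DeleteObjectVersion", "s3:GetObjectVersion",
                  "s3:GetObjectACL", "s3:PutObjectACL"]


def build_user_policy(bucket):
    # The page's grants: bucket-level actions on the bucket ARN only,
    # object-level actions on the object ARN (bucket/*) only.
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListBucket", "Effect": "Allow", "Action": BUCKET_ACTIONS,
         "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Sid": "ObjectAccess", "Effect": "Allow", "Action": OBJECT_ACTIONS,
         "Resource": [f"arn:aws:s3:::{bucket}/*"]}]}


def build_trust_policy(account_id, region):
    # Trust policy behind the "Transfer" use case, with SourceAccount/SourceArn
    # conditions (confused-deputy prevention); the ARN pattern is an assumption.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "transfer.amazonaws.com"},
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn": f"arn:aws:transfer:{region}:{account_id}:*"}}}]}


def scoping_issues(policy):
    # Flag wildcard actions, non-S3/wildcard resources, and actions on the wrong ARN level.
    issues = []
    for st in policy["Statement"]:
        sid = st.get("Sid") or "<no Sid>"
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a.endswith("*") for a in actions):
            issues.append(f"{sid}: wildcard action")
        for res in resources:
            if not res.startswith("arn:aws:s3:::") or res == "arn:aws:s3:::*":
                issues.append(f"{sid}: wildcard or non-S3 resource {res}")
            elif "/" not in res and set(actions) & set(OBJECT_ACTIONS):
                issues.append(f"{sid}: object actions on bucket ARN {res}")
            elif "/" in res and set(actions) & set(BUCKET_ACTIONS):
                issues.append(f"{sid}: bucket actions on object ARN {res}")
    return issues


if __name__ == "__main__":
    policy = build_user_policy("jklug.work-sftp")  # bucket name from the page
    print(scoping_issues(policy) or "policy is scoped to the bucket")
```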


AWS Family Transfer

SFTP Server

Open the AWS Web Console:
https://eu-central-1.console.aws.amazon.com/transfer/

Click “Create server” and select “SFTP” as protocol:

Select “Service managed” as identity provider type:

Select “Amazon Route53 DNS alias” in case you are already using AWS Route 53, otherwise select “None”:

Select “Amazon S3” as storage service:

Create a new role for the CloudWatch logs, leave the remaining settings at their defaults and create the SFTP server:

Wait until the state of the SFTP server changes to “Online”:


SFTP User

Create a new SFTP user, select the IAM Role created earlier and the S3 Bucket:

Add an OpenSSH RSA public SSH key and add the new user:


Connect to SFTP Server

WinSCP Settings

Open WinSCP, add the SFTP server and user name and open the “Advanced” session settings:

Add your private SSH key:

Connect to the SFTP server. Note that when you upload a file you will probably get the following error message. This is because the S3 API does not allow setting a timestamp on an uploaded file.

Open the WinSCP settings, go to Transfer and edit the default preset:

Disable the “Preserve timestamp” setting: