What I Learned at Work this Week: AWS Transfer Family

SFTP

AWS Transfer Family

Transfer Family Setup

  1. Create an Amazon S3 bucket or Amazon EFS file system. EFS stands for Elastic File System. When we saw it in an earlier paragraph, it was describing dynamic storage size. Whether we go with that option or simply create a bucket, we can initialize and manage our storage through the AWS UI. No PR needed.
  2. Create an IAM role that contains two IAM policies… Here’s another acronym I’ve finally looked up: IAM stands for Identity and Access Management, and according to yet another doc, an IAM policy is a statement, typically in JSON format, that allows a certain level of access to a resource. In other words, this is how we’re going to grant clients access to the files we’re generating for them. We want them to be able to log into the SFTP and perform certain actions, but we don’t want to give everyone a full range of permissions. This is definitely something I want to ask my teammates about, because it seems to me that each client that accesses files in Transfer Family would need their own unique IAM permissions, which allow them to read and write to their bucket and their bucket only. I did find a Terraform PR that contained some variables in its configs, but I still think there’s something that I’m missing. In any case, we certainly have to create some IAM roles to make this work.
  3. (Optional) If you have your own registered domain, associate your registered domain with the server. SFTP servers must have a domain that’s used for logging in (username@sftp.domain.com). If we want to implement our own registered domain, we can use a Domain Name System (DNS) of our choosing. When setting up URL redirects for clients in the past, I’ve used Terraform to generate namespace (NS) values that they can plug into their DNS (the client’s DNS, because the client owns the website). Since this is our SFTP, I don’t think we had to do that. As usual, Amazon makes it easy to change a domain without writing a PR. I would guess that my teammates used Route 53, since I didn’t see a Terraform file for a custom domain.
  4. Create a Transfer Family server and specify the identity provider type used by the service to authenticate your users. Yet again, this can be fully managed through the AWS console. We want to create an SFTP server, so we’d follow this set of instructions. An identity provider is some service that manages credentials/authentication. Our options include the standard AWS provider, AWS Directory Service for Microsoft Active Directory, and a third option for all other providers. We could use the custom setup and write a Lambda to integrate with Okta, for instance, but in our case I believe we stuck with the AWS provider.
  5. If you are working with a server with a service-managed identity provider, as opposed to a custom identity provider, add one or more users. We just have to add a user so that we can try signing in and check permissions/access. If we’re using a custom identity provider, we’ll have already tested as part of the setup.
  6. Open a file transfer protocol client and configure the connection to use the endpoint hostname for the server that you want to use. You can get this hostname from the AWS Transfer Family console. The last step is… try it out! Common file transfer protocol clients include Cyberduck and FileZilla. On a Mac, you can even use OpenSSH to log in through your terminal!
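As an added example (not code from the original post), here is one answer to the per-client scoping question raised in step 2: instead of a separate IAM policy per client, Transfer Family lets a single session (scope-down) policy use its `${transfer:HomeBucket}` and `${transfer:HomeFolder}` variables, which the service substitutes at login. The bucket name, the `/bucket/username` home-directory layout and the tiny deny-by-default evaluator are constructed assumptions for illustration, not IAM's real evaluation engine.

```python
import fnmatch
import json
from typing import Optional

# Constructed sample bucket name; not from the original post.
BUCKET = "example-client-files"

# One session (scope-down) policy template shared by every SFTP user. Transfer
# Family fills in the ${transfer:...} variables at login, so each user is boxed
# into their own folder without a separate IAM policy per client.
SESSION_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListOwnFolder", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
     "Condition": {"StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}}},
    {"Sid": "ReadWriteOwnObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::${transfer:HomeBucket}/${transfer:HomeFolder}/*"}
  ]
}"""

def render_session_policy(user: str) -> dict:
    """Expand the variables the way the service would for a user whose home
    directory is /BUCKET/<user> (an assumed layout, set per user in the console)."""
    text = (SESSION_POLICY_TEMPLATE
            .replace("${transfer:HomeBucket}", BUCKET)
            .replace("${transfer:HomeFolder}", user))
    return json.loads(text)

def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') against one pattern or a list of them."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy: dict, action: str, resource: str, prefix: Optional[str] = None) -> bool:
    """Minimal deny-by-default evaluator (simplified, not IAM's real engine): a request
    passes only if some Allow statement matches action, resource and its s3:prefix condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None and (prefix is None or not _matches(wanted, prefix)):
            continue  # condition key absent or not matched: this statement does not apply
        return True
    return False
```

Rendering the policy for `alice` and probing `is_allowed` with her own and another user's object keys shows the same template granting each user only their own folder.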

More questions than answers

Sources
