AWS Transfer Family - Private SFTP server connection closed

0

Hi,

I'm curently facing a problem trying to create a private SFTP Server (deployed in a VPC) using AWS Transfer Family. So here are the steps I followed:

  • I started an EC2 in one of three subnets associated with the SFTP server (created in another step)
  • Those subnets are private
  • I connected to the EC2 instance using session manager
  • I created an ssh key named sftp_key to connect to the SFTP server
  • I Created an IAM role for the transfer service:
{
  "Version": "2012-10-17",
  "Statement": [
      {
      "Effect": "Allow",
      "Principal": {
            "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "<AccountId>"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:transfer:eu-west-1:<AccountId>:server/*"
        }
      }
      }
    ]
}
  • Attached an inline policy to this role:
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "AllowListingOfUserFolder",
          "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation"
          ],
          "Effect": "Allow",
          "Resource": [
              "arn:aws:s3:::<BucketName>"
          ]
      },
      {
          "Sid": "HomeDirObjectAccess",
          "Effect": "Allow",
          "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:DeleteObjectVersion",
              "s3:DeleteObject",
              "s3:GetObjectVersion"
          ],
          "Resource": "arn:aws:s3:::<BucketName>/*"
      }
  ]
}
  • Created a Role for logging management. This role has the following inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "CreateLogsForTransfer",
          "Effect": "Allow",
          "Action": [
              "logs:CreateLogStream",
              "logs:DescribeLogStreams",
              "logs:CreateLogGroup",
              "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*"
      }
  ]
}
  • Created an SFTP Server using the CLI like this:
aws transfer create-server --identity-provider-type SERVICE_MANAGED --protocols SFTP --domain S3 --endpoint-type VPC --endpoint-details SubnetIds=$SUBNET_IDS,VpcId=$VPC_ID,SecurityGroupIds=$SG_ID --logging-role $LOGGINGROLEARN --security-policy-name $SECURITY_POLICY

SUBNET_IDS: list of 3 privates subnets ids

VPC_ID: the concerned VPC ID

SG_ID: ID of a security group. This group allows all access on port 22 (TCP) from the same subnets (SUBNET_IDS)

LOGGINGROLEARN: Arn of the logging role

SECURITY_POLICY=TransferSecurityPolicy-2020-06

  • Created a user with the CLI:
aws transfer create-user --home-directory $DIRECTORY --policy file://sftp-scope-down-policy.json --role $ROLEARN --server-id $SERVERID --user-name $1 --ssh-public-key-body "$SSHKEYBODY"

DIRECTORY=/<BucketName>/<userName>

ROLEARN: Role created before

SSHKEYBODY: public key of the ssh key created on the EC2

sftp-scope-down-policy.json content:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "AllowListingOfUserFolder",
          "Action": [
              "s3:ListBucket"
          ],
          "Effect": "Allow",
          "Resource": [
              "arn:aws:s3:::${transfer:HomeBucket}"
          ],
          "Condition": {
              "StringLike": {
                  "s3:prefix": [
                      "${transfer:UserName}/*",
                      "${transfer:UserName}"
                  ]
              }
          }
      },
      {
          "Sid": "HomeDirObjectAccess",
          "Effect": "Allow",
          "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:DeleteObject",
              "s3:DeleteObjectVersion",
              "s3:GetObjectVersion"
          ],
          "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
      }
  ]
}
  • A VPC endpoint exists for the three subnets for the following services:
    • com.amazonaws.eu-west-1.ec2
    • com.amazonaws.eu-west-1.ssm
    • com.amazonaws.eu-west-1.ssmmessages

So here is the problem:

I tried to connect to the SFTP server from the EC2 launched in the first step using this command:

sftp -vvv -i sftp_key <userName>@<ServerPrivateIp>

the ssh logs shows that the connection suceeded but after that the connection closed directly.

debug1: Authentication succeeded (publickey).
Authenticated to <ServerPrivateIp> ([<ServerPrivateIp>]:22).

No logs are created on CloudWatch Logs and I can see nothing special on CloudTrail logs.

Can someone explain me what I missed ?

wmegel
asked 3 years ago1738 views
1 Answer
0

Hello wmegel@,

Thank you for sharing all the details. Since you observed Authentication Succeeded, it implies that connection to the server was established and there shouldn't be any issues in terms of intermediate network. Concerning the error, I suspect it has something to do with the Trust relationship of the associated IAM Roles. Could you make changes as follows and test the behavior -

For the Logging Role -

{
  "Version": "2012-10-17",
  "Statement": [
      {
      "Effect": "Allow",
      "Principal": {
            "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "<account-id>"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:transfer:<region>:<account-id>:server/*"
        }
      }
      }
    ]
}

For the User Role -

{
  "Version": "2012-10-17",
  "Statement": [
      {
      "Effect": "Allow",
      "Principal": {
            "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "<account-id>"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:transfer:<region>:<account-id>:user/<server-id>/*"
        }
      }
      }
    ]
}

Rest of the setup that you specified seems accurate to me. Could you make the above changes and test again to confirm if you can access S3 as desired?

In regards to your question on logging, CloudTrail shows Management level API calls such as CreateServer, CreateUser. For data level calls to your server, CloudWatch log group for your server should show details. Probably, the logs didn't populate due to issues in Trust relationship for the logging role. Once you make the above changes, you should see logs being populated in CloudWatch log group for your server.

I look forward to your update.

Reference: https://docs.aws.amazon.com/transfer/latest/userguide/confused-deputy.html

Thanks, Sagar

AWS
EXPERT
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions