AWS Transfer Family - Private SFTP server connection closed
Hi,
I'm currently facing a problem trying to create a private SFTP server (deployed in a VPC) using AWS Transfer Family.
So here are the steps I followed:
- I started an EC2 instance in one of the three subnets associated with the SFTP server (created in another step)
- Those subnets are private
- I connected to the EC2 instance using session manager
- I created an SSH key named sftp_key to connect to the SFTP server
- I created an IAM role for the transfer service:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<AccountId>"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:transfer:eu-west-1:<AccountId>:server/*"
        }
      }
    }
  ]
}
```
- Attached an inline policy to this role:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::<BucketName>"
      ]
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::<BucketName>/*"
    }
  ]
}
```
- Created a role for logging management. This role has the following inline policy:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateLogsForTransfer",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*"
    }
  ]
}
```
- Created an SFTP server using the CLI like this:
```
aws transfer create-server \
  --identity-provider-type SERVICE_MANAGED \
  --protocols SFTP \
  --domain S3 \
  --endpoint-type VPC \
  --endpoint-details SubnetIds=$SUBNET_IDS,VpcId=$VPC_ID,SecurityGroupIds=$SG_ID \
  --logging-role $LOGGINGROLEARN \
  --security-policy-name $SECURITY_POLICY
```
SUBNET_IDS: list of the 3 private subnet IDs
VPC_ID: the concerned VPC ID
SG_ID: ID of a security group. This group allows all access on port 22 (TCP) from the same subnets (SUBNET_IDS)
LOGGINGROLEARN: Arn of the logging role
SECURITY_POLICY=TransferSecurityPolicy-2020-06
- Created a user with the CLI:
```
aws transfer create-user \
  --home-directory $DIRECTORY \
  --policy file://sftp-scope-down-policy.json \
  --role $ROLEARN \
  --server-id $SERVERID \
  --user-name $1 \
  --ssh-public-key-body "$SSHKEYBODY"
```
DIRECTORY=/<BucketName>/<userName>
ROLEARN: Role created before
SSHKEYBODY: public key of the ssh key created on the EC2
sftp-scope-down-policy.json content:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${transfer:HomeBucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${transfer:UserName}/*",
            "${transfer:UserName}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}
```
- A VPC endpoint exists for the three subnets for the following services:
  - com.amazonaws.eu-west-1.ec2
  - com.amazonaws.eu-west-1.ssm
  - com.amazonaws.eu-west-1.ssmmessages
***So here is the problem:***
I tried to connect to the SFTP server from the EC2 launched in the first step using this command:
```
sftp -vvv -i sftp_key <userName>@<ServerPrivateIp>
```
The SSH logs show that the connection succeeded, but right after that the connection closed:
```
debug1: Authentication succeeded (publickey).
Authenticated to <ServerPrivateIp> ([<ServerPrivateIp>]:22).
```
No logs are created in CloudWatch Logs, and I can see nothing special in the CloudTrail logs.
Can someone explain to me what I missed?
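Added example (not part of the original post, and not AWS tooling): an offline check of the session (scope-down) policy posted above, to see what it grants once Transfer Family substitutes the `${transfer:*}` variables for a given user. It assumes the expansion rule as documented for a PATH-style home directory `/bucket/folder`: `${transfer:HomeBucket}` = `bucket`, `${transfer:HomeFolder}` = `folder`, `${transfer:HomeDirectory}` = `bucket/folder` (no leading slash), `${transfer:UserName}` = the user name. The bucket `my-bucket`, user `alice`, the neighbour prefix `someone-else/` and the object names are constructed; the set of S3 requests modelled (a `ListBucket` on the home prefix, a `GetObject` under it, and two requests that must be refused) is an approximation of what an SFTP login, `ls` and `get` trigger. Only `StringLike` conditions are evaluated, which is all the posted policy uses.

```python
"""Offline evaluation of a Transfer Family session policy after variable expansion."""
import json
import re

# The session policy from the post, embedded here so the example runs offline.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {"StringLike": {"s3:prefix": ["${transfer:UserName}/*", "${transfer:UserName}"]}},
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                       "s3:DeleteObjectVersion", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
        },
    ],
}


def expand_policy(policy, home_directory, user_name):
    """Substitute the transfer:* variables (assumed expansion for a PATH home
    directory '/bucket/folder': HomeBucket='bucket', HomeFolder='folder',
    HomeDirectory='bucket/folder' without the leading slash)."""
    path = home_directory.strip("/")
    bucket, _, folder = path.partition("/")
    text = json.dumps(policy)
    for var, value in {
        "${transfer:HomeBucket}": bucket,
        "${transfer:HomeDirectory}": path,
        "${transfer:HomeFolder}": folder,
        "${transfer:UserName}": user_name,
    }.items():
        text = text.replace(var, value)
    return json.loads(text)


def _wild(pattern, value):
    """IAM-style matching: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource_arn, context=None):
    """Evaluate the statements: default deny, any matching Allow grants,
    a matching explicit Deny wins over everything."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(_wild(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, resource_arn) for r in _as_list(st["Resource"])):
            continue
        cond_ok = True
        for op, keys in st.get("Condition", {}).items():
            if op != "StringLike":
                raise NotImplementedError(f"condition operator {op} is not modelled")
            for key, patterns in keys.items():
                value = context.get(key)
                if value is None or not any(_wild(p, value) for p in _as_list(patterns)):
                    cond_ok = False
        if not cond_ok:
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def login_checks(home_directory, user_name, policy=SESSION_POLICY):
    """Approximate the S3 calls behind an SFTP login, 'ls' and 'get' in the home
    directory, plus three requests that probe the policy's boundary."""
    pol = expand_policy(policy, home_directory, user_name)
    path = home_directory.strip("/")
    bucket, _, folder = path.partition("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "list_home": is_allowed(pol, "s3:ListBucket", bucket_arn, {"s3:prefix": folder + "/"}),
        "get_own_object": is_allowed(pol, "s3:GetObject", f"arn:aws:s3:::{path}/report.csv"),
        "list_other_user": is_allowed(pol, "s3:ListBucket", bucket_arn, {"s3:prefix": "someone-else/"}),
        "get_other_object": is_allowed(pol, "s3:GetObject", f"arn:aws:s3:::{bucket}/someone-else/secret.txt"),
        "get_sibling_prefix": is_allowed(pol, "s3:GetObject", f"arn:aws:s3:::{path}-archive/old.csv"),
    }


if __name__ == "__main__":
    # Constructed inputs: the post's layout (/<BucketName>/<userName>) and a deeper one.
    for home in ("/my-bucket/alice", "/my-bucket/home/alice"):
        print(home, login_checks(home, "alice"))
```

Two things the run makes visible. With the post's layout (`/<BucketName>/<userName>`) the listing and object reads of the home folder are allowed and another user's prefix is refused, as intended; with a deeper home directory such as `/my-bucket/home/alice` the `s3:prefix` condition built from `${transfer:UserName}` no longer matches `home/alice/`, so the home-directory listing is refused even though object access is still granted. Separately, `arn:aws:s3:::${transfer:HomeDirectory}*` without a `/` before the `*` also matches sibling keys such as `my-bucket/alice-archive/...`, which is why a trailing `/*` is the tighter choice when the folder name is not guaranteed to be unique as a prefix.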