Questions tagged with AWS Transfer for SFTP

Hi, I run EC2 in Ireland region with GoAnyhwere Application that receives SFTP traffic on 922 port. Normally, on prem, I receive constant 5-10Mbps inbound, but in AWS instance I receive 1mbs and constant drops to 0mbps. The instance is c5.xlarge. Is there anyone who faces similar anomaly ? The same anomaly happens when I transfer to the attached S3

Hi, I'm curently facing a problem trying to create a private SFTP Server (deployed in a VPC) using AWS Transfer Family. So here are the steps I followed: - I started an EC2 in one of three subnets associated with the SFTP server (created in another step) - Those subnets are private - I connected to the EC2 instance using session manager - I created an ssh key named sftp_key to connect to the SFTP server - I Created an IAM role for the transfer service: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "transfer.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "<AccountId>" }, "ArnLike": { "aws:SourceArn": "arn:aws:transfer:eu-west-1:<AccountId>:server/*" } } } ] } ``` - Attached an inline policy to this role: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListingOfUserFolder", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::<BucketName>" ] }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::<BucketName>/*" } ] } ``` - Created a Role for logging management. This role has the following inline policy: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CreateLogsForTransfer", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*" } ] } ``` - Created an SFTP Server using the CLI like this: ``` aws transfer create-server --identity-provider-type SERVICE_MANAGED --protocols SFTP --domain S3 --endpoint-type VPC --endpoint-details SubnetIds=$SUBNET_IDS,VpcId=$VPC_ID,SecurityGroupIds=$SG_ID --logging-role $LOGGINGROLEARN --security-policy-name $SECURITY_POLICY ``` SUBNET_IDS: list of 3 privates subnets ids VPC_ID: the concerned VPC ID SG_ID: ID of a security group. This group allows all access on port 22 (TCP) from the same subnets (SUBNET_IDS) LOGGINGROLEARN: Arn of the logging role SECURITY_POLICY=TransferSecurityPolicy-2020-06 - Created a user with the CLI: ``` aws transfer create-user --home-directory $DIRECTORY --policy file://sftp-scope-down-policy.json --role $ROLEARN --server-id $SERVERID --user-name $1 --ssh-public-key-body "$SSHKEYBODY" ``` DIRECTORY=/<BucketName>/<userName> ROLEARN: Role created before SSHKEYBODY: public key of the ssh key created on the EC2 sftp-scope-down-policy.json content: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListingOfUserFolder", "Action": [ "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::${transfer:HomeBucket}" ], "Condition": { "StringLike": { "s3:prefix": [ "${transfer:UserName}/*", "${transfer:UserName}" ] } } }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*" } ] } ``` - A VPC endpoint exists for the three subnets for the following services: - com.amazonaws.eu-west-1.ec2 - com.amazonaws.eu-west-1.ssm - com.amazonaws.eu-west-1.ssmmessages ***So here is the problem:*** I tried to connect to the SFTP server from the EC2 launched in the first step using this command: ``` sftp -vvv -i sftp_key <userName>@<ServerPrivateIp> ``` the ssh logs shows that the connection suceeded but after that the connection closed directly. ``` debug1: Authentication succeeded (publickey). Authenticated to <ServerPrivateIp> ([<ServerPrivateIp>]:22). ``` No logs are created on CloudWatch Logs and I can see nothing special on CloudTrail logs. Can someone explain me what I missed ?

Hi all, I've setup an SFTP server with AWS Transfer Family with "sftp-server" S3 bucket as storage. I created "subfolder01", "subfolder02", "subfolder03", etc in the bucket. I defined an SFTP user and set "sftp-server" as his restricted home folder. And I want to give him read/write permissions to "subfolder01" and "subfolder02" only, while no access to all the other subfolders. But when the user connects, he sees an empty list of his home folder, and he can only access the two subfolders if he manually types the "subfolder01/" or "subfolder02/" path, in Filezilla. I would like him to see the list of all the subfolders when he connects, or better, to see only the two subfolders that he has access to. This is the policy assigned to the role of the user: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::sftp-server" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:PutObjectAcl", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::sftp-server/subfolder01/*", "arn:aws:s3:::sftp-server/subfolder02/*" ] } ] } and this is Trusted Entities of his role: { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "transfer.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } Can you please help me?

AWS Transfer Family is pleased to announce the following enhancements to the managed workflows capability. 1. You can now configure your workflow steps to process either the originally uploaded file or the output file from the previous workflow step. You can also make multiple copies of a file and archive the original source file for records retention. 2. You can now utilize username as a variable in workflows copy steps, enabling you to dynamically route files to user-specific folders in Amazon S3. 3. You can now use AWS CloudFormation to configure and deploy managed workflows in a standardized and repeatable way across multiple regions and accounts. 4. Also, you now have access to AWS CloudWatch metrics such as total number of executions, successful executions and failed executions for your Workflows. To learn more, please visit our managed Workflows documentation [1] or the blog post [2] for additional details. [1] https://docs.aws.amazon.com/transfer/latest/userguide/transfer-workflows.html [2] https://aws.amazon.com/blogs/architecture/building-a-cloud-native-file-transfer-platform-using-aws-transfer-family-workflows/

AWS Transfer Family servers can now display customized messages, such as organizational policies or terms and conditions to your end users, helping you achieve your legal and compliance requirements. You can also present a customized Message of The Day (MOTD), such as a greeting message, to enhance user experience. To learn more about using login banners with AWS Transfer Family, please find details in our documentation - https://docs.aws.amazon.com/transfer/latest/userguide/create-server-sftp.html

The Endpoint is too long for the field that gets filled in for the SFTP software on customer end . Given AWS Endpoint is 59 characters long and the field only supports 55 characters. Do you know if there is a way for us to get a shorter one?

Suppose I want to make a safe, easy, and accessible way to transfer files into a VPC. Ideally a user just goes to a site in a browser and uploads the file, then can log into the VPC's network and download it. But there's a few gotchas: - All uploaded files must be scanned for viruses/malware (e.x. ClamAV Lambda checks the files). Infected files must be quarantined/inaccessible. - Users need to be able to authenticate with an Identity provider like Okta. - Users should only be able to see files that they have permissions to. I wanted to use AWS managed SFTP (such as https://github.com/awslabs/web-client-for-aws-transfer-family/tree/open-source), but I can't figure out how I would implement scanning into the pipeline. I could instead use S3 buckets directly with some application interface, but that would take a lot of heavy lifting on my end to build said application (unless there's already something for this). Any suggestions?

Hello All, I have deleted my sftp server in transfer family that contain all my users. Worst i don't have any inventory for the users. How do i recover.

I have an AWS Transfer requirement where I need to provide key based authentication as you get from the Service Managed identity provider, and AWS Directory Service authentication. Is this possible from a single server?

Starting today, AWS Transfer Family is available in the Asia Pacific (Osaka) Region. AWS Transfer Family provides fully managed file transfers for Amazon Simple Storage Service (Amazon S3) and Amazon Elastic File System (EFS). With this launch, AWS Transfer Family is now available in 21 commercial AWS regions, AWS GovCloud (US) Regions, Amazon China (Beijing) Region, operated by Sinnet, and the Amazon China (Ningxia) Region, operated by NWCD. AWS Transfer Family supports file transfers over Secure File Transfer Protocol (SFTP), File Transfer Protocol (FTP) and FTP over SSL (FTPS), simplifying and accelerating migration of file transfer workflows to AWS. For more information, visit the AWS Transfer Family product page and see the AWS Region Table for complete regional availability information.

I have an SFTP server with a couple of users. Their roles allow for read, list, and write but not delete. Once I log into the server, is it possible to do chmod to change permissions of a specific directory? How does that work given the roles and permissions already set in a policy?

Hi, Is it possible to build logical directories iteratively as users navigate from parent directory to child directory? ``` Ex:/ ├── public │ └── research --> s3://public-research │ └── global └── subscribed ├── 2018 │ ├── equities --> s3://subscriptions/historical/2018/equities │ └── indices --> s3://subscriptions/historical/2018/indices └── 2019 ├── credit --> s3://subscriptions/historical/2019/credit └── equities --> s3://subscriptions/historical/2019/equities ``` Initially, logical structure and mapping will be created only for "public" & "subscribed" directories.If the user navigates into the subscribed folder then build a logical directory structure dynamically for "2018" & "2019" folders. I went through the below article and it creates the entire directory structure and mapping once during authentication. https://aws.amazon.com/blogs/storage/using-aws-sftp-logical-directories-to-build-a-simple-data-distribution-service/

I was asked to provide the IP address of my Transfer Family SFTP ( public endpoint ) so that on their side they can make an outbound rule in their firewall. I thought this IP address was dynamically assigned to the endpoint, since i see many mentions that for whitelisting its required a static IP (EIP). If its dynamic is it possible to determine a IP range (that was their suggestion), without having to use a static IP (EIP)? Thanks Edit: whatismyipaddress.com mentions that is likely a static IP

Hello, I am receiving an error when using Amazon Transfer for SFTP. I can list and delete objects but I cannot write new objects. I receive error "open for write: Access denied." I have the below permissions policy (I have edited the last line of the policy to remove sensitive information). { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::${transfer:HomeBucket}", "Condition": { "StringLike": { "s3:prefix": [ "${transfer:HomeFolder}/*", "${transfer:HomeFolder}" ] } } }, { "Sid": "", "Effect": "Allow", "Action": [ "s3:PutObjectACL", "s3:PutObject", "s3:GetObjectVersion", "s3:GetObjectACL", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::${transfer:HomeDirectory}/*", "arn:aws:s3:::${transfer:HomeDirectory}*" ] }, { "Sid": "", "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:Encrypt", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:111111:key/111111" } ] }