Questions tagged with AWS Transfer for SFTP

Hi, Am using the below template for creating new was transfer family with vpc end point. But we could not reach VPC end point with other networks. Because it seems to route issue. Can any one please suggest me to fix. **Error Screen shot**  **Successful screen shot - Currently in production**  ``` Description: This template create aws transfer family with add user and deploys a VPC and security group, with a pair of public and private subnets spread across Single Availability Zones. It deploys an internet gateway, with a default route on the public subnets. It deploys a pair of NAT gateways (one AZ), and default routes for them in the private subnets, AWSTemplateFormatVersion: '2010-09-09' Parameters: EnvironmentName: Description: An environment name that is prefixed to resource names Type: String VpcCIDR: Description: Please enter the IP range (CIDR notation) for this VPC Type: String Default: 10.192.0.0/16 PublicSubnetCIDR: Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone Type: String Default: 10.192.10.0/24 PrivateSubnetCIDR: Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone Type: String Default: 10.192.20.0/24 CreateServer: AllowedValues: - 'true' - 'false' Type: String Description: >- Whether this stack creates a server internally or not. If a server is created internally, the customer identity provider is automatically associated with it. Default: 'true' Endpointtype: AllowedValues: - 'Internal' - 'Internet facing' Type: String Default: 'Internet facing' Conditions: CreateServer: 'Fn::Equals': - Ref: CreateServer - 'true' Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VpcCIDR EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Sub ${EnvironmentName} Resources CloudWatchLoggingRole: Description: IAM role used by Transfer to log API requests to CloudWatch Type: 'AWS::IAM::Role' Condition: CreateServer Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - transfer.amazonaws.com Action: - 'sts:AssumeRole' GoldcoastTvodUser: Type: 'AWS::Transfer::User' Properties: HomeDirectory: "/goldcoast-tvod" HomeDirectoryType: "PATH" Policy: 'Fn::Sub': | { "Version": "2012-10-17", "Statement": { "Sid": "AllowFullAccessToBucket", "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::goldcoast-tvod", "arn:aws:s3:::goldcoast-tvod/*" ] } } Role: 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole' ServerId: 'Fn::GetAtt': TransferServer.ServerId SshPublicKeys: - >- ssh-rsa AAAAB3 UserName: GoldcoastTvodUser etcsvoduser: Type: 'AWS::Transfer::User' Properties: HomeDirectory: "/etc-svod" HomeDirectoryType: "PATH" Policy: 'Fn::Sub': | { "Version": "2012-10-17", "Statement": { "Sid": "AllowFullAccessToBucket", "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ] } } Role: 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole' ServerId: 'Fn::GetAtt': TransferServer.ServerId SshPublicKeys: - >- ssh-rsa AAAAB3 UserName: etc-svod-user etctvoduser: Type: 'AWS::Transfer::User' Properties: HomeDirectory: "/tvn-tvod" HomeDirectoryType: "PATH" Policy: 'Fn::Sub': | { "Version": "2012-10-17", "Statement": { "Sid": "AllowFullAccessToBucket", "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ] } } Role: 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole' ServerId: 'Fn::GetAtt': TransferServer.ServerId SshPublicKeys: - >- ssh-rsa AAAAB3 UserName: etc-tvod-user lhtcsvoduser: Type: 'AWS::Transfer::User' Properties: HomeDirectory: "/lhtc-svod" HomeDirectoryType: "PATH" Policy: 'Fn::Sub': | { "Version": "2012-10-17", "Statement": { "Sid": "AllowFullAccessToBucket", "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ] } } Role: 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole' ServerId: 'Fn::GetAtt': TransferServer.ServerId SshPublicKeys: - >- ssh-rsa AAAAB3 UserName: lhtc-svod-user lhtctvoduser: Type: 'AWS::Transfer::User' Properties: HomeDirectory: "/tvn-tvod" HomeDirectoryType: "PATH" Policy: 'Fn::Sub': | { "Version": "2012-10-17", "Statement": { "Sid": "AllowFullAccessToBucket", "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ] } } Role: 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole' ServerId: 'Fn::GetAtt': TransferServer.ServerId SshPublicKeys: - >- ssh-rsa AAAAB3 UserName: lhtc-tvod-user mastercopyfoleuser: Type: 'AWS::Transfer::User' Properties: HomeDirectory: "/mastercopyfiles" HomeDirectoryType: "PATH" Policy: 'Fn::Sub': | { "Version": "2012-10-17", "Statement": { "Sid": "AllowFullAccessToBucket", "Action": "s3:*", "Effect": "Allow", "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ] } } Role: 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole' ServerId: 'Fn::GetAtt': TransferServer.ServerId SshPublicKeys: - >- ssh-rsa AAAAB3 UserName: mastercopyfole-user InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: !Ref EnvironmentName InternetGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref VPC PublicSubnet: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [ 0, !GetAZs '' ] CidrBlock: !Ref PublicSubnetCIDR MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub ${EnvironmentName} Public Subnet PrivateSubnet: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC AvailabilityZone: !Select [ 0, !GetAZs '' ] CidrBlock: !Ref PrivateSubnetCIDR MapPublicIpOnLaunch: false Tags: - Key: Name Value: !Sub ${EnvironmentName} Private Subnet NatGatewayEIP: Type: AWS::EC2::EIP DependsOn: InternetGatewayAttachment Properties: Domain: vpc Tags: - Key: Name Value: !Sub ${EnvironmentName} Elsatic Ip PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${EnvironmentName} Public Routes PublicSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref PublicSubnet PrivateRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub ${EnvironmentName} Private Routes PrivateSubnetRouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref PrivateRouteTable SubnetId: !Ref PrivateSubnet SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupName: "Production Security Group" GroupDescription: "Security Group with inbound and outbound rule" VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 - IpProtocol: udp FromPort: 69 ToPort: 69 CidrIp: 96.47.148.171/32 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 3.16.146.0/29 SecurityGroupEgress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 Tags: - Key: Name Value: !Sub ${EnvironmentName} TfVPCInterfaceEndpoint: Type: 'AWS::EC2::VPCEndpoint' Properties: VpcEndpointType: Interface ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs' VpcId: !Ref VPC SubnetIds: - !Ref PublicSubnet SecurityGroupIds: - !Ref SecurityGroup TransferServer: Type: 'AWS::Transfer::Server' Condition: CreateServer Properties: EndpointType: 'VPC' SecurityPolicyName: TransferSecurityPolicy-FIPS-2020-06 LoggingRole: 'Fn::GetAtt': CloudWatchLoggingRole.Arn Tags: - Key: Name Value: !Sub ${EnvironmentName} Transferserver EndpointDetails: VpcId: !Ref VPC SubnetIds: - !Ref PublicSubnet AddressAllocationIds: - !GetAtt NatGatewayEIP.AllocationId Tags: - Key: Name Value: !Sub ${EnvironmentName} Transferserver ```lg...

when I try to log in to FileZilla by using credentials that I created in FTP in an EC2/Lightsail (Ubuntu) instance, it was not connected. otherwise, I use a keypair, it will work. Please give a reason and give a proper procedure for creating FTP Server by using an EC2/Lightsail. Thank You in Advancelg...

How to connect to AWS Transfer SFTP endpoint from an EC2 instance? Currently from EC2, the connection is interrupted with Connection reset by peer message: sftp -i <privatekey> -v user@<endpoint>.server.transfer.ap-southeast-2.amazonaws.com OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 58: Applying options for * debug1: Connecting to <endpoint>.server.transfer.ap-southeast-2.amazonaws.com [ServerPrivateIp] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: key_load_public: No such file or directory debug1: identity file sftp_id_rsa type -1 debug1: key_load_public: No such file or directory debug1: identity file sftp_id_rsa-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.4 debug1: Remote protocol version 2.0, remote software version AWS_SFTP_1.1 debug1: no match: AWS_SFTP_1.1 debug1: Authenticating to <endpoint>.server.transfer.ap-southeast-2.amazonaws.com:22 as 'user' debug1: SSH2_MSG_KEXINIT sent Connection closed by ServerPrivateIp port 22 Couldn't read packet: Connection reset by peerlg...

I change the permission with SSH (very simple just "chown -R ec2-user:apache /var/www/html/xxxxx/xxxx/xxx"), the SSH reject my connection and ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused... After that I check and reboot the EC2 but not effective... What can I do...lg...

Hey all! I setup an SFTP and generated and used PuTTY Key Generator for the SSH Public key. As per guidance on the AWS site for transferring a file, I downloaded Cyberduck and followed the instructions. I pasted the endpoint into the 'Server' field. used 22 for 'Port number', entered my username, and pasted my SSH private key. However it also asks for a password. The only password i recall setting up was the one for the public key, however when i enter this and select 'Connect' in Cyberduck, i receive the message "Listing Directory Failed. Failed to create user (Unsupported or invalid SSH public key format)". Can anyone advise what i'm doing wrong please? Thank you!lg...

Hi all! I've managed to set up an S3 bucket and an SFTP Server. Upon adding users to the server, I am prompted to enter an SSH public key. I have used PuTTY Key Generator on my laptop to generate the keys (both private and public). However, when i try to paste the SSH public key, I receive the message 'Failed to create user (Unsupported or invalid SSH public key format)'. Can anyone please advise what I could be doing wrong? TIAlg...

I'm attempting to set up permissions for a user account on AWS Transfer Service with SFTP protocol. I have a use case where a user should be able to add a file to a directory but not list the files in it. When I tweak the IAM role to deny 's3:ListBucket' for a specific subdirectory the put operation fails as well. Theoretically s3 does allow to Put object without having the ability to list the prefixes. AWS transfer service however seems to be implicitly using the list bucket operation before put. Has anyone managed to deny listing ability while still being able to upload. IAM policy : ``` { "Version": "2012-10-17", "Statement": [ { "Action": "s3:ListBucket", "Effect": "Allow", "Resource": [ "arn:aws:s3:::<my-bucket>" ], "Sid": "AllowListDirectories", "Condition": { "StringLike": { "s3:prefix": [ "data/partner_2/*" ] } } }, { "Sid": "DenyMkdir", "Action": [ "s3:PutObject" ], "Effect": "Deny", "Resource": "arn:aws:s3:::<my-bucket>/*/" }, { "Sid": "DenyListFilesInSubDirectory", "Action": [ "s3:ListBucket" ], "Effect": "Deny", "Resource": "arn:aws:s3:::<my-bucket>", "Condition": { "StringLike": { "s3:prefix": [ "data/partner_2/data/incoming/*" ] } } }, { "Effect": "AllowReadWirteInSubDirectory", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging", "s3:PutObjectVersionAcl", "s3:PutObjectVersionTagging" ], "Resource": "arn:aws:s3:::<my-bucket>/data/partner_2/data/incoming/*" }, { "Effect": "AllowOnlyReadInADifferentDirectory", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::<my-bucket>/data/partner_2/data/outgoing/*" } ] } ``` The output from SFTP client: ``` sftp> cd data/incoming sftp> ls Couldn't read directory: Permission denied sftp> put /Users/foo/Downloads/test.log Uploading /Users/foo/Downloads/test.log to /data/incoming/test.log remote open("/data/incoming/test.log"): Permission denied sftp> get test-one.txt Fetching /data/incoming/test-one.txt to test-one.txt sftp> exit ```lg...

Hi! Can anyone help direct me to someone i could speak to about setting up an SFTP. I think this is what i need, but i'm not 100% sure and would appreciate some technical advice. In short, my team (part of Amazon) want to regularly share data with a third party to be ingested into a dashboard. The third party suggest we use an SFTP. Thanks in advance! Lyndseylg...

hello all may i ask you all, i found a problem like in the picture.  **In order to perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to continue. If you don't remember your credentials, we recommend contacting your web host.** can you please help me to fix this all Thank youlg...

I need to delete a few files on the server, only way I know to get to them is via ftp. when I try to delete those files I get permission denied message. I am logged in with bitnami username. Is it possible to fix ?lg...

I have an SFTP server. I can login and see directories, and partner A can as well , but partner B can not. . Im using the same same roles and policies. but partner A get access denied after connecting.lg...

Hi, I am trying to setup AWS File transfer SFTP server. Here is my requirement: 1. User must be authenticated via third part identity provider which in Azure Authentication in our case. 2. Once user logged in they should two folder in their homedirectory i.e. {transfer:user}/folder1 and {transfer:user}/folder2 3. User should be restricted to put files in either folder1 or folder2, not in their home directory. 4. User should be able download the files only if specific tag is set on object/files in S3 So far, I am able to achieve Step 1 and Step 2 -- Step 1 -- custom authentication using lambda. Step 2 -- Once user authenticated successfully, Lambda will create folder1 and folder2 in their homedirectory. But when user logged into their home-directory they are not able to see folder1 and folder2 in their homedirectory but I can see folders were created successfully in S3 bucket. Here is IAM role attached to Transfer server and not able to figure out what's wrong with it. Any help would be appreciate. ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "ReadWriteS3", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::s3-bucket" ] }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::s3-bucket/*" ] }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Condition": { "StringEquals": { "s3:ExistingObjectTag/allowdownload": "yes" } }, "Resource": [ "arn:aws:s3:::s3-bucket/*" ], "Effect": "Allow", "Sid": "DownloadAllowed" }, { "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Condition": { "StringEquals": { "s3:ExistingObjectTag/allowdownload": "no" } }, "Resource": [ "arn:aws:s3:::s3-bucket/*" ], "Effect": "Deny", "Sid": "DownloadNotAllowed" }, { "Sid": "DenyMkdir", "Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::s3-bucket/*/*/" } ] } ``` Within lambda where user authentication happens, I am returning user's homedirectory ``` HomeDirectoryDetails = [{"Entry":"/","Target":"/s3-bucket/${transfer:UserName}"}] ``` also tried below but no luck ``` HomeDirectoryDetails = = [{"Entry":"/folder1","Target":"/s3-bucket/${transfer:UserName}/folder1"},{"Entry":"/folder2","Target":"/s3-bucket/${transfer:UserName}/folder2"}] ``` User gets permission denied error when try to do "ls" in their home directory ``` sftp> ls Couldn't read directory: Permission denied ```lg...