Questions tagged with AWS Transfer Family


Cannot login to a newly created SFTP server and cannot see server logs

I have created an SFTP server, gave it a logging role and created a user. As a result I can neither log into the server with my private key nor see any log messages. Following are the exact steps:

1. Created the **xxxxxxxxxx-dev-import** S3 bucket and created a **test-user** folder in it.
2. Created a **DevImportSFTPReadWriteAccess** RW access policy to access the target bucket.
3. Created a **DevImportSFTPRole** role and attached the aforementioned **ImportSFTPReadWriteAccess** policy to it.
4. Created a role called **AWSTransferLoggingRole** and attached the AWS-managed **AWSTransferLoggingAccess** policy to it. Checked the trust relationship - transfer.amazonaws.com is trusted.
5. Created a public SFTP server with service managed identity provider and assigned the aforementioned **AWSTransferLoggingRole** as the logging role. Waited until the server started. **NOTE** After the server was started the logs were not visible in CloudWatch.
6. After the server was started, created a **test-user** user with the public key, assigned the **xxxxxxxxxx-dev-import** as the bucket and **test-user** as home folder.

Following is the result I'm ending up with:

```
mymacbook:.ssh UXXXXXX$ telnet s-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com 22
Trying XXX.XXX.XXX.XXX...
Connected to s-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com.
Escape character is '^]'.
SSH-2.0-AWS_SFTP_1.0
^C
Connection closed by foreign host.
mymacbook:.ssh UXXXXXX$ ssh -i ~/.ssh/id_rsa_test_user test-user@s-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com
The authenticity of host 's-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com (XXX.XXX.XXX.XXX)' can't be established.
RSA key fingerprint is SHA256:u0HCsILNN4vTm367Wgyeh2ToHLbuZayQzbzt9GbF+v8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 's-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com,XXX.XXX.XXX.XXX' (RSA) to the list of known hosts.
Enter passphrase for key '/Users/UXXXXXX/.ssh/id_rsa_test_user':
Connection to s-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com closed by remote host.
Connection to s-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com closed.
mymacbook:.ssh UXXXXXX$
```

And again - no logs in CloudWatch.
1 answer · 0 votes · 277 views · asked 3 years ago

Custom Identity Provider - SSH Key and/or Password Auth

Hello, I'm interested in using AWS Transfer for SFTP to replace a number of aging SFTP servers that have hundreds of users and rely on local Linux account authentication and chrooting for security. I have spent a lot of time looking over this forum and the AWS documentation for the SFTP offering. I have a number of concerns I'm hoping can be addressed by the community:

1. Is there a custom identity provider I can plug into today that allows a mixture of password authentication, SSH key authentication **and** allows end-users to perform self-service password resets? We have hundreds of users (password auth) as well as service/automated accounts (SSH key auth). Secrets Manager will allow both auth methods, but there doesn't seem to be a way for end users to have direct control over their passwords or perform self-service resets. Additionally, administrators with access to Secrets Manager would have access to the plaintext version of passwords, which is not a security best practice. https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-for-sftp-using-aws-secrets-manager/ Identity is one of the most important pieces of the solution and it happens to be more complex with AWS SFTP than any other solution on the market today when you factor in real-world use cases of mixed authentication, security requirements, and being forced to use API Gateway, Lambda functions, etc.

2. Is there any solution that will allow for whitelisting IP access to the server which doesn't add significantly to the complexity/cost of the solution? If not, then how are we supposed to address the risks of having an internet-accessible server (brute-force attempts)?

Based on the documentation, to enable whitelisting, I would need:

- a VPC
- an NLB with an elastic IP
- a firewall in front of all that

There is no formal documentation on how to set up all the pieces above and have it work successfully, and I'm not sure anyone has done it yet who can demonstrate it will actually work. It would be great to have these addressed with a solution today, or see if AWS is working on functionality.
1 answer · 0 votes · 36 views · PedroM · asked 3 years ago

Custom Identity Provider - works until Policy is defined?

Hi, I've got a server set up with a custom identity provider running a Lambda function. With only a Role defined in the response, my user can log in (but of course has more access than is desired). When I add the Policy inline to the Lambda response, the login fails. Testing with test-identity-provider yields 200 success when no Policy is defined. However, when a Policy is defined (it seems any policy, with or without variables), testing with test-identity-provider I get the following:

```
"Message": "Unable to call identity provider: Unable to unmarshall response (We expected a VALUE token but got: START_OBJECT). Response Code: 200, Response Text: OK",
"StatusCode": 500,
```

The policy I'm using is not special, just an example found online:

```javascript
const policy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["in/${transfer:UserName}/*", "in/${transfer:UserName}"]
        }
      }
    },
    {
      "Sid": "AWSTransferRequirements",
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Resource": "*"
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*"
    }
  ]
};
```

and later:

```javascript
response = {
  Role: 'my_role_arn',
  Policy: policy,
  HomeDirectory: '/my-bucket/in/myuser',
};
```

Anybody got any hints about what I'm doing wrong? Thanks.

Edited by: TTF2019 on Apr 13, 2019 5:10 AM
4 answers · 0 votes · 65 views · TTF2019 · asked 4 years ago
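As an added example that is not part of the thread: a Lambda-style response builder for a Transfer Family custom identity provider that returns the session policy as a JSON string rather than a nested object, plus a pre-flight check on the response shape. The role ARN, bucket name and handler name are constructed placeholders.

```javascript
// Added example, not code from the post. Builds the custom identity provider
// response for AWS Transfer Family with the session Policy serialised to a JSON
// string, which is the type the service reads for that field. Placeholder values.

const policy = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "AllowListingOfUserFolder",
      Effect: "Allow",
      Action: ["s3:ListBucket"],
      Resource: ["arn:aws:s3:::${transfer:HomeBucket}"],
      Condition: { StringLike: { "s3:prefix": ["in/${transfer:UserName}/*", "in/${transfer:UserName}"] } },
    },
    {
      Sid: "HomeDirObjectAccess",
      Effect: "Allow",
      Action: ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      Resource: "arn:aws:s3:::${transfer:HomeDirectory}/*",
    },
  ],
};

// Response body handed back to Transfer Family. Policy is a string: passing the
// object itself makes the service's JSON parser hit START_OBJECT where it
// expects a scalar VALUE token, which is the 500 shown in the question.
function buildResponse(roleArn, homeDirectory) {
  return { Role: roleArn, Policy: JSON.stringify(policy), HomeDirectory: homeDirectory };
}

// Pre-flight check before returning: Role, HomeDirectory and Policy must all be
// strings, and Policy must parse back into a JSON document.
function validateResponse(resp) {
  const problems = [];
  for (const k of ["Role", "HomeDirectory", "Policy"]) {
    if (typeof resp[k] !== "string") problems.push(`${k} must be a string`);
  }
  if (typeof resp.Policy === "string") {
    try { JSON.parse(resp.Policy); } catch { problems.push("Policy is not valid JSON"); }
  }
  return problems;
}

// What the Lambda would export as its handler (hypothetical name). A real
// provider verifies the caller's credentials before any role is handed back.
async function handler(event) {
  const resp = buildResponse("arn:aws:iam::123456789012:role/placeholder-sftp-role", `/placeholder-bucket/in/${event.username}`);
  if (validateResponse(resp).length) return {}; // empty response = authentication denied
  return resp;
}
```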