AWS Transfer Family - Private SFTP server connection closed

Hi,

I'm currently facing a problem trying to create a private SFTP server (deployed in a VPC) using AWS Transfer Family. Here are the steps I followed:

  • I started an EC2 instance in one of the three subnets associated with the SFTP server (created in another step)
  • Those subnets are private
  • I connected to the EC2 instance using session manager
  • I created an ssh key named sftp_key to connect to the SFTP server
  • I created an IAM role for the Transfer service:
{
  "Version": "2012-10-17",
  "Statement": [
      {
      "Effect": "Allow",
      "Principal": {
            "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "<AccountId>"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:transfer:eu-west-1:<AccountId>:server/*"
        }
      }
      }
    ]
}
  • Attached an inline policy to this role:
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "AllowListingOfUserFolder",
          "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation"
          ],
          "Effect": "Allow",
          "Resource": [
              "arn:aws:s3:::<BucketName>"
          ]
      },
      {
          "Sid": "HomeDirObjectAccess",
          "Effect": "Allow",
          "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:DeleteObjectVersion",
              "s3:DeleteObject",
              "s3:GetObjectVersion"
          ],
          "Resource": "arn:aws:s3:::<BucketName>/*"
      }
  ]
}
  • Created a Role for logging management. This role has the following inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "CreateLogsForTransfer",
          "Effect": "Allow",
          "Action": [
              "logs:CreateLogStream",
              "logs:DescribeLogStreams",
              "logs:CreateLogGroup",
              "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*"
      }
  ]
}
  • Created an SFTP Server using the CLI like this:
aws transfer create-server --identity-provider-type SERVICE_MANAGED --protocols SFTP --domain S3 --endpoint-type VPC --endpoint-details SubnetIds=$SUBNET_IDS,VpcId=$VPC_ID,SecurityGroupIds=$SG_ID --logging-role $LOGGINGROLEARN --security-policy-name $SECURITY_POLICY

SUBNET_IDS: list of 3 private subnet IDs

VPC_ID: the concerned VPC ID

SG_ID: ID of a security group. This group allows all access on port 22 (TCP) from the same subnets (SUBNET_IDS)

LOGGINGROLEARN: Arn of the logging role

SECURITY_POLICY=TransferSecurityPolicy-2020-06

  • Created a user with the CLI:
aws transfer create-user --home-directory $DIRECTORY --policy file://sftp-scope-down-policy.json --role $ROLEARN --server-id $SERVERID --user-name $1 --ssh-public-key-body "$SSHKEYBODY"

DIRECTORY=/<BucketName>/<userName>

ROLEARN: Role created before

SSHKEYBODY: public key of the ssh key created on the EC2

sftp-scope-down-policy.json content:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "AllowListingOfUserFolder",
          "Action": [
              "s3:ListBucket"
          ],
          "Effect": "Allow",
          "Resource": [
              "arn:aws:s3:::${transfer:HomeBucket}"
          ],
          "Condition": {
              "StringLike": {
                  "s3:prefix": [
                      "${transfer:UserName}/*",
                      "${transfer:UserName}"
                  ]
              }
          }
      },
      {
          "Sid": "HomeDirObjectAccess",
          "Effect": "Allow",
          "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:DeleteObject",
              "s3:DeleteObjectVersion",
              "s3:GetObjectVersion"
          ],
          "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
      }
  ]
}
  • A VPC endpoint exists for the three subnets for the following services:
    • com.amazonaws.eu-west-1.ec2
    • com.amazonaws.eu-west-1.ssm
    • com.amazonaws.eu-west-1.ssmmessages

So here is the problem:

I tried to connect to the SFTP server from the EC2 launched in the first step using this command:

sftp -vvv -i sftp_key <userName>@<ServerPrivateIp>

The ssh logs show that authentication succeeded, but right after that the connection closed.

debug1: Authentication succeeded (publickey).
Authenticated to <ServerPrivateIp> ([<ServerPrivateIp>]:22).

No logs are created on CloudWatch Logs and I can see nothing special on CloudTrail logs.

Can someone explain to me what I missed?

wmegel
Asked 2 years ago, viewed 1432 times
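The session ("scope-down") policy in the question relies on three `${transfer:*}` variables that Transfer Family substitutes at request time. The following is an added example, not code from the original post or from AWS: it resolves those variables for a given user and evaluates which S3 requests the post's session policy would allow. The bucket name `my-bucket`, the user `alice` and all keys are constructed. The expansions assumed (not stated in the post) are `${transfer:HomeBucket}` to the bucket name, `${transfer:UserName}` to the user name, and `${transfer:HomeDirectory}` to `<bucket>/<prefix>` with the leading slash dropped and no trailing slash. Only the policy elements the post's policy uses are modelled (Allow statements, `*`/`?` wildcards in `Resource`, and a `StringLike` condition on `s3:prefix`).

```python
"""Added example (not from the original post or AWS): resolve ${transfer:*}
variables in a Transfer Family session policy and evaluate S3 requests.

Assumptions (constructed for this example):
  * HomeDirectory is in PATH form "/<bucket>/<prefix>", as in the post.
  * ${transfer:HomeBucket} -> bucket, ${transfer:UserName} -> user name,
    ${transfer:HomeDirectory} -> "<bucket>/<prefix>" (no leading/trailing slash).
  * Only Allow statements, Resource wildcards and StringLike on s3:prefix
    are modelled; there is no Deny handling and no other condition operator.
"""
import json
import re

# The session policy from the post, verbatim.
SESSION_POLICY = json.loads(r"""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
      "Condition": {"StringLike": {"s3:prefix": ["${transfer:UserName}/*",
                                                  "${transfer:UserName}"]}}
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                 "s3:DeleteObjectVersion", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}""")


def iam_match(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def resolve_variables(text, user_name, home_directory):
    """Substitute the three ${transfer:*} variables under the assumed expansions."""
    path = home_directory.strip("/")          # "my-bucket/alice"
    bucket = path.split("/", 1)[0]
    return (text.replace("${transfer:UserName}", user_name)
                .replace("${transfer:HomeBucket}", bucket)
                .replace("${transfer:HomeDirectory}", path))


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, user_name, home_directory, action, resource_arn, context=None):
    """True if some Allow statement matches the action, resource and conditions.

    `context` carries request condition keys, e.g. {"s3:prefix": "alice/"}.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        resources = [resolve_variables(r, user_name, home_directory)
                     for r in _as_list(stmt["Resource"])]
        if not any(iam_match(r, resource_arn) for r in resources):
            continue
        ok = True
        for key, wanted in stmt.get("Condition", {}).get("StringLike", {}).items():
            patterns = [resolve_variables(p, user_name, home_directory)
                        for p in _as_list(wanted)]
            actual = context.get(key)
            # A missing key never satisfies StringLike; any listed pattern may match.
            if actual is None or not any(iam_match(p, actual) for p in patterns):
                ok = False
        if ok:
            return True
    return False


def can_list(policy, user_name, home_directory, bucket, prefix):
    return is_allowed(policy, user_name, home_directory, "s3:ListBucket",
                      f"arn:aws:s3:::{bucket}", {"s3:prefix": prefix})


def can_get(policy, user_name, home_directory, bucket, key):
    return is_allowed(policy, user_name, home_directory, "s3:GetObject",
                      f"arn:aws:s3:::{bucket}/{key}")


if __name__ == "__main__":
    u, h = "alice", "/my-bucket/alice"       # constructed user and home directory
    for prefix in ["alice/", "alice", "", "bob/"]:
        print(f"ListBucket prefix={prefix!r}: {can_list(SESSION_POLICY, u, h, 'my-bucket', prefix)}")
    for key in ["alice/report.csv", "bob/report.csv", "alice-archive/old.csv"]:
        print(f"GetObject {key}: {can_get(SESSION_POLICY, u, h, 'my-bucket', key)}")
```

Two things the run makes visible. Listing the bucket root (empty prefix) is denied, so only paths under the user's own prefix can be listed, which is the intended scoping. Under the assumed expansion, `arn:aws:s3:::${transfer:HomeDirectory}*` becomes `arn:aws:s3:::my-bucket/alice*`, which also matches a sibling prefix such as `alice-archive/`; if that is not wanted, anchoring the pattern with a slash before the wildcard is tighter. The session policy can only narrow what the user's IAM role already grants; the role's own policy in the question covers the whole bucket, and the effective permission is the intersection of the two.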
1 answer

Hello wmegel@,

Thank you for sharing all the details. Since you observed "Authentication succeeded", it implies that the connection to the server was established and there shouldn't be any issues with the intermediate network. Concerning the error, I suspect it has something to do with the trust relationship of the associated IAM roles. Could you make changes as follows and test the behavior?

For the Logging Role -

{
  "Version": "2012-10-17",
  "Statement": [
      {
      "Effect": "Allow",
      "Principal": {
            "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "<account-id>"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:transfer:<region>:<account-id>:server/*"
        }
      }
      }
    ]
}

For the User Role -

{
  "Version": "2012-10-17",
  "Statement": [
      {
      "Effect": "Allow",
      "Principal": {
            "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "<account-id>"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:transfer:<region>:<account-id>:user/<server-id>/*"
        }
      }
      }
    ]
}

The rest of the setup you specified seems accurate to me. Could you make the above changes and test again to confirm whether you can access S3 as desired?

Regarding your question on logging, CloudTrail shows management-level API calls such as CreateServer and CreateUser. For data-level calls to your server, the CloudWatch log group for your server should show the details. Probably the logs didn't populate due to issues in the trust relationship of the logging role. Once you make the above changes, you should see logs being populated in the CloudWatch log group for your server.

I look forward to your update.

Reference: https://docs.aws.amazon.com/transfer/latest/userguide/confused-deputy.html

Thanks, Sagar

AWS
Expert
Answered 2 years ago
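The answer's fix is to make each role's `aws:SourceArn` condition match the ARN that Transfer Family actually presents when it assumes that role. The following is an added example, not code from the answer, the question or AWS: it evaluates a trust policy of the shape used above against a given `aws:SourceArn` and `aws:SourceAccount`, implementing IAM's `ArnLike` semantics (each of the six colon-separated ARN components is matched separately, and `*`/`?` wildcards do not cross a colon). The account ID `123456789012`, server ID `s-0123456789abcdef0` and user `alice` are constructed; the source ARN shapes follow the patterns in the answer (`server/<server-id>` for the logging role, `user/<server-id>/<user-name>` for the user role) and its linked confused-deputy page.

```python
"""Added example (not from the original post, the answer or AWS): evaluate a
Transfer Family role trust policy against a request context, using IAM
ArnLike / StringEquals semantics.

Constructed values: ACCOUNT, SERVER_ID and the user name "alice".
Assumed source-ARN shapes (from the answer's patterns):
  logging role: arn:aws:transfer:<region>:<account>:server/<server-id>
  user role:    arn:aws:transfer:<region>:<account>:user/<server-id>/<user-name>
"""
import re

ACCOUNT = "123456789012"           # constructed
REGION = "eu-west-1"
SERVER_ID = "s-0123456789abcdef0"  # constructed
SVC = "transfer.amazonaws.com"


def trust_policy(source_arn_pattern, account=ACCOUNT):
    """Build a trust policy in the shape used in the question and the answer."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": SVC},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account},
                "ArnLike": {"aws:SourceArn": source_arn_pattern},
            },
        }],
    }


# The question attached a server/* pattern to the user role.
QUESTION_USER_ROLE = trust_policy(f"arn:aws:transfer:{REGION}:{ACCOUNT}:server/*")
# The answer's patterns for the two roles.
ANSWER_LOGGING_ROLE = trust_policy(f"arn:aws:transfer:{REGION}:{ACCOUNT}:server/*")
ANSWER_USER_ROLE = trust_policy(f"arn:aws:transfer:{REGION}:{ACCOUNT}:user/{SERVER_ID}/*")


def _glob(pattern, value):
    """'*' matches any run of characters, '?' exactly one; everything else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def arn_like(pattern, arn):
    """IAM ArnLike: the six ARN components are compared independently."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(_glob(x, y) for x, y in zip(p, a))


def _as_list(v):
    return v if isinstance(v, list) else [v]


def can_assume(policy, service, source_arn, source_account):
    """True if an Allow statement grants sts:AssumeRole to `service` in this context."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if service not in _as_list(stmt.get("Principal", {}).get("Service", [])):
            continue
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        cond = stmt.get("Condition", {})
        eq = cond.get("StringEquals", {})
        like = cond.get("ArnLike", {})
        if "aws:SourceAccount" in eq and source_account not in _as_list(eq["aws:SourceAccount"]):
            continue
        if "aws:SourceArn" in like and not any(arn_like(p, source_arn)
                                               for p in _as_list(like["aws:SourceArn"])):
            continue
        return True
    return False


def server_arn(server_id=SERVER_ID, region=REGION, account=ACCOUNT):
    return f"arn:aws:transfer:{region}:{account}:server/{server_id}"


def user_arn(user_name, server_id=SERVER_ID, region=REGION, account=ACCOUNT):
    return f"arn:aws:transfer:{region}:{account}:user/{server_id}/{user_name}"


if __name__ == "__main__":
    print("question user role vs user ARN:", can_assume(QUESTION_USER_ROLE, SVC, user_arn("alice"), ACCOUNT))
    print("answer user role vs user ARN  :", can_assume(ANSWER_USER_ROLE, SVC, user_arn("alice"), ACCOUNT))
    print("logging role vs server ARN    :", can_assume(ANSWER_LOGGING_ROLE, SVC, server_arn(), ACCOUNT))
```

Run stand-alone, the first line prints `False` and the other two `True`: a `server/*` pattern never matches a `user/...` source ARN, so the user role in the question cannot be assumed even though the SSH key authentication itself succeeds. The same check also shows that pinning the region and account in the pattern rejects ARNs from another region or account, which is the confused-deputy protection the condition is there for.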
