AWS Transfer for SFTP
source link: https://zoph.me/posts/2019-06-10-aws-transfer-for-sftp/
Info: This is our first post in a series of co-authored articles with @kharec.
Serverless SFTP with AWS Transfer for SFTP
Sometimes, in the web world, we need to quickly deploy a space to share data with programs or with other humans.
One of the numerous solutions is an SFTP space. But you know the drill: create the server, configure the service, partition the users, the permissions, the folders, etc. It gets heavy faster than a speeding bullet!
So Amazon Web Services implemented a service to create an SFTP server and its accounts quickly and easily, backed by an S3 bucket. And the beauty of it: no servers to manage at all!
Today, we present AWS Transfer for SFTP!
Why use SFTP on AWS
For enterprise ETL systems, batch processing and legacy use cases. The main advantages of this managed service are built-in auto-scaling and native high availability without managing a single server, nor its patching, OS maintenance, networking and security.
Automated Deployment
Using AWS CloudFormation
Deploying your server:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: SFTP CloudyMinds
Resources:
  SFTP:
    Type: AWS::Transfer::Server
    Properties:
      EndpointType: PUBLIC
      Tags:
        - Key: Name
          Value: CloudyMinds-SFTP
```
Using Terraform
```hcl
# IAM role that the Transfer service assumes in order to write its logs
resource "aws_iam_role" "foo" {
  name = "tf-test-transfer-server-iam-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# CloudWatch Logs permissions for that role. "logs:*" on "*" is broader than
# the service needs: logs:CreateLogGroup, logs:CreateLogStream,
# logs:DescribeLogStreams and logs:PutLogEvents are enough for Transfer to log.
resource "aws_iam_role_policy" "foo" {
  name = "tf-test-transfer-server-iam-policy"
  role = "${aws_iam_role.foo.id}"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFullAccesstoCloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}

# The SFTP server itself: users managed by the service, logging via the role above
resource "aws_transfer_server" "foo" {
  identity_provider_type = "SERVICE_MANAGED"
  logging_role           = "${aws_iam_role.foo.arn}"

  tags = {
    NAME = "tf-acc-test-transfer-server"
    ENV  = "test"
  }
}
```
Manual deployment (using the console)
- Connect to the AWS Console
- Go to the AWS Transfer for SFTP service
- Create Server
- Basic configuration:
  - Public or private endpoint
  - Customize your endpoint DNS name
  - Identity provider: internal (service-managed) or custom via API Gateway. With the internal provider, the user base is managed by the service itself (these are not IAM users).
Using awscli
You can go from nothing to a fully functional SFTP server, users included, with the formidable awscli. In this article, we assume that you have already installed and configured it. So, first things first, let's create the server.
```console
$ aws transfer create-server
{
    "ServerId": "s-2232098796514635a"
}
```
Once it's created and online, we can get all its information with the following command:
```console
$ aws transfer describe-server --server-id s-2232098796514635a
{
    "Server": {
        "Arn": "arn:aws:transfer:eu-west-1:829937339934:server/s-2232098796514635a",
        "IdentityProviderType": "SERVICE_MANAGED",
        "ServerId": "s-2232098796514635a",
        "State": "ONLINE",
        "Tags": [],
        "UserCount": 0
    }
}
```
We also get an endpoint, which is visible in the console.
Let's try our endpoint:
```console
$ telnet s-2232098796514635a.server.transfer.eu-west-1.amazonaws.com 22
Trying 18.200.52.219...
Connected to s-2232098796514635a.server.transfer.eu-west-1.amazonaws.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.7
```
OK, it’s up.
Now let's create the user that will connect to and use our SFTP server. Note that, for this walkthrough, we created an IAM role with the AmazonS3FullAccess policy attached. To create the user, we provide the ARN of this role.
```console
$ aws transfer create-user --server-id=s-2232098796514635a --user-name=kharec --role arn:aws:iam::829937339934:role/awstransfer
{
    "ServerId": "s-2232098796514635a",
    "UserName": "kharec"
}
```
Now, to access our SFTP server, we have to authenticate with an SSH key, as AWS Transfer doesn't support password authentication. To do that, we import our public key to this server, for this user.
```console
$ aws transfer import-ssh-public-key --server-id=s-2232098796514635a --user-name=kharec --ssh-public-key-body "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCRGvlEWZJJf05P+cdIZqJk0xSvdt5ABaoDDiKVrN4LzXCcI3ayzaLGZOmGozkiT+6CuW+h9RJblmVhl8S/s19Yrynx3YSV9bUBy6LTiinsTI11xQfMVyCOQcjvETpJVF0koy2YVgTtLPTdX1VWqyN2+Q/MtIx/0YXKHzmDRXw3rTSJQOLcgho48JY/Lm8YYpgMVOC7PUISPAmU1CqnG9yZLhFalPuymCnZTbVBhmevN4nHcV3AKOrKY6wq4s/AJyWgX9b2JEghwKpXMdALaPAuWA6B6/d2p2Yd7UMj1T1NLlHr9friLntMrk+kZs9K3i6JwRlGT1WIAEq2nRg79Ws1 kharec@matty"
{
    "ServerId": "s-2232098796514635a",
    "SshPublicKeyId": "key-71188869ef65466c8",
    "UserName": "kharec"
}
```
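Since the imported key is this user's only credential, it is worth checking what you import. The following is an added example (ours, not from the article or from AWS) that parses the OpenSSH public-key line used above with the standard library only, reports the key type, RSA modulus size and SHA256 fingerprint (the same value `ssh-keygen -lf` prints, so it can be compared with what the key's owner reports), and gates the import on a minimum RSA size; the 2048-bit threshold is our own policy assumption, not an AWS requirement.

```python
import base64
import hashlib
import struct

# Public key line exactly as passed to `aws transfer import-ssh-public-key` above;
# the trailing comment ("kharec@matty") is not part of the key material.
ARTICLE_KEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCRGvlEWZJJf05P+cdIZqJk0xSvdt5ABaoDDiKVrN"
    "4LzXCcI3ayzaLGZOmGozkiT+6CuW+h9RJblmVhl8S/s19Yrynx3YSV9bUBy6LTiinsTI11"
    "xQfMVyCOQcjvETpJVF0koy2YVgTtLPTdX1VWqyN2+Q/MtIx/0YXKHzmDRXw3rTSJQOLcgh"
    "o48JY/Lm8YYpgMVOC7PUISPAmU1CqnG9yZLhFalPuymCnZTbVBhmevN4nHcV3AKOrKY6wq"
    "4s/AJyWgX9b2JEghwKpXMdALaPAuWA6B6/d2p2Yd7UMj1T1NLlHr9friLntMrk+kZs9K3i"
    "6JwRlGT1WIAEq2nRg79Ws1 kharec@matty"
)

def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end

def parse_openssh_pubkey(line):
    """Decode '<type> <base64> [comment]' into type, bit length and SHA256 fingerprint."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    inner_type, off = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("type label does not match key blob")
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)  # mpint e (65537 for this key)
        modulus, _ = _read_string(blob, off)      # mpint n, may carry a leading 0x00
        bits = int.from_bytes(modulus, "big").bit_length()
    else:
        material, _ = _read_string(blob, off)     # e.g. the 32-byte ed25519 point
        bits = len(material) * 8
    digest = hashlib.sha256(blob).digest()        # ssh-keygen -lf hashes the raw blob
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint}

def check_key_for_transfer(line, min_rsa_bits=2048):
    """Import gate (our policy): ssh-rsa, as used in the article, of at least min_rsa_bits."""
    try:
        info = parse_openssh_pubkey(line)
    except (ValueError, struct.error) as exc:
        return False, f"unparseable key: {exc}"
    if info["type"] != "ssh-rsa":
        return False, f"unsupported key type {info['type']}"
    if info["bits"] < min_rsa_bits:
        return False, f"RSA key too short: {info['bits']} bits"
    return True, "ok"
```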
Easy! Finally, let's try to connect:
```console
$ sftp kharec@s-2232098796514635a.server.transfer.eu-west-1.amazonaws.com 22
Warning: Permanently added the RSA host key for IP address '108.129.43.116' to the list of known hosts.
Connected to kharec@s-2232098796514635a.server.transfer.eu-west-1.amazonaws.com.
sftp>
```
Pricing
You will be charged for two types of usage on Transfer for SFTP:
- Time your SFTP endpoint is provisioned: $0.30 per hour
- Data transfer (IN and OUT): $0.04 per gigabyte (GB) transferred
As you may already know, on AWS data transfer IN is usually free; this is not the case with this managed service.
Example:
- Full-time SFTP endpoint: $216 monthly
- 10GB uploaded: $12 monthly
- Monthly total: $228
Source: AWS Transfer for SFTP - Pricing. Give the pricing calculator embedded on that page a try.
Challengers
- Any type of instance in any cloud (GCP, Azure, DigitalOcean) with an SFTP server installed on it
- AWS S3 bucket
- Azure Storage blobs
- Google Cloud Storage
Known limitations
No user quota
Be aware that you cannot apply quotas to an SFTP user, so a user can upload as much as they want. It can be a weakness in your bill.
No user chroot
If you have more than one user on your SFTP endpoint, be aware that you cannot restrict your users to a directory as you can with OpenSSH.
No filetype filtering
In AWS Transfer, you cannot apply a policy restricting the types of files sent. It can be a security problem: your users can upload any type of file.
No IP restrictions
You cannot apply a security group or equivalent to restrict your SFTP endpoint by source IP. Even though authentication is key-based, it can be an issue.
Alternatives
If SFTP is not a mandatory protocol for you, you can use cheaper options:
- AWS CLI (aws s3 sync, aws s3 cp, aws s3 presign)
- S3 API backed software (S3 Browser, CloudBerry, Cyberduck, FileZilla Pro, …)
- S3 console with least-privilege rights for your users
We hope you enjoyed this article. If you want to know more, feel free to discuss it with us on social networks or by email!
That’s all folks!
zoph.