AWS Transfer Family

Academic year: 2022


AWS Transfer Family

User Guide


AWS Transfer Family: User Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

What is AWS Transfer Family? ... 1

How AWS Transfer Family works ... 3

Setting up ... 5

Regions, endpoints and quotas ... 5

Sign up for AWS ... 5

Create an Amazon S3 bucket ... 5

Amazon S3 access points ... 6

Create an Amazon EFS file system ... 6

Amazon EFS file ownership ... 7

Set up Amazon EFS users for Transfer Family ... 7

Supported Amazon EFS commands ... 8

Create an IAM role and policy ... 8

Example read/write access policy ... 10

Example session policy ... 12

Getting started tutorial ... 15

Prerequisites ... 15

Sign in to the console ... 15

Create an SFTP-enabled server ... 15

Add a service managed user ... 16

Transfer a file using a client ... 17

Use Cyberduck ... 17

Use OpenSSH ... 18

Creating a server ... 19

Identity providers ... 19

Create an SFTP-enabled server ... 20

Create an FTPS-enabled server ... 26

Create an FTP-enabled server ... 32

Create a server in a VPC ... 38

Create a server endpoint accessible in your VPC only ... 38

Create an internet-facing endpoint ... 40

Change the endpoint type ... 43

Discontinuing the use of VPC_ENDPOINT ... 44

Updating the server endpoint type to VPC ... 45

Working with custom hostnames ... 49

Use Amazon Route 53 as your DNS provider ... 50

Use other DNS providers ... 50

Custom hostnames for non-console created servers ... 51

Working with security policies ... 52

Cryptographic algorithms ... 52

TransferSecurityPolicy-2020-06 ... 54

TransferSecurityPolicy-2018-11 ... 54

TransferSecurityPolicy-FIPS-2020-06 ... 55

Managing users ... 57

Service-managed users ... 57

Adding Amazon S3 service-managed users ... 58

Adding Amazon EFS service-managed users ... 59

Service-managed users ... 60

Directory services users ... 63

Using AWS Directory Service for Microsoft Active Directory ... 63

Using Azure Active Directory ... 68

Custom identity provider users ... 72

Lambda as an identity provider ... 73

Lambda resource-based policy ... 74

Default Lambda function ... 74


Using Amazon API Gateway to integrate your identity provider ... 77

Custom identity provider tutorial ... 84

Step 1: Create a CloudFormation stack ... 85

Step 2: Check the API Gateway method configuration for your server and create it. ... 85

Step 3: Create the Transfer Family server ... 86

Step 4: Test that your user can connect to the server ... 86

Step 5: Test the SFTP connection and file transfer ... 87

Step 6: Limit access to the bucket ... 87

Update Lambda if using Amazon EFS ... 88

Using logical directories ... 90

Rules for using logical directories ... 90

Implementing logical directories and chroot ... 90

Chroot ... 91

Virtual directory structure ... 91

Transferring files using a client ... 93

Use OpenSSH ... 18

Use WinSCP ... 95

Use Cyberduck ... 17

Use FileZilla ... 96

Use a Perl client ... 97

Post upload processing ... 97

S3 object metadata ... 97

S3 event notifications ... 98

Managing workflows ... 99

Create a workflow ... 100

Configure and execute a workflow ... 100

View workflow details ... 101

Use pre-defined steps ... 103

Copy step ... 103

Tag step ... 105

Delete step ... 106

Example tag and move workflow ... 107

Use custom file-processing steps ... 110

Example events sent to AWS Lambda upon file upload ... 111

Example Lambda function for a custom workflow step ... 112

IAM policies for workflows ... 112

Workflows trust relationships ... 113

Example execution role: copy and tag ... 113

Example execution role: custom and delete ... 114

Exception handling for a workflow ... 115

Monitor workflow execution ... 115

CloudWatch logging for a workflow ... 115

CloudWatch metrics for workflows ... 117

Restrictions and limits ... 117

Managing servers ... 119

View a list of servers ... 119

View server details ... 119

Edit server details ... 120

Edit the file transfer protocols ... 122

Edit the server identity provider ... 123

Edit the server endpoint ... 124

Edit Amazon CloudWatch logging ... 124

Edit the security policy ... 125

Change the host key for your SFTP-enabled server ... 125

Put your server online or offline ... 126

Monitor usage within console ... 127

Delete a server ... 128


Managing access controls ... 129

Creating an S3 bucket access policy ... 129

Creating a session policy ... 130

Preventing users from creating a directory in an S3 bucket ... 132

Monitoring usage ... 133

Enabling CloudTrail logging ... 133

Logging S3 API calls to S3 access logs ... 133

Logging activity with CloudWatch ... 133

Examples to limit confused deputy problem ... 134

Using CloudWatch metrics ... 135

Transfer Family dimensions ... 136

Security ... 137

Data protection ... 137

Data encryption ... 138

Key management ... 139

Identity and access management ... 142

Audience ... 142

Authenticating with identities ... 142

Managing access using policies ... 144

How AWS Transfer Family works with IAM ... 146

Identity-based policy examples ... 149

Tag-based policy examples ... 151

Troubleshooting ... 153

Logging and monitoring ... 155

AWS Transfer Family information in CloudTrail ... 155

Understanding AWS Transfer Family log file entries ... 156

Compliance validation ... 157

Resilience ... 157

Infrastructure security ... 157

Web application firewall ... 158

Cross-service confused deputy prevention ... 159

Transfer Family user roles ... 159

Transfer Family workflow roles ... 160

Transfer Family logging roles ... 161

AWS managed policies ... 161

AWSTransferLoggingAccess ... 162

AWSTransferConsoleFullAccess ... 162

AWSTransferFullAccess ... 164

AWSTransferReadOnlyAccess ... 164

Policy updates ... 165

Troubleshooting ... 166

Troubleshoot Amazon EFS service-managed users ... 166

Troubleshoot Amazon API Gateway issues ... 166

Too many authentication failures ... 166

Connection closed ... 167

Troubleshoot policies for encrypted Amazon S3 buckets ... 168

Troubleshoot too many authentication failures ... 168

Troubleshoot workflow-related errors using Amazon CloudWatch ... 169

Troubleshoot workflow copy errors ... 170

Troubleshoot missing POSIX profile ... 170

Troubleshoot testing your identity provider ... 171

Troubleshoot Amazon S3 file upload errors ... 171

Troubleshoot using Ed25519 keys ... 171

API reference ... 173

Welcome ... 173

Actions ... 174

CreateAccess ... 176


CreateServer ... 181

CreateUser ... 189

CreateWorkflow ... 195

DeleteAccess ... 199

DeleteServer ... 201

DeleteSshPublicKey ... 203

DeleteUser ... 206

DeleteWorkflow ... 208

DescribeAccess ... 210

DescribeExecution ... 213

DescribeSecurityPolicy ... 216

DescribeServer ... 218

DescribeUser ... 222

DescribeWorkflow ... 226

ImportSshPublicKey ... 229

ListAccesses ... 233

ListExecutions ... 236

ListSecurityPolicies ... 240

ListServers ... 242

ListTagsForResource ... 245

ListUsers ... 248

ListWorkflows ... 252

SendWorkflowStepState ... 254

StartServer ... 257

StopServer ... 259

TagResource ... 262

TestIdentityProvider ... 265

UntagResource ... 270

UpdateAccess ... 273

UpdateServer ... 278

UpdateUser ... 285

Data Types ... 289

CopyStepDetails ... 291

CustomStepDetails ... 293

DeleteStepDetails ... 295

DescribedAccess ... 296

DescribedExecution ... 299

DescribedSecurityPolicy ... 301

DescribedServer ... 303

DescribedUser ... 308

DescribedWorkflow ... 311

EfsFileLocation ... 313

EndpointDetails ... 314

ExecutionError ... 316

ExecutionResults ... 317

ExecutionStepResult ... 318

FileLocation ... 319

HomeDirectoryMapEntry ... 320

IdentityProviderDetails ... 321

InputFileLocation ... 323

ListedAccess ... 324

ListedExecution ... 326

ListedServer ... 327

ListedUser ... 330

ListedWorkflow ... 332

LoggingConfiguration ... 333

PosixProfile ... 334


ProtocolDetails ... 335

S3FileLocation ... 337

S3InputFileLocation ... 339

S3Tag ... 340

ServiceMetadata ... 341

SshPublicKey ... 342

Tag ... 343

TagStepDetails ... 344

UserDetails ... 345

WorkflowDetail ... 346

WorkflowDetails ... 347

WorkflowStep ... 348

Common Parameters ... 349

Common Errors ... 350

Document history ... 353

AWS glossary ... 357


What is AWS Transfer Family?

AWS Transfer Family is a secure transfer service that enables you to transfer files into and out of AWS storage services.

AWS Transfer Family supports transferring data from or to the following AWS storage services.

• Amazon Simple Storage Service (Amazon S3) storage. For information about Amazon S3, see Getting started with Amazon Simple Storage Service.

• Amazon Elastic File System (Amazon EFS) Network File System (NFS) file system. For information about Amazon EFS, see What Is Amazon Elastic File System?.

AWS Transfer Family supports transferring data over the following protocols:

• Secure Shell (SSH) File Transfer Protocol (SFTP)

• File Transfer Protocol Secure (FTPS)

• File Transfer Protocol (FTP)

Note

For FTP and FTPS data connections, the port range that Transfer Family uses to establish the data channel is 8192–8200.

File transfer protocols are used in data exchange workflows across different industries such as financial services, healthcare, advertising, and retail, among others. Transfer Family simplifies the migration of file transfer workflows to AWS.

Common use cases for Transfer Family with Amazon S3 are the following:

• Data lakes in AWS for uploads from third parties such as vendors and partners.

• Subscription-based data distribution with your customers.

• Internal transfers within your organization.

The following are some common use cases for Transfer Family with Amazon EFS:

• Data distribution

• Supply chain

• Content management

• Web serving applications

With Transfer Family, you get access to a file transfer protocol-enabled server in AWS without the need to run any server infrastructure. You can use this service to migrate your file transfer-based workflows to AWS while maintaining your end users' clients and configurations as is. You first associate your hostname with the server endpoint, then add your users and provision them with the right level of access. After you do this, your users' transfer requests are serviced directly out of your Transfer Family server endpoint.

Transfer Family provides the following benefits:

• A fully managed service that scales in real time to meet your needs.

• You don't need to modify your applications or run any file transfer protocol infrastructure.


• With your data in durable Amazon S3 storage, you can use native AWS services for processing, analytics, reporting, auditing, and archival functions.

• With Amazon EFS as your data store, you get a fully managed elastic file system for use with AWS Cloud services and on-premises resources. Amazon EFS is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files. This helps eliminate the need to provision and manage capacity to accommodate growth.

• A fully managed, serverless File Transfer Workflow service that makes it easy to set up, run, automate, and monitor processing of files uploaded using AWS Transfer Family.

• There are no upfront costs, and you pay only for the use of the service.

In the following sections, you can find a description of the different features of Transfer Family, a getting started tutorial, detailed instructions on how to set up the different protocol enabled servers, how to use different types of identity providers, and the service's API reference.

To get started with Transfer Family, see the following:

• How AWS Transfer Family works (p. 3)

• Setting up (p. 5)

• Tutorial: Getting started with AWS Transfer Family (p. 15)


How AWS Transfer Family works

AWS Transfer Family is a fully managed AWS service that you can use to transfer files into and out of Amazon Simple Storage Service (Amazon S3) storage or Amazon Elastic File System (Amazon EFS) file systems over the following protocols:

• Secure Shell (SSH) File Transfer Protocol (SFTP)

• File Transfer Protocol Secure (FTPS)

• File Transfer Protocol (FTP)

AWS Transfer Family supports up to 3 Availability Zones and is backed by an auto scaling, redundant fleet for your connection and transfer requests. For an example of how to build for higher redundancy and minimize network latency by using latency-based routing, see Minimize network latency with your AWS Transfer for SFTP servers.

Transfer Family Managed File Transfer Workflows (MFTW) is a fully managed, serverless File Transfer Workflow service that makes it easy to set up, run, automate, and monitor processing of files uploaded using AWS Transfer Family. Customers can use MFTW to automate various processing steps such as copying, tagging, scanning, filtering, compressing/decompressing, and encrypting/decrypting the data that is transferred using Transfer Family. This provides end to end visibility for tracking and auditability.

For more details, see AWS Transfer Family Managed workflows (p. 99).

You can get started with AWS Transfer Family by creating a file transfer protocol-enabled server and then assigning users to use the server. To service your AWS Transfer Family users' transfer requests, you create an AWS Identity and Access Management (IAM) role to access your Amazon S3 bucket or Amazon Elastic File System.

To use AWS Transfer Family, you take the following high-level steps:

1. Create an Amazon S3 bucket or Amazon EFS file system.

For information about using Amazon S3, see Create an Amazon S3 bucket (p. 5). For information about using Amazon Elastic File System, see Create an Amazon EFS file system (p. 6).

2. Create an IAM role that contains two IAM policies:

• An IAM policy that includes the permissions to enable AWS Transfer Family to access your Amazon S3 bucket or Amazon EFS file system. This IAM policy determines what level of access you provide your AWS Transfer Family users.

• An IAM policy to establish a trust relationship with AWS Transfer Family.

For more information about creating IAM policies, see Managing access controls (p. 129).

3. (Optional) If you have your own registered domain, associate your registered domain with the server.

You can route file transfer protocol traffic to your server endpoint from a domain, such as example.com, or from a subdomain, such as ftps.accounting.example.com. For more information, see Working with custom hostnames (p. 49).

4. Create a Transfer Family server and specify the identity provider type used by the service to authenticate your users.

For more information about creating Transfer Family servers, see Creating a server (p. 19). For more information about identity provider types, see Working with custom identity providers (p. 72).

5. If you are working with a server with a service-managed identity provider, as opposed to a custom identity provider, add one or more users.


6. Open a file transfer protocol client and configure the connection to use the endpoint hostname for the server that you want to use. You can get this hostname from the AWS Transfer Family console.

AWS Transfer Family supports any standard file transfer protocol client. Some commonly used clients are the following:

• OpenSSH – A Macintosh and Linux command line utility.

• WinSCP – A Windows-only graphical client.

• Cyberduck – A Linux, Macintosh, and Microsoft Windows graphical client.

• FileZilla – A Linux, Macintosh, and Windows graphical client.


Setting up

The following sections describe the prerequisites required to use the AWS Transfer Family service. At a minimum, you need to create an Amazon Simple Storage Service (Amazon S3) bucket and provide access to that bucket through an AWS Identity and Access Management (IAM) role. Your role also needs to establish a trust relationship. This trust relationship allows Transfer Family to assume the IAM role to access your bucket so that it can service your users' file transfer requests.

Topics

• Supported AWS Regions, endpoints and quotas (p. 5)

• Sign up for AWS (p. 5)

• Create an Amazon S3 bucket (p. 5)

• Create an Amazon EFS file system (p. 6)

• Create an IAM role and policy (p. 8)

Supported AWS Regions, endpoints and quotas

For information about supported AWS Regions, endpoints, and service quotas, see AWS Transfer Family endpoints and quotas in the Amazon Web Services General Reference.

Sign up for AWS

When you sign up for Amazon Web Services (AWS), your AWS account is automatically signed up for all services in AWS, including AWS Transfer Family. You are charged only for the services that you use.

If you have an AWS account already, skip to the next task. If you don't have an AWS account, use the following procedure to create one.

To create an AWS account

1. Open https://portal.aws.amazon.com/billing/signup.

2. Follow the online instructions.

Part of the sign-up procedure involves receiving a phone call and entering a verification code using the phone keypad.

For information about pricing and to use AWS Pricing Calculator to get an estimate of the cost to use Transfer Family, see AWS Transfer Family pricing.

For information about AWS Region availability, see the AWS Transfer Family endpoints and quotas in the AWS General Reference.

Create an Amazon S3 bucket

AWS Transfer Family accesses your Amazon S3 bucket to service your users' transfer requests, so you need to provide an Amazon S3 bucket as part of setting up your file transfer protocol-enabled server.

You can use an existing bucket, or you can create a new one.


Note

You don't have to use a server and Amazon S3 bucket that are in the same AWS Region, but we recommend this as a best practice.

When you set up your users, you assign them each an IAM role. This role determines the level of access that they have to your Amazon S3 bucket.

For information on creating a new bucket, see How do I create an S3 bucket? in the Amazon Simple Storage Service User Guide.

Note

You can use Amazon S3 Object Lock to prevent objects from being overwritten for a fixed amount of time or indefinitely. This works the same way with Transfer Family as with other services. If an object exists and is protected, writing to that file or deleting it is not allowed.

For more details on Amazon S3 Object Lock, see Using Amazon S3 Object Lock in the Amazon Simple Storage Service User Guide.

Amazon S3 access points

AWS Transfer Family supports Amazon S3 Access Points, a feature of Amazon S3 that allows you to easily manage granular access to shared data sets. You can use S3 Access Point aliases anywhere you use an S3 bucket name. You can create hundreds of access points in Amazon S3 for users who have different permissions to access shared data in an Amazon S3 bucket.

For example, you can use access points to allow three different teams to have access to the same shared dataset where one team can read data from S3, a second team can write data to S3, and the third team can read, write, and delete data from S3. To implement a granular access control as mentioned above, you can create an S3 access point that contains a policy that gives asymmetrical access to different teams. You can use S3 access points with your Transfer Family server to achieve a fine-grained access control, without creating a complex S3 bucket policy that spans hundreds of use cases. To learn more about how to use S3 access points with a Transfer Family server, refer to the Enhance data access control with AWS Transfer Family and Amazon S3 blog post.

Create an Amazon EFS file system

AWS Transfer Family accesses Amazon Elastic File System (Amazon EFS) to service your users' transfer requests. So you must provide an Amazon EFS file system as part of setting up your file transfer protocol-enabled server. You can use an existing file system, or you can create a new one.

The following sections in the Amazon Elastic File System User Guide provide more information.

• For information about creating a new Amazon EFS file system, see Getting started with Amazon Elastic File System in the Amazon Elastic File System User Guide.

• For prerequisites to use Amazon EFS with Transfer Family, see Prerequisites for using AWS Transfer Family with Amazon EFS.

• To configure your Amazon EFS to work with AWS Transfer Family, see Configuring your Amazon EFS to work with AWS Transfer Family.

• To set file and directory permissions, see Setting file and directory permissions for AWS Transfer Family users.

Note

When you use a Transfer Family server and an Amazon EFS file system, the server and the file system must be in the same AWS Region.


The server and the file system don't need to be in the same account. If the server and file system are not in the same account, the file system policy must give explicit permission to the user role. For information about using Amazon EFS, see Using AWS Transfer Family to access files in your Amazon EFS file system in the Amazon Elastic File System User Guide.

For information about how to set up multiple accounts, see Managing the AWS accounts in your organization in the AWS Organizations User Guide.

When you set up your users, you assign them each an IAM role. This role determines the level of access that they have to your Amazon EFS file system.

Amazon EFS file ownership

Amazon EFS uses the Portable Operating System Interface (POSIX) file permission model to represent file ownership.

When you allow a user to access files stored in an Amazon EFS file system using AWS Transfer Family, you must assign them a "POSIX profile." This profile is used to determine their access to files and directories in the Amazon EFS file system.

In POSIX, users in the system are categorized into three distinct permission classes:

• User (u): Owner of the file or directory. Usually, the creator of a file or directory is also the owner.

• Group (g): Set of users that need identical access to files and directories that they share.

• Others (o): All other users that have access to the system except for the owner and group members. This permission class is also referred to as "Public."

In the POSIX permission model, every file system object (files, directories, symbolic links, named pipes, and sockets) is associated with the previously mentioned three sets of permissions. Amazon EFS objects have a Unix-style mode associated with them. This mode value defines the permissions for performing actions on that object.

Additionally, on Unix-style systems, users and groups are mapped to numeric identifiers, which Amazon EFS uses to represent file ownership. For Amazon EFS, objects are owned by a single owner and a single group. Amazon EFS uses the mapped numeric IDs to check permissions when a user attempts to access a file system object.

Set up Amazon EFS users for Transfer Family

Before you set your Amazon EFS users, you can do either of the following:

• You can create users and set up their home folders in Amazon EFS. See Configure Transfer Family users on Amazon EFS (p. 7) for details.

• If you are comfortable adding a root user, you can Create an Amazon EFS root user (p. 8).

Configure Transfer Family users on Amazon EFS

Transfer Family maps the users to the UID/GID and directories you specify. If the UID/GID/directories do not already exist in EFS, then you should create them before assigning them in Transfer to a user. The details for creating Amazon EFS users are described in Working with users, groups, and permissions at the Network File System (NFS) Level in the Amazon Elastic File System User Guide.

Steps to set up Amazon EFS users in Transfer Family

1. Map the EFS UID and GID for your user in Transfer Family using the PosixProfile fields.


2. If you want the user to start in a specific folder upon login, you can specify the EFS directory under the HomeDirectory field.

You can automate the process by using a CloudWatch rule and Lambda function. For an example Lambda function that interacts with EFS, see Using Amazon EFS for AWS Lambda in your serverless applications.

Create an Amazon EFS root user

If your organization is comfortable with you enabling root user access via SFTP/FTPS for the configuration of your users, you can create a user whose UID and GID are 0 (root user), then use that root user to create folders and assign POSIX ID owners for the rest of the users. The advantage of this option is that there is no need to mount the Amazon EFS file system.

Perform the steps described in Adding Amazon EFS service-managed users (p. 59), and for both the User ID and Group ID, enter 0 (zero).

Supported Amazon EFS commands

The following commands are supported for Amazon EFS for AWS Transfer Family:

• cd

• ls/dir

• pwd

• put

• get

• rename

• chown: Only root (that is, users with uid=0) can change ownership and permissions of files and directories.

• chmod: Only root can change ownership and permissions of files and directories.

• chgrp: Supported either for root or for the file's owner who can only change a file's group to be one of their secondary groups.

• ln -s/symlink

• mkdir

• rm/delete

• rmdir

• chmtime
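The POSIX ownership model described under Amazon EFS file ownership, and the root/owner rules for chown, chmod and chgrp listed above, can be seen in action with a small evaluator. The following Python is an added example and not code from the AWS Transfer Family User Guide: it resolves which permission class applies to a user (from the UID, GID and secondary GIDs of a PosixProfile), reads that class's bits out of the object's mode, and applies the ownership-change rules. All file system objects, profiles and numeric IDs are constructed sample data.

```python
"""POSIX class resolution for Amazon EFS objects, as an added illustration.

Added example; not code from the AWS Transfer Family User Guide. It models how
a Unix-style mode plus the numeric owner UID/GID decide what a Transfer Family
user, identified by the UID, GID and secondary GIDs of their PosixProfile, may
do with a file system object, and applies the chown/chmod/chgrp rules listed
in the guide. All objects and profiles below are constructed sample data.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits inside one rwx triplet


@dataclass(frozen=True)
class FsObject:
    path: str
    owner_uid: int
    owner_gid: int
    mode: int  # permission bits only, e.g. 0o750


@dataclass(frozen=True)
class PosixProfile:
    uid: int
    gid: int
    secondary_gids: tuple = ()


def permission_class(obj: FsObject, user: PosixProfile) -> str:
    """POSIX applies exactly one class, checked in order: user, group, other.
    An owner whose user triplet is empty is denied even if the group triplet
    would have allowed access, because only the first matching class counts."""
    if user.uid == obj.owner_uid:
        return "user"
    if obj.owner_gid == user.gid or obj.owner_gid in user.secondary_gids:
        return "group"
    return "other"


def class_bits(obj: FsObject, cls: str) -> int:
    """The rwx triplet for one class, taken from the 9-bit mode."""
    return (obj.mode >> {"user": 6, "group": 3, "other": 0}[cls]) & 0o7


def allowed(obj: FsObject, user: PosixProfile, wanted: int) -> bool:
    """True when the user's class grants every bit in `wanted`. UID 0 is root
    and bypasses the mode check (with Transfer Family the role must then also
    hold elasticfilesystem:ClientRootAccess)."""
    if user.uid == 0:
        return True
    return (class_bits(obj, permission_class(obj, user)) & wanted) == wanted


def describe(obj: FsObject, user: PosixProfile) -> dict:
    """Which class applied and the resulting read/write/execute flags."""
    cls = permission_class(obj, user)
    bits = class_bits(obj, cls)
    return {"class": cls, "read": bool(bits & R), "write": bool(bits & W), "exec": bool(bits & X)}


def can_chown_or_chmod(user: PosixProfile) -> bool:
    """Only root (uid 0) may change ownership or permission bits."""
    return user.uid == 0


def can_chgrp(obj: FsObject, user: PosixProfile, new_gid: int) -> bool:
    """Root may set any group; the owner may only move the file into one of
    their own secondary groups, following the guide's wording."""
    if user.uid == 0:
        return True
    return user.uid == obj.owner_uid and new_gid in user.secondary_gids


# Constructed sample objects and Transfer Family users.
HOME_ALICE = FsObject("/home/alice", owner_uid=1001, owner_gid=2000, mode=0o750)
SHARED_REPORT = FsObject("/shared/report.csv", owner_uid=1002, owner_gid=2000, mode=0o640)
ALICE = PosixProfile(uid=1001, gid=2000, secondary_gids=(5000,))
BOB = PosixProfile(uid=1002, gid=3000, secondary_gids=(2000,))
CAROL = PosixProfile(uid=1003, gid=4000)
ROOT = PosixProfile(uid=0, gid=0)

if __name__ == "__main__":
    for name, user in [("alice", ALICE), ("bob", BOB), ("carol", CAROL), ("root", ROOT)]:
        print(f"{name:6s} {HOME_ALICE.path}: {describe(HOME_ALICE, user)} "
              f"chmod={can_chown_or_chmod(user)} chgrp->5000={can_chgrp(HOME_ALICE, user, 5000)}")
```

The point worth keeping in mind when assigning PosixProfile values: membership in the owning group (primary or secondary) gives a user the group triplet, and nothing else; a user who is the owner is judged by the user triplet alone, so a home directory whose mode leaves the owner's bits empty locks out the very user it was created for.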

Create an IAM role and policy

When you create a user, you make a number of decisions about user access. These decisions include which Amazon S3 buckets or Amazon EFS file systems that the user can access, what portions of each Amazon S3 bucket and which files in the file system are accessible, and what permissions the user has (for example, PUT or GET).

To set access, you create an identity-based AWS Identity and Access Management (IAM) policy and role that provide that access information. As part of this process, you provide access for your user to the Amazon S3 bucket or Amazon EFS file system that is the target or source for file operations. To do this, take the following high-level steps, described in detail later:


1. Create an IAM policy for AWS Transfer Family.

2. Create an IAM role and attach the new IAM policy. See the following example policies:

• Example read/write access policy (p. 10)

• Example session policy (p. 12)

For information about session policies, see Session policies in the IAM User Guide.

3. Establish a trust relationship between AWS Transfer Family and the IAM role.

The following procedures describe how to create an IAM policy and role.

To create an IAM policy for AWS Transfer Family

1. Open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane, choose Policies, and then choose Create policy.

On the Create policy page, select Choose a service.

3. Choose Transfer from the list of services.

4. On the Create Policy page, choose the JSON tab.

5. In the editor that appears, replace the contents of the editor with the IAM policy that you want to attach to the IAM role.

You can grant read/write access or restrict users to their home directory. For more information, see the following examples:

• Example read/write access policy (p. 10)

• Example session policy (p. 12)

6. Choose Review policy and provide a name and description for your policy, and then choose Create policy.

Next, you create an IAM role and attach the new IAM policy to it.

To create an IAM role for AWS Transfer Family

1. In the navigation pane, choose Roles, and then choose Create role.

On the Create role page, make sure that AWS service is chosen.

2. Choose Transfer from the service list, and then choose Next: Permissions. This establishes a trust relationship between AWS Transfer Family and AWS.

3. In the Attach permissions policies section, locate and choose the policy that you just created, and choose Next: Tags.

4. (Optional) Enter a key and value for a tag, and choose Next: Review.

5. On the Review page, enter a name and description for your new role, and then choose Create role.

Next, you establish a trust relationship between AWS Transfer Family and AWS.

To establish a trust relationship

1. In the IAM console, choose the role that you just created.

2. On the Summary page, choose Trust relationships, and then choose Edit trust relationship.

3. In the Edit Trust Relationship editor, make sure that the service is "transfer.amazonaws.com". The access policy is shown following.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

We recommend that you use the aws:SourceAccount and aws:SourceArn condition keys to protect yourself against the confused deputy problem. The source account is the owner of the server and the source ARN is the ARN of the server. For example:

"Condition": {
  "StringEquals": {
    "aws:SourceAccount": "account_id"
  },
  "ArnLike": {
    "aws:SourceArn": "arn:aws:transfer:region:account_id:server/*"
  }
}

You can also use the ArnEquals condition if you are looking to restrict to a particular server instead of any server in the user account. For example:

"Condition": {
  "ArnEquals": {
    "aws:SourceArn": "arn:aws:transfer:region:account-id:server/server-id"
  }
}

For details on the confused deputy problem and more examples, see Cross-service confused deputy prevention (p. 159).

4. Choose Update Trust Policy to update the access policy.
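To see what the aws:SourceAccount and aws:SourceArn conditions actually change, the following Python is an added example (not code from the AWS Transfer Family User Guide). It builds the trust policy above with the recommended conditions and evaluates constructed AssumeRole request contexts against it, so the difference between the unconditioned policy, the ArnLike any-server form and the ArnEquals single-server form is visible. The account ID, Region and server IDs are placeholders, and the evaluator models only the operators the policy uses (StringEquals, ArnLike, ArnEquals).

```python
"""Confused-deputy conditions on the Transfer Family trust policy, evaluated.

Added example; not code from the AWS Transfer Family User Guide. It builds the
trust policy from the guide (sts:AssumeRole for transfer.amazonaws.com) with
the aws:SourceAccount / aws:SourceArn conditions the guide recommends, then
checks which constructed AssumeRole contexts the conditions admit. Account ID,
Region and server IDs are placeholders.
"""
import json
import re

ACCOUNT_ID = "111122223333"        # placeholder account ID
REGION = "us-east-1"               # placeholder Region
MY_SERVER = "s-0123456789abcdef0"  # constructed server ID


def trust_policy(account_id: str, source_arn: str, arn_operator: str = "ArnLike") -> dict:
    """Trust policy that lets only Transfer Family servers matching source_arn
    in account_id assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "transfer.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                arn_operator: {"aws:SourceArn": source_arn},
            },
        }],
    }


def arn_match(pattern: str, value: str) -> bool:
    """IAM ARN matching: '*' matches any run of characters and '?' one
    character. IAM matches ArnLike and ArnEquals the same way, so a pattern
    without wildcards pins the policy to exactly one server ARN."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def conditions_hold(statement: dict, context: dict) -> bool:
    """Every key in every condition block must be present and match; a request
    whose context lacks the key fails the condition and is denied."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual == expected
            elif operator in ("ArnLike", "ArnEquals"):
                ok = arn_match(expected, actual)
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if not ok:
                return False
    return True


def assume_role_allowed(policy: dict, context: dict) -> bool:
    """True if some Allow statement grants sts:AssumeRole to the calling
    service principal under the given request context."""
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        if (stmt["Effect"] == "Allow"
                and stmt["Principal"].get("Service") == context.get("principal")
                and "sts:AssumeRole" in actions
                and conditions_hold(stmt, context)):
            return True
    return False


def server_arn(account_id: str, server_id: str) -> str:
    return f"arn:aws:transfer:{REGION}:{account_id}:server/{server_id}"


# Constructed request contexts as Transfer Family would present them when
# assuming the role on behalf of a server.
OWN_SERVER = {"principal": "transfer.amazonaws.com",
              "aws:SourceAccount": ACCOUNT_ID,
              "aws:SourceArn": server_arn(ACCOUNT_ID, MY_SERVER)}
OTHER_SERVER_SAME_ACCOUNT = dict(OWN_SERVER, **{"aws:SourceArn": server_arn(ACCOUNT_ID, "s-fedcba9876543210f")})
FOREIGN_ACCOUNT = {"principal": "transfer.amazonaws.com",
                   "aws:SourceAccount": "999999999999",
                   "aws:SourceArn": server_arn("999999999999", "s-0000000000000000a")}
NO_SOURCE = {"principal": "transfer.amazonaws.com"}

ANY_SERVER_POLICY = trust_policy(ACCOUNT_ID, server_arn(ACCOUNT_ID, "*"))
ONE_SERVER_POLICY = trust_policy(ACCOUNT_ID, server_arn(ACCOUNT_ID, MY_SERVER), "ArnEquals")
UNCONDITIONED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "transfer.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(json.dumps(ANY_SERVER_POLICY, indent=2))
    for name, ctx in [("own server", OWN_SERVER), ("other server, same account", OTHER_SERVER_SAME_ACCOUNT),
                      ("server in another account", FOREIGN_ACCOUNT), ("no source context", NO_SOURCE)]:
        print(f"{name:28s} any-server: {assume_role_allowed(ANY_SERVER_POLICY, ctx)!s:5s} "
              f"one-server: {assume_role_allowed(ONE_SERVER_POLICY, ctx)!s:5s} "
              f"unconditioned: {assume_role_allowed(UNCONDITIONED_POLICY, ctx)}")
```

Running it shows the unconditioned policy admitting a server that belongs to another account, which is the confused-deputy exposure the condition keys close; the ArnEquals variant additionally rejects a second server in your own account, which is the right choice when the role is meant for exactly one server.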

You have now created an IAM role that allows AWS Transfer Family to call AWS services on your behalf.

You attached to the role the IAM policy that you created to give access to your user. In the Tutorial: Getting started with AWS Transfer Family (p. 15) section, this role and policy are assigned to your user or users.

Optionally, you can create a session policy that limits users' access to their home directories only, as described earlier in this topic. For more information about session policies, see Example session policy (p. 12).

For more general information about IAM roles, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

To learn more about identity-based policies for Amazon S3 resources, see Identity and access management in Amazon S3 in the Amazon Simple Storage Service User Guide.

Example read/write access policy

Grant read/write access to Amazon S3 bucket


The following example policy for AWS Transfer Family grants read/write access to objects in your Amazon S3 bucket.

Note

In the following example, replace bucket_name with the name of your S3 bucket.

Also, note that the GetObjectACL and PutObjectACL statements are only required if you are doing cross-account access, that is, when your Transfer Family server needs to access a bucket in a different account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket_name"
      ]
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion",
        "s3:GetObjectACL",
        "s3:PutObjectACL"
      ],
      "Resource": "arn:aws:s3:::bucket_name/*"
    }
  ]
}

Grant file system access to files in Amazon EFS file system

Note

In addition to the policy, you must also make sure your POSIX file permissions are granting the appropriate access. For more information, see Working with users, groups, and permissions at the Network File System (NFS) Level in the Amazon Elastic File System User Guide.

The following example policy grants root file system access to files in your Amazon EFS file system.

Note

In the following examples, replace region-id with your region, account-id with the account the file is in, and file-system-id with the ID of your Amazon Elastic File System (Amazon EFS).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RootFileSystemAccess",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:ClientRootAccess",
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:region-id:account-id:file-system/file-system-id"
        }
    ]
}

The following example policy grants user file system access to files in your Amazon EFS file system.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UserFileSystemAccess",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:ClientMount",
                "elasticfilesystem:ClientWrite"
            ],
            "Resource": "arn:aws:elasticfilesystem:region-id:account-id:file-system/file-system-id"
        }
    ]
}

Example session policy

When an administrator creates a role, the role often includes broad permissions to cover multiple use cases or team members. If an administrator configures a console URL, they can reduce permissions for the resulting session by using a session policy. For example, if you create a role with read/write access (p. 10), you can set up a URL that limits users’ access to only their home directories.

Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or user. Session policies are useful for locking down users so that they have access only to portions of your bucket where object prefixes contain their username. The session policy's permissions are the intersection of the session policies and the resource-based policies plus the intersection of the session policies and identity-based policies.


For more details, see Session policies in the IAM User Guide.

In AWS Transfer Family, a session policy is supported only when you are transferring to or from Amazon S3.

Note

The maximum length of a session policy is 2048 characters. For more details, see the Policy request parameter for the CreateUser action in the API reference.

The following example policy is a session policy that limits users' access to their home directories only.

Note

If your Amazon S3 bucket is encrypted using AWS Key Management Service (AWS KMS), you must specify additional permissions in your policy. For details, see Data encryption (p. 138).

Additionally, you can see more information about session policies in the IAM User Guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:HomeFolder}/*",
                        "${transfer:HomeFolder}"
                    ]
                }
            }
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersion",
                "s3:GetObjectACL",
                "s3:PutObjectACL"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}

Note

In the policy above, it is assumed that users have their home directories set to include a trailing slash, to signify that it is a directory. If, on the other hand, you set a user's HomeDirectory without the trailing slash, then you should include it as part of your policy.

In the previous example policy, note the use of the transfer:HomeFolder, transfer:HomeBucket, and transfer:HomeDirectory policy parameters. These parameters are set for the HomeDirectory that is configured for the user, as described in HomeDirectory and Implementing your API Gateway method (p. 80). These parameters have the following definitions:

• The transfer:HomeBucket parameter is replaced with the first component of HomeDirectory.

• The transfer:HomeFolder parameter is replaced with the remaining portions of the HomeDirectory parameter.

• The transfer:HomeDirectory parameter has the leading forward slash (/) removed so that it can be used as part of an S3 Amazon Resource Name (ARN) in a Resource statement.

Note

If you are using Logical directories—that is, the user's homeDirectoryType is LOGICAL—these policy parameters (HomeBucket, HomeDirectory, and HomeFolder) are not supported.

For example, assume that the HomeDirectory parameter that is configured for the Transfer Family user is /home/bob/amazon/stuff/.

• transfer:HomeBucket is set to /home.

• transfer:HomeFolder is set to /bob/amazon/stuff/.

• transfer:HomeDirectory becomes home/bob/amazon/stuff/.

The first "Sid" allows the user to list all directories starting from /home/bob/amazon/stuff/.

The second "Sid" limits the user's put and get access to that same path, /home/bob/amazon/stuff/.
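The variable substitution and the trailing-slash caveat described above, worked through as an added example (not code from the AWS guide or the Transfer Family service): it derives transfer:HomeBucket, transfer:HomeFolder and transfer:HomeDirectory from a HomeDirectory exactly as defined above, previews the resulting session policy against the 2048-character limit, and checks which object keys the HomeDirObjectAccess statement would cover. The wildcard matcher is a simplified stand-in for IAM's matching (assumption: only '*' is special) and the sample paths are constructed.

```python
"""Preview the session policy from this guide for a given HomeDirectory and
check which object keys its HomeDirObjectAccess statement would cover.

Added example, not from the AWS guide or the Transfer Family service. Standard
library only. The policy template and the three variable definitions are the
ones given in the guide; the matching is a simplified simulation of IAM
wildcard matching (assumption: only '*' is treated as a wildcard)."""
import json
import re

# Limit stated in the guide for the Policy parameter of CreateUser.
SESSION_POLICY_MAX_LEN = 2048

# The session policy from the guide, with the ${transfer:...} placeholders intact.
SESSION_POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {"StringLike": {"s3:prefix": [
                "${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}},
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                       "s3:DeleteObjectVersion", "s3:GetObjectVersion",
                       "s3:GetObjectACL", "s3:PutObjectACL"],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
        },
    ],
}


def transfer_variables(home_directory):
    """Derive the three policy variables as the guide defines them:
    HomeBucket is the first path component, HomeFolder the remainder, and
    HomeDirectory the full path with the leading '/' removed."""
    if not home_directory.startswith("/"):
        raise ValueError("HomeDirectory must be an absolute path")
    without_slash = home_directory[1:]                # home/bob/amazon/stuff/
    bucket, _, folder = without_slash.partition("/")  # home, bob/amazon/stuff/
    return {
        "transfer:HomeBucket": "/" + bucket,          # /home
        "transfer:HomeFolder": "/" + folder,          # /bob/amazon/stuff/
        "transfer:HomeDirectory": without_slash,      # home/bob/amazon/stuff/
    }


def effective_session_policy(home_directory):
    """Return the policy JSON with this user's variables substituted, the way
    the guide walks through it for /home/bob/amazon/stuff/, and enforce the
    2048-character limit that applies to the CreateUser Policy parameter."""
    text = json.dumps(SESSION_POLICY_TEMPLATE, separators=(",", ":"))
    for name, value in transfer_variables(home_directory).items():
        text = text.replace("${" + name + "}", value)
    if len(text) > SESSION_POLICY_MAX_LEN:
        raise ValueError("session policy exceeds %d characters" % SESSION_POLICY_MAX_LEN)
    return text


def iam_wildcard_match(pattern, value):
    """Simplified IAM resource matching: '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def object_access_allowed(home_directory, bucket, key, resource_suffix="*"):
    """Would the HomeDirObjectAccess statement cover s3://bucket/key?
    resource_suffix is the text after ${transfer:HomeDirectory} in Resource;
    the guide's policy uses '*', which assumes HomeDirectory ends in '/'."""
    home = transfer_variables(home_directory)["transfer:HomeDirectory"]
    pattern = "arn:aws:s3:::" + home + resource_suffix
    return iam_wildcard_match(pattern, "arn:aws:s3:::%s/%s" % (bucket, key))


if __name__ == "__main__":
    # Constructed sample values following the guide's worked example.
    print(transfer_variables("/home/bob/amazon/stuff/"))
    print(effective_session_policy("/home/bob/amazon/stuff/"))
    # Trailing-slash caveat from the guide: without it, 'bob' also covers 'bobby'.
    print(object_access_allowed("/home/bob", "home", "bobby/notes.txt"))        # True
    print(object_access_allowed("/home/bob", "home", "bobby/notes.txt", "/*"))  # False
```

Passing "/*" as resource_suffix is the "include the trailing slash as part of your policy" fix from the note above; the preview is for review only, since Transfer Family substitutes the variables itself at session time.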


Tutorial: Getting started with AWS Transfer Family

Use this tutorial to get started with AWS Transfer Family (Transfer Family). You'll learn how to create an SFTP-enabled server with a publicly accessible endpoint using Amazon S3 storage, add a user with service-managed authentication, and transfer a file with Cyberduck.

Contents

• Prerequisites (p. 15)

• Step 1: Sign in to the AWS Transfer Family console (p. 15)

• Step 2: Create an SFTP-enabled server (p. 15)

• Step 3: Add a service managed user (p. 16)

• Step 4: Transfer a file using a client (p. 17)

Prerequisites

Before you begin, be sure to complete the requirements in Setting up (p. 5). As part of this setup, you create an Amazon Simple Storage Service (Amazon S3) bucket and an AWS Identity and Access Management (IAM) user role.

Note

The role you create needs the permissions defined in the AmazonS3FullAccess, AWSTransferConsoleFullAccess, and IAMFullAccess policies.

AmazonS3FullAccess grants permissions to set up and use an Amazon S3 bucket.

AWSTransferConsoleFullAccess grants permissions for your SFTP user to create Transfer Family resources.

IAMFullAccess grants permissions to create the roles and policies you need.

Step 1: Sign in to the AWS Transfer Family console

To sign in to Transfer Family

1. Sign in to the AWS Management Console and open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

2. For Account ID or alias, enter your account ID or alias.

3. For IAM user name, enter the name of the user role that you created for Transfer Family.

4. For Password, enter your AWS account password.

5. Choose Sign in.

Step 2: Create an SFTP-enabled server

Secure Shell (SSH) File Transfer Protocol (SFTP) is a network protocol used for secure transfer of data over the internet. The protocol supports the full security and authentication functionality of SSH. It is widely used to exchange data, including sensitive information, between business partners in a variety of industries such as financial services, healthcare, retail, and advertising.

To create an SFTP-enabled server

1. Select Servers from the navigation pane, and then choose Create server.

2. In Choose protocols, select SFTP, and then choose Next.

3. In Choose an identity provider, choose Service managed to store user identities and keys in Transfer Family, and then choose Next.

4. In Choose an endpoint, do the following:

a. For Endpoint type, choose the Publicly accessible endpoint type.

b. For Custom hostname, choose None.

c. Choose Next.

5. In Choose a domain, choose Amazon S3.

6. In Configure additional details, do the following:

a. For CloudWatch logging, choose Create a new role to allow Transfer Family to automatically create the IAM role, as long as you have the right permissions to create a new role. The IAM role that is created is called AWSTransferLoggingAccess.

b. For Cryptographic algorithm options, choose a security policy that contains the cryptographic algorithms enabled for use by your server. The default security policy is TransferSecurityPolicy-2020-06.

c. Choose Next.

7. In Review and create, choose Create server. You are taken to the Servers page.

It can take a couple of minutes before the status for your new server changes to Online. At that point, your server can perform file operations, but you'll need to create a user first.

Step 3: Add a service managed user

To add a user to the SFTP-enabled server

1. On the Servers page, select the check box of the server that you want to add a user to.

2. Choose Add user.

3. In the User configuration section, for Username, enter the user name. This user name must be a minimum of 3 and a maximum of 100 characters. You can use the following characters in the user name: a-z, A-Z, 0-9, underscore '_', hyphen '-', period '.', and at sign '@'. The user name can't start with a hyphen, period, or at sign.

4. For Access, choose the IAM role that you previously created that provides access to your Amazon S3 bucket.

You created this IAM role using the procedure in Create an IAM role and policy (p. 8). That IAM role includes an IAM policy that provides access to your Amazon S3 bucket. It also includes a trust relationship with the AWS Transfer Family service, defined in another IAM policy.

Note

The IAM role for the service managed user must contain the permissions to access the desired bucket. Permissions to access the desired bucket are covered within S3FullAccess, which grants administrator-level permissions to S3 resources.

5. For Policy, choose None.


6. For Home directory, choose the Amazon S3 bucket to store the data to transfer using AWS Transfer Family. Enter the path to the home directory where your user lands when they log in using their client.

If you leave this parameter blank, the root directory of your Amazon S3 bucket is used. In this case, make sure that your IAM role provides access to this root directory.

Note

We recommend that you choose a directory path that contains the user name of the user, which enables you to effectively use a session policy. The session policy limits user access in the Amazon S3 bucket to that user's home directory.

7. For Restricted, select the check box so that your users can't access anything outside of that folder and can't see the Amazon S3 bucket or folder name.

Note

When you assign the user a home directory and restrict the user to that home directory, this is sufficient to lock down the user's access to the designated folder. Use a session policy when you need to apply further controls.

8. For SSH public key, enter the public SSH key portion of the SSH key pair.

Your key is validated by the service before you can add your new user.

Important

The format of the SSH public key is ssh-rsa <string>. For instructions on how to generate an SSH key pair, see Generate SSH keys (p. 139).

9. (Optional) For Key and Value, enter one or more tags as key-value pairs, and choose Add tag.

10. Choose Add to add your new user to the server that you chose.

The new user appears in the Users section of the Server details page.

Step 4: Transfer a file using a client

You transfer files over the AWS Transfer Family service by specifying the transfer operation in a client.

AWS Transfer Family supports several clients. For details, see Transferring files using a client (p. 93). This section contains procedures for using Cyberduck and OpenSSH.

Topics

• Use Cyberduck (p. 17)

• Use OpenSSH (p. 18)

Use Cyberduck

To transfer files over AWS Transfer Family using Cyberduck

1. Open the Cyberduck client.

2. Choose Open Connection.

3. In the Open Connection dialog box, choose SFTP (SSH File Transfer Protocol).

4. For Server, enter your server endpoint. The server endpoint is shown on the Server details page; see View server details (p. 119).

5. For Port number, enter 22 for SFTP.

6. For Username, enter the name for the user that you created in Managing users (p. 57).

7. For SSH Private Key, choose or enter the SSH private key.


8. Choose Connect.

9. Perform your file transfer.

Depending on where your files are, do one of the following:

• In your local directory (the source), choose the files that you want to transfer, and drag and drop them into the Amazon S3 directory (the target).

• In the Amazon S3 directory (the source), choose the files that you want to transfer, and drag and drop them into your local directory (the target).

Use OpenSSH

Use the instructions that follow to transfer files from the command line using OpenSSH.

Note

This client works only with an SFTP-enabled server.

To transfer files over AWS Transfer Family using the OpenSSH command line utility

1. On Linux or macOS, open a command terminal.

2. At the prompt, enter the following command:

% sftp -i transfer-key sftp_user@service_endpoint

In the preceding command, sftp_user is the user name and transfer-key is the SSH private key.

Here, service_endpoint is the server's endpoint as shown in the AWS Transfer Family console for the selected server.

An sftp prompt should appear.

3. (Optional) To view the user's home directory, enter the following command at the sftp prompt:

sftp> pwd

4. On the next line, enter the following text:

sftp> cd /mybucket/home/sftp_user

In this getting-started exercise, this Amazon S3 bucket is the target of the file transfer.

5. On the next line, enter the following command:

sftp> put filename.txt

The put command transfers the file into the Amazon S3 bucket.

A message like the following appears, indicating that the file transfer is in progress or complete.

Uploading filename.txt to /my-bucket/home/sftp_user/filename.txt
some-file.txt 100% 127 0.1KB/s 00:00


Creating a server

The following sections describe how to create a file transfer protocol-enabled server using the AWS Transfer Family service. The following protocols are available:

• Secure Shell (SSH) File Transfer Protocol (SFTP) – file transfer over SSH

• File Transfer Protocol Secure (FTPS) – file transfer with TLS encryption

• File Transfer Protocol (FTP) – unencrypted file transfer

You can create a server with multiple protocols.

Note

If you have multiple protocols enabled for the same server endpoint and want to provide access using the same user name over multiple protocols, you can do so as long as the credentials specific to the protocol have been set up in your identity provider. For FTP, we recommend maintaining separate credentials from SFTP and FTPS. This is because, unlike SFTP and FTPS, FTP transmits credentials in clear text. By isolating FTP credentials from SFTP or FTPS, if FTP credentials are shared or exposed, your workloads using SFTP or FTPS remain secure.

When you create a server, you choose a specific AWS Region to perform the file operation requests of users who are assigned to that server. Along with assigning the server one or more protocols, you also assign one of the following identity provider types:

• Service managed using SSH keys. For details, see Working with service-managed users (p. 57).

• AWS Managed Microsoft AD. This method allows you to integrate your Microsoft Active Directory groups to provide access to your Transfer Family servers. For details, see Using the AWS Directory Service identity provider (p. 63).

• A custom method. The custom identity provider method uses AWS Lambda or Amazon API Gateway and enables you to integrate your directory service to authenticate and authorize your users. The service automatically assigns an identifier that uniquely identifies your server. For details, see Working with custom identity providers (p. 72).

You also assign the server an endpoint type (publicly accessible or VPC hosted) and a hostname using the default server endpoint, or a custom hostname using the Amazon Route 53 service or by using a Domain Name System (DNS) service of your choice. A server hostname must be unique in the AWS Region where it's created.

Additionally, you can assign an Amazon CloudWatch logging role to push events to your CloudWatch Logs, choose a security policy that contains the cryptographic algorithms enabled for use by your server, and add metadata to the server in the form of tags that are key-value pairs.

Important

You incur costs for instantiated servers and for data transfer. For information about pricing and to use AWS Pricing Calculator to get an estimate of the cost to use Transfer Family, see AWS Transfer Family pricing.

Identity provider options

AWS Transfer Family provides several methods for authenticating and managing users. The following table compares the available identity providers you can use with Transfer Family.


| Action | AWS Transfer Family service managed | AWS Directory Service for Microsoft Active Directory | Amazon API Gateway | Lambda |
|---|---|---|---|---|
| Logical home directory | Yes | Yes | Yes | Yes |
| IAM and POSIX | Yes | Yes | Yes | Yes |
| Ad hoc access structure | Yes | No | Yes | Yes |
| Password authentication | No | Yes | Yes | Yes |
| Key-based authentication | Yes | No | Yes | Yes |
| AWS Web Application Firewall | No | No | Yes | No |

Notes:

• IAM is used to control access for Amazon S3 backing storage, and POSIX is used for Amazon EFS.

• Ad hoc refers to the ability to send the user profile at run time. For example, you can land users in their home directories by passing the username as a variable.

• For details on AWS WAF, see Add a web application firewall (p. 158).

In the following procedures, you can create an SFTP-enabled server, FTPS-enabled server, or FTP-enabled server.

Next step

• Create an SFTP-enabled server (p. 20)

• Create an FTPS-enabled server (p. 26)

• Create an FTP-enabled server (p. 32)

Create an SFTP-enabled server

Secure Shell (SSH) File Transfer Protocol (SFTP) is a network protocol used for secure transfer of data over the internet. The protocol supports the full security and authentication functionality of SSH. It is widely used to exchange data, including sensitive information between business partners in a variety of industries such as financial services, healthcare, retail, and advertising.

Note

SFTP servers for Transfer Family operate over port 22.

To create an SFTP-enabled server

1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/ and select Servers from the navigation pane, then choose Create server.

2. In Choose protocols, select SFTP, and then choose Next.


3. In Choose an identity provider, choose the identity provider that you want to use to manage user access. You have the following options:

Service managed: you store user identities and keys in AWS Transfer Family.

AWS Directory Service for Microsoft Active Directory: you provide an AWS Directory Service directory to access the endpoint. By doing so, you can use credentials stored in your Active Directory to authenticate your users. To learn more about working with AWS Managed Microsoft AD identity providers, see Using the AWS Directory Service identity provider (p. 63).

Note

Cross-Account and Shared directories are not supported for AWS Managed Microsoft AD.


Custom: choose either of the following options:

AWS Lambda to integrate your identity provider: use your existing identity providers, backed by a Lambda function. You provide the name of the Lambda function. For more details, see Using AWS Lambda to integrate your identity provider (p. 73).

Amazon API Gateway method backed by a Lambda function: create an API Gateway for use as an identity provider. You provide an Amazon API Gateway URL and an invocation role. For more details, see Using Amazon API Gateway to integrate your identity provider (p. 77).

4. Choose Next.

5. In Choose an endpoint, do the following:

a. For Endpoint type, choose the Publicly accessible endpoint type. For a VPC hosted endpoint, see Create a server in a virtual private cloud (p. 38).

b. (Optional) For Custom hostname, choose None.

You get a server hostname provided by AWS Transfer Family. The server hostname takes the form serverId.server.transfer.regionId.amazonaws.com.


For a custom hostname, you specify a custom alias for your server endpoint. To learn more about working with custom hostnames, see Working with custom hostnames (p. 49).

c. (Optional) For FIPS Enabled, select the FIPS Enabled endpoint check box to ensure that the endpoint complies with Federal Information Processing Standards (FIPS).

Note

FIPS-enabled endpoints are only available in North American AWS Regions. For available Regions, see AWS Transfer Family endpoints and quotas in the AWS General Reference. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.

d. Choose Next.

6. On the Choose domain page, choose the AWS storage service that you want to use to store and access your data over the selected protocol:

• Choose Amazon S3 to store and access your files as objects over the selected protocol.

• Choose Amazon EFS to store and access your files in your Amazon EFS file system over the selected protocol.

Choose Next.

7. In Configure additional details, do the following:

a. For CloudWatch logging, choose one of the following to enable Amazon CloudWatch logging of your user activity:

Create a new role to allow Transfer Family to create the IAM role automatically, as long as you have the right permissions to create a new role. The IAM role that is created is called AWSTransferLoggingAccess.

Choose an existing role to choose an existing IAM role from your account. Under Logging role, choose the role. This IAM role should include a trust policy with Service set to transfer.amazonaws.com.

For more information about CloudWatch logging, see Log activity with CloudWatch (p. 133).


Note

• You can't view end-user activity in CloudWatch if you don't specify a logging role.

• If you don't want to set up a CloudWatch logging role, choose Choose an existing role, but don't select a logging role.

b. For Cryptographic algorithm options, choose a security policy that contains the cryptographic algorithms enabled for use by your server.

Note

By default:

• If FIPS Enabled endpoint is not selected, the TransferSecurityPolicy-2020-06 security policy is attached to your server.

• If FIPS Enabled endpoint is selected, the TransferSecurityPolicy-FIPS-2020-06 security policy is attached to your server.

For more information about security policies, see Working with security policies (p. 52).

c. (Optional) For Server Host Key, enter an RSA private key that will be used to identify your server when clients connect to it over SFTP.

Note

This section is only for migrating users from an existing SFTP-enabled server.


d. (Optional) For Tags, for Key and Value, enter one or more tags as key-value pairs, and then choose Add tag.

e. Choose Next.

f. (Optional) For Managed workflows, select a workflow ID and a corresponding role that Transfer Family should assume when executing the workflow. To learn more about processing your files using managed workflows, see AWS Transfer Family Managed workflows (p. 99).

g. (Optional) You can configure AWS Transfer Family servers to display customized messages such as organizational policies or terms and conditions to your end users. For Display banner, in the Pre-authentication display banner text box, enter the text message that you want to display to your users before they authenticate.


8. In Review and create, review your choices.

• If you want to edit any of them, choose Edit next to the step.

Note

You will need to review each step after the step you chose to edit.

• If you have no changes, choose Create server to create your server. You are taken to the Servers page, shown following, where your new server is listed.

It can take a couple of minutes before the status for your new server changes to Online. At that point, your server can perform file operations for your users.

Create an FTPS-enabled server

File Transfer Protocol over SSL (FTPS) is an extension to FTP. It uses Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols to encrypt traffic. FTPS allows encryption of both the control and data channel connections either concurrently or independently.

To create an FTPS-enabled server

1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/ and select Servers from the navigation pane, then choose Create server.

2. In Choose protocols, select FTPS.

For Server certificate, choose a certificate stored in AWS Certificate Manager (ACM), which will be used to identify your server when clients connect to it over FTPS, and then choose Next.

To request a new public certificate, see Request a public certificate in the AWS Certificate Manager User Guide.

To import an existing certificate into ACM, see Importing certificates into ACM in the AWS Certificate Manager User Guide.

To request a private certificate to use FTPS through private IP addresses, see Requesting a Private Certificate in the AWS Certificate Manager User Guide.

Certificates with the following cryptographic algorithms and key sizes are supported:

• 2048-bit RSA (RSA_2048)

• 4096-bit RSA (RSA_4096)


• Elliptic Prime Curve 256 bit (EC_prime256v1)

• Elliptic Prime Curve 384 bit (EC_secp384r1)

• Elliptic Prime Curve 521 bit (EC_secp521r1)

Note

The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

3. In Choose an identity provider, choose the identity provider that you want to use to manage user access. You have the following options:

AWS Directory Service for Microsoft Active Directory: you provide an AWS Directory Service directory to access the endpoint. By doing so, you can use credentials stored in your Active Directory to authenticate your users. To learn more about working with AWS Managed Microsoft AD identity providers, see Using the AWS Directory Service identity provider (p. 63).

Note

Cross-Account and Shared directories are not supported for AWS Managed Microsoft AD.


Custom: choose either of the following options:

AWS Lambda to integrate your identity provider: use your existing identity providers, backed by a Lambda function. You provide the name of the Lambda function. For more details, see Using AWS Lambda to integrate your identity provider (p. 73).

Amazon API Gateway method backed by a Lambda function: create an API Gateway for use as an identity provider. You provide an Amazon API Gateway URL and an invocation role. For more details, see Using Amazon API Gateway to integrate your identity provider (p. 77).

4. In Choose an endpoint, do the following:

Note

FTPS servers for Transfer Family operate over Port 21 (Control Channel) and Port Range 8192-8200 (Data Channel).

a. For Endpoint type, choose the VPC hosted endpoint type to host your server's endpoint. For information about setting up your VPC hosted endpoint, see Create a server in a virtual private cloud (p. 38).


Note

Publicly accessible endpoints are not supported.

b. (Optional) For FIPS Enabled, select the FIPS Enabled endpoint check box to ensure that the endpoint complies with Federal Information Processing Standards (FIPS).

Note

FIPS-enabled endpoints are only available in North American AWS Regions. For available Regions, see AWS Transfer Family endpoints and quotas in the AWS General Reference. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.

c. Choose Next.

5. On the Choose domain page, choose the AWS storage service that you want to use to store and access your data over the selected protocol:

• Choose Amazon S3 to store and access your files as objects over the selected protocol.

• Choose Amazon EFS to store and access your files in your Amazon EFS file system over the selected protocol.

Choose Next.

6. In Configure additional details, do the following:

a. For CloudWatch logging, choose one of the following to enable Amazon CloudWatch logging of your user activity:


Create a new role to allow Transfer Family to automatically create the IAM role, as long as you have the right permissions to create a new role. The IAM role that is created is called AWSTransferLoggingAccess.

Choose an existing role to choose an existing IAM role from your account. Under Logging role, choose the role. This IAM role should include a trust policy with Service set to transfer.amazonaws.com.

For more information about CloudWatch logging, see Log activity with CloudWatch (p. 133).

Note

• You can't view end-user activity in CloudWatch if you don't specify a logging role.

• If you don't want to set up a CloudWatch logging role, choose Choose an existing role, but don't select a logging role.

b. For Cryptographic algorithm options, choose a security policy that contains the cryptographic algorithms enabled for use by your server.

Note

By default:

• If FIPS Enabled endpoint is not selected, the TransferSecurityPolicy-2020-06 security policy is attached to your server.

• If FIPS Enabled endpoint is selected, the TransferSecurityPolicy-FIPS-2020-06 security policy is attached to your server.

For more information about security policies, see Working with security policies (p. 52).

c. (Optional) For Server Host Key, keep it blank.

Note

This section is only for migrating users from an existing SFTP-enabled server.


d. (Optional) For Tags, for Key and Value, enter one or more tags as key-value pairs, and then choose Add tag.

e. Choose Next.

f. (Optional) For Managed workflows, select a workflow ID and a corresponding role that Transfer Family should assume when executing the workflow. To learn more about processing your files using managed workflows, see AWS Transfer Family Managed workflows (p. 99).

g. (Optional) You can configure AWS Transfer Family servers to display customized messages such as organizational policies or terms and conditions to your end users. You can also display customized Message of The Day (MOTD) to users who have successfully authenticated.

For Display banner, in the Pre-authentication display banner text box, enter the text message that you want to display to your users before they authenticate, and in the Post-authentication display banner text box, enter the text that you want to display to your users after they successfully authenticate.


7. In Review and create, review your choices.

• If you want to edit any of them, choose Edit next to the step.

Note

You will need to review each step after the step you chose to edit.

• If you have no changes, choose Create server to create your server. You are taken to the Servers page, shown following, where your new server is listed.

It can take a couple of minutes before the status for your new server changes to Online. At that point, your server can perform file operations for your users.

Next step: continue on to Working with custom identity providers (p. 72) to set up users.

Create an FTP-enabled server

File Transfer Protocol (FTP) is a network protocol used for the transfer of data. FTP uses a separate channel for control and data transfers. The control channel stays open until it is terminated or reaches the inactivity timeout. The data channel is active for the duration of the transfer. FTP uses clear text and does not support encryption of traffic.

To create an FTP-enabled server

1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/ and select Servers from the navigation pane, then choose Create server.

2. In Choose protocols, select FTP, and then choose Next.


3. In Choose an identity provider, choose the identity provider that you want to use to manage user access. You have the following options:

AWS Directory Service for Microsoft Active Directory: you provide an AWS Directory Service directory to access the endpoint. By doing so, you can use credentials stored in your Active Directory to authenticate your users. To learn more about working with AWS Managed Microsoft AD identity providers, see Using the AWS Directory Service identity provider (p. 63).

Note

Cross-Account and Shared directories are not supported for AWS Managed Microsoft AD.

Custom: choose either of the following options:

AWS Lambda to integrate your identity provider: use your existing identity providers, backed by a Lambda function. You provide the name of the Lambda function. For more details, see Using AWS Lambda to integrate your identity provider (p. 73).

Amazon API Gateway method backed by a Lambda function: create an API Gateway for use as an identity provider. You provide an Amazon API Gateway URL and an invocation role. For more details, see Using Amazon API Gateway to integrate your identity provider (p. 77).


4. In Choose an endpoint, do the following:

Note

FTP servers for Transfer Family operate over port 21 (control channel) and the port range 8192-8200 (data channel).

a. For Endpoint type, choose VPC hosted to host your server's endpoint. For information about setting up your VPC hosted endpoint, see Create a server in a virtual private cloud (p. 38).

Note

Publicly accessible endpoints are not supported.

b. For FIPS Enabled, keep the FIPS Enabled endpoint check box cleared.

Note

A FIPS-enabled endpoint is not supported.

c. Choose Next.
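The constraints that steps 3 and 4 state for FTP (VPC-hosted endpoint only, no FIPS endpoint, a directory, Lambda or API Gateway identity provider, and a security group that admits TCP 21 and 8192-8200) can be checked before a server definition is applied. The following pre-flight check is an added example, not code from AWS or the console; the request keys follow the CreateServer API, the ingress-rule shape mirrors EC2 security group rules, the assumption that a FIPS endpoint is selected through SecurityPolicyName is the author's, and all sample values are constructed.

```python
from typing import Dict, List

# Added example, not AWS code. Request keys follow the CreateServer API; sample values are constructed.
CONTROL_PORT = 21                 # FTP control channel (console note above)
DATA_PORTS = range(8192, 8201)    # FTP data channel range 8192-8200
FTP_IDPS = {"AWS_DIRECTORY_SERVICE", "AWS_LAMBDA", "API_GATEWAY"}  # identity providers offered for FTP


def covered_ports(ingress: List[Dict]) -> set:
    """Every TCP port opened by a list of EC2-style ingress rules (IpProtocol, FromPort, ToPort)."""
    ports = set()
    for rule in ingress:
        if rule.get("IpProtocol") == "-1":            # "all traffic" rule has no port fields
            ports.update(range(0, 65536))
        elif rule.get("IpProtocol") == "tcp":
            ports.update(range(rule["FromPort"], rule["ToPort"] + 1))
    return ports


def check_ftp_server(request: Dict, ingress: List[Dict]) -> Dict[str, List[str]]:
    """Compare a CreateServer-style request and its security group against the FTP constraints above."""
    errors, warnings = [], []
    if "FTP" not in request.get("Protocols", []):
        return {"errors": ["server does not enable FTP"], "warnings": []}
    if request.get("EndpointType") != "VPC":
        errors.append("FTP needs a VPC-hosted endpoint; publicly accessible endpoints are not supported")
    if request.get("IdentityProviderType") not in FTP_IDPS:
        errors.append("FTP needs AWS Managed Microsoft AD, Lambda or API Gateway as identity provider")
    if "FIPS" in request.get("SecurityPolicyName", ""):   # assumption: FIPS is chosen via the security policy name
        errors.append("FIPS-enabled endpoints are not supported for FTP")
    missing = sorted(p for p in [CONTROL_PORT, *DATA_PORTS] if p not in covered_ports(ingress))
    if missing:
        errors.append(f"security group does not allow TCP ports {missing}")
    # FTP is clear text: the reviewer must confirm the network boundary or move to FTPS.
    warnings.append("FTP is unencrypted; restrict clients to a trusted network or prefer FTPS")
    return {"errors": errors, "warnings": warnings}


# Constructed sample: VPC-hosted FTP server, Lambda identity provider, data-channel rule one port short.
SAMPLE_REQUEST = {
    "Protocols": ["FTP"], "EndpointType": "VPC", "IdentityProviderType": "AWS_LAMBDA",
    "IdentityProviderDetails": {"Function": "arn:aws:lambda:us-east-1:111122223333:function:ftp-auth"},
    "EndpointDetails": {"VpcId": "vpc-0example", "SubnetIds": ["subnet-0example"], "SecurityGroupIds": ["sg-0example"]},
}
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21, "CidrIp": "10.0.0.0/16"},
    {"IpProtocol": "tcp", "FromPort": 8192, "ToPort": 8199, "CidrIp": "10.0.0.0/16"},
]
```

Running `check_ftp_server(SAMPLE_REQUEST, SAMPLE_INGRESS)` reports the single missing data-channel port 8200 as an error and the clear-text caveat as a warning.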
