Announcing the open-source release of Web Client for AWS Transfer Family
AWS customers look for ways to simplify access to corporate SFTP environments by enabling end users with familiar and supported browser-based user interfaces. Traditional approaches when using commercial or open-source FTP software packages present various challenges. First, corporate IT resources have to install and maintain software packages across end-user devices and operating systems. Secondly, end users that are less technical find FTP clients unintuitive and often ask for support. This is frustrating for end users needing easy and quick access to their files, and can increase the strain on corporate support resources.
We are pleased to share the open-source availability of Web Client for AWS Transfer Family, an AWS Solution that allows you to provide a web-based interface to consumers of your existing Transfer Family SFTP endpoints. By deploying an intuitive and browser-based solution, customers reduce the effort of managing commercial or open-source software clients and troubleshooting different end-user devices and operating systems. Instead, corporate IT teams can depend on their pre-approved software – a browser. Also, end users no longer must understand the nuances of FTP software clients. Instead, they can use an intuitive and familiar browser-based interface, and get the same experience as they would with a desktop-based FTP client. In this blog post, we explain the technical implementation of Web Client for AWS Transfer Family, cover the solution architecture, and outline the end user request flow.
Web Client for AWS Transfer Family enables you to use a standard browser to securely access your company provided website used to access your corporate files. The following screenshot shows a portal example:
With Web Client, your users see the files and folders that they have access to without having to install and learn how to use third-party clients. After authentication, each user can upload and download required files as well as create folder hierarchies to organize content as shown in the following screenshot:
The full list of operations supported by this release is as follows:
- List – both file and folder.
- Upload – file only. Only single file at a time can be uploaded. Drag and drop of file supported as well.
- Download – file only. Only single file at a time can be downloaded.
- Rename – file only.
- Delete – file and folder. While deleting a folder, it should be empty.
- Create – folder only.
Web Client for AWS Transfer Family architecture on AWS
To provide the functionality described in the preceding section, the Web Client for AWS Transfer Family solution deploys multiple AWS resources. The following architecture shows the services used to deploy a working solution.
To provide foundational security and availability, the solution is deployed to a dedicated Amazon Virtual Private Cloud (Amazon VPC) with three private and three public subnets spread across three Availability Zones. In addition, the solution deploys a web application into an Amazon S3 bucket configured for static website hosting. Amazon CloudFront is used to restrict access to the website bucket contents. The solution also deploys Elastic Container Service (Amazon ECS) containers that run on AWS Fargate in the private subnets. These containers host a python-based application that exposes an API to front-end requests. VPC Endpoints are created for secure access to various services from Amazon ECS containers with AWS Fargate.
The solution deploys AWS Transfer Family’s SFTP-enabled server and uses Amazon Cognito user pool to manage user access to the web application as well as for custom authentication with AWS Transfer Family. Amazon DynamoDB is used to store logical directory path mapping for AWS Transfer Family’s SFTP-enabled server.
Following is a high-level user request flow, as depicted by numbered-arrows in the preceding diagram:
- End users can interact with the web client front-end (Angular Single Page Application, SPA) hosted in Amazon S3 and served by Amazon CloudFront. Those users provide their Amazon Cognito credentials to log in.In addition, you can still use other SFTP clients such as FileZilla to directly interface with AWS Transfer Family SFTP-enabled endpoint using their Amazon Cognito credentials.
- The user request originating from the web application invokes backend APIs (login, log out, list files and directories, create and delete files, rename files) running Amazon ECS tasks in an Amazon ECS container with AWS Fargate.
- Fargate tasks interact with AWS Transfer Family’s SFTP-enabled endpoint and make an SFTP connection with user-provided Amazon Cognito credentials.
- Transfer Family passes these credentials to the API Gateway endpoint. The API is integrated with a Lambda function. The Transfer Family server then uses the API Gateway URL backed by the Lambda function to query Amazon Cognito and validate the end user’s credentials.
- Once the user is authenticated, the AWS Lambda function queries for the user’s details (such as logical mapping) from a DynamoDB table. The response from the API Gateway authorizes the end user and grants access to the Amazon S3 bucket.
Web Client for AWS Transfer Family is composed of three solution components. First is the web application or better known as the front-end application. Second is the backend API, and finally the AWS Transfer Family SFTP-enabled server.
The front end consists of a single-page web application hosted in an Amazon S3 bucket that deploys to Amazon CloudFront. Users of the solution access the web client via a gated login page in a browser, and use their Amazon Cognito credentials to access their files and directories. Web Client provides secure access to corporate files while keeping your user experience simple and intuitive. This results in your end user productivity increasing because they are focused more on their tasks and spend less time learning how to navigate new tools effectively.
The backend for this solution deploys an API to support core operations from the user interface such as uploading a file. The API is implemented as a Python Flask application, running on an Amazon ECS container with AWS Fargate behind an Application Load Balancer (ALB). The API receives HTTP requests from the front end and uses Paramiko Library to transform HTTP requests into SFTP operations executed against AWS Transfer Family’s SFTP-enabled server. The backend API does the majority of the heavy lifting while streamlining the implementation of a variety of operations outlined in the solution overview section of this post. With Web Client for AWS Transfer Family, you are able to perform your tasks on your corporate files without worrying about the scaling and security of the underlying infrastructure.
AWS Transfer Family SFTP-enabled server
This solution supports AWS Transfer Family SFTP-enabled server in this release. The authentication mechanism uses AWS Transfer Family’s custom identity provider integration with Amazon Cognito.
To authenticate into the application, the user provides a user name and password. During the login process, the user’s credentials are programmatically authenticated against an AWS Transfer Family endpoint. Once the user is authenticated, the Python application creates access and refresh JSON Web Token (JWT) tokens using Flask’s native framework. The application then stores the user’s name and password in the tokens in encrypted form using AWS Key Management Service (AWS KMS). Then, the JWT tokens are set in the access cookie and refresh cookie respectively. The tokens are used to authenticate subsequent requests from the client to the API. The API decrypts the JWT tokens using KMS to get the user name and password for that request to authenticate the operation.
In this post, we announce the availability of the open-source Web Client for AWS Transfer Family AWS solution, providing a simple and intuitive web browser interface to AWS Transfer Family’s SFTP-enabled servers. This capability makes it easy for end users and stakeholders to perform their file operations using AWS Transfer Family while removing the undifferentiated heavy lifting of managing commercial and open-source tools requiring time consuming troubleshooting across different devices and operating systems.