How do I configure my AWS Transfer Family server to use an Amazon S3 bucket that's in another AWS account?

Last updated: 2021-01-15

I want my AWS Transfer Family server to access an Amazon Simple Storage Service (Amazon S3) bucket in another AWS account. How can I set up my server with cross-account access to the bucket?

Short description

Follow these steps:

  1. Create an AWS Identity and Access Management (IAM) role with access to the bucket.
  2. Update the bucket policy to grant cross-account access to the IAM role.
  3. Create a Transfer Family server user that's configured with the IAM role.
  4. Verify that your Transfer Family server user can access the bucket.
  5. (Optional) Set S3 Object Ownership to bucket owner preferred.

Note: The AWS Transfer Family console shows you only S3 buckets in the same account. To use your Transfer Family server with a bucket in another account, you must use the AWS Command Line Interface (AWS CLI) or an AWS SDK.

Resolution

Create an IAM role with access to the bucket

Create an IAM role for your server users. For the role's IAM policy, use the following:

Note: Replace destination-DOC-EXAMPLE-BUCKET with the name of the S3 bucket that you want your server to access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingBucketReadandWriteandDelete",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET/*",
        "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET"
      ]
    }
  ]
}

After you create the IAM role, get the role's ID by running the get-role command, similar to the following:

$ aws iam get-role --role-name "ROLE_NAME"

You need the role ID for the next step.

Update the bucket policy to grant cross-account access to the IAM role

Modify the destination bucket's policy to grant access to the IAM role that you created. You can use a bucket policy similar to the following:

Note: Replace arn:aws:iam::123456789012:root with the Amazon Resource Name (ARN) of the account that your server belongs to. Replace destination-DOC-EXAMPLE-BUCKET with the name of the bucket. Replace AROA1234567890 with the role ID of the IAM role that you created.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketPolicyForTransferFamily",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:userId": "AROA1234567890:*"
        }
      }
    }
  ]
}

The Condition element in this example policy is optional. Include the Condition element to grant bucket access only to the IAM role that you specify. Or, remove the element to grant access to all IAM roles and users from the account that your server belongs to.

Create a Transfer Family server user configured with the IAM role

1.    Generate SSH keys for your Transfer Family server.

2.    Get the server ID of your server.

3.    Run the create-user command using the AWS CLI. For --server-id, enter the ID of your server. For --role, enter the ARN of the IAM role that you created. For --ssh-public-key-body, enter the contents of the .pub file that you generated when you created SSH keys.

$ aws transfer create-user --user-name "MY_SERVER_USER_NAME" --server-id "MY_SERVER_ID"  --role "MY_IAM_ROLE_ARN" --home-directory "/DOC-EXAMPLE-BUCKET/MY_SERVER_USER_NAME" --ssh-public-key-body "CONTENTS_OF_MY_SSH_.PUB_FILE"

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

The command returns the server ID and the user that you created:

{
  "ServerId": "MY_SERVER_ID",
  "UserName": "MY_SERVER_USER_NAME"
}

Important: To limit the server user's access to only its home directory, create a scope-down policy in IAM. Then, edit the server user's properties to apply the scope-down policy that you created.

Verify that your Transfer Family server user can access the bucket

1.    Connect to your server as the user that you created. For example, this OpenSSH command connects to an SFTP server:

$ sftp -i myserveruser MY_SERVER_USER_NAME@MY_SERVER_ID.server.transfer.us-east-1.amazonaws.com

2.    As a test, list the home directory of the bucket. If you're using OpenSSH, run this command:

$ ls

If the command returns the home directory, then your server user has cross-account access to the bucket.

(Optional) Set S3 Object Ownership to bucket owner preferred

By default, an Amazon S3 object is owned by the AWS account that uploaded the object. This means that the objects uploaded to the destination bucket are owned by the source server's account by default.

To enable the destination account to automatically own objects from cross-account uploads, set the destination bucket's S3 Object Ownership to bucket owner preferred. After you do this, all new objects uploaded through the AWS Transfer Family server are automatically owned by the destination bucket's account.


CreateUser (AWS Transfer Family User Guide)

Add a user (AWS Transfer Family User Guide)

How Amazon S3 authorizes a request

Did this article help?


Do you need billing or technical support?