How do I configure my AWS Transfer for SFTP server to use an Amazon S3 bucket that's in another AWS account?

Last updated: 2019-08-22

I want my AWS Transfer for SFTP (AWS SFTP) server to access an Amazon Simple Storage Service (Amazon S3) bucket in another AWS account. How can I set up my server with cross-account access to the bucket?

Short Description

Follow these steps:

  1. Create an AWS Identity and Access Management (IAM) role with access to the bucket.
  2. Update the bucket policy to grant cross-account access to the IAM role.
  3. Create an SFTP server user that's configured with the IAM role.
  4. Verify that your SFTP server user can access the bucket.

Note: The AWS SFTP console shows you only S3 buckets in the same account. To use your SFTP server with a bucket in another account, you must use the AWS Command Line Interface (AWS CLI) or an AWS SDK.

Resolution

Create an IAM role with access to the bucket

Create an IAM role for your SFTP server users. For the role's IAM policy, use the following:

Note: Replace destination-awsexamplebucket with the name of the S3 bucket that you want your SFTP server to access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::destination-awsexamplebucket"
      ]
    },
    {
      "Sid": "AllowReadandWriteandDelete",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject*",
        "s3:GetObject*",
        "s3:DeleteObject*"
      ],
      "Resource": [
        "arn:aws:s3:::destination-awsexamplebucket/*"
      ]
    }
  ]
}

After you create the IAM role, get the role's ID by running the get-role command, similar to the following. The role ID is the RoleId value in the command's output (it begins with AROA):

$ aws iam get-role --role-name "ROLE_NAME"

You need the role ID for the next step.

Update the bucket policy to grant cross-account access to the IAM role

Modify the destination bucket's policy to grant access to the IAM role that you created. You can use a bucket policy similar to the following:

Note: Replace arn:aws:iam::123456789012:root with the Amazon Resource Name (ARN) of the account that your SFTP server belongs to. Replace destination-awsexamplebucket with the name of the bucket. Replace AROA1234567890 with the role ID of the IAM role that you created.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketPolicyForSFTP",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "s3:GetObject*",
        "s3:ListBucket",
        "s3:PutObject*",
        "s3:DeleteObject*"
      ],
      "Resource": [
        "arn:aws:s3:::destination-awsexamplebucket",
        "arn:aws:s3:::destination-awsexamplebucket/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:userId": "AROA1234567890:*"
        }
      }
    }
  ]
}

The Condition element in this example policy is optional. Include the Condition element to grant bucket access only to the IAM role that you specify: the aws:userId of an assumed-role session is the role's ID followed by a colon and the session name, which is why the pattern ends in :*. Or, remove the element to grant access to all IAM roles and users from the account that your SFTP server belongs to.
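The following is an added example, not code from the article or from AWS. It builds the bucket policy above from an account ID, a role ID and a bucket name, and then checks the StringLike aws:userId condition against a few constructed caller identities to show what the Condition element does and does not admit. Everything else that S3 evaluates (Action and Resource matching, the caller's own IAM policy) is left out; the account ID, role ID and bucket name are placeholders.

```python
"""Added example: build the cross-account bucket policy from this article and
check which callers its aws:userId Condition admits.  Not AWS code; the account
ID, role ID and bucket name below are constructed placeholders."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"               # constructed: the SFTP server's account
ROLE_ID = "AROA1234567890"                # constructed: RoleId from `aws iam get-role`
BUCKET = "destination-awsexamplebucket"   # constructed: bucket in the other account


def bucket_policy(account_id: str, role_id: str, bucket: str,
                  restrict_to_role: bool = True) -> dict:
    """Return the article's bucket policy as a dict.

    With restrict_to_role=True the Condition limits access to sessions of one
    role; with False the whole account principal is trusted, as the article notes."""
    statement = {
        "Sid": "BucketPolicyForSFTP",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": ["s3:GetObject*", "s3:ListBucket", "s3:PutObject*", "s3:DeleteObject*"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }
    if restrict_to_role:
        # An assumed-role session's aws:userId is "<RoleId>:<session-name>",
        # so the trailing ":*" is what makes the match succeed.
        statement["Condition"] = {"StringLike": {"aws:userId": f"{role_id}:*"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def condition_allows(policy: dict, user_id: str) -> bool:
    """Evaluate only the StringLike aws:userId condition of the first statement.

    Deliberately narrow model: it assumes the caller already belongs to the
    trusted account and ignores Action/Resource matching and the caller's own
    IAM policy (which must also allow the call)."""
    stmt = policy["Statement"][0]
    cond = stmt.get("Condition", {}).get("StringLike", {}).get("aws:userId")
    if cond is None:
        return True  # no Condition: every principal in the account passes
    patterns = cond if isinstance(cond, list) else [cond]
    # StringLike supports * and ? wildcards; a case-sensitive glob models it
    return any(fnmatch.fnmatchcase(user_id, p) for p in patterns)


# Constructed request contexts, as S3 would see them in aws:userId
SFTP_SESSION = f"{ROLE_ID}:sftp-user-1"      # a session of the Transfer role
OTHER_ROLE_SESSION = "AROAZZZZZZZZZZ:admin"   # a different role, same account
ROOT_USER = ACCOUNT_ID                       # the account root user's aws:userId


def access_matrix() -> dict:
    """Which callers pass, with and without the Condition element.

    Returns {caller: (allowed_with_condition, allowed_without_condition)}."""
    strict = bucket_policy(ACCOUNT_ID, ROLE_ID, BUCKET, restrict_to_role=True)
    loose = bucket_policy(ACCOUNT_ID, ROLE_ID, BUCKET, restrict_to_role=False)
    callers = {"sftp_role": SFTP_SESSION, "other_role": OTHER_ROLE_SESSION, "root": ROOT_USER}
    return {name: (condition_allows(strict, uid), condition_allows(loose, uid))
            for name, uid in callers.items()}


if __name__ == "__main__":
    print(json.dumps(bucket_policy(ACCOUNT_ID, ROLE_ID, BUCKET), indent=2))
    for caller, (strict_ok, loose_ok) in access_matrix().items():
        print(f"{caller:11s} with Condition: {strict_ok}  without: {loose_ok}")
```

Running it shows that only the SFTP role's sessions pass when the Condition is present, while a second role or the root user in the same account passes as soon as the Condition is removed; that is the difference the paragraph above describes, and it is why keeping the Condition is the safer default.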

Create an SFTP server user configured with the IAM role

1. Generate SSH keys for your SFTP server.

2. Get the server ID of your SFTP server.

3. Run the create-user command using the AWS Command Line Interface (AWS CLI), similar to the following:

Note: For --server-id, enter the ID of your SFTP server. For --role, enter the ARN of the IAM role that you created. For --ssh-public-key-body, enter the contents of the .pub file that you generated when you created SSH keys.

$ aws transfer create-user --user-name "MY_SFTP_USER_NAME" --server-id "MY_SERVER_ID" --role "MY_IAM_ROLE_ARN" --home-directory "/destination-bucket/MY_SFTP_USER_NAME" --ssh-public-key-body "CONTENTS_OF_MY_SSH_.PUB_FILE"

The command returns the server ID and the user that you created:

{
  "ServerId": "MY_SERVER_ID",
  "UserName": "MY_SFTP_USER_NAME"
}

Important: To limit the SFTP server user's access to only its home directory, create a scope-down policy in IAM. Then, edit the server user's properties to apply the scope-down policy that you created.
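The Important note above refers to a scope-down policy without showing one. The following is an added example, not AWS code: it holds a scope-down policy written with the ${transfer:HomeBucket}, ${transfer:HomeFolder} and ${transfer:HomeDirectory} session-policy variables, models how AWS Transfer expands them for a user whose --home-directory is "/bucket/folder" (that expansion is modeled here, not called, and is an assumption), and then checks that the rendered policy confines a constructed user to its own home directory.

```python
"""Added example (not AWS code): a scope-down policy for an AWS Transfer user,
plus a check that, once the session-policy variables are expanded, the policy
keeps the user inside its own home directory.  The variable expansion and the
user/bucket names are modeled here and are assumptions, not service calls."""
import fnmatch
import json

# Session policy using the ${transfer:...} variables that AWS Transfer expands
# per user at login.  The trailing "/*" (rather than a bare "*") matters:
# "alice*" would also match a sibling home directory such as "alice2/".
SCOPE_DOWN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]
                }
            },
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::${transfer:HomeDirectory}/*"],
        },
    ],
}


def render(policy: dict, home_directory: str) -> dict:
    """Model of the variable expansion for a user whose --home-directory is
    "/<bucket>/<folder>" (assumption: HomeBucket = bucket, HomeFolder = folder,
    HomeDirectory = bucket/folder)."""
    bucket, _, folder = home_directory.strip("/").partition("/")
    home = f"{bucket}/{folder}" if folder else bucket
    text = json.dumps(policy)
    for var, value in {
        "${transfer:HomeBucket}": bucket,
        "${transfer:HomeFolder}": folder,
        "${transfer:HomeDirectory}": home,
    }.items():
        text = text.replace(var, value)
    return json.loads(text)


def _matches(value: str, patterns: list) -> bool:
    # IAM's * and ? wildcards behave like case-sensitive shell globs here
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def object_allowed(policy: dict, action: str, object_arn: str) -> bool:
    """True if some Allow statement covers the action on this object ARN."""
    return any(
        stmt["Effect"] == "Allow"
        and action in stmt["Action"]
        and _matches(object_arn, stmt["Resource"])
        for stmt in policy["Statement"]
    )


def list_prefix_allowed(policy: dict, bucket_arn: str, prefix: str) -> bool:
    """True if the user may list the bucket restricted to this s3:prefix."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "s3:ListBucket" not in stmt["Action"]:
            continue
        if bucket_arn not in stmt["Resource"]:
            continue
        allowed = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix", ["*"])
        if _matches(prefix, allowed):
            return True
    return False


if __name__ == "__main__":
    # Constructed values mirroring the article's --home-directory format
    policy = render(SCOPE_DOWN_POLICY, "/destination-awsexamplebucket/alice")
    print(json.dumps(policy, indent=2))
    bucket_arn = "arn:aws:s3:::destination-awsexamplebucket"
    for key in ["alice/report.csv", "alice2/report.csv", "bob/report.csv"]:
        print(key, object_allowed(policy, "s3:GetObject", f"{bucket_arn}/{key}"))
    print("list alice/", list_prefix_allowed(policy, bucket_arn, "alice/"))
```

The check is a model of IAM evaluation, not IAM itself; its purpose is to make the two failure modes visible before the policy is applied: a user reaching a sibling's folder (bob/) and the prefix overlap (alice2/) that a bare "*" after ${transfer:HomeDirectory} would permit. Note that the scope-down policy only narrows the permissions of the role from the first step; it cannot grant anything the role and the bucket policy do not already allow.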

Verify that your SFTP server user can access the bucket

1. Connect to your SFTP server as the user that you created. For example, run this OpenSSH command to connect to your server:

$ sftp -i mysftpuser MY_SFTP_USER_NAME@MY_SERVER_ID.server.transfer.us-east-1.amazonaws.com

2. As a test, list the home directory of the bucket. If you're using OpenSSH, run this command at the sftp> prompt of the session you just opened:

sftp> ls

If the command returns the home directory, then your SFTP server user has cross-account access to the bucket.
