Creating an SFTP server in AWS

Danilo S Brambila
2 min read, Feb 12, 2021

This is a hands-on post where I show how to create an SFTP server in AWS using the AWS Transfer Family service with S3 as the storage backend. For security, the SFTP server only accepts connections from an allow-list of IPs, and each user on the SFTP server only has access to a limited subset of the files stored in an S3 bucket. Furthermore, the server runs in a dedicated VPC for better isolation of the cloud resources.

The infrastructure is defined with CloudFormation JSON templates. Terraform or the AWS CDK would be alternatives for building the same infrastructure.

Networking infrastructure setup

The JSON below shows how to set up a dedicated VPC with a single subnet for the SFTP server and make it publicly reachable.

Of course, it is not a great idea to have your VPC reachable from the whole internet, so it is important to create firewall rules that limit access to the VPC to known IPs only. In AWS these firewall rules are security groups, which are attached to the relevant resources within the VPC.

The SFTP server setup is shown below. A few resources referenced in this Gist are not defined yet; more details about them follow.

Make sure that each user has restricted access to the files in the S3 bucket. In principle this could be controlled by the policies attached to the SFTP server role; however, that does not work if your server is used by more than one user. This is not a problem though: when creating users on the SFTP server, you can restrict each user to a subset of the files available in the S3 bucket.
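The two controls discussed above in one CloudFormation JSON fragment, as an added example rather than the post's own Gist: a security group that allows tcp/22 only from an allow-listed CIDR, a Transfer Family server whose VPC endpoint uses that group, and a user whose session policy confines it to its own prefix in the bucket. It assumes SftpVpc, SftpSubnet, SftpEip, SftpServerRole and SftpBucket are defined elsewhere in the template; the CIDR, user name and public key are placeholders.

```json
{
  "Resources": {
    "SftpSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "SFTP on tcp/22 only from the allow-listed range (placeholder CIDR)",
        "VpcId": { "Ref": "SftpVpc" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24" }
        ]
      }
    },
    "SftpServer": {
      "Type": "AWS::Transfer::Server",
      "Properties": {
        "Protocols": ["SFTP"],
        "IdentityProviderType": "SERVICE_MANAGED",
        "EndpointType": "VPC",
        "EndpointDetails": {
          "VpcId": { "Ref": "SftpVpc" },
          "SubnetIds": [{ "Ref": "SftpSubnet" }],
          "AddressAllocationIds": [{ "Fn::GetAtt": ["SftpEip", "AllocationId"] }],
          "SecurityGroupIds": [{ "Ref": "SftpSecurityGroup" }]
        }
      }
    },
    "AliceUser": {
      "Type": "AWS::Transfer::User",
      "Properties": {
        "ServerId": { "Fn::GetAtt": ["SftpServer", "ServerId"] },
        "UserName": "alice",
        "Role": { "Fn::GetAtt": ["SftpServerRole", "Arn"] },
        "HomeDirectory": { "Fn::Sub": "/${SftpBucket}/home/alice" },
        "SshPublicKeys": ["ssh-ed25519 AAAA-PLACEHOLDER-PUBLIC-KEY alice"],
        "Policy": { "Fn::Join": ["", [
          "{\"Version\":\"2012-10-17\",\"Statement\":[",
          "{\"Sid\":\"ListOnlyOwnFolder\",\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\",",
          "\"Resource\":\"arn:aws:s3:::${transfer:HomeBucket}\",",
          "\"Condition\":{\"StringLike\":{\"s3:prefix\":[\"${transfer:HomeFolder}/*\",\"${transfer:HomeFolder}\"]}}},",
          "{\"Sid\":\"ReadWriteOnlyOwnObjects\",\"Effect\":\"Allow\",",
          "\"Action\":[\"s3:GetObject\",\"s3:PutObject\",\"s3:DeleteObject\"],",
          "\"Resource\":\"arn:aws:s3:::${transfer:HomeDirectory}*\"}]}"
        ]]}
      }
    }
  }
}
```

The session policy must be passed as a string, which is why it is assembled with Fn::Join; wrapping it in Fn::Sub instead would require escaping the Transfer variables as ${!transfer:HomeBucket}, because Fn::Sub otherwise tries to resolve every ${...} itself.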

The fully working CloudFormation template can be found here.
