Easy SFTP Setup with AWS Transfer Family - Step by Step Tutorial

Captions
Hello, Travis people, Enrico here. In this video I want to show you how to create an SFTP server managed by AWS, using AWS Transfer Family. This video is a bit different from the others, as I'm showing a service which is not serverless by nature, but it can help you in different use cases, when your customers ask you to set up an SFTP server for them. If you want to see other similar content, make sure to subscribe to our channel; I publish a new video every Thursday.

From the AWS Transfer Family page we can see that the service offers a fully managed SFTP, FTPS and FTP service which lets you transfer files into and out of an Amazon S3 bucket or an Amazon EFS, which is the Elastic File System. The final architecture is going to look like this one: we're going to have a user who is going to log in to the SFTP server using a username and a private key. We're going to add the public key on our SFTP server, and the SFTP server is backed by an S3 bucket which is going to stay private for security reasons. The SFTP server will use an IAM role to access the S3 bucket, so we can configure different roles in order to let the user just read the files, or just upload the files, or both of them, depending on the use case.

So now I'm going to show you a step-by-step tutorial, from the S3 bucket creation to the SFTP server creation. We go on the Amazon S3 menu, we go on Create bucket, and I'm going to call the bucket my-sftp-example-enrico. I'm going to put it in London, since I'm in London, and I'm going to leave the defaults for Block Public Access; all the options are the default ones. Now I'm going to go into the bucket I've just created, and I want to create some folders, like a "restricted" folder. We're going to use this folder to show you how to use an IAM policy to restrict a user to only be able to see this folder. And here I'm going to create another "public" folder, where everyone can see the files.

Now that we have the S3 bucket, we go on the Transfer Family service, and we click on Create server. Here we choose the protocol; for this example I'm going to use SFTP. We choose an identity provider; in this case we're going to use Service managed, basically the users will be managed by the service. The other options are AWS Directory Service, which is like using another managed directory service, or a custom provider. I'm going to stick with Service managed, and I want the SFTP server to be publicly accessible, so I'm not using the VPC hosted option. As a custom hostname, for now I'm going to keep the default one; in the custom hostname option you can change it and use a Route 53 DNS or another DNS service, let's say using Namecheap as your DNS provider, you can set the record here. So I'm going to stick with this domain. I want to use an S3 bucket, that's the domain of the SFTP server. In this step I need to create a new role in order to let the SFTP server write logs into CloudWatch, and then I'm going to leave everything default. Next, here is a summary, and I'm going to click Create server. It should take just a couple of minutes; in the meantime you can see the state is "starting", but I can already go in and see what the server looks like. We should see the domain somewhere; yes, the endpoint is this one. As I told you, it depends on the type of endpoint you want to configure; in this case I'm going to use the default one, but you can use a custom hostname.

So now we only have the SFTP server running, with the S3 bucket as the source, let's say. What we want to do, though, is to access the SFTP server using some user. In order to add the user you have to go here on the Users menu and click Add user. We have this server running, but we need users in order to be able to log in, so we're going to add the user from here; we're going to call it "enrico default", and the next step is that you need to create a role. This role is needed, as you can see, for Amazon S3 access. I don't have a role right now, so I'm going to need to create a role and a policy as well. So I'm going to the IAM management console. From the IAM Roles menu I need to select the Transfer service, then I'm going to Permissions, and I need to create a policy. The policy is something that I did before, so I'm going to choose a service... actually, I'm going to paste the JSON, since I have it. There are two actions needed, the ListBucket action and the GetBucketLocation, so the SFTP server can find the bucket inside my AWS profile; in this case the S3 bucket is my-sftp-example-enrico. Then the next action is to upload, the read/write on S3, so it's PutObject, GetObject, DeleteObject and all the version ones as well; in this case I need to do it for all the files inside the S3 bucket. So the next one is Tags, Review, and I'm going to create an "sftp read write" policy and I'm going to copy-paste the description. I'm going to create the policy, and now I'm going to associate the policy to the role. Okay, so the policy has been created; here I can filter on "customer managed" and then search, and we have the policy here, so I'm going to associate the policy. Next, Review; the role name is "sftp access s3", and I'm going to hit Create role. Now I can go back to the menu on the IAM role, hit the refresh button a few times to make sure we have it here, I'm going to type "sftp", okay, we have it. Cool, so this is the role that the SFTP server will use in order to access S3 for us.

Then here we can decide to create a home directory, which means when I log in to the SFTP server it is the first directory that I see. If I select my S3 bucket I can actually go on S3 and use the restricted folder, if I want to restrict the SFTP server to only show this folder. So if I do like this, I can remove the trailing slash and I can type "restricted". In this case the user that is going to log in to the SFTP server will log in to the bucket and then into the restricted folder, and here I am selecting "Restricted", so it's not possible for the user to do something like navigate back and go to the public folder. In this case the user that we have configured can only access the files inside this bucket within this directory, so "restricted". I'm going to hit the policy "auto-generated based on home folder", and here it shows you the policy created. It's based on your home bucket, which it's going to get from the one we configured, and it's going to use the home folder; the home folder has the value, and it basically allows you to put objects and get objects only on the home directory that we have selected. Here you can add the SSH public keys; I'm going to do that later. Then I'm going to click Add user. Okay, the user has been created.

So now we have the SFTP server running, we have the user configured, and let's add also an extra layer of security by adding an SSH public key on the user, so all users with the private key that relates to this SSH public key can log in to the server. We have to create the public and private key pair, and we're going to do it with the terminal. So first, this directory, okay, and then I'm going to use ssh-keygen -t rsa. Here I need to tell it where I want my keys to be saved, and I'm going to use the folder slash the name of the key, so I'm going to use "sftp", no passphrase, and here I have the keys. So sftp is the private key and sftp.pub is the public key. If I do a cat on the .pub one I should... okay, yes, I need to add this key into the public key here, so let's do that: SSH add key, and now I have associated my public key with my private key.

The next step is to use any SFTP client program; I'm going to use Cyberduck in order to log in to the server. So the first thing, we need the server URL; the server endpoint is this one. From here we need to add a new connection, so Open Connection, the server is going to be this one, and it's going to be the SFTP protocol. Okay, the server is this one, the port is 22, the username is the name of the user, so "enrico default", and then we need to specify the private key, so we need to choose it here, Users, let me find this private key, okay, it's here, the sftp private key. Then if I click Connect it should connect to the SFTP server, if everything is okay. Allow... let's see, authenticating... yes, I am in the S3 bucket. I added the file before the demo; the file is this one, dodgy mem, and you can see the file here. I can start the SFTP connection and download the file as well; Continue, okay, all kinds of permissions, and I have the file saved. Let's see if it worked: yes, if I go here, actually Downloads, I have it. Perfect, so the connection worked.

What I want to show you is that, as you can see, I don't see anything else: I can go backwards, but the only folder I see is this one, the root folder. I can't go on the main folder of the S3 bucket because I restricted the access to the IAM user, so it's only seeing the content inside the restricted folder. And that's all. We have created an SFTP server in less than 10 minutes, with a user authenticated with a public and private key, and we were able to restrict the permission also to a folder. Let me know if you have used this AWS Transfer Family service before, if you have any questions or comments, or if you want to see another use case with this service or any other AWS service that you may want to use in the future.
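As an added example (not code from the video or from AWS), the three IAM documents the tutorial builds in the console, written in Python so the home-folder scope-down can be checked offline: the trust policy for the Transfer service, the role policy with ListBucket/GetBucketLocation plus the object actions, and the session policy using the ${transfer:HomeBucket}, ${transfer:HomeFolder} and ${transfer:HomeDirectory} variables. The bucket and key names are constructed, and the assumption that the leading slash of the home directory is dropped when ${transfer:HomeDirectory} is substituted is mine.

```python
import fnmatch
import json


def trust_policy():
    # Lets AWS Transfer Family (the service picked in IAM) assume the S3 access role.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "transfer.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def access_role_policy(bucket, read_only=False):
    # Role policy from the video: find/list the bucket, then object access on its keys.
    objects = ["s3:GetObject", "s3:GetObjectVersion"]
    if not read_only:  # the "just read the files" variant mentioned in the video drops the writes
        objects += ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "FindBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "ObjectAccess", "Effect": "Allow", "Action": objects,
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def session_policy():
    # Scope-down policy on the user; Transfer fills in the ${transfer:*} variables at login.
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
         "Condition": {"StringLike": {"s3:prefix": [
             "${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}}},
        {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"}]}


def resolve(policy, home_directory):
    # Substitute ${transfer:*} for a "/bucket/folder" home; assumes the leading slash is dropped (valid ARN).
    bucket, _, folder = home_directory.strip("/").partition("/")
    text = json.dumps(policy)
    for var, val in (("HomeBucket", bucket), ("HomeFolder", folder),
                     ("HomeDirectory", home_directory.strip("/"))):
        text = text.replace("${transfer:" + var + "}", val)
    return json.loads(text)


def object_allowed(resolved, bucket, key):
    # True if an Allow statement grants s3:GetObject on the key (IAM "*" wildcard, no Deny logic).
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for st in resolved["Statement"]:
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "s3:GetObject" in st["Action"] and any(fnmatch.fnmatchcase(arn, r) for r in res):
            return True
    return False
```

Resolving the session policy for a home of /my-sftp-example-enrico/restricted allows keys under restricted/ and refuses public/, which is the behaviour seen in Cyberduck at the end; note that the trailing * in HomeDirObjectAccess also matches a sibling prefix such as restricted-archive/, so folder naming matters when the home directory has no trailing slash.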
Info
Channel: Enrico Portolan
Views: 746
Keywords: aws, serverless, cloud
Id: 3_HHSnoFsoM
Length: 12min 55sec (775 seconds)
Published: Wed Oct 13 2021