How to setup ftp/sftp on aws

Tags: amazon-ec2, amazon-web-services, sftp

I want to share files with a client over the internet and am looking into FTP solutions on AWS. I have tried AWS SFTP, but setting role policies is awkward and the service seems a bit costly for my basic use case. Is there an alternate way to set up an FTP server on EC2 or S3 that non-AWS users can access? I want to add read permissions for different users for different subdirectories. I am using macOS.

I tried following the instructions on https://stackoverflow.com/questions/7052875/setting-up-ftp-on-amazon-cloud-server but it is not clear how I can give non-AWS users permission to see my files, and I couldn't get vsftpd working.

Is there a recommended/standard AWS setup for sharing files with non-AWS users, preferably securely (SFTP)? I would be sharing updated files a few times a day, every day, with hundreds of users.

Best Answer

If you don't want to use AWS Transfer for SFTP, it is possible to set up your SFTP server directly on an EC2 instance.

If you follow these instructions correctly you should be able to create your SFTP users quite easily. In my specific case I used a T2 micro instance with Ubuntu 18.04.

  1. Let's install OpenSSH:
     sudo apt-get install openssh-server
  2. You need to create a specific group in which you will jail the users:
     sudo groupadd sftpusers
  3. Edit /etc/ssh/sshd_config using vim or nano:
     Comment out #Subsystem sftp /usr/lib/openssh/sftp-server
     Then instead, add Subsystem sftp internal-sftp to allow SFTP connections into your server
     Lastly, at the end of the file, specify the new group configuration
     Match group sftpusers
             # %h is the user's home; sshd requires it and every parent
             # directory to be owned by root and not group/world writable
             ChrootDirectory %h
             X11Forwarding no
             AllowTcpForwarding no
             # SFTP only: no interactive shell for members of this group
             ForceCommand internal-sftp
             PasswordAuthentication yes
  4. At this point your /etc/ssh/sshd_config should look like:
     (...)

     #Subsystem sftp /usr/lib/openssh/sftp-server

     (...)

     Subsystem sftp internal-sftp

     Match group sftpusers
             ChrootDirectory %h
             X11Forwarding no
             AllowTcpForwarding no
             ForceCommand internal-sftp
             PasswordAuthentication yes
  5. You need to restart the ssh service to apply the changes:
     sudo service ssh restart
  6. Now you should be set up to create a new user.
     Follow the prompts of the command below and input the user password.
     sudo adduser user1
  7. Let's add our new user to the sftp group we created earlier:
     sudo usermod -g sftpusers user1
     sudo usermod -s /usr/sbin/nologin user1   # Ubuntu ships nologin at /usr/sbin/nologin, not /bin/nologin
  8. At this point, the last thing we need to do is jail our user inside the /home/<user> directory:
     sudo chown root:user1 /home/user1   # the chroot directory must be owned by root
     sudo chmod 755 /home/user1          # and must not be writable by the user or group

You can create new folders that belong to the user using

     sudo mkdir /home/user1/new_folder
     sudo chown user1:user1 /home/user1/new_folder   # subfolders are the only place the user can write
     sudo chmod 755 /home/user1/new_folder

I created this repo a few days ago that automates this process
