├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── images
│   ├── transfer0.png
│   ├── transfer1.png
│   ├── transfer10.png
│   ├── transfer11.png
│   ├── transfer12.png
│   ├── transfer13.png
│   ├── transfer14.png
│   ├── transfer15.png
│   ├── transfer16.png
│   ├── transfer17.png
│   ├── transfer18.png
│   ├── transfer19.png
│   ├── transfer2.png
│   ├── transfer20.png
│   ├── transfer21.png
│   ├── transfer22.png
│   ├── transfer23.png
│   ├── transfer24.png
│   ├── transfer25.png
│   ├── transfer26.png
│   ├── transfer27.png
│   ├── transfer28.png
│   ├── transfer29.png
│   ├── transfer3.png
│   ├── transfer30.png
│   ├── transfer31.png
│   ├── transfer32.png
│   ├── transfer33.png
│   ├── transfer34.png
│   ├── transfer35.png
│   ├── transfer4.png
│   ├── transfer5.png
│   ├── transfer6.png
│   ├── transfer7.png
│   ├── transfer8.png
│   └── transfer9.png
├── module1
│   └── README.md
├── module2
│   └── README.md
├── module3
│   └── README.md
├── module4
│   └── README.md
├── optionalmodule
│   └── README.md
└── templates
    └── sftp-workshop-endpoint.yaml

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
documentation, we greatly value feedback and contributions from our community.

Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
information to effectively respond to your bug report or contribution.


## Reporting Bugs/Feature Requests

We welcome you to use the GitHub issue tracker to report bugs or suggest features.

When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:

* A reproducible test case or series of steps
* The version of our code being used
* Any modifications you've made relevant to the bug
* Anything unusual about your environment or deployment


## Contributing via Pull Requests
Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:

1. You are working against the latest source on the *master* branch.
2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
3. You open an issue to discuss any significant work - we would hate for your time to be wasted.

To send us a pull request, please:

1. Fork the repository.
2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
3. Ensure local tests pass.
4. Commit to your fork using clear commit messages.
5. Send us a pull request, answering any default questions in the pull request interface.
6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

GitHub provides additional documentation on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
[creating a pull request](https://help.github.com/articles/creating-a-pull-request/).


## Finding contributions to work on
Looking at the existing issues is a great way to find something to contribute on.
As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.


## Code of Conduct
This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
opensource-codeofconduct@amazon.com with any additional questions or comments.


## Security issue notifications
If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.


## Licensing

See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.

We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# **AWS Transfer Family**

### Using IP whitelisting to secure your AWS Transfer for SFTP servers



© 2020 Amazon Web Services, Inc. and its affiliates. All rights reserved.
This sample code is made available under the MIT-0 license. See the LICENSE file.

Errors or corrections? Contact [russboye@amazon.com](mailto:russboye@amazon.com).

---

## Workshop scenario

In your application workflow, it is necessary to receive files from external entities for exchanging sensitive information such as PHI (Personal Health Information) or financial records. It is critical that these transfers be secure and encrypted.

After doing some research, you have decided to use [AWS Transfer Family](https://aws.amazon.com/transfer) to receive this data from your business partners via SFTP, which will allow this data to flow through an encrypted transport mechanism. In addition, your regulatory and/or Information Security guidelines dictate that only known partners are able to reach the endpoint, and this is controlled through the whitelisting of IPs. Many of your partner entities face similar regulation, and need the ability to control outbound SFTP to a limited list of public IPs.

This workshop will walk you through this scenario, using CloudFormation templates to deploy resources and the AWS Management Console to configure those resources accordingly. As shown in the architecture diagram below, a VPC, two Elastic IPs, an Amazon S3 bucket, and an AWS Transfer for SFTP endpoint will be deployed as a part of this workshop.

![](images/transfer0.png)

## Prerequisites

#### AWS Account

In order to complete this workshop, you will need an AWS account with rights to create an Amazon VPC, AWS CloudFormation stacks, and AWS Transfer for SFTP servers in your selected region.

This workshop includes services that are not in the free tier, and may generate charges. It is recommended that you follow the cleanup instructions once you have completed the workshop to remove all deployed resources and limit ongoing costs to your AWS account.

#### Software

- **Internet Browser** – It is recommended that you use the latest version of Chrome or Firefox for this workshop.
- **SFTP Client** - You will need an SFTP client for testing.

## Workshop Modules

This workshop consists of the following five modules:

- **Module 1** - Complete Setup
- **Module 2** - Test Your Setup with a Basic User
- **Module 3** - Protect Your Data Access with Logical Directories
- **Module 4** - Clean Up
- **Optional Module 5** - Using VPC Peering to Allow Internal IP Access

To get started, go to [Module 1](/module1/README.md).

--------------------------------------------------------------------------------
/module1/README.md:
--------------------------------------------------------------------------------
# **AWS Transfer Family**

### Using IP whitelisting and logical directories to secure your AWS Transfer Family servers

© 2020 Amazon Web Services, Inc. and its affiliates. All rights reserved.
This sample code is made available under the MIT-0 license. See the LICENSE file.

Errors or corrections? Contact [russboye@amazon.com](mailto:russboye@amazon.com).

---



# Module 1
## Deploy resources via CloudFormation

In this module, you will use a CloudFormation template to deploy resources in an AWS region. The template will deploy a new VPC in the chosen region with a private CIDR block, two subnets within that CIDR block, an Internet Gateway for routing public internet traffic, and two Elastic IPs for hosting your AWS SFTP endpoint. Additionally, the CloudFormation template will deploy two **Amazon S3** buckets, and three **IAM** roles and policies.

## Module Steps

#### 1. Deploy AWS resources in your desired region

1. Click one of the launch links in the table below to deploy the required resources using CloudFormation.
To avoid errors during deployment, select a region in which you have previously created AWS resources.

| **Region Code** | **Region Name** | **Launch** |
| --- | --- | --- |
| us-west-1 | US West (N. California) | [Launch in us-west-1](https://console.aws.amazon.com/cloudformation/home?region=us-west-1#/stacks/new?stackName=AWSTransferWorkshopOct2020&templateURL=https://awsstorageblogresources.s3.us-west-2.amazonaws.com/russboyertransferfamilyblog/sftp-workshop-endpoint.yaml) |
| us-west-2 | US West (Oregon) | [Launch in us-west-2](https://console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/new?stackName=AWSTransferWorkshopOct2020&templateURL=https://awsstorageblogresources.s3.us-west-2.amazonaws.com/russboyertransferfamilyblog/sftp-workshop-endpoint.yaml) |
| us-east-1 | US East (N. Virginia) | [Launch in us-east-1](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=AWSTransferWorkshopOct2020&templateURL=https://awsstorageblogresources.s3.us-west-2.amazonaws.com/russboyertransferfamilyblog/sftp-workshop-endpoint.yaml) |
| us-east-2 | US East (Ohio) | [Launch in us-east-2](https://console.aws.amazon.com/cloudformation/home?region=us-east-2#/stacks/new?stackName=AWSTransferWorkshopOct2020&templateURL=https://awsstorageblogresources.s3.us-west-2.amazonaws.com/russboyertransferfamilyblog/sftp-workshop-endpoint.yaml) |
| eu-west-1 | Ireland | [Launch in eu-west-1](https://console.aws.amazon.com/cloudformation/home?region=eu-west-1#/stacks/new?stackName=AWSTransferWorkshopOct2020&templateURL=https://awsstorageblogresources.s3.us-west-2.amazonaws.com/russboyertransferfamilyblog/sftp-workshop-endpoint.yaml) |
| eu-central-1 | Frankfurt | [Launch in eu-central-1](https://console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/new?stackName=AWSTransferWorkshopOct2020&templateURL=https://awsstorageblogresources.s3.us-west-2.amazonaws.com/russboyertransferfamilyblog/sftp-workshop-endpoint.yaml) |

2. Click **Next** on the **Create Stack** page

![](../images/transfer19.png)

3. Click **Next** on the **Specify stack details** page (there are no stack parameters)
4. Click **Next** on the **Configure stack options** page (accept all defaults)
5. On the Review page, scroll to the bottom, check the box next to **I Acknowledge...**, then click **Create stack**

![](../images/transfer22.png)

The template allocates two Elastic IP addresses while creating a VPC, two subnets, and an Internet Gateway. AWS SFTP uses a Multi-AZ architecture to achieve high availability. By creating two subnets and assigning an Elastic IP address to each, your SFTP service is able to withstand the loss of an Availability Zone.

**Note:** While this solution uses Elastic IP addresses, you can also use EC2 BYOIP to import your own static IP addresses. The BYOIP feature is particularly useful when you are migrating from an existing SFTP server and you would prefer to maintain the same endpoint IP addresses.

Once the AWS CloudFormation stack has been created, you will see similar output on the **Outputs** tab:

![](../images/transfer1.png)

You can see the ID of the VPC, the Availability Zones the subnets were created in, as well as the Elastic IP addresses. With these resources created, you can now proceed to create your AWS SFTP server.

First, go to the [AWS Transfer Management Console](https://console.aws.amazon.com/transfer/) and choose **Create Server**.
On the **Choose protocols** page, choose SFTP, and click **Next**

![](../images/transfer23.png)

On the **Choose an identity provider** page, choose **Service managed** and click **Next**

![](../images/transfer24.png)

Under **Endpoint Configuration**, select **VPC hosted** for a VPC hosted endpoint. In this exercise, you are creating an Internet Facing server, so select that option. From the VPC drop-down menu, select the VPC with the ID you noted from the outputs of your AWS CloudFormation template. Optionally, you can assign a **Custom hostname** that can be used by your clients to connect to your endpoint. In this example, we will use the service supplied hostname (details in the next section on how this relates to your Elastic IPs).

![](../images/transfer2.png)

Once you have selected your VPC, you will see that the **Availability Zones** you may choose include the ones your AWS CloudFormation template selected to create your subnets. Select each of those, then select your
**subnet ID** in the left drop-down menu and one of your **Elastic IPs** in the right drop-down menu for each Availability Zone:

![](../images/transfer3.png)

**Note:** The service lets you choose up to three **Availability Zones** and it is recommended that you choose more than one **Availability Zone** for HA purposes. In this example, we are using two **Availability Zones**.

On the **Configure additional details** page, leave all the settings at default, and click **Next**

On the **Review and create** page, choose the **Create server** button.

![](../images/transfer26.png)

It takes a few minutes to create your SFTP server. When the creation is complete, and the server status shows as **Online**, select the new server to get more information.

![](../images/transfer4.png)

In the preceding screenshot, you can see two key resources that were automatically created by the service.

First, because you chose to deploy the server in your VPC, a VPC endpoint was automatically created by the service (as shown above under “**Endpoint details**”). All network traffic to and from the SFTP server passes through this endpoint. You edit the **Security Group** for this endpoint to whitelist SFTP clients.

Second, because you chose to make your server internet facing, a DNS name was supplied for your server. This DNS name is the hostname that SFTP clients use to access the server (as shown under “**Endpoint**”). AWS SFTP automatically created an alias record for the DNS name of the form “.transfer..amazonaws.com.” An ANAME record was created that includes the two Elastic IP addresses you assigned to the server. The service Console provides you the option to assign your custom domain as the hostname your clients can use to access your endpoint using **Route 53 CNAME**.

## Module Summary

In this module, you deployed all of the resources necessary to complete the configuration of a **VPC hosted endpoint** of an **AWS Transfer for SFTP server**. Next, in **Module 2**, you will be creating a basic user and testing your newly created endpoint.

Go to [Module 2](/module2/README.md).

--------------------------------------------------------------------------------
/module2/README.md:
--------------------------------------------------------------------------------
# **AWS Transfer Family**

### Using IP whitelisting and logical directories to secure your AWS Transfer Family servers

© 2020 Amazon Web Services, Inc. and its affiliates. All rights reserved.
This sample code is made available under the MIT-0 license. See the LICENSE file.

Errors or corrections? Contact [russboye@amazon.com](mailto:russboye@amazon.com).

---



# Module 2
## Testing your server whitelisting configuration

In this module, you will test access to your SFTP server either via your terminal on Linux or macOS systems, or by using a third-party tool such as Cyberduck, WinSCP, or FileZilla. Before attempting to connect to the server, you must first return to the AWS SFTP console page for your server to [create a user account](https://docs.aws.amazon.com/transfer/latest/userguide/getting-started-add-user.html).

## Module Steps

#### Create a User Account

In order to test our server, we will need to create a user that can log in to the server. In this example, we will be using Service-managed users, which are administered inside of the **AWS Transfer** console.

**Note:** Our example uses a Service-managed identity provider for the SFTP server, which authenticates users using SSH keys. **AWS Transfer Family** also supports custom authentication methods, which allow you to do [password authentication](https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-for-sftp-using-aws-secrets-manager/), as well as authentication via [3rd party providers](https://aws.amazon.com/blogs/storage/using-okta-as-an-identity-provider-with-aws-transfer-for-sftp/).

From the **AWS Transfer** [Console](https://console.aws.amazon.com/transfer/):

Select your Transfer server by checking the box next to it, and click **Add user**

![](../images/transfer11.png)

On the Add user page, fill in a Username (here we use **standard** as the username), and select the *AWSTransferWorkshopOct2020-s3Bucket1IamRole* role that the CloudFormation template created in Module 1. For now we will not be using a Scope down policy, so leave None checked.

![](../images/transfer12.png)

For the bucket, select the bucket *transferworkshop1-* created by your CloudFormation template.
In the blank for SSH public keys, enter the public half of an SSH key pair that you have access to. For more information on SSH key pairs, including how to generate one, you can [follow this link.](https://docs.aws.amazon.com/transfer/latest/userguide/key-management.html#sshkeygen) For the remaining options, you can leave the defaults, and click **Add**

![](../images/transfer13.png)

#### Test your Connection

Once you’ve created a user account, you can attempt to connect to your SFTP server using the private key that corresponds to the public key used during user creation. Using the hostname of your SFTP server, try to connect with your preferred SFTP client. At this point, you should experience a timeout, such as the one shown in the following screenshot. This is because the security group on the **VPC endpoint** does not yet allow your IP address to reach port 22: the connection attempt is dropped before it ever reaches the SFTP service, which is why you see a timeout rather than a refused connection or an authentication failure.

![](../images/transfer8.png)

Return to the settings page in the AWS Management Console for the Security Group associated with your server's VPC endpoint (the one shown under **Endpoint details** in Module 1). On the settings page, choose the **Inbound Rules** tab, and choose **Edit inbound rules**. Select **SSH** as the **Type** - this automatically selects TCP and port 22, the port SFTP uses. For the purposes of this exercise, select **My IP** under **Source type** - this populates the public IP address from which you logged into the console, as a /32. Note that this is the address the console sees from your side: behind NAT or a VPN it is a shared egress address, and it will change when you move networks, so rules created this way deserve a description and periodic review. Scroll to the bottom, and choose **Save rules**:

![](../images/transfer9.png)

You will now see an inbound rule in your security group that allows TCP port 22 from your IP address to the endpoint, and therefore to your SFTP server.

Now that this rule is in place, attempt to connect to your session again from your SFTP client. As shown in the following screenshot, your client will ask you to accept the server's host key since it is your first time connecting to this server. Before accepting, compare the fingerprint your client shows with the one the service reports for the server (the **HostKeyFingerprint** returned by `aws transfer describe-server`); the first connection is the moment at which an impostor endpoint would otherwise be trusted silently. 
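The security group change above, done from the AWS CLI instead of the console, as an added example that is not part of the original workshop. It looks up the security group attached to the server's VPC endpoint from the server ID, refuses to add anything other than a single-host /32, creates the port-22 rule with a description, and lists the resulting inbound rules so that a stray 0.0.0.0/0 entry is visible. Assumed: the server ID is passed as the first argument, the caller's public address is read from checkip.amazonaws.com (the console's **My IP** fills in the same address), and the Region comes from the CLI configuration (this workshop uses us-east-2). The same `allow_sftp_from` function serves the peered-VPC case in the optional module, with the peer client's private address in place of the public one.

```sh
#!/bin/sh
# Added example (not part of the original workshop): the Module 2 console steps
# as a script. Usage: sh allow-my-ip.sh <server-id>
# Assumptions: Region from the AWS CLI configuration; public address from
# checkip.amazonaws.com; the server has a VPC endpoint as created in Module 1.
set -eu

# A client allow-list entry should be one host. Accept only a well-formed
# dotted quad with /32 and refuse 0.0.0.0, so that a slip cannot turn the
# rule into "port 22 from anywhere".
cidr_is_single_host() {
  case "$1" in */32) ;; *) return 1 ;; esac
  ip=${1%/32}
  [ "$ip" != "0.0.0.0" ] || return 1
  saved_ifs=$IFS; IFS=.
  set -- $ip                      # split the address into its octets
  IFS=$saved_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# endpoint_sg_ids <server-id>: the security groups on the server's VPC
# endpoint, which is the only place the allow list lives.
endpoint_sg_ids() {
  vpce=$(aws transfer describe-server --server-id "$1" \
           --query 'Server.EndpointDetails.VpcEndpointId' --output text)
  aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$vpce" \
    --query 'VpcEndpoints[0].Groups[].GroupId' --output text
}

# allow_sftp_from <sg-id> <cidr> <description>: TCP/22 from one host only.
allow_sftp_from() {
  cidr_is_single_host "$2" || { echo "refusing to allow $2: not a single-host /32" >&2; return 1; }
  aws ec2 authorize-security-group-ingress --group-id "$1" --ip-permissions \
    '[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"IpRanges":[{"CidrIp":"'"$2"'","Description":"'"$3"'"}]}]'
}

# list_sftp_rules <sg-id>: every inbound rule for port 22, so an accidental
# 0.0.0.0/0 entry shows up at a glance.
list_sftp_rules() {
  aws ec2 describe-security-group-rules --filters "Name=group-id,Values=$1" \
    --query 'SecurityGroupRules[?IsEgress==`false` && FromPort==`22`].[CidrIpv4,Description]' \
    --output table
}

# Only act when a server ID is given, so the functions can be sourced alone.
if [ "$#" -eq 1 ]; then
  my_ip=$(curl -fsS https://checkip.amazonaws.com)
  for sg in $(endpoint_sg_ids "$1"); do
    allow_sftp_from "$sg" "$my_ip/32" "sftp-workshop-client"
    list_sftp_rules "$sg"
  done
fi
```

To remove the rule when the workshop is over, `aws ec2 revoke-security-group-ingress` takes the same `--group-id` and `--ip-permissions` arguments.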

![](../images/transfer14.png)

Optionally you can upload a file using your SFTP client:

![](../images/transfer10.png)

And then view it in the **Amazon S3** console

![](../images/transfer27.png)

## Module Summary

In this module, you tested your ability to reach your AWS Transfer for SFTP server endpoint both with and without your IP address whitelisted. Traffic from addresses that are not on the allow list is dropped by the endpoint's security group and never reaches the SFTP service, so an unlisted client cannot even begin authentication, let alone guess at credentials.

You may have noticed in this module, however, that the user we created has access to the entire contents of the S3 bucket, including all subfolders. In a real world scenario, organizations require the ability to grant select users access to particular folders only.

In the next module, we will use **logical directories** to demonstrate how to accomplish user separation and selective folder access.

Go to [Module 3](/module3/README.md).

--------------------------------------------------------------------------------
/module3/README.md:
--------------------------------------------------------------------------------
# **AWS Transfer Family**

### Using IP whitelisting and logical directories to secure your AWS Transfer Family servers

© 2020 Amazon Web Services, Inc. and its affiliates. All rights reserved.
This sample code is made available under the MIT-0 license. See the LICENSE file.

Errors or corrections? Contact [russboye@amazon.com](mailto:russboye@amazon.com).

---



# Module 3
## Creating organizational users powered by Logical Directories

In this module, you will create a basic set of users to emulate how an organization might manage access for multiple users while restricting each user to a specific directory or set of directories. Additionally, we will show how to create a user that has access to folders across multiple buckets, so that data for different parties can be kept in separate buckets while still being reachable through a single server.

## Module Steps

#### Create a User Account

In order to create a Service-managed user whose access is limited to several specific directories, we will need to use the command line. For the purposes of this walkthrough, we will use a shell script to create each user; the scripts are given below. Before scripting against the **AWS CLI**, make sure it has credentials on the machine you run the scripts from. Follow [this link](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) to learn more about **AWS Identity and Access Management (IAM)** and managing and using access keys. If that machine is an EC2 instance, prefer an instance profile role over a long-lived access key stored on disk. The scripts below need permission to list IAM roles, to pass the chosen role to Transfer (iam:PassRole), and to create users and import keys on the server, and nothing broader.

For the purposes of this workshop, we will be adding users that have access to various **Logical Directories**, each of which maps to a specific folder in one of our **Amazon S3** buckets.

The following table lays out the structure we will be building for our organization:

| **Username** | **Role** | **Bucket 1 Folders** | **Bucket 2 Folders** |
| --- | --- | --- | --- |
| user1 | External End User | /user1, /common | --- |
| user2 | External End User | /user2, /common | --- |
| regulator | External Super User | --- | /rawdata, /processed |
| admin | Internal Super User | /user1, /user2, /common | /rawdata, /processed |


Before we create the user accounts, we should create the directories listed in the table above inside the **Amazon S3** buckets. From the **Amazon S3** console, click on your first bucket (*awstransferworkshopbucket1-…* in the screenshots; the name of your own bucket is the **bucket1Name** output of your CloudFormation stack), and inside the bucket click **Create folder**. 
Supply the folder name for each folder in each bucket in the table above, and for each one click **Save**

![](../images/transfer28.png)

In order to create the user accounts, from the command line of a Linux machine we can execute the following shell scripts, substituting values from your environment in place of the ones shown: the bucket names below are those of the author's stack, so use the bucket names and role ARNs from your own stack's outputs (**bucket1Name**, **bucket2Name**, **iamRole1ForS3Access**, **iamRole2ForS3Access**, **iamRoleallForS3Access**). Each script takes the server ID as its first argument, which you can copy from your **AWS Transfer Family** console page. In each mapping, **Entry** is the path the user sees after logging in and **Target** is the real location, written as */bucket-name/prefix*; the user never sees the target. All four scripts import the same public key, *demokey.pub*, which is fine for a workshop but not for production, where each user should present a key of their own.

#### For user1

```sh
#!/bin/sh
# Usage: sh user1.sh <server-id>
# ARN of the bucket-1 role created by the Module 1 stack. The role name
# carries a random suffix, so match on its prefix instead of grepping JSON.
role_arn=$(aws iam list-roles \
  --query "Roles[?starts_with(RoleName, 'AWSTransferWorkshopOct2020-s3Bucket1IamRole')].Arn" \
  --output text)

server_id=$1

pub_key=$(cat demokey.pub)

# Entry = path the user sees, Target = /bucket/prefix it maps to
mapping_1='Entry=/user1,Target=/awstransferworkshopbucket1-4be953a0-04e0-11eb-a8b7-0656208217bc/user1'
mapping_2='Entry=/user1temp,Target=/awstransferworkshopbucket1-4be953a0-04e0-11eb-a8b7-0656208217bc/common'

aws transfer create-user --user-name user1 --server-id "$server_id" --role "$role_arn" \
  --home-directory-type LOGICAL --home-directory-mappings "$mapping_1" "$mapping_2" --region us-east-2

aws transfer import-ssh-public-key --user-name user1 --server-id "$server_id" \
  --ssh-public-key-body "$pub_key" --region us-east-2
```

You should expect to see some output if the script was successful

![](../images/transfer29.png)

#### Test your Connection

Once you’ve created the user1 account, you can connect to your SFTP server using the private key that corresponds to the public key used during user creation. Using the hostname of your SFTP server, try to connect with your preferred SFTP client. As user1, try to upload some files to the subdirectories you see once you log in.

![](../images/transfer15.png)

Also, try viewing those uploads in the **Amazon S3** console. 

![](../images/transfer16.png)

#### For user2

```sh
#!/bin/sh
# Usage: sh user2.sh <server-id>
role_arn=$(aws iam list-roles \
  --query "Roles[?starts_with(RoleName, 'AWSTransferWorkshopOct2020-s3Bucket1IamRole')].Arn" \
  --output text)

server_id=$1

pub_key=$(cat demokey.pub)

# user2 sees the shared folder as /user2temp; user1 sees the same folder as /user1temp
mapping_1='Entry=/user2,Target=/awstransferworkshopbucket1-4be953a0-04e0-11eb-a8b7-0656208217bc/user2'
mapping_2='Entry=/user2temp,Target=/awstransferworkshopbucket1-4be953a0-04e0-11eb-a8b7-0656208217bc/common'

aws transfer create-user --user-name user2 --server-id "$server_id" --role "$role_arn" \
  --home-directory-type LOGICAL --home-directory-mappings "$mapping_1" "$mapping_2" --region us-east-2

aws transfer import-ssh-public-key --user-name user2 --server-id "$server_id" \
  --ssh-public-key-body "$pub_key" --region us-east-2
```

#### Test your Connection

Once you’ve created the user2 account, continue to test with each user, experimenting with which directories can be viewed and accessed on login. An important point here is that the folder /common in the first bucket is shared by both users, but the **Logical Directory** of each user maps it to a different name. This hides the real name of the folder from the user logging in. In this case, this folder represents an area where different downstream users can share files with each other, without having direct **Amazon S3** bucket access or the ability to edit permissions. Note what enforces the separation between user1 and user2: both share the same IAM role, which can read and write the entire bucket, so it is the logical directory mapping, not IAM, that keeps each user inside their own folders. If you want IAM to enforce it as well, that is what the scope-down policy option skipped in Module 2 is for.

![](../images/transfer30.png)

#### For regulator

The code for creating the regulator account is slightly different, since both folders the regulator needs access to are in the second bucket, so it uses the bucket-2 role.

```sh
#!/bin/sh
# Usage: sh regulator.sh <server-id>
# Bucket-2 role: the regulator never touches bucket 1
role_arn=$(aws iam list-roles \
  --query "Roles[?starts_with(RoleName, 'AWSTransferWorkshopOct2020-s3Bucket2IamRole')].Arn" \
  --output text)

server_id=$1

pub_key=$(cat demokey.pub)

mapping_1='Entry=/rawdata,Target=/awstransferworkshopbucket2-4be953a0-04e0-11eb-a8b7-0656208217bc/rawdata'
mapping_2='Entry=/processed,Target=/awstransferworkshopbucket2-4be953a0-04e0-11eb-a8b7-0656208217bc/processed'

aws transfer create-user --user-name regulator --server-id "$server_id" --role "$role_arn" \
  --home-directory-type LOGICAL --home-directory-mappings "$mapping_1" "$mapping_2" --region us-east-2

aws transfer import-ssh-public-key --user-name regulator --server-id "$server_id" \
  --ssh-public-key-body "$pub_key" --region us-east-2
```

#### Test your Connection

Once you’ve created the regulator account, continue to test with each user, experimenting with which directories can be viewed and accessed on login.

#### For admin

The code for creating the admin account with full access is again different, and two things deserve attention:

1. This user has access to folders in both buckets, and therefore needs a role that allows access to both (the *s3BucketallIamRole* from the stack).
2. This user has full access to all folders, and needs several more mapping parameters.

```sh
#!/bin/sh
# Usage: sh admin.sh <server-id>
# Role that can read and write both buckets
role_arn=$(aws iam list-roles \
  --query "Roles[?starts_with(RoleName, 'AWSTransferWorkshopOct2020-s3BucketallIamRole')].Arn" \
  --output text)

server_id=$1

pub_key=$(cat demokey.pub)

# admin sees every folder under its real name, across both buckets
mapping_1='Entry=/user1,Target=/awstransferworkshopbucket1-4be953a0-04e0-11eb-a8b7-0656208217bc/user1'
mapping_2='Entry=/user2,Target=/awstransferworkshopbucket1-4be953a0-04e0-11eb-a8b7-0656208217bc/user2'
mapping_3='Entry=/common,Target=/awstransferworkshopbucket1-4be953a0-04e0-11eb-a8b7-0656208217bc/common'
mapping_4='Entry=/rawdata,Target=/awstransferworkshopbucket2-4be953a0-04e0-11eb-a8b7-0656208217bc/rawdata'
mapping_5='Entry=/processed,Target=/awstransferworkshopbucket2-4be953a0-04e0-11eb-a8b7-0656208217bc/processed'

aws transfer create-user --user-name admin --server-id "$server_id" --role "$role_arn" \
  --home-directory-type LOGICAL \
  --home-directory-mappings "$mapping_1" "$mapping_2" "$mapping_3" "$mapping_4" "$mapping_5" \
  --region us-east-2

aws transfer import-ssh-public-key --user-name admin --server-id "$server_id" \
  --ssh-public-key-body "$pub_key" --region us-east-2
```

#### Test your Connection

Once you’ve created the admin account, continue to test with each user, experimenting with which directories can be viewed and accessed on login. This user represents a super user, and as such has access to all the directories. Additionally, this demonstrates the concept of spanning **Logical Directories** across multiple **Amazon S3** buckets. The admin's reach is bounded by the IAM role as much as by the mappings: the *s3BucketallIamRole* can list, read and write the whole of both buckets, so anyone holding the admin private key holds that access too, and the key should be protected accordingly.

![](../images/transfer31.png)

## Module Summary

In this module, you created several users to represent some common organizational structures encountered in real world workloads. This should give you a good idea of how to control user access across multiple folders, some of which are shared between users, and across multiple buckets.
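The four scripts above differ only in which role and which mappings they use. As an added example that is not part of the original workshop, here is one script that creates all four users from the table, reading the role ARNs and bucket names from the stack outputs (**iamRole1ForS3Access**, **iamRole2ForS3Access**, **iamRoleallForS3Access**, **bucket1Name**, **bucket2Name**) instead of hard-coding them, and rejecting any mapping whose Entry or Target is not an absolute path before a user is half-created. Assumed: the stack name, the server ID and the public key file are passed as arguments, and the Region comes from the CLI configuration (the workshop's scripts pass `--region us-east-2` explicitly).

```sh
#!/bin/sh
# Added example (not part of the original workshop): create the four Module 3
# users from one script. Usage: sh create-users.sh <stack-name> <server-id> <pubkey-file>
# Assumptions: Region from the AWS CLI configuration; role ARNs and bucket
# names come from the CloudFormation stack outputs named in the template.
set -eu

# build_mapping "<entry>=<target>" prints one shorthand token for
# --home-directory-mappings, e.g. "/user1=/bucket/user1" becomes
# "Entry=/user1,Target=/bucket/user1". Both sides must be absolute paths;
# Transfer rejects anything else, so fail here rather than mid-run.
build_mapping() {
  case "$1" in *=*) ;; *) echo "expected <entry>=<target>: $1" >&2; return 1 ;; esac
  entry=${1%%=*}
  target=${1#*=}
  case "$entry" in /*) ;; *) echo "entry must be an absolute path: $entry" >&2; return 1 ;; esac
  case "$target" in /*) ;; *) echo "target must be /<bucket>/<prefix>: $target" >&2; return 1 ;; esac
  printf 'Entry=%s,Target=%s\n' "$entry" "$target"
}

# stack_output <stack-name> <OutputKey>: one output value of the stack
stack_output() {
  aws cloudformation describe-stacks --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='$2'].OutputValue" --output text
}

# create_user <server-id> <user-name> <role-arn> <pubkey-file> <entry=target>...
create_user() {
  server_id=$1; user=$2; role=$3; keyfile=$4; shift 4
  # Rewrite the remaining positional parameters in place, one pair at a time,
  # so the mapping tokens can be passed as separate arguments without arrays.
  n=$#
  while [ "$n" -gt 0 ]; do
    token=$(build_mapping "$1")
    set -- "$@" "$token"
    shift
    n=$((n - 1))
  done
  aws transfer create-user --server-id "$server_id" --user-name "$user" \
    --role "$role" --home-directory-type LOGICAL --home-directory-mappings "$@"
  aws transfer import-ssh-public-key --server-id "$server_id" --user-name "$user" \
    --ssh-public-key-body "$(cat "$keyfile")"
}

# main <stack-name> <server-id> <pubkey-file>
main() {
  stack=$1; server_id=$2; keyfile=$3
  b1=$(stack_output "$stack" bucket1Name)
  b2=$(stack_output "$stack" bucket2Name)
  r1=$(stack_output "$stack" iamRole1ForS3Access)
  r2=$(stack_output "$stack" iamRole2ForS3Access)
  rall=$(stack_output "$stack" iamRoleallForS3Access)

  # The table from this module: external users see their own folder plus the
  # shared area under a name that hides the real prefix (/common).
  create_user "$server_id" user1     "$r1"   "$keyfile" "/user1=/$b1/user1" "/user1temp=/$b1/common"
  create_user "$server_id" user2     "$r1"   "$keyfile" "/user2=/$b1/user2" "/user2temp=/$b1/common"
  create_user "$server_id" regulator "$r2"   "$keyfile" "/rawdata=/$b2/rawdata" "/processed=/$b2/processed"
  create_user "$server_id" admin     "$rall" "$keyfile" \
    "/user1=/$b1/user1" "/user2=/$b1/user2" "/common=/$b1/common" \
    "/rawdata=/$b2/rawdata" "/processed=/$b2/processed"
}

# Run only when all three arguments are given, so the functions can be
# sourced or tested on their own.
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

The same public key is used for every user here, as in the workshop scripts; for anything beyond a workshop, pass a different key file per user.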
As you walked through creating these users, hopefully you observed how easy it is to administer a fully managed **AWS Transfer Family** server.

In the next module, we will be cleaning up after today's workshop.

Go to [Module 4](/module4/README.md).

--------------------------------------------------------------------------------
/module4/README.md:
--------------------------------------------------------------------------------
# **AWS Transfer Family**

### Using IP whitelisting and logical directories to secure your AWS Transfer Family servers

© 2020 Amazon Web Services, Inc. and its affiliates. All rights reserved.
This sample code is made available under the MIT-0 license. See the LICENSE file.

Errors or corrections? Contact [russboye@amazon.com](mailto:russboye@amazon.com).

---



# Module 4
## Cleaning up after this workshop

In this module, you will clean up after completing this workshop. Cleaning up is critical, as components of this workshop fall outside of the free tier, and additional charges will accrue if you do not delete the resources created while completing the workshop.

## Module Steps

#### Cleaning Up

The first thing we will clean up is the contents of our **Amazon S3** buckets. This is a prerequisite step, as we will not be able to delete our buckets until they are empty. From the **Amazon S3** console page, click the name of your first bucket, *awstransferworkshopbucket1*, and once in the bucket, check the box next to **Name** to select all objects and folders. From the **Actions** dropdown, select delete, then choose **Delete**. Repeat for the second bucket.

![](../images/transfer32.png)

The next thing we will want to delete is our **AWS Transfer** server itself, but first we will need to stop it. From the **AWS Transfer Family** console page, check the box next to your server, and from the **Actions** dropdown, choose **Stop**

![](../images/transfer33.png)

Once the **AWS Transfer** server is **Offline**, you can check the same box, and from the **Actions** dropdown select Delete, type *delete* to confirm, and choose **Delete**. Deleting the server removes its VPC endpoint and the Service-managed users that belong to it, and frees the two Elastic IPs so that the stack can be deleted in the next step.

![](../images/transfer34.png)

Additionally, as a last step, you will want to delete the environment you created with your **CloudFormation** template. To do this, return to the console page for **CloudFormation**, click on your **Stack name**, then choose the **Resources** tab. At the top of the page, choose **Delete**, and in the pop up choose **Delete stack**

![](../images/transfer35.png)

The resources created by **CloudFormation** will be deleted, and ultimately the **Stack** will no longer be visible in the console. This may require a refresh of the page. If the stack ends in DELETE_FAILED, the usual cause is a bucket that was not emptied; empty it and retry the deletion.

## Module Summary

In this module, we cleaned up after this workshop to ensure no additional charges are incurred.

### Workshop Summary

In this workshop, we showed you how to use **VPC Security Groups** to whitelist access to your **AWS Transfer Family** servers. First we deployed an **AWS CloudFormation template** to create the network elements of the sample architecture. Next, we created a new **AWS Transfer server** with an endpoint hosted inside a **VPC**. Then, we demonstrated how to use the **Security Group** associated with that endpoint to limit access to the server to specific IPs, and optionally to peered VPCs inside or outside your account.

Next we used **Logical Directories** to create an organization of different users who all had slightly different access, including one user that had access to folders in multiple **Amazon S3** buckets.

Using these features, you can limit **AWS Transfer for SFTP** endpoint access to the IPs of your trusted customers and business partners. This adds a layer of defence in front of the authentication mechanisms supported by **AWS SFTP**: unknown or untrusted sources cannot even reach the endpoint, so they can neither probe it nor attempt to authenticate. Additionally, a major benefit of hosting the endpoint with two Elastic IPs is that your customers get fixed addresses to allow in their own outbound firewalls, which matters when those firewalls cannot filter by hostname. These benefits can be helpful when working with tightly regulated data such as financial records or Protected Health Information (PHI).

To learn more about **AWS Transfer for SFTP**, check out the following links:

* [AWS Transfer for SFTP product page](https://aws.amazon.com/sftp/)
* [AWS Transfer for SFTP documentation](https://docs.aws.amazon.com/transfer/latest/userguide/what-is-aws-transfer-for-sftp.html)

Go to [Workshop Home](/README.md).

--------------------------------------------------------------------------------
/optionalmodule/README.md:
--------------------------------------------------------------------------------
# **AWS Transfer for SFTP**

### Using IP whitelisting to secure your AWS Transfer for SFTP servers

© 2020 Amazon Web Services, Inc. and its affiliates. All rights reserved.
This sample code is made available under the MIT-0 license. See the LICENSE file.

Errors or corrections? Contact [russboye@amazon.com](mailto:russboye@amazon.com).

---



# Optional Module 5
## Optional setup for private VPC access

In this module, you may also want to allow traffic from clients in the same VPC, in other VPCs (via peering), or in on-premises environments (via Direct Connect or VPN) to reach your SFTP server endpoint without traversing public IP space. In some cases, certain VPCs may not be allowed to pass traffic to the internet at all and may lack a NAT Gateway or Internet Gateway. In these cases, clients can access the server’s endpoint using the endpoint’s private IP addresses.

## Module Steps

You may obtain these private addresses and their associated DNS names by reviewing the **Details** and **Subnets** tabs of your SFTP server endpoint in the endpoints area of the VPC console.

**Details** tab screenshot:

![](../images/transfer6.png)

**Subnets** tab screenshot:

![](../images/transfer7.png)

#### 1. Establish a VPC peering session

In order to allow traffic from other VPCs to reach your SFTP server, you need to [establish a VPC peering connection](https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html). A VPC peering connection is not limited to VPCs within a single account, and can also be used to give direct access to other accounts or partner organizations. Once the peering connection is established, appropriate [routes must be added](https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html) in order to allow subnets within those VPCs to reach each other. The final step is to add the peer's specific IPs or subnet ranges to the endpoint's Security Group: the security group evaluates the private source address of peered traffic exactly as it does a public one, so a peering connection and a route on their own grant nothing. See the test procedure in Module 2 for an example of adding whitelisted IPs. Keep the entries as narrow as the peer allows, a single client's /32 rather than the whole peer VPC CIDR when only one host needs SFTP.

## Module Summary

In this module, you established a peering connection with another **VPC** and added the appropriate routes so that your **AWS Transfer for SFTP** server's endpoint is reachable from the peered VPC without traversing public IP space.

Module 2 tests your **AWS Transfer for SFTP** endpoint whitelisting capability from an allowed and a non-allowed address.

Go to [Module 3](/module3/README.md).

--------------------------------------------------------------------------------
/templates/sftp-workshop-endpoint.yaml:
--------------------------------------------------------------------------------
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Transfer Family Workshop - IP Allow Listing
Metadata:
  License:
    Description: |
      Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.

      Permission is hereby granted, free of charge, to any person obtaining a copy of this
      software and associated documentation files (the "Software"), to deal in the Software
      without restriction, including without limitation the rights to use, copy, modify,
      merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
      permit persons to whom the Software is furnished to do so.

      THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
      INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
      PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
      HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
      OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
      SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Resources:

  # Create a dedicated VPC with internet connectivity
  sftpVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.11.12.0/24
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: TransferSFTPDemoVPC
  sftpSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref 'sftpVPC'
      CidrBlock: 10.11.12.0/25
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      MapPublicIpOnLaunch: 'True'
      Tags:
        - Key: Name
          Value: TransferSFTPDemoSubnet1
  sftpSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref 'sftpVPC'
      CidrBlock: 10.11.12.128/25
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      MapPublicIpOnLaunch: 'True'
      Tags:
        - Key: Name
          Value: TransferSFTPDemoSubnet2
  sftpInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: TransferSFTPDemoIGW
  sftpAttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref 'sftpVPC'
      InternetGatewayId: !Ref 'sftpInternetGateway'
  sftpRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref 'sftpVPC'
      Tags:
        - Key: Name
          Value: TransferSFTPDemoRouteTable
  sftpSubnet1RouteAssociaton:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref 'sftpSubnet1'
      RouteTableId: !Ref 'sftpRouteTable'
  sftpSubnet2RouteAssociaton:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref 'sftpSubnet2'
      RouteTableId: !Ref 'sftpRouteTable'
  sftpRoutetoInternet:
    Type: AWS::EC2::Route
    # A route to an internet gateway can only be created once the gateway is
    # attached to the VPC, so depend on the attachment, not on the gateway
    DependsOn: sftpAttachGateway
    Properties:
      RouteTableId: !Ref 'sftpRouteTable'
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref 'sftpInternetGateway'
  # Two Elastic IPs, one per subnet, for the internet-facing Transfer endpoint.
  # Domain must be the literal value vpc
  sftpEIP1:
    Type: AWS::EC2::EIP
    DependsOn: sftpVPC
    Properties:
      Domain: vpc
  sftpEIP2:
    Type: AWS::EC2::EIP
    DependsOn: sftpVPC
    Properties:
      Domain: vpc
  s3Bucket1:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True
      BucketName: !Join
        - "-"
        - - "transferworkshop1"
          - !Select
            - 2
            - !Split
              - "/"
              - !Ref "AWS::StackId"
  s3Bucket2:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True
      BucketName: !Join
        - "-"
        - - "transferworkshop2"
          - !Select
            - 2
            - !Split
              - "/"
              - !Ref "AWS::StackId"
  # Roles assumed by the Transfer service on behalf of users. Each policy
  # grants access to whole buckets: the per-user separation in Module 3 comes
  # from logical directory mappings (or a scope-down policy), not from here
  s3Bucket1IamRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
        Version: '2012-10-17'
  s3Bucket1RolePolicy:
    Type: AWS::IAM::Policy
    DependsOn: s3Bucket1
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:ListBucket
            Resource:
              - !GetAtt s3Bucket1.Arn
          - Effect: Allow
            Resource:
              - !Join [ "/", [ !GetAtt s3Bucket1.Arn, "*" ] ]
            Action:
              - s3:PutObject
              - s3:GetObject
              - s3:DeleteObject
              - s3:DeleteObjectVersion
              - s3:GetObjectVersion
        Version: '2012-10-17'
      PolicyName: policy
      Roles:
        - !Ref 's3Bucket1IamRole'
  s3Bucket2IamRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
        Version: '2012-10-17'
  s3Bucket2RolePolicy:
    Type: AWS::IAM::Policy
    DependsOn: s3Bucket2
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:ListBucket
            Resource:
              - !GetAtt s3Bucket2.Arn
          - Effect: Allow
            Resource:
              - !Join [ "/", [ !GetAtt s3Bucket2.Arn, "*" ] ]
            Action:
              - s3:PutObject
              - s3:GetObject
              - s3:DeleteObject
              - s3:DeleteObjectVersion
              - s3:GetObjectVersion
        Version: '2012-10-17'
      PolicyName: policy
      Roles:
        - !Ref 's3Bucket2IamRole'
  s3BucketallIamRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - transfer.amazonaws.com
        Version: '2012-10-17'
  s3BucketallRolePolicy:
    Type: AWS::IAM::Policy
    DependsOn:
      - s3Bucket1
      - s3Bucket2
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:ListBucket
            Resource:
              - !GetAtt s3Bucket1.Arn
              - !GetAtt s3Bucket2.Arn
          - Effect: Allow
            Resource:
              - !Join [ "/", [ !GetAtt s3Bucket1.Arn, "*" ] ]
              - !Join [ "/", [ !GetAtt s3Bucket2.Arn, "*" ] ]
            Action:
              - s3:PutObject
              - s3:GetObject
              - s3:DeleteObject
              - s3:DeleteObjectVersion
              - s3:GetObjectVersion
        Version: '2012-10-17'
      PolicyName: policy
      Roles:
        - !Ref 's3BucketallIamRole'

Outputs:
  bucket1Name:
    Description: S3 Bucket 1 Name
    Value: !Ref s3Bucket1
  iamRole1ForS3Access:
    Description: S3 IAM Role for Transfer and File Gateway
    Value: !GetAtt s3Bucket1IamRole.Arn
  bucket2Name:
    Description: S3 Bucket 2 Name
    Value: !Ref s3Bucket2
  iamRole2ForS3Access:
    Description: S3 IAM Role for Transfer and File Gateway
    Value: !GetAtt s3Bucket2IamRole.Arn
  iamRoleallForS3Access:
    Description: S3 IAM Role for Transfer and File Gateway
    Value: !GetAtt s3BucketallIamRole.Arn
  vpcID:
    Description: ID of VPC
    Value: !Ref sftpVPC
  elasticIP1:
    Description: Elastic IP 1
    Value: !Ref sftpEIP1
  elasticIP2:
    Description: Elastic IP 2
    Value: !Ref sftpEIP2
  subnet1VPC:
    Description: AZ of subnet 1
    Value: !GetAtt sftpSubnet1.AvailabilityZone
  subnet1ID:
    Description: ID of Subnet 1
    Value: !Ref sftpSubnet1
  subnet2VPC:
    Description: AZ of subnet 2
    Value: !GetAtt sftpSubnet2.AvailabilityZone
  subnet2ID:
    Description: ID of Subnet 2
    Value: !Ref sftpSubnet2
--------------------------------------------------------------------------------