AWS Transfer Family is a managed file-transfer service in AWS; its SFTP endpoint lets a client authenticate with an SSH key pair and upload or download files into a backing store (most commonly an S3 bucket). There are two ways to restrict what such a user can reach. The simple approach is the built-in Restricted home directory: when creating the user, tick the Restricted box and choose the home bucket and an optional folder, and the user is confined to that path. The second approach is the IAM policy attached to the user's role (or a scoped-down session policy), where each statement grants fine-grained permission with Effect, Action and Resource (by ARN). The example below allows object operations only under restricted-home/path/; note that its second statement grants s3:ListBucket on the whole bucket, so the user can still enumerate every key in the bucket (without being able to read them), and an s3:prefix condition is needed if listing must be confined as well:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::my.bucket.com/restricted-home/path/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::my.bucket.com"
    }
  ]
}
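To see what the policy above actually permits before attaching it, the following added example (not code from the page or from AWS) implements a small subset of IAM evaluation: Allow statements, exact action names, "*" wildcards in Resource ARNs and a StringLike condition. It embeds the page's policy, builds a hardened variant (an assumption, not from the page) that confines s3:ListBucket with the s3:prefix condition key, and runs a set of constructed requests against both. The request names, the bucket ARN and the hardened statement are all illustrative.

```python
"""Simulate the S3 permissions of a Transfer user's IAM policy.

Added example, not from the original page or from AWS. Only the IAM subset
needed here is modelled: Allow statements, '*' wildcards in Resource ARNs,
and StringLike conditions. Deny statements and policy variables are ignored.
"""
import fnmatch
import json

BUCKET = "arn:aws:s3:::my.bucket.com"

# The policy shown on the page, embedded verbatim (straight quotes so it parses).
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                 "s3:DeleteObjectVersion", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::my.bucket.com/restricted-home/path/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::my.bucket.com"
    }
  ]
}
""")

# Hardened variant (an assumption for this example): listing is confined to
# the home path with the s3:prefix condition key.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        PAGE_POLICY["Statement"][0],
        {   # ListBucket only for prefixes under the home path
            "Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
            "Condition": {"StringLike": {"s3:prefix": ["restricted-home/path/*"]}},
        },
        {   # GetBucketLocation carries no s3:prefix key; a StringLike on a
            # missing key never matches, so it needs its own plain statement.
            "Effect": "Allow", "Action": "s3:GetBucketLocation", "Resource": BUCKET,
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards '*' and '?'; fnmatchcase also treats '[...]' as a class,
    # which IAM does not, so sample names here avoid '['.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource and all of its
    StringLike conditions. A condition key absent from the request context
    makes the statement not match, as in real IAM."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        string_like = stmt.get("Condition", {}).get("StringLike", {})
        if all(key in context
               and any(_match(p, context[key]) for p in _as_list(pats))
               for key, pats in string_like.items()):
            return True
    return False


def run_checks():
    """Constructed requests a Transfer user might issue; returns name -> allowed."""
    home = BUCKET + "/restricted-home/path/file.txt"
    return {
        "put_in_home": is_allowed(PAGE_POLICY, "s3:PutObject", home),
        "put_outside_home": is_allowed(PAGE_POLICY, "s3:PutObject", BUCKET + "/other/file.txt"),
        # The page's policy lets the user list keys anywhere in the bucket.
        "list_outside_page": is_allowed(PAGE_POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "other/"}),
        "list_outside_hardened": is_allowed(HARDENED_POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "other/"}),
        "list_home_hardened": is_allowed(HARDENED_POLICY, "s3:ListBucket", BUCKET, {"s3:prefix": "restricted-home/path/"}),
        "list_root_hardened": is_allowed(HARDENED_POLICY, "s3:ListBucket", BUCKET),
        "bucket_policy_write": is_allowed(PAGE_POLICY, "s3:PutBucketPolicy", BUCKET),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY'}")
```

The interesting rows are the two listing checks: the page's policy allows listing under other/, the hardened one does not, while both still confine object reads and writes to the home path. Use the real IAM policy simulator for anything beyond this subset.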
Note: to create a service-managed user you need the public half of an SSH key pair. The standard way to generate one on macOS, Linux, or Unix is ssh-keygen (Windows tooling differs).
Create an RSA key pair; the private key is written to Zbsg and the public key to Zbsg.pub, and the contents of Zbsg.pub are what you paste into the user's SSH public keys field:
ssh-keygen -t rsa -b 4096 -f Zbsg
Connect to the SFTP endpoint with the private key (the user name here happens to be Zbsg as well):
sftp -i Zbsg Zbsg@sftp.myserver.com
Once connected, and provided the policy allows s3:PutObject on that path, upload a file with the put command:
sftp> put file.txt
Uploading file.txt to /file.txt
file.txt 100% 0 0.0KB/s 00:00
sftp>
Download a file non-interactively (or use get file.txt inside the session):
sftp -i Zbsg Zbsg@sftp.myserver.com:file.txt file.txt