SFTP Gateway 2.0 CloudFormation Roles
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
Overview
In some situations, you want to grant one of your team members the ability to deploy a CloudFormation template. But at the same time, you don't want to grant that team member excessive permissions like `iam:*`.
The approach here is to use a CloudFormation service role in IAM. This service role has the permissions necessary to provision the template's resources, including `iam:*`. Your team member has a more restricted set of permissions, but can pass the service role to CloudFormation when spinning up the stack, and CloudFormation then assumes that role to do the work.
Usage
- Spin up the CloudFormation template at the bottom of the page.
- Add your team member to the IAM group `CloudFormationUsersGroup`.
- When your team member spins up the SFTP Gateway CloudFormation template, they need to select the `CloudFormationServiceRole` IAM role.
Explanation
The CloudFormation template below provisions an IAM role named `CloudFormationServiceRole`. This service role has all the permissions necessary for spinning up the SFTP Gateway HA existing VPC template. (Feel free to modify these permissions as needed.)
The template below also creates an IAM group named `CloudFormationUsersGroup`. This group has the permission `iam:PassRole`, which allows it to hand the `CloudFormationServiceRole` mentioned above to CloudFormation; the role's trust policy then lets the CloudFormation service assume it.
When you specify an IAM role when provisioning a CloudFormation stack, all subsequent operations on that stack will be performed using that IAM role.
It's important to note that the `CloudFormationUsersGroup` permissions do not include the ability to create IAM roles. In this way, a restricted user is still able to deploy the SFTP Gateway CloudFormation template without holding `iam:*` directly.
CloudFormation template for creating IAM roles
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFormationServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: CloudFormation Service Role
      RoleName: CloudFormationServiceRole
  CloudFormationServiceRolePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CloudFormationServiceRolePolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: # all of these get provisioned by the HA existing VPC stack
              - 'ec2:*'
              - 'logs:*'
              - 'iam:*'
              - 'elasticloadbalancing:*'
              - 'elasticfilesystem:*'
              - 'autoscaling:*'
              - 'events:*'
            Resource: '*'
      Roles:
        - Ref: CloudFormationServiceRole
  CloudFormationUsersGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: CloudFormationUsersGroup
      Policies:
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:Get*' # needs to read IAM roles to find the service role
                  - 'iam:List*' # needs to list IAM roles to find the service role
                  - 'iam:PassRole' # needed to hand the service role to CloudFormation
                  - 'sns:List*' # CloudFormation wizard lets you notify SNS; used to get around an error
                  - 'cloudformation:*' # for all CloudFormation related tasks
                  - 'ec2:*' # needs to list VPCs and subnets, create and list the key pair
                  - 's3:*' # CF templates are stored on S3
                Resource: '*'
          PolicyName: CloudFormationUsersGroupPolicy
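As an added check that is not part of the SFTP Gateway documentation or template, the script below reproduces the two policy statements above as constructed Python data and evaluates them with a simplified IAM matcher: it confirms that the users group cannot create IAM roles while the service role can, and it shows that `iam:PassRole` on `Resource: '*'` lets the group pass any role in the account, which a hypothetical scoped statement (placeholder account id, assumed role ARN) prevents.

```python
from fnmatch import fnmatchcase

# Constructed copies of the two policy documents in the template above
# (Effect/Action/Resource only; neither statement has a Condition).
SERVICE_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:*", "logs:*", "iam:*", "elasticloadbalancing:*",
               "elasticfilesystem:*", "autoscaling:*", "events:*"]}]}
USERS_GROUP_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["iam:Get*", "iam:List*", "iam:PassRole", "sns:List*",
               "cloudformation:*", "ec2:*", "s3:*"]}]}

# Hypothetical tightened PassRole statement: the service role's ARN replaces
# Resource '*' (123456789012 is a placeholder account id). A real hardening
# would also add a Condition StringEquals iam:PassedToService = cloudformation.amazonaws.com.
SERVICE_ROLE_ARN = "arn:aws:iam::123456789012:role/CloudFormationServiceRole"
SCOPED_PASSROLE_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": "iam:PassRole", "Resource": SERVICE_ROLE_ARN}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource="*"):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Actions match case-insensitively; '*' globs as in IAM."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def privilege_gap(policy, probes, resource="*"):
    """Return the probe actions the policy does NOT allow for the given resource."""
    return [a for a in probes if not allows(policy, a, resource)]

# IAM write actions a restricted deployer must not hold directly, but which the
# service role needs to create the stack's roles and instance profiles.
IAM_WRITE_PROBES = ["iam:CreateRole", "iam:PutRolePolicy",
                    "iam:AttachRolePolicy", "iam:CreateInstanceProfile"]

if __name__ == "__main__":
    print("users group lacks:", privilege_gap(USERS_GROUP_POLICY, IAM_WRITE_PROBES))
    other = "arn:aws:iam::123456789012:role/SomeOtherRole"
    print("can pass another role: template group", allows(USERS_GROUP_POLICY, "iam:PassRole", other),
          "/ scoped statement", allows(SCOPED_PASSROLE_POLICY, "iam:PassRole", other))
```

Condition keys are not evaluated, so a real review should still confirm the trust policy restricts the service role to `cloudformation.amazonaws.com`, as the template above does.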