Initial Setup
For SFTP Gateway version 2.0, please use the Getting Started with SFTP Gateway 2.0 guide.
In this section, you provision your SFTP Gateway instance. You can do this manually via the EC2 console, or using CloudFormation. Either way, you should end up with the following resources:
- EC2 instance
- S3 bucket
- IAM role
Before you begin
Subscribe
You first need to subscribe to the SFTP Gateway product. Doing so allows your AWS account to use the SFTP Gateway AMI.
Click here to open the AWS Marketplace page for SFTP Gateway.
Click the Continue to Subscribe button.
Click the Accept Terms button.
Key Pair
A Key Pair lets you SSH into the EC2 instance. You can create one in the AWS console under EC2 > Key Pairs > Create Key Pair. Keep the downloaded private key safe: it is the only credential for the instance's admin account, and AWS does not keep a copy.
CloudFormation Setup
CloudFormation is the recommended setup approach. Download the latest CloudFormation template here.
Within the AWS console, go to CloudFormation, click Create Stack, and upload the SFTP Gateway CloudFormation template. Then specify the following parameters:
- DefaultBucket: Name of the S3 bucket that you want to use as your default bucket. If you leave this blank, SFTP Gateway uses a default name based on the EC2 instance ID (e.g. `sftpgateway-i-12345abcde`).
- DiskVolumeSize: The amount of EBS disk storage to provision, in gigabytes.
- EC2 type: You can start with a cheaper `t2.micro` for testing purposes, and change the instance type to an `m4.large` when you go live.
- InputCIDR: The IP address range that is granted access to port 22. Use `0.0.0.0/0` to allow traffic from all IP addresses. See below for details.
- KeyPair: Select the Key Pair you created earlier from the drop-down list.
- SubnetID: Select a public subnet. If you haven't created any, you can use the default subnets that come with each region.
- VPCIdName: Select the VPC that the subnet belongs to.
InputCIDR
The InputCIDR field grants an IP address range access to your EC2 instance over port 22. The template turns it into a security group ingress rule, so only that range can reach the SSH/SFTP port; everyone else's port scans and login attempts are dropped before they reach the instance.
As a security best practice, you should limit this to your own IP address (e.g. `12.34.56.78/32`). The `/32` at the end represents a range containing a single IP address. To find your local machine's public IP address, see http://checkip.dyndns.org/. If you are behind a NAT gateway or VPN, the address shown is the gateway's, and it may change, so re-check it if you lose access later.
Later on, you can add a whitelist of IP address ranges to your security group to grant SFTP clients access to your instance. See this article for more details.
If you need to make your SFTP Gateway accessible to the general public, you can allow port 22 traffic from all IP addresses by using `0.0.0.0/0`.
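The value you enter for InputCIDR is easy to get wrong: a range with host bits set is rejected by EC2, and `0.0.0.0/0` is one typo away from a single address. The following is an added example, not SFTP Gateway's own code, using only the Python standard library. It normalises an address or range into a valid InputCIDR value, refuses the open-to-the-world range unless the caller confirms it, builds the same port-22 ingress rule for the later client whitelist, and prints the `aws ec2 authorize-security-group-ingress` command that applies it. The security group ID and address ranges in `main` are placeholders.

```python
"""Validate an InputCIDR value and build the matching port-22 ingress rule.

Added example (Python standard library only); not part of SFTP Gateway.
The security-group ID and the address ranges in main() are placeholders.
"""
import ipaddress
import json
import shlex

ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def input_cidr(value, allow_public=False):
    """Normalise an operator-supplied address or range into an InputCIDR value.

    A bare IPv4 address (what a "what is my IP" service returns) becomes a /32.
    A CIDR must be well-formed with no host bits set: EC2 rejects values such
    as 12.34.56.78/24, and ipaddress with strict=True catches that here.
    0.0.0.0/0 is refused unless the caller passes allow_public=True, so the
    open-to-the-world rule can only be created deliberately.
    """
    text = value.strip()
    try:
        if "/" in text:
            net = ipaddress.ip_network(text, strict=True)
        else:
            net = ipaddress.ip_network(str(ipaddress.IPv4Address(text)) + "/32")
    except ValueError as exc:
        raise ValueError("not a valid IPv4 address or CIDR: %r" % value) from exc
    if net.version != 4:
        raise ValueError("InputCIDR must be an IPv4 range, got %r" % value)
    if net == ANY_IPV4 and not allow_public:
        raise ValueError("0.0.0.0/0 exposes port 22 to every address; "
                         "pass allow_public=True to confirm")
    return str(net)


def is_valid_input_cidr(value, allow_public=False):
    """True if input_cidr() accepts the value; handy for form validation."""
    try:
        input_cidr(value, allow_public)
    except ValueError:
        return False
    return True


def ssh_ingress_permission(ranges, description="SFTP Gateway clients"):
    """Build the --ip-permissions entry for `aws ec2 authorize-security-group-ingress`.

    Every range goes through input_cidr() and duplicates are dropped, so a
    whitelist pasted from a ticket cannot smuggle in a malformed or open range.
    """
    seen = []
    for r in ranges:
        cidr = input_cidr(r)
        if cidr not in seen:
            seen.append(cidr)
    if not seen:
        raise ValueError("at least one source range is required")
    return {
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "IpRanges": [{"CidrIp": c, "Description": description} for c in seen],
    }


def authorize_command(group_id, permission):
    """The AWS CLI command line that applies the rule to an existing security group."""
    return "aws ec2 authorize-security-group-ingress --group-id %s --ip-permissions %s" % (
        shlex.quote(group_id), shlex.quote(json.dumps([permission])))


if __name__ == "__main__":
    # Placeholders: your admin address (becomes a /32) plus one client office range;
    # the repeated /32 shows that duplicates are collapsed.
    rule = ssh_ingress_permission(["12.34.56.78", "203.0.113.0/24", "12.34.56.78/32"])
    print(authorize_command("sg-0123456789abcdef0", rule))
```

Paste the printed command into a shell with the AWS CLI configured for the account; for the initial CloudFormation run, `input_cidr("12.34.56.78")` gives the exact string to put in the InputCIDR parameter.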
Manual Setup
Create IAM Role
Before you launch an EC2 instance, first create an IAM role that the instance can assume to reach S3. The quickest option is the AmazonS3FullAccess managed policy, but be aware that it grants every S3 action on every bucket in your account, not just the SFTP Gateway bucket.
- Go to IAM > Roles > Create Role.
- Choose EC2 as the trusted entity.
- Attach the AmazonS3FullAccess managed policy, or, for more restrictive permissions, see Restrict S3 Access.
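To show what "more restrictive permissions" looks like in practice, here is an added example, not the product's own code and not the policy from the Restrict S3 Access article: a Python script (standard library only) that builds the EC2 trust policy, an inline policy scoped to a single bucket and its objects, and a check that flags any statement with the wildcard shape of AmazonS3FullAccess. The action lists are an assumption about what an SFTP-to-S3 gateway needs; trim them to the set the Restrict S3 Access article specifies. The role and file names are placeholders.

```python
"""Least-privilege replacement for AmazonS3FullAccess on the SFTP Gateway role.

Added example (Python standard library only); not the product's own code.
The action lists below are an assumption: the exact set SFTP Gateway needs is
given in the product's "Restrict S3 Access" article, so trim them to match it.
"""
import json

# Assumed minimal S3 permissions for an SFTP-to-S3 gateway. Bucket-level and
# object-level actions are listed separately because they apply to different
# ARNs (the bucket itself vs. the objects under it).
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]

# Trust policy: only the EC2 service may assume the role, which is what
# "Choose EC2 as the trusted entity" produces in the console.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# The shape of the AmazonS3FullAccess managed policy, reconstructed here for
# comparison only: every S3 action on every bucket in the account.
AMAZON_S3_FULL_ACCESS_SHAPE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def s3_scoped_policy(bucket):
    """Allow only the assumed actions, and only on one bucket and its objects."""
    arn = "arn:aws:s3:::" + bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BucketLevel", "Effect": "Allow",
             "Action": BUCKET_ACTIONS, "Resource": arn},
            {"Sid": "ObjectLevel", "Effect": "Allow",
             "Action": OBJECT_ACTIONS, "Resource": arn + "/*"},
        ],
    }


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy):
    """Sids (or positions) of Allow statements that reach every S3 action or
    every bucket. Run this over any policy before attaching it to the role."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        broad_action = any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", [])))
        broad_resource = any(r in ("*", "arn:aws:s3:::*")
                             for r in _as_list(stmt.get("Resource", [])))
        if broad_action or broad_resource:
            hits.append(stmt.get("Sid", "Statement[%d]" % i))
    return hits


if __name__ == "__main__":
    bucket = "sftpgateway-i-12345abcde"   # the page's example default bucket name
    policy = s3_scoped_policy(bucket)
    assert wildcard_grants(policy) == []
    print("AmazonS3FullAccess wildcard statements:",
          wildcard_grants(AMAZON_S3_FULL_ACCESS_SHAPE))
    with open("trust.json", "w") as f:
        json.dump(EC2_TRUST_POLICY, f, indent=2)
    with open("sftpgateway-s3.json", "w") as f:
        json.dump(policy, f, indent=2)
    # CLI equivalent of the console steps. The console creates the instance
    # profile for you; with the CLI you must create and link it yourself.
    print("aws iam create-role --role-name sftpgateway-role "
          "--assume-role-policy-document file://trust.json")
    print("aws iam put-role-policy --role-name sftpgateway-role "
          "--policy-name sftpgateway-s3 --policy-document file://sftpgateway-s3.json")
    print("aws iam create-instance-profile --instance-profile-name sftpgateway-role")
    print("aws iam add-role-to-instance-profile --instance-profile-name sftpgateway-role "
          "--role-name sftpgateway-role")
```

If you let the product pick the default bucket name, you will not know the instance ID until after launch, so either choose the bucket name yourself (and pass it to `sftpgatewaysetup --bucket` later) or attach the scoped policy once the instance exists.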
Launch Instance
Now you can launch an instance of SFTP Gateway:
Go to the SFTP Gateway Marketplace page.
Click the Continue to Subscribe button.
If you have not accepted the license agreement, click the Accept Terms button.
In the SFTP Gateway banner at the top of the page, click the Continue to Configuration button.
In the fulfillment option dropdown, select Amazon Machine Image.
Select the Region you wish to deploy the image in.
In the SFTP Gateway banner at the top of the page, click the Continue to Launch button.
In the choose action dropdown, select Launch from Website or Launch through EC2.
If you select Launch through EC2, the EC2 console opens with the AMI pre-selected, and you can move on to configuring the EC2 instance below.
If you select Launch from Website, you stay on the same page and the EC2 configuration options are displayed there.
Note: If you launch the EC2 instance from the website, the instance will have no identifying `Name` tag, it will get the default 32 GB EBS volume, and you will need to assign an IAM role to it afterwards.
- Configure the instance through the EC2 console:
  - Choose an Instance Type: Use `t2.micro` for testing; `m4.large` or better is recommended for production. You can change the instance class after the fact.
  - Configure Instance Details: Select the VPC, Subnet, and IAM role you created earlier.
  - Add Storage: Set the volume type to `GP2`. Use a storage size appropriate for your needs. You can increase this later using these instructions.
  - Add Tags: You can assign a `Key = Name` and `Value = Identifier` to distinguish your EC2 instances from one another.
  - Configure Security Group: Allow port `22` traffic. Opening it to anywhere (`0.0.0.0/0`) is acceptable for a public SFTP server, but restricting the source to the same range you would use for InputCIDR (see above) is safer until your client whitelist is in place.
Finally, configure the S3 bucket using the `sftpgatewaysetup` command:
- Log into the EC2 instance over SSH with the key pair you chose at launch.
- Run `sudo sftpgatewaysetup`. This creates an S3 bucket, using the S3 access granted by the instance's IAM role, and the properties files that SFTP Gateway needs. This command is only necessary for manual setup.
Note: You can set the name of the default bucket using the `--bucket` parameter: `sudo sftpgatewaysetup --bucket your-s3-bucket-name`.
Where to go from here
Once you're done setting up your EC2 instance, refer to this article to set up an SFTP user.