This document covers the Settings page in the web admin UI.
On the Settings page, you can:
- Download log files
- Configure Cloud connections (these define an S3 bucket destination, and related settings)
You can navigate to it by clicking on Settings in the top nav menu.
Download log files
You can download log files without having to SSH into the server:
- SFTP Audit Log: Authentication events and SFTP commands
- SFTP Diagnostics Log: Java event logs for troubleshooting the SFTP Gateway service
Click on either of these links, and the log file will be downloaded via the browser.
A Cloud Connection defines an S3 Bucket destination, and its related settings.
Here is an example of a Cloud Connection:
- S3 Bucket:
- S3 Encryption Option:
- Cloud Connection Credentials: Uses the instance profile credentials
Once a Cloud Connection is defined, you can start creating Folders (every folder must point to a Cloud Connection).
You can point multiple Folders to a single Cloud Connection. This way, the Cloud Connection becomes a single point of change (e.g. when you need to rotate an AWS Access key).
Click on Create AWS Connection, and you will see this page:
Fill out the following fields:
A name you define in order to refer to this Cloud Connection.
Cloud Connection Notes:
Optional field for providing more context about this Cloud Connection.
Enter the S3 Bucket name. Remember to follow the standard S3 Bucket naming convention:
- Has to be globally unique (cannot conflict with S3 buckets in other AWS accounts)
- Lowercase letters (no uppercase allowed), numbers, and hyphens
- Must have fewer than 63 characters
- Only include the S3 bucket (i.e. don't include the folder path)
S3 Encryption Option:
S3 objects are encrypted at the time of upload. The encryption method you define on the Cloud Connection will apply to all subsequently uploaded S3 objects.
- SSE-S3: The S3 service manages encryption behind the scenes. S3 objects are encrypted at rest, and the S3 service automatically decrypts the object so long as you have read-access.
- KMS: KMS encryption offers more security value, because KMS key permissions are decoupled from S3 access permissions.
- No Encryption: Do not override encryption settings, so that objects are encrypted using the S3 bucket's default encryption setting.
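Because the encryption option only applies to subsequently uploaded objects, objects already in the bucket can carry a different encryption state. The following Python check is an added example, not part of the SFTP Gateway documentation or product code; it compares S3 HeadObject metadata against the option chosen on a Cloud Connection. The function names, sample object keys and KMS key ARN are constructed for illustration, and `fetch_heads` assumes boto3 and AWS credentials are available.

```python
# Values S3 reports in the ServerSideEncryption field of a HeadObject response.
EXPECTED_SSE = {"SSE-S3": "AES256", "KMS": "aws:kms"}


def check_object(option, head, kms_key_arn=None):
    """Return a list of findings for one HeadObject response dict (empty = OK)."""
    findings = []
    sse = head.get("ServerSideEncryption")
    if option == "No Encryption":
        # The connection overrides nothing, so the bucket default decides.
        if sse is None:
            findings.append("object stored without server-side encryption")
        return findings
    want = EXPECTED_SSE[option]
    if sse != want:
        findings.append(f"expected {want}, object reports {sse or 'none'}")
    elif option == "KMS" and kms_key_arn and head.get("SSEKMSKeyId") != kms_key_arn:
        findings.append(f"encrypted under unexpected key {head.get('SSEKMSKeyId')}")
    return findings


def audit(option, heads, kms_key_arn=None):
    """Map object key -> findings for every object that does not match."""
    checked = {k: check_object(option, h, kms_key_arn) for k, h in heads.items()}
    return {k: f for k, f in checked.items() if f}


def fetch_heads(bucket, prefix=""):
    """Collect HeadObject responses with boto3 (needs network and credentials)."""
    import boto3  # imported lazily so the offline checks above run without it
    s3 = boto3.client("s3")
    heads = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            heads[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
    return heads


# Constructed sample: one object uploaded before the connection was switched to KMS.
SAMPLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE = {
    "users/alice/old.csv": {"ServerSideEncryption": "AES256"},
    "users/alice/new.csv": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": SAMPLE_KEY},
}

if __name__ == "__main__":
    print(audit("KMS", SAMPLE, SAMPLE_KEY))
```

Against a real bucket, pass the result of `fetch_heads("<your-bucket-name>")` to `audit` in place of `SAMPLE`.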
Cloud Connection Credentials:
The Use instance profile credentials option leverages the IAM permissions on the EC2 instance. This is the recommended approach, because the access key credentials are handled transparently, and rotated for you automatically.
If you want to restrict S3 permissions on a per-user basis, select the Use unique credentials option. You can set AWS Access Key credentials on the Cloud Connection, and then each SFTP user can have their own dedicated Cloud Connection.
Use the Test Connection button to verify that SFTP Gateway has access to the S3 bucket.