IAM Permissions
Overview
This article describes how IAM permissions are set up in the SFTP Gateway v3.x CloudFormation template.
CloudFormation Parameter: BucketAccess
SFTP Gateway version 3.x uses a CloudFormation parameter named BucketAccess, which can be either Restricted (the default) or Open.
The purpose of this parameter is to prevent SFTP Gateway from having loose permissions to S3 by default, while making it possible to grant widespread S3 access if needed.
The Restricted option limits S3 access to buckets whose names follow this convention: sftpgw-i-*
The default S3 bucket follows this naming convention, so the Restricted option works out of the box.
The Open option attaches the AWS managed policy AmazonS3FullAccess. This grants unrestricted access to all S3 buckets in the AWS account.
The Open option is useful if you need to configure multiple S3 buckets and all of the S3 buckets in the account are being used with SFTP Gateway.
Other IAM permissions
SFTP Gateway sends log files to CloudWatch Logs, so the template includes IAM permissions for creating log groups and log streams.
SFTP Gateway also queries information about itself at the EC2 and CloudFormation level. For example, the CloudFormation stack name is used in the log group name so that logs from different stacks stay separate, and the instance obtains that stack name from its own EC2 tags.
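As an added illustration of how the two BucketAccess modes and the logging permissions described above can be wired into a template (this is example code, not the SFTP Gateway template itself), the fragment below attaches AmazonS3FullAccess only in Open mode and otherwise grants an inline policy scoped to sftpgw-i-* buckets. The resource names (SftpGatewayRole, RestrictedS3Policy) and the exact logs, ec2 and cloudformation actions are assumptions.

```yaml
Parameters:
  BucketAccess:
    Type: String
    Default: Restricted
    AllowedValues: [Restricted, Open]
Conditions:
  OpenBucketAccess: !Equals [!Ref BucketAccess, Open]
  RestrictedBucketAccess: !Equals [!Ref BucketAccess, Restricted]
Resources:
  SftpGatewayRole:            # assumed name for the instance role
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      # Open: attach the AWS managed policy. Restricted: attach no managed policy at all.
      ManagedPolicyArns: !If
        - OpenBucketAccess
        - [arn:aws:iam::aws:policy/AmazonS3FullAccess]
        - !Ref AWS::NoValue
      Policies:
        # CloudWatch Logs plus self-discovery via EC2 tags / stack lookup (assumed action set).
        - PolicyName: LogsAndInstanceMetadata
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents,
                         ec2:DescribeTags, cloudformation:DescribeStacks]
                Resource: "*"
  # Created only in Restricted mode: S3 access limited to buckets named sftpgw-i-*.
  RestrictedS3Policy:
    Type: AWS::IAM::Policy
    Condition: RestrictedBucketAccess
    Properties:
      PolicyName: RestrictedS3Access
      Roles: [!Ref SftpGatewayRole]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow                      # bucket-level actions
            Action: [s3:ListBucket, s3:GetBucketLocation]
            Resource: arn:aws:s3:::sftpgw-i-*
          - Effect: Allow                      # object-level actions
            Action: [s3:GetObject, s3:PutObject, s3:DeleteObject]
            Resource: arn:aws:s3:::sftpgw-i-*/*
```

In Restricted mode the scoped inline policy is the only S3 grant on the role, so a request against a bucket that does not match sftpgw-i-* is denied by default.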