This article describes how IAM permissions are set up in the SFTP Gateway v3.x CloudFormation template.
CloudFormation Parameter: BucketAccess
SFTP Gateway version 3.x uses a CloudFormation parameter named
which can be either
Restricted (default) or
The purpose of this parameter is to prevent SFTP Gateway from having loose permissions to S3 by default, while making it possible to grant widespread S3 access if needed.
Restricted option limits S3 access to S3 buckets following this naming convention:
The default S3 bucket follows this naming convention, so this will work out of the box.
Open option attaches the AWS managed policy
This grants unrestricted access to all S3 buckets in the AWS account.
Open option is useful if you need to configure multiple S3 buckets,
and all of your S3 buckets are being used with SFTP Gateway.
Other IAM permissions
SFTP Gateway sends log files to CloudWatch logs. There are IAM permissions for creating log groups and log streams.
SFTP Gateway also queries information about itself, at the EC2 or CloudFormation level. For example, the CloudFormation stack name is used in the log group to keep logs separate. And this stack name is extracted from the EC2 instance's tags.