Configuring S3 permissions
Overview
When configuring a Cloud Connection in the web admin portal, there's a Test Connection button. Clicking it should give you 3 green check marks (Connectivity, Read, Write).
If not, you will need to troubleshoot your IAM permissions on the EC2 instance profile.
Default CloudFormation permissions
The CloudFormation template configures default IAM permissions. During the provisioning process, you can choose from the following options:
- Restricted: This is the default option, which gives you access to any bucket with the following naming convention: sftpgw-i-*
- Open: This attaches a Managed IAM policy, S3FullAccess, that gives you unrestricted access to the S3 buckets in your AWS account.
Customizing IAM permissions for S3
If you chose the Restricted option, you only have access to S3 buckets with the naming convention sftpgw-i-*.
You may want to grant your EC2 instance access to other S3 buckets. To do this, you will need to modify the IAM permissions of your EC2 instance profile.
Here is an example of a custom IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::your-s3-bucket",
        "arn:aws:s3:::your-s3-bucket/*"
      ]
    }
  ]
}
The above policy grants all S3 actions (s3:*) on a specific S3 bucket, as well as on the objects within it. Both resource ARNs are needed: the bucket ARN covers bucket-level actions such as listing, and the bucket/* ARN covers the objects.
For some environments, locking down access to individual S3 buckets is not restrictive enough. You may want to further restrict the S3 actions to a granular whitelist, for example s3:Get* or s3:Put*.
Here's a link to the AWS documentation for examples of S3 actions.
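The following is an added example (not part of this page or the product's own tooling) that generates a bucket-scoped policy with an explicit action list instead of s3:*, and lints a policy for the over-broad grants discussed above. The action lists and the bucket name are constructed assumptions; adjust them to what your gateway actually needs.

```python
import json

# Constructed allow-lists for this example: bucket-level actions apply to the
# bucket ARN, object-level actions apply to the bucket/* ARN.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]


def build_restricted_policy(bucket: str) -> dict:
    """Return an IAM policy scoped to one bucket with explicit, non-wildcard actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BucketLevel",
                "Effect": "Allow",
                "Action": BUCKET_ACTIONS,
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ObjectLevel",
                "Effect": "Allow",
                "Action": OBJECT_ACTIONS,
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def lint_policy(policy: dict) -> list[str]:
    """Flag Allow statements that grant every S3 action or apply to every resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # IAM accepts either a single string or a list; normalise to a list.
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action in ("*", "s3:*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in resources:
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: wildcard resource {resource!r}")
    return findings


if __name__ == "__main__":
    # Print a ready-to-paste policy for a placeholder bucket name.
    print(json.dumps(build_restricted_policy("your-s3-bucket"), indent=2))
```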