AMI Deployment
SFTP Gateway 3.x - Usage Instructions
This guide walks you through launching SFTP Gateway as an Amazon Machine Image from the AWS Marketplace.
Launch this software | Usage Instructions
The Launch this software page is a much simpler version of the EC2 launch wizard. You configure just a handful of frequently used parameters such as Instance Type and Subnet Settings.
Choose Action
Select Launch from Website to use this simplified EC2 launch page.
If you need to configure options not listed on this page (e.g. tags or disk volume size), select Launch through EC2. This will take you through the standard EC2 launch wizard instead.
EC2 Instance Type
For testing, use a t3.medium. The t3 class is cheaper, but cannot handle sustained traffic.
For production, use an m5.large or better.
VPC Settings
Choose the default VPC, which is public by default.
This launch form doesn't designate the default VPC with a * as advertised, but there's another way to figure this out.
Select different VPC options while keeping an eye on the Subnet Settings below.
When the subnets start with 172.31., you have found the default VPC.
Subnet Settings
It doesn't matter which subnet you choose, since all subnets within the default VPC are public.
Just verify that the subnet starts with 172.31.
Security Group Settings
- Click the button Create New Based On Seller Settings to create a new security group
- Enter a Name and Description
- For each port (22, 80, 443), change the Source to Custom IP
- Get your current IP address from http://checkip.dyndns.org/
- Enter this as the source IP, followed by /32. For example, 1.2.3.4/32
- Click Save
Key Pair Settings
Select a key pair for which you hold the private key.
Post configuration
After launching the EC2 instance, you need to manually perform a few initialization steps.
Create an IAM policy
An IAM policy grants permissions such as creating S3 buckets, listing KMS keys, and writing CloudWatch logs.
- Go to the AWS console > IAM > Policies
- Click Create policy
- Select the JSON tab
- Paste in the sample JSON snippet (see below)
- On the Review policy page, type SFTPGatewayPolicy for the Name
- Click Create Policy
Sample JSON snippet:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::sftpgateway-i-*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogStreams",
            "logs:CreateLogGroup",
            "ec2:DescribeInstances",
            "ec2:DescribeTags",
            "s3:ListAllMyBuckets",
            "kms:ListAliases",
            "kms:ListKeys"
          ],
          "Resource": "*"
        }
      ]
    }
Note: If you know you need to create S3 buckets per-user, open up the permissions like this:
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
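To see what the per-user variant changes in practice, this added example (not part of the original guide or of SFTP Gateway itself) evaluates both S3 statements against a few constructed requests. The bucket names, the instance ID and the helper names `allows` and `reachable` are assumptions made for illustration, and the matcher ignores Deny, NotAction, NotResource and Condition, none of which the page's policy uses.

```python
import re

# The two S3 statements from this page; the second is the per-user variant.
SCOPED = {"Effect": "Allow", "Action": "s3:*",
          "Resource": ["arn:aws:s3:::sftpgateway-i-*"]}
OPEN = {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}

# Constructed probes: bucket names and instance ID are made up for illustration.
PROBES = [
    ("s3:PutObject", "arn:aws:s3:::sftpgateway-i-0123456789abcdef0/alice/in.csv"),
    ("s3:DeleteBucket", "arn:aws:s3:::sftpgateway-i-0123456789abcdef0"),
    ("s3:GetObject", "arn:aws:s3:::finance-backups/payroll.csv"),
    ("s3:DeleteBucket", "arn:aws:s3:::finance-backups"),
]


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(regex, value, flags) is not None


def allows(policy, action, resource):
    """True if an Allow statement covers it; Deny, Not* and Condition are ignored."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are matched as written.
        if (any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))):
            return True
    return False


def reachable(statement, probes=PROBES):
    """Return the probes that a policy made of this one statement would allow."""
    policy = {"Version": "2012-10-17", "Statement": statement}
    return [p for p in probes if allows(policy, *p)]


if __name__ == "__main__":
    for name, stmt in (("scoped", SCOPED), ("open", OPEN)):
        print(name, [f"{a} on {r}" for a, r in reachable(stmt)])
```

Under the scoped statement only the two `sftpgateway-i-*` probes pass; under the per-user variant all four do, including `s3:DeleteBucket` on an unrelated bucket.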
Create an IAM role
- Go to the AWS console > IAM > Roles
- Click Create role
- When choosing a service for this role, click EC2 and then click Next: Permissions
- On the attach a permissions policy page, look for Filter policies and select Customer managed
- Check the box next to SFTPGatewayPolicy, which you created earlier
- Click Next: Tags
- Click Next: Preview
- Type in SFTPGatewayRole as the Role name
- Click Create role
Attach the IAM role
- Go to the AWS console > EC2 > Instances
- Check the box next to your SFTP Gateway instance
- Click on Actions > Instance Settings > Attach/Replace IAM Role
- Select the SFTPGatewayRole IAM role you created earlier
- Click Apply
Associate an Elastic IP address
As with any server, you want to assign it an Elastic IP address, which is like a static IP address. Otherwise, your public IP address will change whenever you stop the EC2 instance.
- Go to the AWS console > EC2 > Elastic IPs
- Click Allocate new address
- Click Allocate
- Click on the newly allocated IP address
- Under Actions, select Associate address
- From the Instance drop-down, select your EC2 instance
- Click Associate