By default, downloads directories are read only because the S3 bucket is intended to be the source of truth.

Unlike uploads, which are transferred to S3 in near real-time, the downloads directory is synced with the contents of S3 by the s3sync process every few minutes. If a file is deleted from the local server, it will reappear the next time the s3sync process runs.

In order to allow users to delete from the downloads directory, there are two options:

  • Modify the s3sync process to make the local directory the source of truth

  • Listen for IN_DELETE Event and run a custom script to delete from S3

Make download directory the source of truth

The s3sync command uses the /home/ec2-user/.sftpgateway/sftpgateway.sync file to map source S3 folders to target server directories.

Each entry in the sftpgateway.sync file is a single line and consists of 3 segments separated by semicolons.

  • Segment 1, is the local target directory that the S3 content will be synced to.

  • Segment 2, is the user for which the sync operation will apply to.

  • Segment 3, is the S3 source folder that the content is synced from.

If you swap segment 1 with segment 3, the server will become the source of truth. The files will still be stored on S3, but to add, modify, or delete the files those operations need to be done on the server.

You can then change the permissions of the downloads directory to allow the user read write access. To do this run the command:

sudo chown username:username /home/username/home/username/downloads/


Listen for IN_DELETE event

If you want to allow users to delete files from their downloads directory, you could add a custom entry to the root incrontab for their downloads directory to monitor for an IN_DELETE event. This could then call a custom script that will delete the file from S3 if it is deleted from the server. Once the file is deleted from S3, it will no longer get synced back to the server. To add an incrontab entry, do the following:

Edit the root incrontab with the command:

sudo incrontab -e

This will open the incrontab in vim[*], then add this line:

/home/username/home/username/downloads IN_DELETE /opt/sftpgw/ $# username

The script does not exist currently, but can easily be created to call the AWS S3 cli to delete the file in the S3 bucket.

Create this script with the command sudo vim /opt/sftpgw/[*], and add the following script:





aws s3 rm s3://sftpgateway-bucketname/$user/downloads/$file >> $LOG_FILE 2>&1

# end of script

Note: Remember to change the sftpgateway-bucketname to reflect your S3 bucket.

You will have to make executable with the command:

sudo chmod +x /opt/sftpgw/

You will then have to change the permissions of the downloads directory to allow the user to delete items from it. To do this run the command:

sudo chown username:username /home/username/home/username/downloads/

Some things to consider with either of these approaches:

  • You may want to turn on versioning in your S3 bucket, so that if a user deletes an item from the directory you will still be able to access it from S3. For more information on S3 versioning please see this AWS documentation.

  • You will have to do this for each user you wish to give this functionality to.

  • You may need to add the sse.sync.option encryption option property to the user’s /home/username/.sftpgateway/user.propteries file if you are synching files from the server to the bucket.

  • You will have to add the “s3:DeleteObject” action to the IAM role attached to the EC2 instance

  • You will also have to change the ownership of each user’s downloads directory to allow them to write and delete files from it. To do this run the command sudo chown username:username /home/username/home/username/downloads

[*]: If you are unfamiliar with the text editor vim, here is a good resource to get you started -