This guide walks you through launching SFTP Gateway as an Amazon Machine Image from the AWS Marketplace.

Launch this software | Usage Instructions

The Launch this software page is a much simpler version of the EC2 launch wizard. You configure just a handful of frequently used parameters such as Instance Type and Subnet Settings.

Choose Action

Select Launch from Website to use this simplified EC2 launch page.

If you need to configure options not listed on this page (e.g. tags or disk volume size), select Launch through EC2. This will take you through the standard EC2 launch wizard instead.

EC2 Instance Type

For testing, use a t2.medium. The t2 class is cheaper, but cannot handle sustained traffic.

For production, use an m5.large or better.

VPC Settings

Choose the default vpc, which is public by default. This launch form doesn't designate the default vpc with a * as advertised, but there's another way to figure this out.

Select different vpc options while keeping an eye on the Subnet Settings below. When the subnets start with 172.31., you found the default vpc.

Subnet Settings

It doesn't matter which subnet you choose, since all subnets within the default vpc are public. Just verify that the subnet starts with 172.31.

Security Group Settings

  1. Click the button Create New Based On Seller Settings to create a new security group
  2. Enter a Name and Description
  3. For each port (22, 80, 443), change the Source to Custom IP
  4. Get your current IP address from
  5. Enter this as the source IP, followed by /32. For example,
  6. Click Save

Key Pair Settings

Select a key pair of which you own the private key

Post configuration

After launching the EC2 instance, you need to manually perform a few initialization steps.

Create an IAM policy

An IAM policy grants permissions such as creating S3 buckets, listing KMS keys, and writing CloudWatch logs.

  1. Go to the AWS console > IAM > Policies
  2. Click Create policy
  3. Select the JSON tab
  4. Paste in the sample JSON snippet (see below)
  5. On the Review policy page, type SFTPGatewayPolicy for the Name
  6. Click Create Policy

Sample JSON snippet:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"

Note: If you know you need to create S3 buckets per-user, open up the permissions like this:

            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"

Create an IAM role

  1. Go to the AWS console > IAM > Roles
  2. Click Create role
  3. When choosing a service for this role, click EC2 and then click Next: Permissions
  4. On the attach a permissions policy page, look for Filter policies and select Customer managed
  5. Check the box next to SFTPGatewayPolicy, which you created earlier
  6. Click Next: Tags
  7. Click Next: Preview
  8. Type in SFTPGatewayRole as the Role name
  9. Click Create role

Attach the IAM role

  1. Go to the AWS console > EC2 > Instances
  2. Check the box next to your SFTP Gateway instance
  3. Click on Actions > Instance Settings > Attach/Replace IAM Role
  4. Select the SFTPGatewayRole IAM role you created earlier
  5. Click Apply

Associate an Elastic IP address

As with any server, you want to assign it an Elastic IP address, which is like a static IP address. Otherwise, your public IP address will change whenever you stop the EC2 instance.

  1. Go to the AWS console > EC2 > Elastic IPs
  2. Click Allocate new address
  3. Click Allocate
  4. Click on the newly allocated IP address
  5. Under Actions, select Associate address
  6. From the Instance drop-down, select your EC2 instance
  7. Click Associate

Reset the admin password

In order to use the web interface for managing users, you’ll have to first reset the admin password. You'll later use this to log in.

  1. Paste the elastic IP address into your web browser.
  2. Click the link that says Click here to access your admin interface.
  3. You will see an SSL warning, since we use a default self-signed certificate. Bypass it by clicking Advanced > Proceed to ip address
  4. You will see a page with instructions for resetting your admin password

You won’t be able to log into the admin interface until you’ve reset the password via the command line.

  1. SSH into your EC2 instance ssh -i <private.key> ec2-user@<elastic-ip-address>
  2. Reset the admin password: sudo resetadminpassword
  3. You'll be prompted to enter the new password, and to confirm it
  4. Refresh the web browser, and you should now be able to enter in your admin password

Create the default S3 bucket

SFTP Gateway creates the default S3 bucket on first launch. But with the AWS Marketplace AMI flow, SFTP Gateway doesn't have IAM permissions until post launch. So you'll have to create the S3 bucket manually.

Fortunately, there's an easy way to do this from the web interface:

  • Click on Settings
  • Verify that the default bucket field is populated
  • Click Apply

When you click Apply, SFTP Gateway creates the default bucket if it doesn't already exist.