SFTP Gateway 2.0 Manual Setup | Thorn Technologies

SFTP Gateway 2.0 Manual Setup

SFTP Gateway 2.0 Manual Setup

We highly recommend using our CloudFormation template for provisioning SFTP Gateway. You can choose from single instance and high availability templates. And CloudFormation helps you create supporting AWS resources such as IAM roles.

If you do not wish to use CloudFormation, you can still provision SFTP Gateway as a standalone EC2 instance. However, you will need to perform the manual steps described in this article.


Before you begin, you need to create an IAM role. This gives your EC2 instance permissions to create the default S3 bucket.

Note: If you skip this step now, you can still add the IAM role afterwards. But you will need to manually create the default S3 bucket, because SFTP Gateway will not have permission to do so on first launch. There's an easy way to do this from the admin user interface: Go to the Settings page, and click Apply.

Create an IAM policy

An IAM policy grants permissions such as creating S3 buckets, listing KMS keys, and writing CloudWatch logs.

  1. Go to the AWS console > IAM > Policies
  2. Click Create policy
  3. Select the JSON tab
  4. Paste in the sample JSON snippet (see below)
  5. On the Review policy page, type SFTPGatewayPolicy for the Name
  6. Click Create Policy

Sample JSON snippet:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"

Note: If you know you need to create S3 buckets per-user, open up the permissions like this:

            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"

Create an IAM role

  1. Go to the AWS console > IAM > Roles
  2. Click Create role
  3. When choosing a service for this role, click EC2 and then click Next: Permissions
  4. On the attach a permissions policy page, look for Filter policies and select Customer managed
  5. Check the box next to SFTPGatewayPolicy, which you created earlier
  6. Click Next: Tags
  7. Click Next: Preview
  8. Type in SFTPGatewayRole as the Role name
  9. Click Create role

You will use the SFTPGatewayRole when creating the EC2 instance.

Spin up the EC2 instance

Find the AMI

  1. Go to the AWS console > EC2 > AMIs
  2. Search for ami-032ee389d7590ba9b (for us-east-1).
  3. If you don't see any results, to the left of the search box, change Owned by me to Private images
  4. You should now see an AMI named sftpgw-ami-release-2-000...
  5. With that AMI selected, go to Actions > Launch

Spin up the AMI

  1. For the instance type, we recommend at least a t2.medium for testing, and a m5.large for production.
  2. Accept the default network settings for the default VPC, subnet, and auto-assign public IP. This should result in getting a public IP.
  3. When specifying an IAM role, select SFTPGatewayRole from the drop down menu
  4. Leave storage at 32 GB. For storage volume type, make sure it’s General Purpose SSD (gp2)
  5. For the security group, grant yourself access on TCP ports 2280, and 443. For the source, use your own IP address range rather than the wildcard
  6. Select an EC2 key pair that you have access to

Post configuration

Associate an Elastic IP address

As with any server, you want to assign it an Elastic IP address, which is like a static IP address. Otherwise, your public IP address will change whenever you stop the EC2 instance.

  1. Go to the AWS console > EC2 > Elastic IPs
  2. Click Allocate new address
  3. Click Allocate
  4. Click on the newly allocated IP address
  5. Under Actions, select Associate address
  6. From the Instance drop-down, select your EC2 instance
  7. Click Associate

Reset the admin password

In order to use the web interface for managing users, you’ll have to first reset the admin password.

  1. Paste the elastic IP address into your web browser.
  2. Click the link that says Click here to access your admin interface.
  3. You will see an SSL warning, since we use a default self-signed certificate. Bypass it by clicking Advanced > Proceed to ip address
  4. You will see a page with instructions for resetting your admin password

You won’t be able to log into the admin interface until you’ve reset the password via the command line.

  1. SSH into your EC2 instance
  2. Reset the admin password: sudo resetadminpassword
  3. You'll be prompted to enter the new password, and to confirm it
  4. Refresh the web browser, and you should now be able to enter in your admin password

Where to go from here

Right now, your EC2 instance has the permissions it needs to manage users, and upload files to your default S3 bucket.

Refresh your web browser, and try creating a user.

If you need access to additional S3 buckets, check out our documentation: Restrict S3 access on your IAM policy