SFTP Gateway 2.0 Manual Setup
We highly recommend using our CloudFormation template for provisioning SFTP Gateway. You can choose between a single-instance template and a high-availability template, and CloudFormation creates the supporting AWS resources, such as IAM roles, for you.
If you do not wish to use CloudFormation, you can still provision SFTP Gateway as a standalone EC2 instance. However, you will need to perform the manual steps described in this article.
Prep
Before you begin, you need to create an IAM role. This gives your EC2 instance permission to create the default S3 bucket.
Note: If you skip this step now, you can still attach the IAM role afterwards. But you will then need to create the default S3 bucket manually, because SFTP Gateway will not have permission to do so on first launch. There's an easy way to do this from the admin user interface: go to the Settings page and click Apply.
Create an IAM policy
An IAM policy grants permissions such as creating S3 buckets, listing KMS keys, and writing CloudWatch logs.
- Go to the AWS console > IAM > Policies
- Click Create policy
- Select the JSON tab
- Paste in the sample JSON snippet (see below)
- On the Review policy page, type SFTPGatewayPolicy for the Name
- Click Create policy
Sample JSON snippet:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::sftpgateway-i-*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogStreams",
            "logs:CreateLogGroup",
            "ec2:DescribeInstances",
            "ec2:DescribeTags",
            "s3:ListAllMyBuckets",
            "kms:ListAliases",
            "kms:ListKeys"
          ],
          "Resource": "*"
        }
      ]
    }
Note: If you know you need to create S3 buckets per user, widen the first statement like this:

    { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }

Be aware that this grants the instance full control over every S3 bucket in the account, not just its own. If your per-user buckets share a naming prefix, scope the Resource to that prefix (as the sftpgateway-i-* entry above does) instead of using the bare wildcard.
Create an IAM role
- Go to the AWS console > IAM > Roles
- Click Create role
- When choosing a service for this role, click EC2 and then click Next: Permissions
- On the Attach permissions policy page, look for Filter policies and select Customer managed
- Check the box next to SFTPGatewayPolicy, which you created earlier
- Click Next: Tags
- Click Next: Review
- Type SFTPGatewayRole as the Role name
- Click Create role
You will use the SFTPGatewayRole when creating the EC2 instance.
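The same policy and role created with the AWS CLI instead of the console. This is an added example, not a script from the SFTP Gateway project: the policy and role names and the sftpgateway-i- bucket prefix are taken from the page, while the SFTPGW_APPLY gate, the pre-flight check that refuses an unscoped s3:* grant, and an aws CLI configured with a principal allowed to create IAM resources are assumptions of the example. The instance-profile step is one the console performs implicitly but the CLI does not; run-instances needs the profile, not the role.

```shell
#!/usr/bin/env bash
# Added example: create SFTPGatewayPolicy, SFTPGatewayRole and the instance
# profile that the EC2 launch needs, using the AWS CLI.
# Assumptions (not from the page): the SFTPGW_APPLY gate below and an aws
# CLI configured with a principal allowed to create IAM resources.
set -eu

POLICY_NAME="${POLICY_NAME:-SFTPGatewayPolicy}"
ROLE_NAME="${ROLE_NAME:-SFTPGatewayRole}"
# Bucket-name prefix from the page's sample policy: s3:* is limited to
# buckets (and their objects) whose name starts with it.
BUCKET_PREFIX="${BUCKET_PREFIX:-sftpgateway-i-}"

# Emit the permissions policy for a given bucket prefix.
policy_document() {
  prefix="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::${prefix}*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream", "logs:PutLogEvents",
        "logs:DescribeLogStreams", "logs:CreateLogGroup",
        "ec2:DescribeInstances", "ec2:DescribeTags",
        "s3:ListAllMyBuckets", "kms:ListAliases", "kms:ListKeys"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Trust policy: only the EC2 service may assume the role, so only instances
# launched with this profile receive its credentials.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Pre-flight check (example's own): succeed only if no statement grants
# s3:* on Resource "*", so widening the policy is a deliberate choice.
policy_is_scoped() {
  ! printf '%s' "$1" | tr -d ' \n' | grep -q '"Action":"s3:\*","Resource":"\*"'
}

create_iam_resources() {
  tmp="$(mktemp -d)"
  policy_document "$BUCKET_PREFIX" > "$tmp/policy.json"
  trust_policy > "$tmp/trust.json"
  policy_is_scoped "$(cat "$tmp/policy.json")" \
    || { echo "refusing to create a policy with unscoped s3:*" >&2; return 1; }

  account_id="$(aws sts get-caller-identity --query Account --output text)"
  aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "file://$tmp/policy.json" >/dev/null
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "file://$tmp/trust.json" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "arn:aws:iam::${account_id}:policy/${POLICY_NAME}"
  # The console creates a same-named instance profile implicitly; the CLI
  # does not, and run-instances takes the profile name, not the role name.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
      --role-name "$ROLE_NAME"
  echo "instance profile ready: $ROLE_NAME"
}

# Only touch AWS when explicitly asked; otherwise the file just defines helpers.
if [ "${SFTPGW_APPLY:-0}" = "1" ]; then
  create_iam_resources
fi
```

Run it as `SFTPGW_APPLY=1 bash setup-iam.sh`; set BUCKET_PREFIX if your deployment uses a different bucket naming scheme. The trust policy is what keeps the role usable only by EC2; the permissions policy is what the instance can do once it has the role.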
Spin up the EC2 instance
Find the AMI
- Go to the AWS console > EC2 > AMIs
- Search for ami-032ee389d7590ba9b (for us-east-1)
- If you don't see any results, to the left of the search box, change Owned by me to Private images
- You should now see an AMI named sftpgw-ami-release-2-000...
- With that AMI selected, go to Actions > Launch
Spin up the AMI
- For the instance type, we recommend at least a t2.medium for testing and an m5.large for production
- Accept the default network settings (default VPC, default subnet, auto-assign public IP). This should result in the instance getting a public IP address
- When specifying an IAM role, select SFTPGatewayRole from the drop-down menu
- Leave storage at 32 GB. For the storage volume type, make sure it's General Purpose SSD (gp2)
- For the security group, grant yourself access on TCP ports 22, 80 and 443. For the source, use your own IP address range rather than the wildcard 0.0.0.0/0, which would expose SSH and the admin interface to the whole internet
- Select an EC2 key pair that you have access to
Post configuration
Associate an Elastic IP address
As with any server, you want to assign it an Elastic IP address, which is like a static IP address. Otherwise, your public IP address will change whenever you stop the EC2 instance.
- Go to the AWS console > EC2 > Elastic IPs
- Click Allocate new address
- Click Allocate
- Click on the newly allocated IP address
- Under Actions, select Associate address
- From the Instance drop-down, select your EC2 instance
- Click Associate
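The launch and Elastic IP steps above, scripted with the AWS CLI. This is an added example, not a script from the SFTP Gateway project. The AMI ID, instance types, 32 GB gp2 root volume, ports and profile name come from the page; the SFTPGW_APPLY gate, the security group name, the use of the default VPC, and the check_admin_cidr guard that refuses 0.0.0.0/0 (and malformed input) before it reaches the security group are the example's own assumptions. The root device name is read from the AMI rather than guessed.

```shell
#!/usr/bin/env bash
# Added example: launch the SFTP Gateway AMI and bind an Elastic IP with the
# AWS CLI. Assumptions (not from the page): the SFTPGW_APPLY gate, the
# security group name, the default VPC, and that the SFTPGatewayRole
# instance profile already exists.
set -eu

AMI_ID="${AMI_ID:-ami-032ee389d7590ba9b}"     # us-east-1 AMI from the page
INSTANCE_TYPE="${INSTANCE_TYPE:-t2.medium}"  # t2.medium for testing, m5.large for production
KEY_NAME="${KEY_NAME:-}"                     # an EC2 key pair you hold
ADMIN_CIDR="${ADMIN_CIDR:-}"                 # your own IPv4 range, e.g. 203.0.113.0/24

# Accept only a plain IPv4 CIDR and reject the wildcard the page warns
# against, so a typo never opens SSH and the admin UI to the internet.
check_admin_cidr() {
  case "$1" in
    0.0.0.0/*) return 1 ;;   # 0.0.0.0/0 (or any 0.0.0.0/n) is never an admin range
    */*) ;;
    *) return 1 ;;           # no prefix length at all
  esac
  ip="${1%/*}"; bits="${1#*/}"
  echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ]
}

launch_instance() {
  check_admin_cidr "$ADMIN_CIDR" \
    || { echo "ADMIN_CIDR must be your own IPv4 range, not 0.0.0.0/0" >&2; return 1; }
  [ -n "$KEY_NAME" ] || { echo "KEY_NAME is required" >&2; return 1; }

  vpc_id="$(aws ec2 describe-vpcs --filters Name=is-default,Values=true \
            --query 'Vpcs[0].VpcId' --output text)"
  sg_id="$(aws ec2 create-security-group --group-name sftpgw-admin \
           --description 'SFTP Gateway: SSH and admin UI from the admin range only' \
           --vpc-id "$vpc_id" --query GroupId --output text)"
  # TCP 22 (SSH/SFTP), 80 and 443 (admin UI), each from ADMIN_CIDR only.
  for port in 22 80 443; do
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
        --protocol tcp --port "$port" --cidr "$ADMIN_CIDR" >/dev/null
  done

  # 32 GB gp2 root volume on whatever device name this AMI uses as root.
  root_dev="$(aws ec2 describe-images --image-ids "$AMI_ID" \
              --query 'Images[0].RootDeviceName' --output text)"
  instance_id="$(aws ec2 run-instances --image-id "$AMI_ID" \
      --instance-type "$INSTANCE_TYPE" --key-name "$KEY_NAME" \
      --security-group-ids "$sg_id" \
      --iam-instance-profile Name=SFTPGatewayRole \
      --associate-public-ip-address \
      --block-device-mappings "DeviceName=$root_dev,Ebs={VolumeSize=32,VolumeType=gp2}" \
      --query 'Instances[0].InstanceId' --output text)"
  aws ec2 wait instance-running --instance-ids "$instance_id"
  echo "$instance_id"
}

# Allocate an Elastic IP and bind it so the address survives stop/start.
associate_eip() {
  alloc_id="$(aws ec2 allocate-address --domain vpc \
              --query AllocationId --output text)"
  aws ec2 associate-address --instance-id "$1" \
      --allocation-id "$alloc_id" >/dev/null
  aws ec2 describe-addresses --allocation-ids "$alloc_id" \
      --query 'Addresses[0].PublicIp' --output text
}

# Only touch AWS when explicitly asked; otherwise the file just defines helpers.
if [ "${SFTPGW_APPLY:-0}" = "1" ]; then
  id="$(launch_instance)"
  echo "admin interface: https://$(associate_eip "$id")/"
fi
```

Run it as `SFTPGW_APPLY=1 KEY_NAME=mykey ADMIN_CIDR=203.0.113.0/24 bash launch.sh`. The printed address is the one you paste into the browser in the next section; until the admin password is reset, the web interface will only show the reset instructions.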
Reset the admin password
In order to use the web interface for managing users, you first have to reset the admin password.
- Paste the Elastic IP address into your web browser
- Click the link that says Click here to access your admin interface
- You will see a certificate warning, because the instance ships with a default self-signed certificate. Bypass it by clicking Advanced > Proceed to <IP address>
- You will see a page with instructions for resetting your admin password
You won't be able to log into the admin interface until you have reset the password via the command line.
- SSH into your EC2 instance
- Reset the admin password:
sudo resetadminpassword
- You'll be prompted to enter the new password, and to confirm it
- Refresh the web browser, and you should now be able to enter your admin password
Where to go from here
Right now, your EC2 instance has the permissions it needs to manage users, and upload files to your default S3 bucket.
Refresh your web browser, and try creating a user.
If you need access to additional S3 buckets, check out our documentation: Restrict S3 access on your IAM policy