AWS Transfer for SFTP setup using CloudFormation

Gert Leenders, Element7.io
Jul 10, 2019

AWS Transfer for SFTP is a fully managed service that enables the transfer of files directly into and out of Amazon S3 using the SSH File Transfer Protocol (SFTP). It's a simple but very helpful service. There's only one caveat: setting it up with CloudFormation. The documentation is on the AWS website, but it's incomplete, misleading and sometimes just wrong.

TL;DR

I have included a fully working CloudFormation example at the end of this article, so if you're in a hurry feel free to skip the next section and go straight to the code ;-)

In a nutshell: the most important remarks

AWS::Transfer::Server -> Custom Hostname

Setting a custom hostname is not a property of the AWS::Transfer::Server resource, so there's no direct support for it in CloudFormation. What the documentation doesn't tell you is that you're supposed to set it up with an AWS::Route53::RecordSet resource instead: a CNAME for your hostname that points at the endpoint AWS assigns to the server, which has the form <server-id>.server.transfer.<region>.amazonaws.com and can be built from the server's ServerId attribute and the AWS::Region pseudo parameter.

AWS::Transfer::User -> HomeDirectory.

From the documentation:

HomeDirectory: The landing directory (folder) for a user when they log in to the server using their SFTP client. An example is /home/username.

Could this be more misleading? The path is not a filesystem path inside the bucket; its first segment must be the S3 bucket name itself. This would be correct: /mybucketname/home/username.

AWS::Transfer::User -> SshPublicKeys

The documentation states the SshPublicKeys Type as List of SshPublicKey. What they mean is that the Type is just a List of Strings, each entry being one complete public key line (for example "ssh-rsa AAAA..."), not a list of nested objects.

AWS::Transfer::User -> Role & Policy

It's best to include both a Role and a scope-down Policy for your users. The Role is pretty straightforward: an IAM role that transfer.amazonaws.com can assume, with access to the bucket. The Policy, however, needs to be of type String, i.e. the JSON policy document serialized as a string, and it is what keeps each user inside their own home folder (the service substitutes variables such as ${transfer:UserName} in it at login time). Again, just having an example here explains everything ;-)

The Code

I hope this saves you some time from figuring out things yourselves!
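The CloudFormation embed that originally sat here is not part of the extracted page, so the template below is an added example written for this edit, not the author's own code. It puts the four remarks above into one stack: the Route 53 CNAME for the custom hostname, a HomeDirectory that starts with the bucket name, SshPublicKeys as a plain list of strings, and a scope-down Policy passed as a JSON string. The hosted zone, the hostname sftp.example.com, the user alice, the home/<user> folder layout and the bucket settings are assumptions; the public key is supplied as a parameter at deploy time.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: SFTP server, Route 53 hostname and one scoped-down user (added example)

Parameters:
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id   # assumption: a zone for example.com exists
  SftpHostname:
    Type: String
    Default: sftp.example.com            # placeholder hostname
  UserSshPublicKey:
    Type: String                         # full "ssh-rsa AAAA..." line, supplied at deploy time

Resources:
  SftpBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:    # SFTP users never need public objects
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  SftpServer:
    Type: AWS::Transfer::Server
    Properties:
      EndpointType: PUBLIC
      IdentityProviderType: SERVICE_MANAGED

  # Custom hostname: no server property exists for it, so publish a CNAME
  # for the hostname that points at the endpoint AWS assigns to the server.
  SftpHostnameRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref SftpHostname
      Type: CNAME
      TTL: "300"
      ResourceRecords:
        - !Sub "${SftpServer.ServerId}.server.transfer.${AWS::Region}.amazonaws.com"

  # Role the Transfer service assumes on behalf of the user. It may reach the
  # whole bucket; the per-user Policy below narrows that to one home folder.
  SftpUserRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: transfer.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: sftp-bucket-access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !GetAtt SftpBucket.Arn
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject, s3:DeleteObject]
                Resource: !Sub "${SftpBucket.Arn}/*"

  SftpUser:
    Type: AWS::Transfer::User
    Properties:
      ServerId: !GetAtt SftpServer.ServerId
      UserName: alice                    # placeholder user name
      Role: !GetAtt SftpUserRole.Arn
      # Landing directory starts with the bucket name, not with /home.
      HomeDirectory: !Sub "/${SftpBucket}/home/alice"
      # A plain list of strings, one complete public key per entry.
      SshPublicKeys:
        - !Ref UserSshPublicKey
      # Scope-down policy is a JSON string. ${!transfer:UserName} is the
      # Fn::Sub escape: it emits the literal ${transfer:UserName}, which the
      # Transfer service resolves to the logged-in user at session time.
      Policy: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "ListOwnHomeFolder",
              "Effect": "Allow",
              "Action": "s3:ListBucket",
              "Resource": "${SftpBucket.Arn}",
              "Condition": { "StringLike": { "s3:prefix": [
                "home/${!transfer:UserName}/*", "home/${!transfer:UserName}" ] } }
            },
            {
              "Sid": "ObjectsInOwnHomeFolder",
              "Effect": "Allow",
              "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
              "Resource": "${SftpBucket.Arn}/home/${!transfer:UserName}/*"
            }
          ]
        }
```

Deploy it with `aws cloudformation deploy --template-file sftp.yaml --stack-name sftp --capabilities CAPABILITY_IAM --parameter-overrides HostedZoneId=<zone id> UserSshPublicKey="$(cat ~/.ssh/id_rsa.pub)"`, then connect with `sftp alice@sftp.example.com` once the CNAME has propagated. Two things worth checking in your own template: the `${!...}` escape is required wherever a Transfer variable sits inside an `Fn::Sub` string, otherwise CloudFormation rejects the template because `transfer:UserName` is not a resource in the stack; and the Role alone grants every user the whole bucket, so a user without a Policy (or with a Policy that forgets the `s3:prefix` condition on `s3:ListBucket`) can browse into other users' home folders.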


AWS Cloud Solution Architect. Polyglot Developer: Go, Python & Java.. Loves the Outdoors, Modular Synths and Watches.