Initial Setup of SFTP Gateway | Thorn Technologies

Initial Setup of SFTP Gateway

In this section, you provision your SFTP Gateway instance. You can do this manually via the EC2 console, or using CloudFormation. Either way, you should end up with the following resources:

  • EC2 instance
  • S3 bucket
  • IAM role

Before you begin

Subscribe

You first need to subscribe to the SFTP Gateway product. Doing so allows your AWS account to use the SFTP Gateway AMI.

Click here to open the AWS Marketplace page for SFTP Gateway.

Click the Continue to Subscribe button.

continue<em>to</em>subscribe.png

Click the Accept Terms button.

accept_terms.png

Key Pair

A Key Pair allows you to SSH into the EC2 instance. You can create one within the AWS console by going to EC2 > Key Pairs

CloudFormation Setup

CloudFormation is the recommended setup approach. Download the latest CloudFormation template.

Within the AWS console, go to CloudFormation, click Create Stack, and upload the SFTP Gateway CloudFormation template. Then specify the following parameters:

  • DefaultBucket: Name the S3 bucket that want to use as your default bucket. If you leave this blank, SFTP Gateway uses a default name based on the EC2 instance ID (e.g. sftpgateway-i-12345abcde).
  • DiskVolumeSize: Specify the amount of hard disk storage to provision, in gigabytes.
  • EC2 type: You can start with a cheaper t2.micro for testing purposes. But you can change your instance type to an m4.large when you go live.
  • InputCIDR: Grants an IP address range access to port 22. Use 0.0.0.0/0 to allow all IP traffic. See below for details.
  • KeyPair: Select the Key Pair you created earlier from the drop-down list.
  • SubnetID: Select a public subnet. If you haven’t created any, you can just use the ones that come by default with each region.
  • VPCIdName: Select the VPC that the subnet belongs to.

InputCIDR

The InputCIDR field grants an IP address range access to your EC2 instance over port 22. This is used by a security group rule to help protect your EC2 instance from unwanted port scans.

As a security best practice, you should limit this to your own IP address (i.e. 12.34.56.78/32). The /32 at the end represents a range containing a single IP address. To get your local machine’s public IP address, see http://checkip.dyndns.org/.

Later on, you can add a whitelist of IP address ranges to your security group to grant SFTP clients access your instance. See this article for more details.

If you need to make your SFTP Gateway accessible to the general public, you can allow port 22 traffic from all IP addresses by using 0.0.0.0/0.

Manual Setup

Before you launch an EC2 instance, first create an IAM role with the AmazonS3FullAccess policy. This role gives you access to S3.

  1. Go to IAM > Roles > Create Role.
  2. Choose EC2 as the trusted entity
  3. Attach the AmazonS3FullAccess managed policy, or for more restrictive permissions see Restrict S3 Access

Now you can launch an instance of SFTP Gateway:

  1. Go to the SFTP Gateway Marketplace page.

  2. Click the Continue to Subscribe button. continue<em>to</em>subscribe.png

  3. If you have not accepted the license agreement, click the Accept Terms button.

  4. In the SFTP Gateway banner at the top of the page, click the Continue to Configuration button. continue<em>to</em>configure.png

  5. In the fulfillment option dropdown, select Amazon Machine Image. select<em>amazon</em>machine_image.png

  6. Select the Region you wish to deploy the image in. select_region.png

  7. In the SFTP Gateway banner at the top of the page, click the Continue to Launch button. continue<em>to</em>launch.png

  8. In the choose action dropdown, select Launch from Website or Launch through EC2.

    • If you select to Launch through EC2, it will open the EC2 console with the AMI pre-selected. You can then move on to configuring the EC2 instance.
    • If you select to Launch from Website, you will stay on same page and the EC2 configuration option will be display on that page.

      Note: If you choose to launch the EC2 instance from the website, there will be no identifying Name tag associated with the instance, it will have the default 32 GB EBS volume, and you will need to assign an IAM role.

  9. Configure the instance through the EC2 console:

    • Choose an Instance Type: Use t2.micro for testing, m4.large or better is recommended for Production. You can modify the instance class after the fact.
    • Configure Instance Details: Select the VPC, Subnet, and IAM role you created earlier
    • Add Storage: Set the volume type to GP2. Use a storage size appropriate for your needs. You can increase this later using these instructions.
    • Add Tags: You can assign a Key = Name and Value = Identifier to distinguish your EC2 instances from one another.
    • Configure Security Group: Allow Port 22 traffic from anywhere 0.0.0.0/0, which is fine for an SFTP server.

Finally, configure the S3 bucket using the sftpgatewaysetup command

  1. Log into the EC2 instance
  2. Run the command sudo sftpgatewaysetup. This is creates an S3 bucket, and the appropriate properties files needed by SFTP Gateway. This command is only necessary for manual setup.

Note: You can set the name of the default bucket using the --bucket parameter: sudo sftpgatewaysetup --bucket your-s3-bucket-name.

Where to go from here

Once you’re done setting up your EC2 instance, refer to this article to set up an SFTP user.