Creating Standard SFTP Users¶
Introduction¶
This document outlines the procedure for creating standard SFTP users for the AWS File Transfer SFTP Server. These users will have specific permissions and access levels to ensure secure file transfers while maintaining compliance with organisational policies.
Procedure¶
The procedure has two stages, one for Platform Support and one for the service platform engineer:
Platform Support¶
- Clone the Gitlab repo and create a branch.
- Create a new policy in the iam-policy-standard-users.tf file using the example below. Replace the bucket module reference (module.sftp_testing_bucket) and the test prefix with the user's bucket and home prefix:
```hcl
module "sftp_testing_user_iam_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
  version = "6.4.0"

  name        = "NHSBSA_SFTPTestingUserPolicy"
  path        = "/"
  description = "Policy for testing SFTP user"
  policy      = data.aws_iam_policy_document.sftp_testing_user.json
}

data "aws_iam_policy_document" "sftp_testing_user" {
  # Listing is limited to the user's home prefix via the s3:prefix condition.
  statement {
    sid    = "ListHomeBucket"
    effect = "Allow"
    actions = [
      "s3:ListBucket"
    ]
    resources = [
      module.sftp_testing_bucket.s3_bucket_arn
    ]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["test/*"]
    }
  }

  # Object access is limited to the home prefix and everything beneath it.
  statement {
    sid    = "ObjectAccessHomeBucket"
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
      "s3:AbortMultipartUpload"
    ]
    resources = [
      "${module.sftp_testing_bucket.s3_bucket_arn}/test",
      "${module.sftp_testing_bucket.s3_bucket_arn}/test/*"
    ]
  }

  statement {
    sid    = "CloudWatchLogs"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogStreams"
    ]
    resources = ["*"]
  }
}
```
- Create a role that utilises the policy from step 2, as per the example below:
```hcl
module "sftp_testing_user_iam_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role"
  version = "6.4.0"

  name            = "NHSBSA_SFTPTestingUserRole"
  use_name_prefix = false

  # Only the Transfer Family service may assume this role.
  trust_policy_permissions = {
    TrustTransferFamilyToAssume = {
      actions = [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
      principals = [
        {
          type        = "Service"
          identifiers = ["transfer.amazonaws.com"]
        }
      ]
    }
  }

  policies = {
    sftp_testing_user = module.sftp_testing_user_iam_policy.arn
  }
}
```
- Create a new block in the resource "aws_secretsmanager_secret_version" "ft_sftp_users" for the new user as per the below example:
```hcl
"sftp-test-user" = {
  auth_mode    = "key_only"
  public_keys  = [local.operations_ssh["operations"]]
  role         = module.sftp_testing_user_iam_role.arn
  target_path  = "/${module.sftp_testing_bucket.s3_bucket_id}/test"
  use_workflow = false
}
```
There are the following options for auth_mode:
| auth_mode value | Description |
|---|---|
| password_or_key | Password OR SSH key (default) |
| password_only | Password only |
| key_only | SSH key only |
| password_and_key | Requires both password + SSH key |
If the chosen auth_mode includes a password (password_or_key, password_only or password_and_key), the secret block must also include a password field. Pull that value from Secrets Manager rather than committing it to the repo.
- Push your branch back into the repo and the pipeline should run. If all looks well after the pipeline has run, merge the branch into main and run the deploy job at the end of the pipeline.
Service Platform Engineer¶
- The service platform engineer will need to add the following policy to their S3 bucket. The principal is the user role created above, referenced by its full role ARN (the role/ segment after the account ID is required, otherwise the policy is rejected):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketPolicyForTransferFamily",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${var.sftp_accounts[terraform.workspace]}:role/NHSBSA_SFTPTestingUserRole"
      },
      "Action": [
        "s3:PutObject*",
        "s3:GetObject*",
        "s3:DeleteObject*",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name-here",
        "arn:aws:s3:::bucket-name-here/*"
      ]
    }
  ]
}
```
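Before merging, it is worth checking that the two policy documents (the user's role policy from the Platform Support steps and the bucket policy above) really confine the user to its home prefix. The script below is an added example, not code from the SFTP repo: it reads rendered IAM policy JSON (what Terraform produces from the HCL above, or a bucket policy pasted from the service team's repo) and reports anything that would let the user list or write outside its prefix, or a bucket-policy principal that is not a role ARN. The bucket ARN, account ID and sample documents are constructed placeholders; the role name is the page's.

```python
"""Offline least-privilege check for a Transfer Family user's policies.
Added example; the bucket ARN, account ID and sample documents are constructed."""
import re

# Object-level actions that must stay inside the user's home prefix.
S3_OBJECT_ACTIONS = ("s3:getobject", "s3:putobject",
                     "s3:deleteobject", "s3:abortmultipartupload")
# A bucket-policy principal for a Transfer Family user must be a role ARN,
# which needs the "role/" segment after the account ID.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' is a wildcard."""
    rx = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(rx, action.lower()) is not None


def check_user_policy(doc, bucket_arn, home_prefix):
    """Findings for the identity policy attached to the user's role."""
    findings = []
    allowed = {f"{bucket_arn}/{home_prefix}", f"{bucket_arn}/{home_prefix}/*"}
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        # Object access: every resource must be the home prefix or below it.
        if any(_matches(a, o) for a in actions for o in S3_OBJECT_ACTIONS):
            findings += [f"{sid}: object access outside home prefix: {r}"
                         for r in resources if r not in allowed]
        # Listing: must target the home bucket and carry an s3:prefix condition.
        if any(_matches(a, "s3:listbucket") for a in actions):
            if resources != [bucket_arn]:
                findings.append(f"{sid}: ListBucket resource is not the home bucket: {resources}")
            prefixes = [p for op, kv in st.get("Condition", {}).items()
                        if op.lower().startswith("string")
                        for k, v in kv.items() if k.lower() == "s3:prefix"
                        for p in _as_list(v)]
            if not prefixes:
                findings.append(f"{sid}: ListBucket has no s3:prefix condition")
            elif any(not p.startswith(home_prefix) for p in prefixes):
                findings.append(f"{sid}: s3:prefix escapes home prefix: {prefixes}")
    return findings


def check_bucket_policy(doc, role_name):
    """Findings for the bucket policy the service team attaches for the role."""
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append(f"{sid}: principal '*' opens the bucket to any AWS identity")
            elif not ROLE_ARN.match(arn):
                findings.append(f"{sid}: principal is not a role ARN (missing 'role/'?): {arn}")
            elif not arn.endswith(f":role/{role_name}"):
                findings.append(f"{sid}: principal is not the expected role {role_name}: {arn}")
    return findings


BUCKET = "arn:aws:s3:::example-sftp-bucket"  # constructed placeholder
ACCOUNT = "123456789012"                      # constructed placeholder
ROLE = "NHSBSA_SFTPTestingUserRole"

# Rendered form of the page's user policy (constructed to mirror it).
USER_POLICY_OK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListHomeBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": [BUCKET], "Condition": {"StringLike": {"s3:prefix": ["test/*"]}}},
    {"Sid": "ObjectAccessHomeBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
     "Resource": [f"{BUCKET}/test", f"{BUCKET}/test/*"]},
    {"Sid": "CloudWatchLogs", "Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"], "Resource": ["*"]}]}

# A tempting "simplification" that lets the user list and write the whole bucket.
USER_POLICY_BAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "List", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Sid": "Objects", "Effect": "Allow", "Action": "s3:*Object*", "Resource": f"{BUCKET}/*"}]}

# Bucket policy whose principal was written without the "role/" segment, and the fix.
BUCKET_POLICY_BAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BucketPolicyForTransferFamily", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:{ROLE}"},
     "Action": ["s3:GetObject*", "s3:ListBucket"], "Resource": [BUCKET, f"{BUCKET}/*"]}]}
BUCKET_POLICY_OK = {"Version": "2012-10-17", "Statement": [
    {**BUCKET_POLICY_BAD["Statement"][0],
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/{ROLE}"}}]}

if __name__ == "__main__":
    print(check_user_policy(USER_POLICY_OK, BUCKET, "test"))   # []
    print(check_user_policy(USER_POLICY_BAD, BUCKET, "test"))  # two findings
    print(check_bucket_policy(BUCKET_POLICY_BAD, ROLE))        # one finding: missing role/
    print(check_bucket_policy(BUCKET_POLICY_OK, ROLE))         # []
```

Run it against the JSON from `terraform show -json` or the rendered bucket policy before raising the merge request; a non-empty list for the page's own policy means the bucket or prefix was not substituted consistently across the policy and the secret's target_path.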
- They will also need to add the following to their variables.tf file: