I want my AWS Transfer Family server in account A to access an Amazon Simple Storage Service (Amazon S3) bucket in another account, that is, account B. I want to set up my server with cross-account access to the bucket.
Short description
Follow these steps:
- Create an AWS Identity and Access Management (IAM) role in account A with access to the bucket.
- Update the bucket policy in account B to grant cross-account access to the IAM role in account A.
- Create a Transfer Family server user that's configured with the IAM role in account A.
- Verify that your Transfer Family server user in account A can access the S3 bucket in account B.
- (Optional) Set S3 Object Ownership to bucket owner preferred in account B.
Note: The AWS Transfer Family console shows only the Amazon S3 buckets in the same account. To use your Transfer Family server with a bucket in another account, you must use the AWS Command Line Interface (AWS CLI) or an AWS SDK.
Resolution
Create an IAM role in account A with access to the bucket
Create an IAM role for your server users. The role's trust policy must allow the Transfer Family service principal (transfer.amazonaws.com) to assume the role. For the role's permissions policy, use the following:
Note: Replace destination-DOC-EXAMPLE-BUCKET with the name of the S3 bucket that you want your server to access.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListingBucketReadandWriteandDelete",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET/*",
"arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET"
]
}
]
}
Note: Transfer Family requires the s3:PutObjectAcl permission for cross-account S3 uploads. Grant it in both the role's policy and the bucket policy.
After you create the IAM role, get the role's ID by running the get-role command, similar to the following:
$ aws iam get-role --role-name "ROLE_NAME"
The role ID is the RoleId field in the output and begins with AROA. You need it for the next step.
Update the bucket policy in account B to grant cross-account access to the IAM role in account A
Modify the destination bucket's policy to grant access to the IAM role that you created. You can use a bucket policy similar to the following:
Note: Replace arn:aws:iam::123456789012:root with the Amazon Resource Name (ARN) of the account that your server belongs to. Replace destination-DOC-EXAMPLE-BUCKET with the name of the bucket. Replace AROA1234567890 with the role ID of the IAM role that you created.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BucketPolicyForTransferFamily",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET",
"arn:aws:s3:::destination-DOC-EXAMPLE-BUCKET/*"
],
"Condition": {
"StringLike": {
"aws:userId": "AROA1234567890:*"
}
}
}
]
}
The Condition element in this example policy is optional. Include it to grant bucket access only to sessions of the role that you specify: when a role is assumed, aws:userId is the role's unique ID followed by a colon and the session name, which is why the pattern ends in ":*". If you remove the Condition, the bucket policy delegates access to every IAM role and user in account A whose own identity policy also allows these actions.
Create a Transfer Family server user configured with the IAM role in account A
1. Generate SSH keys for your Transfer Family server.
2. Get the server ID of your server.
3. Run the create-user command using the AWS CLI. For --server-id, enter the ID of your server. For --role, enter the ARN of the IAM role that you created. For --ssh-public-key-body, enter the contents of the .pub file that you generated when you created SSH keys.
$ aws transfer create-user --user-name "MY_SERVER_USER_NAME" --server-id "MY_SERVER_ID" --role "MY_IAM_ROLE_ARN" --home-directory "/destination-DOC-EXAMPLE-BUCKET/MY_SERVER_USER_NAME" --ssh-public-key-body "CONTENTS_OF_MY_SSH_.PUB_FILE"
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
The command returns the server ID and the user that you created:
{
"ServerId": "MY_SERVER_ID",
"UserName": "MY_SERVER_USER_NAME"
}
Important: To limit the server user's access to only its home directory, create a session policy (previously called a scope-down policy) in IAM. Then, edit the server user's properties to apply the session policy that you created.
Verify that your Transfer Family server user in account A can access the bucket in account B
1. Connect to your server as the user that you created. For example, this OpenSSH command connects to an SFTP server:
$ sftp -i myserveruser MY_SERVER_USER_NAME@MY_SERVER_ID.server.transfer.us-east-1.amazonaws.com
2. As a test, list the user's home directory. If you're using OpenSSH, run this command at the sftp> prompt:
$ ls
If the command succeeds (the listing can be empty for a new home directory), then your server user has cross-account access to the bucket. A "Permission denied" error means that either the role's policy or the bucket policy doesn't allow the request.
(Optional) Set S3 Object Ownership to bucket owner preferred in account B
By default, an Amazon S3 object is owned by the AWS account that uploaded the object. This means that objects uploaded to the destination bucket are owned by the Transfer Family server's account (account A) by default.
To have the destination account (account B) automatically own objects from cross-account uploads, set the destination bucket's S3 Object Ownership to bucket owner preferred. After you do this, all new objects uploaded through the AWS Transfer Family server are owned by the destination bucket's account. If the bucket already uses the bucket owner enforced setting (ACLs disabled, the default for new buckets), the bucket owner already owns every object and this step isn't needed.
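The following script is an added example that strings the whole procedure above together with the AWS CLI; it is not part of the original article. It assumes two CLI profiles, acct-a (the account that owns the Transfer Family server) and acct-b (the account that owns the bucket), and the role name, server ID, user name and key path are placeholders. It also adds the role's trust policy, which the procedure relies on but does not show, and uses batch-mode sftp so the verification step has a usable exit status.

```shell
#!/bin/sh
# Added example, not from the original article. Placeholders below are
# assumptions; override them in the environment before running with --apply.
set -eu

ACCOUNT_A_PROFILE="${ACCOUNT_A_PROFILE:-acct-a}"            # server account
ACCOUNT_B_PROFILE="${ACCOUNT_B_PROFILE:-acct-b}"            # bucket account
ROLE_NAME="${ROLE_NAME:-TransferFamilyCrossAccountRole}"
BUCKET="${BUCKET:-destination-DOC-EXAMPLE-BUCKET}"
SERVER_ID="${SERVER_ID:-s-1234567890abcdef0}"               # hypothetical
USER_NAME="${USER_NAME:-sftp-user}"
PUBKEY_FILE="${PUBKEY_FILE:-transfer_user.pub}"

# Trust policy: only the Transfer Family service may assume the role.
trust_policy() {
  cat <<EOF
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Principal": {"Service": "transfer.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
EOF
}

# Permissions policy for the role: the same actions as the article's policy.
role_policy() {
  bucket="$1"
  cat <<EOF
{"Version": "2012-10-17", "Statement": [{"Sid": "AllowListingBucketReadandWriteandDelete",
 "Effect": "Allow",
 "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObjectVersion",
            "s3:DeleteObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:GetBucketLocation"],
 "Resource": ["arn:aws:s3:::${bucket}/*", "arn:aws:s3:::${bucket}"]}]}
EOF
}

# Bucket policy for account B: delegates to account A, then narrows to one role
# by matching the session identity "ROLEID:session-name".
bucket_policy() {
  account_a_id="$1"; bucket="$2"; role_id="$3"
  cat <<EOF
{"Version": "2012-10-17", "Statement": [{"Sid": "BucketPolicyForTransferFamily",
 "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::${account_a_id}:root"},
 "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObjectVersion",
            "s3:DeleteObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:GetBucketLocation"],
 "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"],
 "Condition": {"StringLike": {"aws:userId": "${role_id}:*"}}}]}
EOF
}

apply() {
  # create-role fails if the role already exists; reuse it in that case.
  aws iam create-role --profile "$ACCOUNT_A_PROFILE" --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" >/dev/null
  aws iam put-role-policy --profile "$ACCOUNT_A_PROFILE" --role-name "$ROLE_NAME" \
    --policy-name AllowListingBucketReadandWriteandDelete \
    --policy-document "$(role_policy "$BUCKET")"
  role_arn=$(aws iam get-role --profile "$ACCOUNT_A_PROFILE" --role-name "$ROLE_NAME" \
    --query Role.Arn --output text)
  role_id=$(aws iam get-role --profile "$ACCOUNT_A_PROFILE" --role-name "$ROLE_NAME" \
    --query Role.RoleId --output text)
  account_a_id=$(aws sts get-caller-identity --profile "$ACCOUNT_A_PROFILE" \
    --query Account --output text)
  aws s3api put-bucket-policy --profile "$ACCOUNT_B_PROFILE" --bucket "$BUCKET" \
    --policy "$(bucket_policy "$account_a_id" "$BUCKET" "$role_id")"
  # Optional step: let account B own cross-account uploads.
  aws s3api put-bucket-ownership-controls --profile "$ACCOUNT_B_PROFILE" --bucket "$BUCKET" \
    --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerPreferred}]'
  aws transfer create-user --profile "$ACCOUNT_A_PROFILE" --server-id "$SERVER_ID" \
    --user-name "$USER_NAME" --role "$role_arn" \
    --home-directory "/$BUCKET/$USER_NAME" \
    --ssh-public-key-body "$(cat "$PUBKEY_FILE")"
}

# Verification: batch-mode sftp exits non-zero if the login or the ls fails.
verify() {
  region="$1"; key="$2"
  printf 'ls\n' | sftp -b - -i "$key" \
    "$USER_NAME@$SERVER_ID.server.transfer.$region.amazonaws.com"
}

case "${1:-}" in
  --apply)  apply ;;
  --verify) verify "${2:-us-east-1}" "${PUBKEY_FILE%.pub}" ;;
  *)        : ;;   # no flag: only define the functions (safe to source)
esac
```

Run it with --apply using credentials for both profiles, then --verify with the server's Region. The JSON-generating functions are separated from the calls so the policies can be reviewed (or diffed against an existing bucket policy) before anything is changed.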
Related information
CreateUser (AWS Transfer Family User Guide)
Add a user (AWS Transfer Family User Guide)
How Amazon S3 authorizes a request