AWS Transfer Family Access

This page shows how to write Terraform and CloudFormation for AWS Transfer Family Access, and how to write them securely.

aws_transfer_access (Terraform)

The Access in AWS Transfer Family can be configured in Terraform with the resource name aws_transfer_access. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • external_id - (Required) The SID of a group in the directory connected to the Transfer Server (e.g., S-1-1-12-1234567890-123456789-1234567890-1234)
  • server_id - (Required) The Server ID of the Transfer Server (e.g., s-12345678)
  • home_directory - (Optional) The landing directory (folder) for a user when they log in to the server using their SFTP client. It should begin with a /. The first item in the path is the name of the home bucket (accessible as ${Transfer:HomeBucket} in the policy) and the rest is the home directory (accessible as ${Transfer:HomeDirectory} in the policy). For example, /example-bucket-1234/username would set the home bucket to example-bucket-1234 and the home directory to username.
  • home_directory_mappings - (Optional) Logical directory mappings that specify what S3 paths and keys should be visible to your user and how you want to make them visible. See Home Directory Mappings below.
  • home_directory_type - (Optional) The type of landing directory (folder) you mapped for your users' home directory. Valid values are PATH and LOGICAL.
  • policy - (Optional) An IAM JSON policy document that scopes down user access to portions of their Amazon S3 bucket. IAM variables you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}. Since the IAM variable syntax matches Terraform's interpolation syntax, they must be escaped inside Terraform configuration strings ($${Transfer:UserName}). These are evaluated on-the-fly when navigating the bucket.
  • posix_profile - (Optional) Specifies the full POSIX identity, including user ID (Uid), group ID (Gid), and any secondary groups IDs (SecondaryGids), that controls your users' access to your Amazon EFS file systems. See Posix Profile below.
  • role - (Required) Amazon Resource Name (ARN) of an IAM role that allows the service to control your user's access to your Amazon S3 bucket.

Home Directory Mappings

  • entry - (Required) The path the user sees in their SFTP client, relative to the logical root (for example, /).
  • target - (Required) The real S3 or EFS path that entry maps onto, beginning with the bucket name or file system ID (for example, /example-bucket-1234/home/username).

Posix Profile

  • gid - (Required) The POSIX group ID used for all EFS operations by this user.
  • uid - (Required) The POSIX user ID used for all EFS operations by this user.
  • secondary_gids - (Optional) The secondary POSIX group IDs used for all EFS operations by this user.

In addition to all arguments above, the following attributes are exported:

  • id - The ID of the resource
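The following is an added example, not code from the original page or from the Terraform registry, showing how the parameters above fit together securely: an aws_transfer_access entry for one directory group, the IAM role it assumes (with a trust policy restricted to Transfer Family in this account), and a scope-down session policy that limits each session to its own home directory. The bucket name, the group SID, the server resource aws_transfer_server.sftp and the account/region lookups are assumed placeholders. ${Transfer:HomeFolder} is taken from the session-policy example in the AWS Transfer Family documentation rather than from this page, and the expansion of ${Transfer:HomeDirectory} (bucket/path, no leading slash) follows that same example.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  bucket    = "example-transfer-bucket-1234"                  # assumed bucket name
  group_sid = "S-1-1-12-1234567890-123456789-1234567890-1234" # assumed AD group SID
}

# Trust policy: only Transfer Family, acting for a resource in this account and
# region, may assume the role (cross-service confused-deputy conditions).
data "aws_iam_policy_document" "transfer_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["transfer.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      # Tighten to the exact server/user ARN once it exists.
      values   = ["arn:aws:transfer:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }
  }
}

resource "aws_iam_role" "transfer_s3" {
  name               = "transfer-s3-access"
  assume_role_policy = data.aws_iam_policy_document.transfer_assume.json
}

# Role permissions stay bucket-wide: one role is shared by every access entry
# that references it. Per-session narrowing is the session policy's job, below.
data "aws_iam_policy_document" "transfer_s3" {
  statement {
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${local.bucket}"]
  }
  statement {
    actions = [
      "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
      "s3:DeleteObject", "s3:DeleteObjectVersion",
    ]
    resources = ["arn:aws:s3:::${local.bucket}/*"]
  }
}

resource "aws_iam_role_policy" "transfer_s3" {
  name   = "transfer-s3-access"
  role   = aws_iam_role.transfer_s3.id
  policy = data.aws_iam_policy_document.transfer_s3.json
}

resource "aws_transfer_access" "finance" {
  server_id   = aws_transfer_server.sftp.id # assumed: server with a directory identity provider
  external_id = local.group_sid
  role        = aws_iam_role.transfer_s3.arn

  # Where members of the group land. This is a landing point, not an access control.
  home_directory_type = "PATH"
  home_directory      = "/${local.bucket}/finance"

  # Session policy, evaluated per login with the Transfer variables filled in.
  # "$${" stops Terraform interpolating, so the JSON contains the literal "${".
  # For home_directory "/<bucket>/finance" the AWS session-policy example gives:
  # HomeBucket = "<bucket>", HomeFolder = "finance", HomeDirectory = "<bucket>/finance".
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "AllowListingOfHomeFolder"
        Effect   = "Allow"
        Action   = "s3:ListBucket"
        Resource = "arn:aws:s3:::$${Transfer:HomeBucket}"
        Condition = {
          StringLike = { "s3:prefix" = ["$${Transfer:HomeFolder}/*", "$${Transfer:HomeFolder}"] }
        }
      },
      {
        Sid    = "HomeDirObjectAccess"
        Effect = "Allow"
        Action = [
          "s3:GetObject", "s3:GetObjectVersion", "s3:PutObject",
          "s3:DeleteObject", "s3:DeleteObjectVersion",
        ]
        Resource = "arn:aws:s3:::$${Transfer:HomeDirectory}*"
      },
    ]
  })
}
```

The point worth checking in any review of such a configuration is the policy argument: home_directory only decides where the client lands, and the role is shared by every access entry (and every user) that names it. Leave policy out and any group pointed at the role can list, read and delete every object in the bucket from an SFTP client by walking up the path. The $${...} escaping matters for the same reason: an unescaped ${Transfer:HomeBucket} is a Terraform interpolation error, not a silently wider policy, but a policy built by string templating elsewhere can end up with an empty expansion and a Resource of arn:aws:s3:::* if the variable is mangled.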

Explanation in Terraform Registry

Provides an AWS Transfer Access resource.
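For the Amazon EFS case that posix_profile covers, here is an added example (again not code from the original page or from the Terraform registry) of the same kind of access entry with an EFS backend, where per-user authorization comes from the POSIX identity and the file system's mode bits rather than from an S3 session policy. The role name transfer-efs-access (assumed to exist already with a trust policy that allows transfer.amazonaws.com), the server resource aws_transfer_server.sftp, the group SID and the numeric IDs are assumed placeholders.

```hcl
resource "aws_efs_file_system" "transfer" {
  encrypted = true
}

# Assumed: an existing role whose trust policy allows transfer.amazonaws.com.
data "aws_iam_role" "transfer_efs" {
  name = "transfer-efs-access"
}

# ClientMount grants read and ClientWrite grants write on the file system.
# ClientRootAccess is left out on purpose: without it a session cannot act as
# root on the file system, so the uid/gid in posix_profile are what EFS enforces.
data "aws_iam_policy_document" "transfer_efs" {
  statement {
    actions   = ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"]
    resources = [aws_efs_file_system.transfer.arn]
  }
}

resource "aws_iam_role_policy" "transfer_efs" {
  name   = "transfer-efs-client"
  role   = data.aws_iam_role.transfer_efs.id
  policy = data.aws_iam_policy_document.transfer_efs.json
}

resource "aws_transfer_access" "finance_efs" {
  server_id   = aws_transfer_server.sftp.id                     # assumed server
  external_id = "S-1-1-12-1234567890-123456789-1234567890-1234" # assumed group SID
  role        = data.aws_iam_role.transfer_efs.arn

  # For EFS the path starts with the file system ID instead of a bucket name.
  home_directory_type = "PATH"
  home_directory      = "/${aws_efs_file_system.transfer.id}/finance"

  # Every session from this group runs as uid 1001 / gid 1001 with 2001 as a
  # supplementary group; the mode bits and ownership of /finance on the file
  # system (for example 0770 owned by 1001:1001) decide what it may read or write.
  # No policy argument: the session policy described above scopes S3 access only.
  posix_profile {
    uid            = 1001
    gid            = 1001
    secondary_gids = [2001]
  }
}
```

Because every member of the group shares one uid and gid, separating users from each other on EFS needs one access entry (or user) per distinct POSIX identity; a single group entry gives the whole group the same view of the directory tree.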

AWS::Transfer::User (CloudFormation)

The User in Transfer can be configured in CloudFormation with the resource name AWS::Transfer::User. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

transfer.yml#L63
    Type: AWS::Transfer::User
    Properties:
      UserName: !Ref UserName
      HomeDirectory: '/s3-iepro/amanda'
      Role: !GetAtt SftpAccessRole.Arn
      ServerId: !GetAtt SftpServer.ServerId
SFTP-S3-UserCreation.yml#L33
    Type: AWS::Transfer::User
    Properties:
      ServerId: !Ref SFTPServerId
      UserName: !Ref 'SFTPUserName'
      HomeDirectory: !Ref 'HomeDirectory'
      Policy: >
template-basic.yml#L27
    Type: AWS::Transfer::User
    Properties:
      Role: !GetAtt UserRole.Arn
      ServerId: !GetAtt Server.ServerId
      UserName: dummyuser
      SshPublicKeys:
IaC.yml#L21
        Type: AWS::Transfer::User
        Properties:
          HomeDirectory: /sftp-realblocks
          Role: !Sub "arn:aws:iam::${AWS::AccountId}:role/Transfer-S3"
          ServerId: !GetAtt SftpServer.ServerId
          SshPublicKeys:
sftp_user.yml#L18
    Type: AWS::Transfer::User
    Properties:
      UserName: !Ref UserName
      HomeDirectory: !Ref HomeDirectory
      Role: !Ref Role
      ServerId: !Ref ServerId
transfer-sftp-template.json#L67
      "Type": "AWS::Transfer::User",
      "Properties": {
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryMappings": [
          {
            "Entry": "/",
TransferUserSpecification.json#L3
    "AWS::Transfer::User.HomeDirectoryMapEntry": {
      "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-user-homedirectorymapentry.html",
      "Properties": {
        "Entry": {
          "Required": true,
          "Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-user-homedirectorymapentry.html#cfn-transfer-user-homedirectorymapentry-entry",
template.json#L2539
    "AWS::Transfer::User": {
      "Type": "AWS::Transfer::User",
      "Properties": {}
    },
    "AWS::EventSchemas::Schema": {
      "Type": "AWS::EventSchemas::Schema",
cloudFormationSftp.json#L252
    "Type": "AWS::Transfer::User",
    "Properties": {
      "HomeDirectoryMappings": [
        {
          "Entry": {
            "Ref": "SftepServerEntryFiles"
sftp-user.json#L210
            "Type": "AWS::Transfer::User",
            "Properties": {
                "HomeDirectory": {
                    "Fn::Sub": "/${SftpBucket}/${RemoteUserName}"
                },
                "Role": {

Parameters

Explanation in CloudFormation Registry

The AWS::Transfer::User resource creates a user and associates them with an existing server. You can only create and associate users with servers that have the IdentityProviderType set to SERVICE_MANAGED. Using parameters for CreateUser, you can specify the user name, set the home directory, store the user's public key, and assign the user's AWS Identity and Access Management (IAM) role. You can also optionally add a session policy, and assign metadata with tags that can be used to group and search for users.

Frequently asked questions

What is AWS Transfer Family Access?

AWS Transfer Family Access is a resource for Transfer Family of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Transfer Family Access?

For CloudFormation, the mandalvesq/iac, pavantocemca40/DevOps and agibalov/aws-experiment source code examples are useful. See the CloudFormation Example section for further details.