
Building an AWS Transfer Family service

Specifically created to use a VPC Endpoint

Simon Bulmer
2 min read · Feb 25, 2021


So recently I had to undertake the building of a new SFTP service to allow users access to several S3 buckets in an AWS account. In the past, we have used the AWS Transfer Family service to do this but left the default settings, which created a publicly available endpoint.

When you create a service straight out of the box, so to speak, AWS assigns a serverId to the endpoint, and the remaining part of the endpoint hostname is .server.transfer.<regionId>.amazonaws.com. This endpoint is publicly available and protected by a username and a public/private key pair.

The other two options available when creating the service are VPC and VPC Endpoint. We decided to use VPC Endpoint, although with a little more research the VPC option is also a good choice. Another article, maybe?

The repo above contains the modules required to build out a working SFTP service with some minor tweaks, assuming you have a working VPC and S3 bucket.

The modules are written to provide the following:

  • Single / Multiple users
  • Read-Only access (by default) unless specified
  • IAM policy created by variables entered
  • The creation of the public/private SSH keys
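
As an added illustration of what such modules build (this is example Terraform written for this article, not the code from the repo), the configuration below wires the four features above together: a server whose only entry point is a VPC interface endpoint, a per-user IAM role whose S3 access is read-only unless `read_only = false`, a user confined to its own prefix, and a generated SSH key pair. It assumes the S3 bucket and the VPC interface endpoint for the Transfer service already exist and are passed in as variables.

```hcl
variable "bucket" { type = string }
variable "user_name" { type = string }
variable "vpc_endpoint_id" { type = string } # interface endpoint for the Transfer service, created separately
variable "read_only" { default = true }
resource "aws_transfer_server" "sftp" {
  identity_provider_type = "SERVICE_MANAGED"
  protocols              = ["SFTP"]
  endpoint_type          = "VPC_ENDPOINT" # no public hostname is created
  endpoint_details {
    vpc_endpoint_id = var.vpc_endpoint_id
  }
}
# Role that Transfer assumes on the user's behalf when it touches S3.
resource "aws_iam_role" "user" {
  name = "sftp-${var.user_name}"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
      Principal = { Service = "transfer.amazonaws.com" } }]
  })
}
# Read-only by default; write actions appear only when read_only = false.
locals {
  object_actions = var.read_only ? ["s3:GetObject"] : ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
}
resource "aws_iam_role_policy" "access" {
  role = aws_iam_role.user.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = "s3:ListBucket", Resource = "arn:aws:s3:::${var.bucket}",
        Condition = { StringLike = { "s3:prefix" = [var.user_name, "${var.user_name}/*"] } } },
      { Effect = "Allow", Action = local.object_actions,
        Resource = "arn:aws:s3:::${var.bucket}/${var.user_name}/*" }
    ]
  })
}
# Key pair generated by Terraform (hashicorp/tls); the private key lands in state, so protect the backend.
resource "tls_private_key" "user" { algorithm = "RSA" }
resource "aws_transfer_user" "user" {
  server_id      = aws_transfer_server.sftp.id
  user_name      = var.user_name
  role           = aws_iam_role.user.arn
  home_directory = "/${var.bucket}/${var.user_name}"
}
resource "aws_transfer_ssh_key" "user" {
  server_id = aws_transfer_server.sftp.id
  user_name = aws_transfer_user.user.user_name
  body      = tls_private_key.user.public_key_openssh
}
```

For a server with the VPC option instead, only the `aws_transfer_server` block changes (it takes the VPC, subnets and security groups directly); the IAM, user and key resources stay the same.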

Pull the code from the repo, make alterations as required and let me know if it was useful. The Terraform provided is working fine for my purpose at this time and although it isn’t perfect, it is usable.

Please note that the VPC Endpoint option will only be available until March 31st 2021. After this time you will not be able to build new services with this feature.
