
Setting up an SFTP Access to Amazon S3

Note that WinSCP supports direct access to S3 storage.

If you need to access or manage files stored in an Amazon S3 (Simple Storage Service) bucket via SFTP, there are two options. You can use a native managed SFTP service recently added by Amazon (which is easier to set up). Or you can mount the bucket to a file system on a Linux server and access the files over SFTP like any other files on the server (which gives you greater control).


Managed SFTP Service

Creating Managed SFTP Server

  • To create a managed SFTP server for S3, go to AWS Transfer for SFTP in your Amazon AWS Console and create a new server (you can keep the server options at their defaults to start with).
  • On the SFTP server page, add a new SFTP user (or users).
    • User permissions are governed by an associated AWS role in the IAM service. To create a role that has full access to all your S3 buckets, just create an S3 service role with the AmazonS3FullAccess policy.
      The role must have a trust relationship to transfer.amazonaws.com. On the role page, select the Trust relationships tab, click the Edit trust relationship button, and in the access control policy JSON document, change the Statement[].Principal.Service value to transfer.amazonaws.com [1]:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
    • Generate a key pair for your new user and paste the public key into the SSH public keys box (use the format you would otherwise use for the OpenSSH authorized_keys file).

Connecting to Managed SFTP Server

You can connect to the managed SFTP server as to any other SFTP server.


The host name of the server can be found on the server page as Endpoint, in the format server_id.server.transfer.region.amazonaws.com.

Mounting Bucket to Linux Server

This guide shows how to mount the S3 bucket to an Amazon EC2 server using the s3fs file system and access it using WinSCP.

Creating Access Server

If you do not have a Linux server available for the mounting, launch a new Amazon EC2 server.

A basic Amazon Linux AMI (free tier eligible) server will generally suffice and the following instructions are tested on this distribution. Instructions for other distributions may differ.

Installing s3fs

Start by installing s3fs file system.

Mounting S3 Bucket to File System

  • Switch to root:
    sudo su
  • Store the security credentials that will be used to access the S3 bucket in /etc/passwd-s3fs:
    echo <access-key-id>:<secret-access-key> > /etc/passwd-s3fs
    chmod 600 /etc/passwd-s3fs
    (Replace the <access-key-id> and <secret-access-key> with the actual values)
  • Create mount point (example):
    mkdir /mnt/<bucket>
  • Add entry to fstab to mount the bucket:
    echo s3fs#<bucket> /mnt/<bucket> fuse _netdev,rw,nosuid,nodev,allow_other,nonempty 0 0 >> /etc/fstab
    (Replace the leading <bucket> with your bucket name and the /mnt/<bucket> with the mount point)
  • Mount the bucket:
    mount -a
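
The credential and fstab steps above, as an added example that is not part of the original guide: the credentials file is created with mode 600 from the start (with the usual umask of 022, `echo ... > /etc/passwd-s3fs` leaves it world-readable until `chmod` runs), the secret is read from standard input instead of the command line, and the fstab entry is appended only once. The function names are hypothetical; the paths and mount options are the ones used in the guide.

```shell
#!/bin/sh
# Added example: hardened variant of the guide's credential and fstab steps.
# Function names are hypothetical; run the functions as root on the server.

# write_s3fs_creds FILE
# Reads one line "<access-key-id>:<secret-access-key>" from standard input and
# stores it in FILE. The secret never appears on a command line.
write_s3fs_creds() {
    creds_file=$1
    IFS= read -r line || [ -n "$line" ] || return 1
    case $line in
        ?*:?*) ;;   # looks like <id>:<secret>
        *) echo "expected <access-key-id>:<secret-access-key>" >&2; return 1 ;;
    esac
    (
        umask 077   # a newly created file gets mode 600, with no readable window
        printf '%s\n' "$line" > "$creds_file"
    ) || return 1
    chmod 600 "$creds_file"   # tightens a file that already existed with a wider mode
}

# check_s3fs_creds FILE
# Succeeds only if FILE is a regular file readable and writable by its owner alone.
check_s3fs_creds() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# add_s3fs_fstab BUCKET MOUNTPOINT FSTAB
# Appends the guide's fstab entry unless the identical line is already present,
# so re-running the setup does not create duplicate mounts.
add_s3fs_fstab() {
    bucket=$1
    mnt=$2
    fstab=$3
    entry="s3fs#$bucket $mnt fuse _netdev,rw,nosuid,nodev,allow_other,nonempty 0 0"
    grep -qxF "$entry" "$fstab" 2>/dev/null || printf '%s\n' "$entry" >> "$fstab"
}
```

Call `write_s3fs_creds /etc/passwd-s3fs`, type the credential line and press Enter, then `check_s3fs_creds /etc/passwd-s3fs && add_s3fs_fstab <bucket> /mnt/<bucket> /etc/fstab` before running `mount -a`.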

Connecting to the Access Server to Manage the Bucket

Further reading

  1. Based on the answer by @ChristopherTull to Connecting to AWS Transfer for SFTP on Stack Overflow.

Last modified: by martin