5

I've set up a server under Amazon's new AWS Transfer for SFTP managed SFTP service according to the user guide, but I've been unable to get it to work with a KMS encryption key. My SFTP client can authenticate fine, but when I attempt to put a file, the file uploads but then fails to save with a Couldn't close file: Failure error.

I have the role associated with my SFTP user in the list of Key Users, but I suspect something in the "step down" policy (that is used to prevent SFTP users from seeing other folders in the associated S3 bucket) is preventing the key from being used, because I tried removing the step-down policy, and then everything worked fine (but that then exposes the entire bucket to every user which is clearly unacceptable).

Any ideas what I need to add to the step-down policy (or the key policy) to allow the KMS key to be used in this way?

Jud
  • 1,158
  • 1
  • 8
  • 17
  • I am having a similar issue and would love to know the solution; however, I am able to retrieve files, just not put them. If I remove the step-down policy I am still unable to put files. – Jeremy Jan 09 '19 at 01:33
  • In your case, using KMS (I opted for AES), did you add the permissions to access the KMS keys with encryption and decryption? This may help: https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html – Jeremy Jan 09 '19 at 03:45
  • Did you ever figure this out? I'm stuck in the same boat. – Kirk Strauser Jan 16 '19 at 03:55
  • We gave up and switched to using the default AES key, which worked. – Jud Jan 16 '19 at 19:01
  • @Jud We made it work! – Kirk Strauser Jan 17 '19 at 17:55

1 Answer

10

We found two problems that together caused this same error:

  • Although we'd enabled default encryption on our backing S3 bucket, we still had a policy in place to require encryption. AWS applies that policy before the default encryption, so even aws s3 cp commands without the --sse:aws:kms flag would fail. Removing that policy made aws s3 cp use the default encryption policy.
  • We needed to add a few kms:XXX permissions to the policy attached to the role attached to the SFTP user that we created. All together, our policy now looks like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "s3:ListBucket",
            "Resource": "${bucket_arn}",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "${bucket_arn}/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey",
                "kms:DescribeKey"
            ],
            "Resource": "${kms_arn}",
            "Effect": "Allow"
        }
    ]
}

Applying that to the user made SFTP start working as hoped.

Kirk Strauser
  • 30,189
  • 5
  • 49
  • 65
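As an added example (not code from the answer or from AWS), here is a small Python check that a role policy shaped like the one above actually grants the KMS actions S3 needs for SSE-KMS reads and writes, and that no statement falls back to a bare "*" resource, which is what the step-down policy is meant to avoid. The ARNs are constructed placeholders, and the required-action list is an assumption about what S3 calls on the role's behalf.

```python
import fnmatch
import json

# Constructed sample: the answer's policy with placeholder ARNs filled in.
ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-sftp-bucket", "Effect": "Allow"},
    {"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-sftp-bucket/*", "Effect": "Allow"},
    {"Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey", "kms:DescribeKey"],
     "Resource": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
     "Effect": "Allow"}
  ]
}
""")

# Assumed set of KMS actions S3 invokes with the caller's credentials when an object is
# written or read under SSE-KMS. Note that "ReEncrypt" is not itself an action: the real
# actions are ReEncryptFrom and ReEncryptTo, so a policy must name them or use a wildcard.
REQUIRED_KMS = ["kms:GenerateDataKey", "kms:Decrypt", "kms:Encrypt",
                "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:DescribeKey"]


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, required):
    """Return the subset of `required` the policy allows: Allow minus Deny, wildcard-aware."""
    allow, deny = set(), set()
    for stmt in _as_list(policy["Statement"]):
        target = allow if stmt.get("Effect") == "Allow" else deny
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action matching is case-insensitive and supports "*" / "?" globs.
            target.update(a for a in required if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return allow - deny


def check_policy(policy, required=REQUIRED_KMS):
    """Report required KMS actions the policy does not grant, and statements with a bare "*" resource."""
    missing = sorted(set(required) - allowed_actions(policy, required))
    broad = [s for s in _as_list(policy["Statement"]) if "*" in _as_list(s.get("Resource", []))]
    return {"missing": missing, "wildcard_resource_statements": len(broad)}
```

Running `check_policy` against a copy of the policy that spells the action as plain `kms:ReEncrypt` reports `kms:ReEncryptFrom` and `kms:ReEncryptTo` as missing, which is the kind of silent no-match that is easy to overlook in an IAM console review.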