
SFTP Server on AWS User Guide

Product: SFTP Server on AWS

Overview

This image runs a production-ready SFTP file transfer server built on OpenSSH, the open-source Secure Shell suite. The SFTP service is fully configured and security hardened, so you can onboard users and move files securely within minutes of launch without hand-editing the SSH daemon configuration.

Every SFTP user is locked into their own home directory with an OpenSSH chroot jail. A user can only see and write inside their own space, never the rest of the filesystem, and is given no interactive shell. User home directories live on a dedicated, independently resizable storage volume mounted at /srv/sftp, kept separate from the operating system disk.

The image ships key-only, which is the secure default and a requirement of the AWS Marketplace image scan. SFTP users authenticate with an SSH key out of the box, and you can enable password authentication for SFTP users with a single command (it is also turned on automatically the first time you create a password user). The administrator account always stays key-only. A small set of management tools, sftp-adduser, sftp-deluser, sftp-listusers, sftp-passwd and sftp-password-auth, is the primary interface to the server. The image is hardened by default with fail2ban brute-force protection, per-user disk quotas, and transfer audit logging that records every upload, download and delete to the system journal.

On the first boot of every deployed instance, a one-shot service creates a demo SFTP user named sftpdemo with a fresh SSH key unique to that instance and records its details in a root-only file, so you can confirm the server works immediately and then remove it once your own users exist.

Prerequisites

Before you deploy this image you need:

  • An Amazon Web Services account where you can launch EC2 instances
  • IAM permissions to launch instances, create security groups, and subscribe to AWS Marketplace products
  • An EC2 key pair in the target Region for administrator SSH access to the instance
  • A VPC and subnet in the target Region, with a security group allowing inbound port 22 from the networks your SFTP users and administrators connect from
  • The AWS CLI version 2 installed locally if you plan to deploy from the command line, and an SFTP client (the sftp command line tool, FileZilla, Cyberduck or WinSCP) to connect as a user

Step 1: Launch the Instance from the AWS Marketplace

Sign in to the AWS Management Console, open the EC2 service, and select Launch instance. Under Application and OS Images choose AWS Marketplace AMIs and search for SFTP Server. Select the cloudimg listing and choose Select, then Continue on the subscription summary.

Pick an instance type of m5.large or larger as a balanced default; size the instance to the number of users and the transfer volume you expect. Choose your EC2 key pair under Key pair (login) for administrator access. Under Network settings select your VPC and subnet, and either create or select a security group that allows inbound port 22 from the networks your SFTP users connect from. SFTP rides on the SSH port, so only port 22 is required.

Select Launch instance. First-boot initialisation takes only a few seconds after the instance state becomes Running and the status checks pass.

Step 2: Launch the Instance from the AWS CLI

The following block launches an instance from the cloudimg SFTP Server Marketplace AMI into an existing subnet and security group. Replace <ami-id> with the AMI ID shown on the Marketplace listing, <key-name> with your EC2 key pair name, <subnet-id> with your subnet ID, and <security-group-id> with a security group that opens port 22 from the networks your users connect from.

aws ec2 run-instances \
  --image-id <ami-id> \
  --instance-type m5.large \
  --key-name <key-name> \
  --subnet-id <subnet-id> \
  --security-group-ids <security-group-id> \
  --block-device-mappings '{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":30,"VolumeType":"gp3"}}' \
  --metadata-options 'HttpTokens=required,HttpEndpoint=enabled' \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=sftp-server}]'

The image attaches a dedicated 50 GiB SFTP storage volume automatically, mounted at /srv/sftp, where every user's chroot home directory lives. To start with more storage, enlarge that volume on the Storage step in the console, or add a second block device mapping on the CLI.

Step 3: Connect as the Administrator over SSH

Connect to the instance with SSH as the default login user for the operating system variant you launched. The administrator account is SSH key only. The login user differs by variant:

Operating system variant    SSH login user
Ubuntu 26.04                ubuntu

Replace <key-file> with the path to your private key file and <instance-public-ip> with the public IP address or DNS name of the instance.

ssh -i <key-file> ubuntu@<instance-public-ip>

All of the user management commands below are run as the administrator with sudo.

Step 4: The Built In Demo User

On first boot the server creates a demo SFTP user named sftpdemo with a fresh SSH key unique to your instance. Read its details and the path to its private key from the root-only information file:

sudo cat /root/sftp-server-info.txt

The demo user's private key is written to /root/sftp-demo-key. Copy it to your client to connect as the demo user and confirm the server works (see Step 9). The demo user is confined to its own home directory, exactly like any user you create. Once your own users exist, remove the demo user in production:

sudo sftp-deluser sftpdemo --yes

Step 5: Authentication Model

The image ships key-only: password authentication is disabled by default, which is the secure baseline and is required to pass the AWS Marketplace image scan. SSH key users work immediately. When you want password logins for SFTP users, enable them with one command (the administrator account always remains key-only):

sudo sftp-password-auth on

Check or turn the setting off at any time with sudo sftp-password-auth status and sudo sftp-password-auth off. Creating a password based user (next step) turns this on for you automatically.

Step 6: Create a Password Based SFTP User

Create a user who authenticates with a password. The --password generate option creates a strong random password and prints it once; give it to the user over a secure channel. To set a specific password instead, use --password '<value>'. The first time you create a password user, SFTP password authentication is enabled automatically.

sudo sftp-adduser alice --password generate

The tool creates the account with no shell, adds it to the sftpusers group, and builds the chroot home directory at /srv/sftp/alice with a single user-writable subdirectory, upload. The user connects on port 22 and lands directly in their home directory.

Step 7: Create an SSH Key Based SFTP User

Create a user who authenticates with an SSH key. Pass the user's public key with --ssh-key, either inline or, as shown here, from a file with the @ prefix. This example generates a demonstration key pair first; in practice the user supplies their own public key.

ssh-keygen -t ed25519 -f /tmp/bob_key -N '' -q
sudo sftp-adduser bob --ssh-key @/tmp/bob_key.pub

The public key is stored in the central, root-owned location /etc/ssh/authorized_keys.d/bob, outside the user's jail, so the key cannot be tampered with by the user and the chroot ownership rules are always satisfied. A key-based user created without a password cannot log in with a password at all. You can give a user both a password and a key by passing both options.

Figure: Creating password-based and SSH key-based SFTP users with the sftp-adduser tool, then listing them with sftp-listusers

Step 8: Per User Disk Quotas

Cap how much storage a user can consume with --quota. This protects the shared volume so that no single user can fill the disk. The size accepts a G, M or K suffix.

sudo sftp-adduser carol --password generate --quota 10G

You can review every user's state, including the number of keys and current upload directory usage, at any time:

sudo sftp-listusers

Step 9: Connecting as an SFTP User

SFTP users connect on port 22 and are dropped straight into their home directory; their only writable area is the upload directory. From the sftp command line client, a password user connects like this (they will be prompted for the password):

sftp alice@<instance-public-ip>

A key-based user connects with their private key:

sftp -i bob_key bob@<instance-public-ip>

Once connected, a user uploads and downloads files inside their upload directory:

sftp> cd upload
sftp> put localfile.txt
sftp> get remotefile.txt
sftp> bye

Figure: Connecting as an SFTP user and uploading a file into the user-writable upload directory

The server works with any standard SFTP client. In a graphical client, use these settings:

Setting            Value
Protocol           SFTP (SSH File Transfer Protocol)
Host               the instance public IP or DNS name
Port               22
Username           the SFTP user name, for example alice
Password or key    the generated password, or the user's private key

Step 10: How the Home Directory Lock Works

Every SFTP user is confined to their own directory by an OpenSSH chroot jail. The jail root, which is the user's home directory, is owned by root and is not writable by the user; OpenSSH requires this of every component of the chroot path, and it is what makes the lock secure, because a user who could write to the jail root could plant files that subvert it. Inside it, a single upload directory is owned by the user and is where they read and write files.

sudo ls -la /srv/sftp/alice

A locked user cannot leave their home directory, cannot see other users' files, and cannot reach the rest of the operating system. Listing the root of their session shows only the upload directory, and attempts to retrieve a system file such as /etc/passwd fail because that path does not exist inside the jail.

Figure: An SFTP user is confined to their home directory: the session root shows only the upload directory, and attempts to read system files or change to other directories fail

Step 11: Transfer Audit Logging

Every SFTP session and every file operation (upload, download, rename and delete) is recorded to the system journal for compliance and troubleshooting. Review the audit trail with:

sudo journalctl -t internal-sftp --no-pager --since today | tail -20

Each entry records the user, the operation and the path, so you have a complete record of who transferred what and when. Note that the session line names the user, while the file operation lines that follow are tied to that session by the internal-sftp process ID in the tag.
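Because the user name appears only on the session lines, reviewing the trail by hand means matching process IDs. The parser below is an added example, not part of the image; it turns journal output into per-user events by keeping a PID-to-user map from the session lines, and the sample journal it embeds is constructed to follow the message format OpenSSH's sftp-server writes at its default log level.

```python
import re

# Constructed sample of `journalctl -t internal-sftp` output (not real data).
SAMPLE_JOURNAL = """\
Mar 04 10:15:01 sftp internal-sftp[2314]: session opened for local user alice from [203.0.113.10]
Mar 04 10:15:07 sftp internal-sftp[2314]: open "/upload/report.pdf" flags WRITE,CREATE,TRUNCATE mode 0644
Mar 04 10:15:07 sftp internal-sftp[2314]: close "/upload/report.pdf" bytes read 0 written 48213
Mar 04 10:15:20 sftp internal-sftp[2390]: session opened for local user bob from [198.51.100.7]
Mar 04 10:15:26 sftp internal-sftp[2390]: close "/upload/data.csv" bytes read 9102 written 0
Mar 04 10:16:30 sftp internal-sftp[2314]: remove name "/upload/old.csv"
Mar 04 10:16:35 sftp internal-sftp[2314]: rename old "/upload/report.pdf" new "/upload/final.pdf"
Mar 04 10:16:40 sftp internal-sftp[2314]: session closed for local user alice from [203.0.113.10]
"""

LINE_RE = re.compile(r"internal-sftp\[(\d+)\]: (.*)$")
SESSION_RE = re.compile(r"session (opened|closed) for local user (\S+) from \[")
CLOSE_RE = re.compile(r'close "([^"]+)" bytes read (\d+) written (\d+)')
REMOVE_RE = re.compile(r'remove name "([^"]+)"')
RENAME_RE = re.compile(r'rename old "([^"]+)" new "([^"]+)"')

def parse_journal(text):
    """Return (user, action, path, nbytes) events. Each internal-sftp process
    logs under its PID; only the 'session opened' line names the user, so
    later lines from that PID are attributed through a pid -> user map."""
    sessions, events = {}, []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if s := SESSION_RE.match(msg):
            if s.group(1) == "opened":
                sessions[pid] = s.group(2)
            else:
                sessions.pop(pid, None)
            continue
        user = sessions.get(pid, "<unknown>")
        if c := CLOSE_RE.match(msg):
            # Transfer direction follows from the byte counters reported on close.
            path, nread, nwritten = c.group(1), int(c.group(2)), int(c.group(3))
            if nwritten:
                events.append((user, "upload", path, nwritten))
            if nread:
                events.append((user, "download", path, nread))
        elif r := REMOVE_RE.match(msg):
            events.append((user, "delete", r.group(1), 0))
        elif r := RENAME_RE.match(msg):
            events.append((user, "rename", f"{r.group(1)} -> {r.group(2)}", 0))
    return events
```

Feed it the output of the journalctl command above (for example via sys.stdin.read()) to get the same event list for a real day's traffic.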

Step 12: Managing Users

Reset or lock a user's password at any time. Locking the password leaves any SSH key the user has in place:

sudo sftp-passwd alice generate

Remove a user when they no longer need access. By default the account is removed and you are reminded that the data remains; add --yes to delete the user's files as well, or --keep-data to keep them deliberately:

sudo sftp-deluser bob --yes

The full set of management tools is:

Command                                                                                          Purpose
sftp-adduser <name> [--password generate|<value>] [--ssh-key @file|"key"] [--quota <size>]       Create or update an SFTP user
sftp-passwd <name> [--password <value>|generate|--lock]                                          Set, generate or lock a user's password
sftp-listusers [--json]                                                                          List users with auth method, key count and usage
sftp-deluser <name> [--keep-data] [--yes]                                                        Remove a user, optionally with their data

Step 13: Hardening Notes

The image is hardened out of the box, and you can tighten it further:

  • Brute-force protection. fail2ban watches for repeated failed logins on port 22 and bans offending addresses with an increasing ban time. Check the jail and currently banned addresses with sudo fail2ban-client status sshd.
  • Network exposure. Restrict the inbound port 22 rule in the instance's security group to the specific networks your users and administrators connect from, rather than leaving it open to the whole internet.
  • Administrator access. The administrator account accepts SSH keys only; password authentication is disabled for it, so only SFTP users in the sftpusers group can use passwords.
  • Dedicated volume. Snapshot and resize the /srv/sftp volume independently of the operating system disk to back up or grow user storage on its own schedule.

Support

This image is supported 24/7 by cloudimg. We can help with SFTP user onboarding, SSH key management, chroot configuration, disk quotas, transfer auditing and secure file transfer architecture. Contact details and your support entitlement are provided with your AWS Marketplace subscription.