The AWS Transfer Server provides SFTP as a service. If you want to migrate from an existing SFTP server, you can add your own host keys so that clients keep trusting the server. Unfortunately, host keys are not supported by CloudFormation. This custom provider adds host keys and lets you define the set of active keys of the server.
Add transfer server host key
To add a Transfer Server host key in your AWS CloudFormation template, use the following syntax:
  TransferServerHostKey:
    Type: Custom::TransferServerHostKey
    Properties:
      ServerId: !GetAtt Server.ServerId
      HostKeyParameterName: !GetAtt HostKey.ParameterName
      Description: Generated by CloudFormation
      Version: !GetAtt HostKey.Hash
      ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-transfer-server-host-key-provider'
This reads the key from the parameter /private-keys/sftp-server and adds it as a host key to the specified server. See Custom::TransferServerHostKey for details. You can generate a host key using the Custom::RSAKey resource. Alternatively, you can encrypt an existing key and store it in the parameter store using the Custom::Secret resource with EncryptedContent.
Define active transfer server host key set
When you add new host keys to a transfer server, they are not automatically active. If multiple keys are present, the Transfer Server uses the oldest key available. You need to activate the new key explicitly, by deleting the old key of the same type.
To define the set of active host keys, use the Custom::TransferServerActiveHostKeys as follows:
  TransferServerActiveHostKeys:
    Type: Custom::TransferServerActiveHostKeys
    Properties:
      ServerId: !GetAtt Server.ServerId
      Fingerprints:
        - !GetAtt TransferServerHostKey.Fingerprint
      ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-transfer-server-host-key-provider'
This ensures that the server's active host key set consists of exactly the keys with the specified fingerprints. It deletes all other host keys associated with the server, so make sure that you specify the fingerprints of all the keys you want to keep.
Installation
To install this custom resource provider, type:
aws cloudformation create-stack \
  --capabilities CAPABILITY_IAM \
  --stack-name cfn-transfer-server-host-key-provider \
  --template-url s3://binxio-public-eu-central.s3.amazonaws.com/lambdas/cfn-transfer-server-host-key-provider-0.1.1.yaml
Demo
To install the simple demo of the Custom::TransferServerHostKey and Custom::TransferServerActiveHostKeys resources, type:
git clone https://github.com/binxio/cfn-transfer-server-host-key-provider.git
cd cfn-transfer-server-host-key-provider
aws cloudformation deploy \
  --capabilities CAPABILITY_NAMED_IAM \
  --stack-name cfn-transfer-server-host-key-provider-demo \
  --template-file file://cloudformation/demo.yaml \
  --parameter-overrides SecretProviderPresent=no
This assumes that the custom secret provider is not installed. To check the result, type:
$ SERVER_ID=$(aws cloudformation describe-stacks --stack-name cfn-transfer-server-host-key-provider-demo --query 'Stacks[0].Outputs[?OutputKey==`ServerId`].OutputValue' --output text)
$ SERVER_REGION=$(aws configure get region)
$ SERVER_HOST=$SERVER_ID.server.transfer.$SERVER_REGION.amazonaws.com
$ FINGERPRINT=$(aws cloudformation describe-stacks --stack-name cfn-transfer-server-host-key-provider-demo --query 'Stacks[0].Outputs[?OutputKey==`Fingerprint`].OutputValue' --output text)
$ echo "expect: $FINGERPRINT"
$ ssh-keyscan $SERVER_HOST 2>&1 | ssh-keygen -lf -
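The last two commands above leave the comparison of the expected and the scanned fingerprint to the reader's eyes. The following is an added example, not part of the provider or the demo, that performs the same check in code using only the Python standard library: it parses ssh-keyscan style key lines, computes the fingerprint in the format ssh-keygen -lf prints (SHA256 over the raw key blob, base64 without padding, which is also the format of the Fingerprint attribute), and reports whether the server presented a key with the expected fingerprint. The key line it checks is constructed from fixed bytes for the sake of a self-contained run; in practice you would feed it the output of ssh-keyscan and the value of $FINGERPRINT from the stack outputs.

```python
"""Verify an SFTP host key fingerprint the way `ssh-keygen -lf` reports it.

Added example, not the provider's own code. It reproduces the fingerprint
format the demo compares against (SHA256, base64, no padding) with the
Python standard library only, so the value exported by the CloudFormation
stack can be pinned in a client or a CI check.
"""
import base64
import hashlib
import struct
from typing import Tuple

# Key types a Transfer Server (or ssh-keyscan) can report. Anything else is
# rejected, so a stray banner line in keyscan output is never "verified".
KNOWN_KEY_TYPES = {
    "ssh-rsa",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def parse_public_key_line(line: str) -> Tuple[str, bytes]:
    """Return (key_type, raw_key_blob) from an authorized_keys or ssh-keyscan line.

    Accepts both the "type base64 [comment]" and the "host type base64" layouts.
    """
    fields = line.split()
    if len(fields) >= 2 and fields[0] in KNOWN_KEY_TYPES:
        key_type, b64 = fields[0], fields[1]
    elif len(fields) >= 3 and fields[1] in KNOWN_KEY_TYPES:
        key_type, b64 = fields[1], fields[2]
    else:
        raise ValueError(f"not an SSH public key line: {line!r}")
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with the key type as an SSH string; it must agree with the
    # textual type, otherwise the line is corrupted or has been tampered with.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type in blob does not match declared type")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint as printed by `ssh-keygen -lf`: SHA256 over the raw blob,
    base64 encoded with the trailing '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(keyscan_output: str, expected_fingerprint: str) -> bool:
    """True if any key line in ssh-keyscan output has the expected fingerprint.

    Non-key lines (keyscan writes comments to stderr, which the demo merges
    into the stream with 2>&1) are skipped rather than treated as a failure.
    """
    for line in keyscan_output.splitlines():
        if not line or line.startswith("#"):
            continue
        try:
            _, blob = parse_public_key_line(line)
        except ValueError:
            continue
        if fingerprint_sha256(blob) == expected_fingerprint:
            return True
    return False


def constructed_ed25519_line(seed: int = 1) -> str:
    """Build a structurally valid ssh-ed25519 public key line from a
    deterministic 32-byte value. Constructed for this example only; it is
    not a real key."""
    fake_point = bytes((seed * 7 + i) % 256 for i in range(32))
    blob = ssh_string(b"ssh-ed25519") + ssh_string(fake_point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed-demo"


if __name__ == "__main__":
    # Stand-ins for $FINGERPRINT from the stack outputs and for the merged
    # `ssh-keyscan $SERVER_HOST 2>&1` text of the demo (host name is a placeholder).
    expected = fingerprint_sha256(parse_public_key_line(constructed_ed25519_line())[1])
    keyscan = ("# example.invalid:22 SSH-2.0-constructed-banner\n"
               "example.invalid " + constructed_ed25519_line())
    print("expect:", expected)
    print("match:", host_key_matches(keyscan, expected))
```

Because the check is a plain boolean, it can gate a deployment pipeline: after the TransferServerActiveHostKeys resource has removed the old keys, a failed match means the server is not presenting the key that CloudFormation believes is active.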
Conclusion
With these two custom resources, you can use AWS CloudFormation to manage the host keys of your AWS SFTP transfer servers.
Image by Gerd Altmann from Pixabay