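AWSTemplateFormatVersion: "2010-09-09"
Description: "AWS Transfer Family SFTP with Lambda Identity Provider"

# Layout of this template:
#   SFTPBucket            - storage backend (encrypted, public access blocked)
#   SFTPUserRole          - role Transfer Family assumes for an authenticated user
#   LambdaExecutionRole   - least-privilege role for the identity-provider Lambda
#   SFTPLambdaAuth        - password check against a per-user Secrets Manager secret
#   SFTPLambdaInvokePermission - lets this server invoke the Lambda
#   SFTPServer            - the SFTP endpoint
#   SFTPDemoUserSecret    - demo user "testuser" with a generated password
Resources:
  # S3 bucket used as the SFTP storage backend.
  SFTPBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "sftp-storage-${AWS::AccountId}"
      # Encrypt objects at rest by default (SSE-S3).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # SFTP users reach the bucket only through SFTPUserRole; never via public access.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Role that Transfer Family assumes on behalf of an authenticated user.
  # Its ARN is returned by the identity-provider Lambda as "Role".
  SFTPUserRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "SFTP-User-Role-${AWS::AccountId}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: transfer.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy protection: only Transfer servers in this account
            # and region may assume the role.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub "arn:${AWS::Partition}:transfer:${AWS::Region}:${AWS::AccountId}:server/*"
      Policies:
        - PolicyName: SFTPBucketReadAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read-only, matching the S3 access the original template granted.
              # Add s3:PutObject / s3:DeleteObject here only if users must upload.
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !GetAtt SFTPBucket.Arn
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "${SFTPBucket.Arn}/*"

  # Execution role for the identity-provider Lambda.
  # The function only checks credentials, so it gets no S3 access; S3 is reached
  # through SFTPUserRole after authentication.
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "SFTP-Lambda-Execution-Role-${AWS::AccountId}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LambdaExecutionPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Logging scoped to this account/region and to the function's own log group.
              - Effect: Allow
                Action: logs:CreateLogGroup
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*"
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/SFTP-Lambda-Auth:*"
              # Per-user secrets are named aws/transfer/<serverId>/<username>;
              # only that prefix is readable.
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:aws/transfer/*"

  # Identity-provider Lambda: password authentication backed by Secrets Manager.
  # No credentials are embedded in the template or in the function code.
  SFTPLambdaAuth:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: SFTP-Lambda-Auth
      # python3.9 is past its Lambda end-of-support date; the code is runtime-neutral.
      Runtime: python3.12
      Role: !GetAtt LambdaExecutionRole.Arn
      Handler: index.lambda_handler
      Timeout: 10
      Environment:
        Variables:
          # Returned to Transfer Family for every authenticated user.
          USER_ROLE_ARN: !GetAtt SFTPUserRole.Arn
          # Transfer Family expects "/<bucket-name>" for an S3-backed home directory.
          HOME_DIRECTORY: !Sub "/${SFTPBucket}"
      Code:
        ZipFile: |
          """Transfer Family identity provider: password check against Secrets Manager.

          Event (from Transfer Family): username, password (absent for key-based
          logins), serverId, protocol, sourceIp.
          Returns {"Role": ..., "HomeDirectory": ...} on success and {} to deny.
          """
          import hmac
          import json
          import logging
          import os
          import re

          import boto3

          logger = logging.getLogger()
          logger.setLevel(logging.INFO)

          # Transfer Family username format: 3-100 chars, word char first, then
          # word chars plus @ . - . Enforced before the name is used in a secret id.
          USERNAME_RE = re.compile(r"[\w][\w@.-]{2,99}", re.ASCII)

          secrets = boto3.client("secretsmanager")


          def lambda_handler(event, context):
              """Authenticate one login attempt; never log or echo the password."""
              username = event.get("username", "")
              password = event.get("password")
              server_id = event.get("serverId", "")

              if not isinstance(username, str) or not USERNAME_RE.fullmatch(username) or not server_id:
                  logger.warning("rejected malformed request for user %r", username)
                  return {}

              # Key-based logins carry no password; this provider supports passwords only.
              if not isinstance(password, str) or not password:
                  logger.info("no password supplied for user %s; denying", username)
                  return {}

              secret_id = f"aws/transfer/{server_id}/{username}"
              try:
                  response = secrets.get_secret_value(SecretId=secret_id)
              except secrets.exceptions.ResourceNotFoundException:
                  logger.info("no secret for user %s on server %s", username, server_id)
                  return {}

              expected = json.loads(response["SecretString"]).get("password", "")
              # Constant-time comparison so response timing does not leak the match prefix.
              if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
                  logger.info("authentication failed for user %s", username)
                  return {}

              # Optional fields (Policy, PublicKeys, HomeDirectoryDetails) are omitted
              # rather than sent empty.
              return {
                  "Role": os.environ["USER_ROLE_ARN"],
                  "HomeDirectory": os.environ["HOME_DIRECTORY"],
              }

  # Resource-based permission: without it Transfer Family cannot invoke the function
  # and every login fails. SourceArn restricts the caller to this server only.
  SFTPLambdaInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt SFTPLambdaAuth.Arn
      Principal: transfer.amazonaws.com
      SourceArn: !GetAtt SFTPServer.Arn

  # AWS Transfer Family SFTP server.
  # NOTE(review): server-side CloudWatch logging (LoggingRole / StructuredLogDestinations)
  # is not configured here; consider enabling it for visibility into login attempts.
  SFTPServer:
    Type: AWS::Transfer::Server
    Properties:
      Protocols:
        - SFTP
      IdentityProviderType: AWS_LAMBDA
      IdentityProviderDetails:
        Function: !GetAtt SFTPLambdaAuth.Arn
        # The Lambda handles passwords only; do not advertise key authentication.
        SftpAuthenticationMethods: PASSWORD
      EndpointType: PUBLIC
      Domain: S3

  # Demo user "testuser". The password is generated at deploy time and lives only in
  # Secrets Manager. Add further users by creating secrets with the same naming scheme.
  SFTPDemoUserSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "aws/transfer/${SFTPServer}/testuser"
      Description: "SFTP password for the demo user testuser"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "testuser"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludePunctuation: true

Outputs:
  ServerId:
    Description: "AWS Transfer Family Server ID"
    Value: !Ref SFTPServer
  LambdaFunction:
    Description: "Lambda Function for User Authentication"
    Value: !Ref SFTPLambdaAuth
  S3Bucket:
    Description: "S3 Bucket for SFTP"
    Value: !Ref SFTPBucket
  DemoUserSecretArn:
    Description: "Secrets Manager secret holding the demo user's generated password"
    Value: !Ref SFTPDemoUserSecret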