
SFTP on Your Ubuntu EC2 Instance – Quick and Simple Setup

Updated June 21, 2025

Quick SFTP Setup on Ubuntu EC2

This cheat sheet provides a straightforward guide to setting up a secure, chrooted SFTP user on an Ubuntu EC2 instance. This restricts the user to a specific directory and only allows file transfer operations, not a full shell session.


Step 1: Create a Dedicated SFTP User

First, create a new user account that will be used exclusively for SFTP access. You will be prompted to set a password for this user.

sudo adduser sftp_user

(Replace sftp_user with your desired username)


Step 2: Create a Directory for File Transfers

Create a directory where the SFTP user will upload their files. It's important to set the ownership and permissions correctly to create a secure chroot jail.

The SFTP user's home directory (/home/sftp_user) must be owned by root and must not be writable by group or others; sshd refuses the login ("bad ownership or modes for chroot directory") if either condition is violated. The user will therefore not be able to write to this directory itself, which is a security requirement for the chroot jail.

Inside the home directory, create an "uploads" directory that the sftp_user will own, allowing them to upload files there.

# Create the uploads directory
sudo mkdir -p /home/sftp_user/uploads

# Set the sftp_user as the owner of the "uploads" directory
sudo chown sftp_user:sftp_user /home/sftp_user/uploads

# Ensure the user's home directory is owned by root (critical for chroot)
sudo chown root:root /home/sftp_user

# Recent Ubuntu releases create home directories with mode 0750; after the
# chown to root the SFTP user could no longer enter the jail, so make it
# root-owned, world-searchable and writable only by root
sudo chmod 755 /home/sftp_user

Step 3: Configure the SSH Daemon for SFTP

Next, modify the SSH daemon configuration file (/etc/ssh/sshd_config) to add rules for your new SFTP user.

Open the file with a text editor:

sudo nano /etc/ssh/sshd_config

Scroll to the very end of the file and add the following block:

# SFTP User Configuration
Match User sftp_user
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /home/sftp_user
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

Explanation of Directives:

  • Match User sftp_user: This line tells SSH that the following rules should only apply to the user named sftp_user.
  • ForceCommand internal-sftp: This is the most critical directive. It forces the user to only use the internal SFTP service and prevents them from gaining shell access.
  • PasswordAuthentication yes: Allows the user to connect using the password you set earlier.
  • ChrootDirectory /home/sftp_user: This "jails" the user in their home directory. They will not be able to see or navigate any other part of the server's filesystem.
  • PermitTunnel no / AllowAgentForwarding no / AllowTcpForwarding no / X11Forwarding no: These disable the various types of SSH tunneling and forwarding, further enhancing security by limiting the user's capabilities to file transfer alone.

Save the file and exit the editor (in nano, press CTRL+X, then Y, then Enter).


Step 4: Restart the SSH Service

For the changes to take effect, you must restart the SSH daemon. Before doing so, run sudo sshd -t to check the configuration for syntax errors: a broken sshd_config can lock you out of the instance.

sudo systemctl restart sshd

Step 5: Test the SFTP Connection

You can now test the setup using any SFTP client (like FileZilla, Cyberduck, or WinSCP) or the command line.

Connection Details:

  • Protocol: SFTP
  • Host: Your EC2 instance's Public IP address
  • Port: 22
  • Username: sftp_user
  • Password: The password you created in Step 1.

When you connect, you should be placed directly into a directory structure where you only see the uploads folder. You will be able to navigate into uploads and transfer files there, but you will not be able to go to a higher-level directory like /home or /etc.