
Use AWS PrivateLink for Transfer for SFTP Server Endpoints

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your AWS Transfer for SFTP server endpoints are configured to use VPC endpoints powered by AWS PrivateLink to improve security for internal applications that need SFTP access to Amazon S3.

Security

To keep your internal applications' SFTP traffic off the public Internet, configure your SFTP servers to use VPC endpoints powered by AWS PrivateLink. PrivateLink provides private connectivity between your VPCs and AWS services over the Amazon network, so the server is no longer reachable through a public hostname. Once a server is attached to a VPC endpoint, clients must reach it from inside that VPC (or over a VPN, AWS Direct Connect or VPC peering connection), and the security groups attached to the endpoint's network interfaces control which sources can connect on port 22.

Audit

To determine the endpoint type for your AWS Transfer for SFTP servers, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Transfer for SFTP service dashboard at https://console.aws.amazon.com/transfer/.

03 In the navigation panel, under SFTP, choose Servers.

04 Choose the SFTP server that you want to examine, then click on the resource ID available in the Server ID column, to view the server configuration page.

05 On the resource configuration page, check the Endpoint type attribute value. If the value is Public, the endpoint of the selected Amazon Transfer for SFTP server is publicly accessible, therefore the server access configuration is not compliant.

06 Repeat step no. 4 and 5 to check the endpoint type for other SFTP servers provisioned in the current region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-servers command (OSX/Linux/UNIX) to list the IDs of all SFTP servers available in the selected AWS region – in this case the US East (N. Virginia) region:

aws transfer list-servers
    --region us-east-1
    --output table
    --query 'Servers[*].ServerId'

02 The command output should return a table with the requested SFTP server IDs:

-------------------------
|      ListServers      |
+-----------------------+
|  s-0abcd1234abcd1234  |
|  s-01234567890123456  |
+-----------------------+

03 Run describe-server command (OSX/Linux/UNIX) using the ID of the SFTP (SSH File Transfer Protocol) server that you want to examine as the identifier parameter, with a query filter that returns only the endpoint type of the selected server:

aws transfer describe-server
    --region us-east-1
    --server-id s-0abcd1234abcd1234
    --query 'Server.EndpointType'

04 The command output should return the requested configuration attribute:

"PUBLIC"

If the describe-server command output returns "PUBLIC", as shown in the example above, the selected AWS Transfer for SFTP server is exposed through a public endpoint and is reachable from outside its VPC, therefore the server access configuration is not compliant. A value of "VPC_ENDPOINT" (or "VPC") means the server is reachable only through a VPC endpoint.

05 Repeat step no. 3 and 4 to determine the server endpoint type for other SFTP servers available within the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To improve security for your internal applications that need SFTP access solely to Amazon S3, configure your SFTP servers to use VPC endpoints powered by AWS PrivateLink and make them accessible within their VPC only. The endpoint type can only be changed while the server is offline, so each server must be stopped first; clients cannot connect until it is started again, and they must then connect to the VPC endpoint's DNS name (or private IP address) instead of the server's public hostname. To change the access endpoint from public to VPC for your existing SFTP servers, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Transfer for SFTP service dashboard at https://console.aws.amazon.com/transfer/.

03 In the navigation panel, under SFTP, choose Servers.

04 Select the SFTP server that you want to reconfigure, click the Actions dropdown button from the dashboard top menu and select Stop to stop the selected server.

05 In the Stop <server-id> dialog box, click Stop to confirm the action. Wait for the Status of the server to change to Offline before going further with the process.

06 Now that the server is offline, click on the resource ID available in the Server ID column to view the server configuration page.

07 Within Server configuration section, click the Edit button to edit the resource configuration.

08 On the Edit configuration page, in the Endpoint configuration section, select VPC for the Endpoint type to change the server access endpoint from public to VPC.

09 Choose a VPC endpoint from VPC endpoint dropdown list if you already have created a VPC endpoint for your SFTP server or click Create a VPC endpoint button and follow the steps of the setup wizard to create a new VPC endpoint.

10 Once the appropriate VPC endpoint is selected, click Save to apply the changes.

11 Back to the resource configuration page, click Actions and choose Start to bring your server back online. The Endpoint type attribute value should be now changed to VPC.

12 If required, repeat steps no. 4 – 11 to change the endpoint type for other Amazon Transfer for SFTP servers available in the current region.

13 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run stop-server command (OSX/Linux/UNIX) to change the state of the specified SFTP server from ONLINE to OFFLINE (the command does not produce an output):

aws transfer stop-server
    --region us-east-1
    --server-id s-0abcd1234abcd1234

02 Run update-server command (OSX/Linux/UNIX) using the ID of the SFTP (SSH File Transfer Protocol) server that you want to reconfigure, stopped at the previous step, and the ID of the required VPC endpoint as command parameters, to change the selected resource endpoint type from public to VPC (the command fails if the server is still online). Note that AWS has since deprecated the VPC_ENDPOINT endpoint type in favor of EndpointType VPC, which takes the VPC and subnet IDs in --endpoint-details instead of a VPC endpoint ID; check the current AWS Transfer Family documentation before applying this to a new server:

aws transfer update-server
    --region us-east-1
    --server-id s-0abcd1234abcd1234
    --endpoint-type VPC_ENDPOINT
    --endpoint-details VpcEndpointId=vpce-0aaaabbbbccccdddd

03 The command output should return the command request metadata, in this case the ID of the modified SFTP server:

{
    "ServerId": "s-0abcd1234abcd1234"
}

04 Run start-server command (OSX/Linux/UNIX) to bring the reconfigured SFTP server back online (the command does not produce an output):

aws transfer start-server
    --region us-east-1
    --server-id s-0abcd1234abcd1234

05 If required, repeat steps no. 1 – 4 to change the endpoint type for other Amazon Transfer for SFTP servers available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.
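The audit and remediation CLI procedures above can be scripted against the same Transfer API calls. The following is an added example, not Conformity's own code: it classifies each server the way audit steps 03 and 04 do (reading Server.EndpointType and Server.EndpointDetails) and carries out remediation steps 01 to 04, waiting for the server to reach OFFLINE before the endpoint type is changed and ONLINE afterwards. Method names match boto3's Transfer client (list_servers, describe_server, stop_server, update_server, start_server); boto3 itself is not required because SampleTransferClient is an in-memory stand-in that follows the service's state machine, and every server, VPC endpoint, VPC, subnet and Elastic IP allocation ID in it is a constructed placeholder. It goes slightly beyond the page in one respect: a VPC endpoint with Elastic IPs attached (AddressAllocationIds) is internet-facing, so it is reported as non-compliant too.

```python
"""Audit and remediate AWS Transfer Family server endpoint types (added example)."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    server_id: str
    region: str
    endpoint_type: str
    compliant: bool
    reason: str


def evaluate_server(server: dict, region: str) -> Finding:
    """Classify one describe_server()['Server'] dict, as audit step 04 does by hand."""
    etype = server.get("EndpointType", "")
    details = server.get("EndpointDetails") or {}
    if etype == "PUBLIC":
        ok, why = False, "endpoint is reachable from the public Internet"
    elif etype == "VPC" and details.get("AddressAllocationIds"):
        ok, why = False, "VPC endpoint has Elastic IPs attached, so it is internet-facing"
    elif etype in ("VPC", "VPC_ENDPOINT"):
        ok, why = True, "endpoint is only reachable from inside the VPC"
    else:
        ok, why = False, f"unknown endpoint type {etype!r}"
    return Finding(server["ServerId"], region, etype, ok, why)


def audit_region(client, region: str) -> list:
    """Audit every server in one region, following list_servers pagination."""
    findings, token = [], None
    while True:
        page = client.list_servers(**({"NextToken": token} if token else {}))
        for summary in page.get("Servers", []):
            server = client.describe_server(ServerId=summary["ServerId"])["Server"]
            findings.append(evaluate_server(server, region))
        token = page.get("NextToken")
        if not token:
            return findings


class EndpointChangeError(RuntimeError):
    pass


def wait_for_state(client, server_id, wanted, interval=5.0, timeout=300.0):
    """Poll describe_server until State == wanted; fail fast on START_FAILED/STOP_FAILED."""
    deadline = time.monotonic() + timeout
    while True:
        state = client.describe_server(ServerId=server_id)["Server"]["State"]
        if state == wanted:
            return state
        if state.endswith("_FAILED"):
            raise EndpointChangeError(f"{server_id} entered {state}")
        if time.monotonic() >= deadline:
            raise EndpointChangeError(f"{server_id} still {state} after {timeout}s")
        time.sleep(interval)


def move_to_vpc_endpoint(client, server_id, endpoint_details, endpoint_type="VPC_ENDPOINT", interval=5.0):
    """Remediation steps 01-04: stop, wait for OFFLINE, update, start, wait for ONLINE.
    Pass endpoint_type="VPC" with VpcId/SubnetIds details for the newer endpoint type.
    A server that is not PUBLIC is left untouched. Returns the final server description."""
    server = client.describe_server(ServerId=server_id)["Server"]
    if server["EndpointType"] != "PUBLIC":
        return server
    if server["State"] == "ONLINE":
        client.stop_server(ServerId=server_id)
    wait_for_state(client, server_id, "OFFLINE", interval=interval)
    client.update_server(ServerId=server_id, EndpointType=endpoint_type, EndpointDetails=endpoint_details)
    client.start_server(ServerId=server_id)
    wait_for_state(client, server_id, "ONLINE", interval=interval)
    return client.describe_server(ServerId=server_id)["Server"]


class SampleTransferClient:
    """Offline stand-in for boto3.client('transfer') over constructed servers. A server
    left STOPPING/STARTING settles on the next describe_server call, and update_server
    rejects changes unless the server is OFFLINE, mirroring the real service."""
    _settle = {"STOPPING": "OFFLINE", "STARTING": "ONLINE"}

    def __init__(self, servers):
        self.servers = {s["ServerId"]: dict(s) for s in servers}
        self.calls = []

    def list_servers(self, **_):
        return {"Servers": [{"ServerId": sid} for sid in self.servers]}

    def describe_server(self, ServerId):
        s = self.servers[ServerId]
        s["State"] = self._settle.get(s["State"], s["State"])
        return {"Server": dict(s)}

    def stop_server(self, ServerId):
        self.calls.append("stop_server")
        self.servers[ServerId]["State"] = "STOPPING"

    def start_server(self, ServerId):
        self.calls.append("start_server")
        self.servers[ServerId]["State"] = "STARTING"

    def update_server(self, ServerId, **changes):
        self.calls.append("update_server")
        if self.servers[ServerId]["State"] != "OFFLINE":
            raise EndpointChangeError("endpoint type can only be changed while OFFLINE")
        self.servers[ServerId].update(changes)
        return {"ServerId": ServerId}


SAMPLE_SERVERS = [  # constructed, in the shape of describe_server()["Server"]; IDs are placeholders
    {"ServerId": "s-0abcd1234abcd1234", "State": "ONLINE", "EndpointType": "PUBLIC"},
    {"ServerId": "s-01234567890123456", "State": "ONLINE", "EndpointType": "VPC_ENDPOINT",
     "EndpointDetails": {"VpcEndpointId": "vpce-0aaaabbbbccccdddd"}},
    {"ServerId": "s-0fedcba9876543210", "State": "ONLINE", "EndpointType": "VPC",
     "EndpointDetails": {"VpcId": "vpc-0123456789abcdef0", "SubnetIds": ["subnet-0123456789abcdef0"],
                         "AddressAllocationIds": ["eipalloc-0123456789abcdef0"]}},
]

if __name__ == "__main__":
    client = SampleTransferClient(SAMPLE_SERVERS)  # swap for boto3.client("transfer", region_name=...)
    for f in audit_region(client, "us-east-1"):
        print(f"{f.server_id} {f.endpoint_type:<13} {'OK ' if f.compliant else 'BAD'} {f.reason}")
        if f.endpoint_type == "PUBLIC":
            after = move_to_vpc_endpoint(client, f.server_id, {"VpcEndpointId": "vpce-0aaaabbbbccccdddd"}, interval=0)
            print(f"  -> now {after['EndpointType']} ({after['State']})")
```

To run it against a real account, replace SampleTransferClient with boto3.client("transfer", region_name=...) for each region and keep the default polling interval; the OFFLINE wait matters because update-server refuses an endpoint-type change while the server is still stopping.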

Publication date Apr 19, 2019