Ensure that Amazon CloudWatch logging is enabled for your AWS Transfer for SFTP servers in order to track SFTP user activity and meet regulatory requirements. AWS Transfer for SFTP is a fully managed service that lets you transfer files into and out of Amazon S3 over SFTP (the SSH File Transfer Protocol). The SFTP user activity logs record user authentication attempts (successful and failed), data uploads (PUT requests) and data downloads (GET requests).
SFTP logging data is extremely useful for security and compliance audits, for tracking down operational issues and for detecting unauthorized access. Once the Logging Activity feature is enabled, Amazon CloudWatch Logs starts recording all SFTP user activity for your AWS Transfer for SFTP servers.
To determine if your AWS Transfer for SFTP servers have the Logging Activity feature enabled, perform the following actions:
Remediation / Resolution
To enable the Logging Activity feature, you first have to create an IAM role that your SFTP servers can assume and use to write to Amazon CloudWatch Logs on your behalf: the role trusts the transfer.amazonaws.com service principal and needs permission to create log groups and log streams and to put log events. To enable SFTP user activity logging for your existing AWS Transfer for SFTP servers, perform the following actions:
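The audit check and the remediation above, as an added example that is not part of the original page or of Conformity's tooling: Python helpers that implement the Logging Activity check (a server is compliant when DescribeServer returns a non-empty LoggingRole), emit the IAM trust and permissions documents for the logging role, and attach the role with UpdateServer. It runs offline against a constructed stand-in for boto3.client("transfer"); the role name, account ID and server IDs are made up, and the scoped-down log-group resource ARNs are a least-privilege tightening of AWS's managed policy AWSTransferLoggingAccess, not something AWS requires.

```python
"""Audit and remediate activity logging on AWS Transfer for SFTP servers.

Added example, not Conformity's own code. Uses the real AWS Transfer API
shapes (ListServers / DescribeServer -> Server.LoggingRole, UpdateServer with
LoggingRole) but runs against an in-memory stand-in so it works offline.
"""
import json
from typing import Dict, List

# Assumed role name; any name works, its ARN is what UpdateServer needs.
LOGGING_ROLE_NAME = "TransferSftpCloudWatchLoggingRole"

# Trust policy: only the Transfer service may assume the role.
TRUST_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "transfer.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions: the CloudWatch Logs actions the service uses. The managed
# policy AWSTransferLoggingAccess grants them on "*"; this is scoped to the
# /aws/transfer/ log groups the service creates (assumed tightening).
LOGGING_PERMISSIONS: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                   "logs:DescribeLogStreams", "logs:PutLogEvents"],
        "Resource": ["arn:aws:logs:*:*:log-group:/aws/transfer/*",
                     "arn:aws:logs:*:*:log-group:/aws/transfer/*:log-stream:*"],
    }],
}


def role_documents() -> Dict[str, str]:
    """JSON for `aws iam create-role --assume-role-policy-document` and
    `aws iam put-role-policy --policy-document`."""
    return {"trust": json.dumps(TRUST_POLICY),
            "permissions": json.dumps(LOGGING_PERMISSIONS)}


def is_logging_enabled(server: Dict) -> bool:
    """Check one DescribeServer 'Server' block: compliant only when LoggingRole
    is present and non-empty (the key is absent on servers never configured)."""
    return bool(server.get("LoggingRole"))


def find_unlogged_servers(transfer) -> List[str]:
    """IDs of every server in the region without a logging role.
    `transfer` is a boto3 Transfer client or anything with the same methods."""
    unlogged, token = [], None
    while True:  # ListServers pages with NextToken
        page = transfer.list_servers(**({"NextToken": token} if token else {}))
        for summary in page["Servers"]:
            server = transfer.describe_server(ServerId=summary["ServerId"])["Server"]
            if not is_logging_enabled(server):
                unlogged.append(server["ServerId"])
        token = page.get("NextToken")
        if not token:
            return unlogged


def enable_logging(transfer, server_id: str, role_arn: str) -> Dict:
    """Remediation: attach the logging role to an existing server."""
    return transfer.update_server(ServerId=server_id, LoggingRole=role_arn)


class FakeTransferClient:
    """Constructed stand-in for boto3.client("transfer"): two made-up servers,
    one with a logging role and one without. Not real account data."""

    def __init__(self) -> None:
        self._servers = {
            "s-0123456789abcdef0": {"ServerId": "s-0123456789abcdef0", "State": "ONLINE",
                                    "LoggingRole": "arn:aws:iam::123456789012:role/ExistingLoggingRole"},
            "s-0123456789abcdef1": {"ServerId": "s-0123456789abcdef1", "State": "ONLINE"},
        }

    def list_servers(self, **_kwargs) -> Dict:
        return {"Servers": [{"ServerId": sid, "State": s["State"]}
                            for sid, s in self._servers.items()]}

    def describe_server(self, ServerId: str) -> Dict:
        return {"Server": dict(self._servers[ServerId])}

    def update_server(self, ServerId: str, **fields) -> Dict:
        self._servers[ServerId].update(fields)
        return {"ServerId": ServerId}


if __name__ == "__main__":
    # Swap FakeTransferClient() for boto3.client("transfer") on a live account.
    client = FakeTransferClient()
    role_arn = f"arn:aws:iam::123456789012:role/{LOGGING_ROLE_NAME}"  # assumed account
    for sid in find_unlogged_servers(client):
        print(f"{sid}: no LoggingRole set, enabling logging")
        enable_logging(client, sid, role_arn)
    print("unlogged after remediation:", find_unlogged_servers(client))
```

Against a real account, create the role first (`aws iam create-role` with the trust document, then `aws iam put-role-policy` with the permissions document, or attach AWSTransferLoggingAccess instead), then pass the role ARN to enable_logging, which is the same call as `aws transfer update-server --server-id ... --logging-role ...`. Re-running find_unlogged_servers afterwards is the compliance re-check.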
Enable AWS Transfer for SFTP Logging Activity
Risk level: Medium