Publicly accessible SFTP Server Endpoints

Ensure that AWS Transfer for SFTP server endpoints is configured to use VPC endpoints.

Risk Level: High

Description:

Ensure that AWS Transfer for SFTP server endpoints is configured to use VPC endpoints.

Recommended Action: Configure the SFTP server endpoints to use endpoints powered by PrivateLink.

About the Service :

AWS Transfer Family is a secure transfer service that enables you to transfer files into and out of AWS storage services AWS Transfer Family supports transferring data from Amazon Simple Storage Service (Amazon S3) storage, Amazon Elastic File System (Amazon EFS) Network File System (NFS) file system, etc..

Impact: 

Configure your SFTP servers to use VPC endpoints created on top of the AWS PrivateLink network to prevent data from your internal applications from being exposed to the public Internet. Using a specialized Amazon network, PrivateLink provides safe and private connectivity between VPCs and other AWS services and resources.

Steps to reproduce :

  1. Sign in to your AWS Management Console.
  2. Navigate to the AWS Transfer for SFTP service dashboard at: https://console.aws.amazon.com/transfer/
  3. In the navigation panel, under SFTP, choose Servers.
  4. To visit the server settings page for an SFTP server, select it and then click on the resource ID available in the Server ID field.
  5. Check the Endpoint type attribute value on the resource configuration page. The server access configuration is not compliant if the value is Public since the endpoint of the selected Amazon Transfer for the SFTP server is publicly available.
  6. Repeat steps no. 4 and 5 to check the endpoint type for other SFTP servers provisioned in the current region as well as in other regions.

Steps for remediation :

  1. Sign in to your AWS Management Console.
  2. Navigate to the AWS Transfer for SFTP service dashboard at: https://console.aws.amazon.com/transfer/
  3. In the navigation panel, under SFTP, choose Servers.
  4. Select the SFTP server you wish to reconfigure from the dashboard top menu, then click the Actions dropdown button and select Stop to stop the specified server.
  5. To finalise the action, click Stop in the Stop <server-id> dialogue box. Before continuing with the process, wait for the server's status to change to Offline.
  6. To view the server configuration page now that the server is down, click on the resource ID listed in the Server ID column.
  7. Within the Server configuration section, click the Edit button to edit the resource configuration.
  8. Select VPC for the Endpoint type on the Edit configuration page's Endpoint configuration section to change the server access endpoint from public to VPC.
  9. If you already have a VPC endpoint for your SFTP server, select it from the VPC endpoint selection list, or click Create a VPC endpoint and follow the setup wizard's instructions to create a new VPC endpoint.
  10. Once the appropriate VPC endpoint is selected, click Save to apply the changes
  11. Return to the resource configuration page and select Start from the Actions menu to put your server back online. The value of the Endpoint type attribute should now be VPC.
  12. If required, repeat steps no. 4 – 11 to change the endpoint type for other Amazon Transfer for SFTP servers available in the current region as well as for other regions.

 

References: