Infrastructure security in Amazon Transfer Family - Amazon Transfer Family
NLB considerations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Infrastructure security in Amazon Transfer Family

As a managed service, Amazon Transfer Family is protected by Amazon global network security. For information about Amazon security services and how Amazon protects infrastructure, see Amazon Cloud Security. To design your Amazon environment using the best practices for infrastructure security, see Infrastructure Protection in Security Pillar Amazon Well‐Architected Framework.

You use Amazon published API calls to access Amazon Transfer Family through the network. Clients must support the following:

  • Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.

  • Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the Amazon Security Token Service (Amazon STS) to generate temporary security credentials to sign requests.

Avoid placing NLBs in front of Amazon Transfer Family servers

We've spoken with many customers who have configured a Network Load Balancer (NLB) to route traffic to their Amazon Transfer Family server. Usually, they've done this either because they created their server before we offered a way to access it from both inside their VPC and from the internet, or to support FTP on the internet. This not only increases the cost for the customer, it can cause other issues, which we describe in this section.

If you're using this configuration, we encourage you to move to a VPC endpoint and use an Elastic IP. Placing an NLB in front of your Amazon Transfer Family server removes your ability to see the source IP of your users, because Amazon Transfer Family will see only the IP address of your NLB. This not only degrades your ability to audit who is accessing your server, it can also impact performance. Amazon Transfer Family uses the source IP to shard your connections across our data plane. In the case of FTPS, this means that instead of being able to have 10,000 simultaneous connections, a Amazon Transfer Family server with an NLB in front of it would be limited to only 300 simultaneous connections.

If you have a use case that requires you to place an NLB in front of your Amazon Transfer Family server, reach out to the Amazon Transfer Family Product Management team through Amazon Support, so we can look for options to help you take full advantage of our service.