Security in Amazon Transfer Family
Cloud security at Amazon is the highest priority. As an Amazon customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between Amazon and you. The shared responsibility model
To learn whether an Amazon Web Services service is within the scope of specific compliance programs, see Amazon Web Services services in Scope by Compliance Program.
You can download third-party audit reports using Amazon Artifact. For more information, see Downloading Reports in Amazon Artifact.
Your compliance responsibility when using Amazon Web Services services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using Amazon Web Services services, see Amazon Security Documentation.
This documentation helps you understand how to apply the shared responsibility model when using Amazon Transfer Family. The following topics show you how to configure Amazon Transfer Family to meet your security and compliance objectives. You also learn how to use other Amazon services that help you to monitor and secure your Amazon Transfer Family resources.
We offer a workshop that provides prescriptive guidance and a hands-on lab on how you can build a scalable and secure file transfer architecture on Amazon without needing to modify existing applications or manage server infrastructure. You can view the details for this workshop here.
VPC connectivity security benefits
SFTP connectors with VPC egress type provide enhanced security benefits through Cross-VPC Resource Access:
- Network isolation: All traffic remains within your VPC environment, providing complete network isolation from the public internet for private endpoint connections.
- Source IP control: Remote SFTP servers only see IP addresses from your VPC CIDR range, giving you full control over the source IP addresses used for connections.
- Private endpoint access: Connect directly to SFTP servers in your VPC using private IP addresses, eliminating exposure to the public internet.
- Hybrid connectivity: Securely access on-premises SFTP servers through established VPN or Direct Connect connections without additional internet exposure.
- VPC security controls: Use existing VPC security groups, NACLs, and routing policies to control and monitor SFTP connector traffic.
VPC Lattice security model
VPC connectivity for SFTP connectors uses Amazon VPC Lattice with service networks to provide secure multi-tenant access:
- Confused deputy prevention: Authentication and authorization checks ensure that connectors can only access the specific resources they are configured for, preventing unauthorized cross-tenant access.
- IPv6-only service network: Uses IPv6 addressing to avoid potential IP address conflicts and enhance security isolation.
- Forward Access Session (FAS): Temporary credential handling eliminates the need for long-term credential storage or manual resource sharing.
- Resource-level access control: Each connector is associated with a specific Resource Configuration, ensuring granular access control to individual SFTP servers.
Security best practices for VPC connectivity
When using VPC egress type connectors, follow these security best practices:
- Security groups: Configure security groups to allow SFTP traffic (port 22) only between necessary resources. Restrict source and destination IP ranges to the minimum required.
- Resource Gateway placement: Deploy Resource Gateways in private subnets when possible, and ensure they span at least two Availability Zones for high availability.
- Network monitoring: Use VPC Flow Logs and Amazon CloudWatch to monitor network traffic patterns and detect anomalous activity.
- Access logging: Enable connector logging to track file transfer activities and maintain audit trails for compliance requirements.
- Resource Configuration management: Regularly review and update Resource Configurations to ensure they point to the correct SFTP servers and use appropriate network settings.
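As an added illustration of the security group and network monitoring practices above, and of the source IP control point under VPC connectivity security benefits, here is a short Python check that is not part of the Transfer Family documentation or service. It audits a set of ingress rules shaped like the IpPermissions entries that EC2 DescribeSecurityGroups returns, reporting any CIDR that can reach port 22 but is not inside an allow list, and it scans VPC Flow Log records in the default (version 2) format for port-22 flows whose source address lies outside the VPC CIDR. The VPC CIDR, the rule set, and the log lines are constructed sample data.

```python
"""Defender checks for a VPC egress SFTP connector's network path (added example).

audit_sftp_security_group(): which ingress CIDRs can reach port 22 but are not
    contained in an allowed CIDR (the "security groups" best practice).
find_unexpected_sftp_flows(): which port-22 flows in VPC Flow Log records come
    from outside the VPC CIDR (the "source IP control" and "network monitoring"
    points). All input data below is constructed so the script runs offline.
"""
import ipaddress

# Assumption: the VPC hosting the Resource Gateway uses this range (constructed).
VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")
SFTP_PORT = 22

# Constructed rules in the shape of EC2 DescribeSecurityGroups IpPermissions.
SAMPLE_INGRESS_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},      # in-VPC only: fine
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},         # open to the internet
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "192.168.1.0/24"}]},    # range covers 22, off-VPC
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},         # not port 22: ignored
]

# Constructed VPC Flow Log records, default format (version 2, 14 fields):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 10.20.5.17 10.20.9.40 49152 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.45 10.20.9.40 51000 22 6 5 300 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.20.9.40 52222 22 6 8 600 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.5.17 10.20.9.40 49153 443 6 10 1200 1418530010 1418530070 ACCEPT OK
""".splitlines()


def _rule_covers_port(rule, port):
    """True if an ingress rule's protocol/port range includes the given TCP port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rule
        return True
    if proto != "tcp":                      # udp/icmp cannot carry SFTP
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_sftp_security_group(rules, allowed_cidrs, port=SFTP_PORT):
    """Return the CidrIp strings that may reach `port` but sit outside every allowed CIDR."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rule in rules:
        if not _rule_covers_port(rule, port):
            continue
        for ip_range in rule.get("IpRanges", []):
            cidr = ipaddress.ip_network(ip_range["CidrIp"])
            # subnet_of() only compares same-version networks, so guard the version.
            if not any(a.version == cidr.version and cidr.subnet_of(a) for a in allowed):
                findings.append(ip_range["CidrIp"])
    return findings


def find_unexpected_sftp_flows(lines, vpc_cidr, port=SFTP_PORT):
    """Return (srcaddr, action) for TCP flows to `port` whose source is outside vpc_cidr.

    Records with log-status other than OK (NODATA, SKIPDATA) carry '-' fields and
    are skipped, as are lines that do not have the 14 default-format fields.
    """
    unexpected = []
    for line in lines:
        fields = line.split()
        if len(fields) != 14 or fields[13] != "OK":
            continue
        srcaddr, dstport, protocol, action = fields[3], int(fields[6]), fields[7], fields[12]
        if protocol != "6" or dstport != port:   # 6 = TCP
            continue
        if ipaddress.ip_address(srcaddr) not in vpc_cidr:
            unexpected.append((srcaddr, action))
    return unexpected


if __name__ == "__main__":
    for cidr in audit_sftp_security_group(SAMPLE_INGRESS_RULES, [VPC_CIDR]):
        print(f"security group: port {SFTP_PORT} reachable from {cidr}, outside {VPC_CIDR}")
    for src, action in find_unexpected_sftp_flows(SAMPLE_FLOW_LOG_LINES, VPC_CIDR):
        print(f"flow log: port {SFTP_PORT} flow from {src} outside {VPC_CIDR} ({action})")
```

The security group audit treats any rule whose port range merely contains 22 as SFTP exposure, which is why the 0-65535 rule is reported even though it never names port 22 explicitly. In the flow log scan, an ACCEPT from an off-VPC source is the finding that matters: a REJECT shows the security group or NACL did its job, while an ACCEPT means a rule is wider than the best practice above calls for.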