Technical and Product News and Insights from Rackspace
Originally published in Feb 2018, at Onica.com/blog
AWS® Transfer® for SFTP is a managed AWS service. It allows for the transfer of files and other data over a connection by using the Secure Shell (SSH) protocol into and out of Amazon S3® buckets.
As opposed to FTP, traffic to the SFTP remains encrypted because it uses asymmetric cryptology with SSH public key to encrypt the data at transit. Many organizations benefit from this protocol to upload and download files to servers by using SFTP to follow security policies and compliance requirements.
The service default configuration enables the use of Amazon Linux AMIs, which is a great standard set by AWS to reduce implementation overhead. Nevertheless, many use-cases where the SFTP server needs to be accessible from the internet could potentially leave your instance exposed to attack vectors such as malicious bots or brute-force attempts to obtain access to the instance shell.
Having an externally facing tunnel used for both SSH and SFTP might create a breach in compliance. This happens
because if you allow traffic to port 22 from the internet
0.0.0.0/0 on the instance
Security Group and do not
create any additional layers to filter this traffic, the instance becomes vulnerable and creates a breach in
With our CloudFormation template, you can address this issue through Infrastructure-as-Code and launch a publicly accessible SFTP while keeping the shell tunnel private for specified IPs.
For Amazon® Linux® version 1 or 2 distribution, our CloudFormation template does the following:
sshdPID, sshd-second, and configurations.
Note: We recommend that you add new users to the DenyUsers in /etc/ssh/sshd_config-second and restrict shell access on the SFTP port.
4777as SFTP port.
Use the Feedback tab to make any comments or ask questions. You can also click Sales Chat to chat now and start the conversation.