AWS transfer documentation change
Summary
Restructured SFTP connector documentation to focus on high-level task overview rather than detailed configuration steps. Removed detailed IAM policy examples, CLI commands, and security policy selection details. Added references to external procedure pages for specific tasks.
Security assessment
The changes primarily reorganize content rather than address security vulnerabilities. While security-related aspects like IAM roles and Secrets Manager integration are mentioned, the removal of specific security policy configuration details and trusted host key validation instructions does not indicate a security fix. The documentation now delegates security implementation details to linked pages rather than containing direct vulnerabilities.
Diff
diff --git a/transfer/latest/userguide/configure-sftp-connector.md b/transfer/latest/userguide/configure-sftp-connector.md index d982590bf..cf56d9c21 100644 --- a//transfer/latest/userguide/configure-sftp-connector.md +++ b//transfer/latest/userguide/configure-sftp-connector.md @@ -5 +5 @@ -Create an SFTP connector +# Creating SFTP connectors @@ -7 +7 @@ Create an SFTP connector -# Configure SFTP connectors +This topic describes how to create SFTP connectors. Each connector provides the ability to connect with one remote SFTP server. You perform the following high-level tasks to configure an SFTP connector. @@ -9 +9 @@ Create an SFTP connector -This topic describes how to create SFTP connectors, the security algorithms associated with them, how to store a secret to hold credentials, details about formatting the private key, and instructions for testing your connectors. + 1. Store the authentication credentials for the connector in AWS Secrets Manager. @@ -11,127 +11 @@ This topic describes how to create SFTP connectors, the security algorithms asso -###### Topics - - * Create an SFTP connector - - * [Store a secret for use with an SFTP connector](./sftp-connector-secret-procedure.html) - - * [Test an SFTP connector](./test-sftp-connector.html) - - - - -## Create an SFTP connector - -This procedure explains how to create SFTP connectors by using the AWS Transfer Family console or AWS CLI. - -Console - - -###### To create an SFTP connector - - 1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/). - - 2. In the left navigation pane, choose **Connectors** , then choose **Create connector**. - - 3. Choose **SFTP** for the connector type to create an SFTP connector, and then choose **Next**. - - - - 4. In the **Connector configuration** section, provide the following information: - - - - * For the **URL** , enter the URL for a remote SFTP server. This URL must be formatted as `sftp://`partner-SFTP-server-url``, for example `sftp://AnyCompany.com`. - -###### Note - -Optionally, you can provide a port number in your URL. The format is `sftp://`partner-SFTP-server-url`:`port-number``. The default port number (when no port is specified) is port 22. - - * For the **Access role** , choose the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to use. - - * **Make sure that this role provides read and write access** to the parent directory of the file location that's used in the `StartFileTransfer` request. - - * **Make sure that this role provides permission** for `secretsmanager:GetSecretValue` to access the secret. - -###### Note - -In the policy, you must specify the ARN for the secret. The ARN contains the secret name, but appends the name with six, random, alphanumeric characters. An ARN for a secret has the following format. - - arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters - - * **Make sure this role contains a trust relationship** that allows the connector to access your resources when servicing your users' transfer requests. For details on establishing a trust relationship, see [To establish a trust relationship](./requirements-roles.html#establish-trust-transfer). - -The following example grants the necessary permissions to access the `amzn-s3-demo-bucket` in Amazon S3, and the specified secret stored in Secrets Manager. - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowListingOfUserFolder", - "Action": [ - "s3:ListBucket", - "s3:GetBucketLocation" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::amzn-s3-demo-bucket" - ] - }, - { - "Sid": "HomeDirObjectAccess", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:GetObject", - "s3:DeleteObject", - "s3:DeleteObjectVersion", - "s3:GetObjectVersion", - "s3:GetObjectACL", - "s3:PutObjectACL" - ], - "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*" - }, - { - "Sid": "GetConnectorSecretValue", - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue" - ], - "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters" - } - ] - } - -###### Note - -For the access role, the example grants access to a single secret. However, you can use a wildcard character, which can save work if you want to reuse the same IAM role for multiple users and secrets. For example, the following resource statement grants permissions for all secrets that have names beginning with `aws/transfer`. - - "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/*" - -You can also store secrets containing your SFTP credentials in another AWS account. For details on enabling cross-account secret access, see [Permissions to AWS Secrets Manager secrets for users in a different account](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html). - - * (Optional) For the **Logging role** , choose the IAM role for the connector to use to push events to your CloudWatch logs. The following example policy lists the necessary permissions to log events for SFTP connectors. - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "SFTPConnectorPermissions", - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:DescribeLogStreams", - "logs:CreateLogGroup", - "logs:PutLogEvents" - ], - "Resource": [ - "arn:aws:logs:*:*:log-group:/aws/transfer/*" - ] - }] - } - - 5. In the **SFTP Configuration** section, provide the following information: - - - - * For **Connector credentials** , from the dropdown list, choose the name of a secret in AWS Secrets Manager that contains the SFTP user's private key or password. You must create a secret and store it in a specific manner. For details, see [Store a secret for use with an SFTP connector](./sftp-connector-secret-procedure.html). - - * (Optional) **Trusted host keys** of the remote server will be required to use your connector for establishing connections with the remote server. You can enter the Trusted host key(s) at the time of creating your connector, or update your connector later by using the host key information returned by the `TestConnection` console action or API command. + 2. Create the connector, specifying the secret ARN, the remote server's URL, the security policy containing the algorithms that will be supported by the connector, and other configuration settings. @@ -139 +13 @@ You can also store secrets containing your SFTP credentials in another AWS accou -For the **Trusted host keys** text box, do either of the following: + 3. After you create the connector, you can test it to ensure that it can establish connections with the remote SFTP server. @@ -141 +14,0 @@ For the **Trusted host keys** text box, do either of the following: - * Paste in the public portion of the host key that is used to identify the external server. You can add more than one key, by choosing **Add trusted host key** to add an additional key. You can use the `ssh-keyscan` command against the SFTP server to retrieve the necessary key. For details about the format and type of trusted host keys that Transfer Family supports, see [SFTPConnectorConfig](https://docs.aws.amazon.com/transfer/latest/APIReference/API_SftpConnectorConfig.html). @@ -143,131 +15,0 @@ For the **Trusted host keys** text box, do either of the following: - * If you do not have the host key information at the time of creating your connector, you can leave this parameter empty for now and proceed with creating your connector. After the connector is created, use the new connector's ID to run the `TestConnection` command, either in the AWS CLI or from the connector's detail page. If successful, `TestConnection` will return the necessary host key information. You can then edit your connector using the console (or by running the `UpdateConnector` AWS CLI command) and add the host key information that was returned when you ran `TestConnection`. - -###### Important - -If you retrieve the remote server's host key by running `TestConnection`, make sure that you perform out-of-band validation on the key that is returned. - -You must accept the new key as trusted, or verify the presented fingerprint with a previously known fingerprint that you have received from the owner of the remote SFTP server you are connecting to. - - * (Optional) For **Maximum concurrent connections** , from the dropdown list, choose the number of concurrent connections that your connector creates to the remote server. The default selection on the console is **5**. - -This setting specifies the number of active connections that your connector can establish with the remote server at the same time. Creating concurrent connections can enhance connector performance by enabling parallel operations. - - 6. In the **Cryptographic algorithm options** section, choose a **Security policy** from the dropdown list in the **Security Policy** field. The security policy enables you to select the cryptographic algorithms that your connector supports. For details on the available security policies and algorithms, see [Security policies for AWS Transfer Family SFTP connectors](./security-policies-connectors.html). - - 7. (Optional) In the **Tags** section, for **Key** and **Value** , enter one or more tags as key-value pairs. - - 8. After you have confirmed all of your settings, choose **Create connector** to create the SFTP connector. If the connector is created successfully, a screen appears with a list of the assigned static IP addresses and a **Test connection** button. Use the button to test the configuration for your new connector. - - - - - - -The **Connectors** page appears, with the ID of your new SFTP connector added to the list. To view the details for your connectors, see [View SFTP connector details](./manage-sftp-connectors.html#sftp-connectors-view-info). - -CLI - - -You use the [create-connector](https://docs.aws.amazon.com/transfer/latest/APIReference/API_CreateConnector.html) command to create a connector. To use this command to create an SFTP connector, you must provide the following information. - - * The URL for a remote SFTP server. This URL must be formatted as `sftp://`partner-SFTP-server-url``, for example `sftp://AnyCompany.com`. - - * The access role. Choose the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to use. - - * **Make sure that this role provides read and write access** to the parent directory of the file location that's used in the `StartFileTransfer` request. - - * **Make sure that this role provides permission** for `secretsmanager:GetSecretValue` to access the secret. - -###### Note - -In the policy, you must specify the ARN for the secret. The ARN contains the secret name, but appends the name with six, random, alphanumeric characters. An ARN for a secret has the following format. - - arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters - - * **Make sure this role contains a trust relationship** that allows the connector to access your resources when servicing your users' transfer requests. For details on establishing a trust relationship, see [To establish a trust relationship](./requirements-roles.html#establish-trust-transfer). - -The following example grants the necessary permissions to access the `amzn-s3-demo-bucket` in Amazon S3, and the specified secret stored in Secrets Manager. - - { - "Version": "2012-10-17", - "Statement": [ - {