AWS transfer medium security documentation change
Summary
Added sections for Enhanced HomeDirectory support with LOGICAL type validation, Active Directory group quotas (100 groups/server limit), and updated logical directory documentation
Security assessment
The change introduces validation for HomeDirectory configurations in LOGICAL mode to prevent invalid setups, which could lead to unauthorized access if misconfigured. The Active Directory group quota documentation helps prevent service disruptions that could indirectly impact security monitoring capabilities. However, there's no explicit mention of a vulnerability being patched.
Diff
diff --git a/transfer/latest/userguide/create-user.md b/transfer/latest/userguide/create-user.md index eef06a057..ab82aa664 100644 --- a//transfer/latest/userguide/create-user.md +++ b//transfer/latest/userguide/create-user.md @@ -4,0 +5,2 @@ +Amazon EFS vs. Amazon S3Logical directoriesEnhanced HomeDirectory for logical directoriesActive Directory group quotas + @@ -9 +11 @@ In the following sections, you can find information about how to add users using -As part of each user's properties, you also store that user's Secure Shell (SSH) public key. Doing so is required for key based authentication. The private key is stored locally on your user's computer. When your user sends an authentication request to your server by using a client, your server first confirms that the user has access to the associated SSH private key. The server then successfully authenticates the user. +As part of each user's properties, you also store that user's Secure Shell (SSH) public key. Doing so is required for key-based authentication. The private key is stored locally on your user's computer. When your user sends an authentication request to your server by using a client, your server first confirms that the user has access to the associated SSH private key. The server then successfully authenticates the user. @@ -19 +21 @@ The reason behind this is due to the large volume of malicious login attempts by -###### Amazon EFS vs. Amazon S3 +## Amazon EFS vs. Amazon S3 @@ -38 +40 @@ For Amazon S3, most of the support for logical directories is via API/CLI. You c -###### Logical directories +## Logical directories @@ -48,0 +51,50 @@ If you are specifying logical directory values for your user, the parameter you +## Enhanced HomeDirectory support for logical directories + +AWS Transfer Family now supports specifying a HomeDirectory value when using the LOGICAL HomeDirectoryType. This enhancement applies to Service Managed users, Active Directory access, and Custom Identity Provider implementations where the HomeDirectoryDetails are provided in the response. + +###### Important + +When specifying a HomeDirectory with LOGICAL HomeDirectoryType, the value must map to one of your logical directory mappings. The service validates this during both user creation and updates to prevent configurations that would not work. + +### Default behavior + +By default, if left unspecified, the HomeDirectory is set to "/" for LOGICAL mode. This behavior is unchanged and remains compatible with existing user definitions. + + * Make sure to map your HomeDirectory to an _Entry_ and not a _Target_. For more details, see [Rules for using logical directories](./logical-dir-mappings.html#logical-dir-rules). + + * For details on how a virtual directory is structured see [Virtual directory structure](./logical-dir-mappings.html#virtual-dirs). + + + + +### Custom Identity Provider considerations + +When using a Custom Identity Provider, you can now specify a HomeDirectory in the response while using LOGICAL HomeDirectoryType. The TestIdentityProvider API call will produce correct results when the Custom IDP specifies a HomeDirectory in LOGICAL mode. + +Example Custom IDP response with HomeDirectory and LOGICAL HomeDirectoryType: + + + { + "Role": "arn:aws:iam::123456789012:role/transfer-user-role", + "HomeDirectoryType": "LOGICAL", + "HomeDirectory": "/marketing", + "HomeDirectoryDetails": "[{\"Entry\":\"/\",\"Target\":\"/bucket/home\"},{\"Entry\":\"/marketing\",\"Target\":\"/marketing-bucket/campaigns\"}]" + } + +## Active Directory group quotas + +AWS Transfer Family has a default limit of 100 Active Directory groups per server. If your use case requires more than 100 groups, consider using a custom identity provider solution as described in [Simplify Active Directory authentication with a custom identity provider for AWS Transfer Family](https://aws.amazon.com/blogs/storage/simplify-active-directory-authentication-with-a-custom-identity-provider-for-aws-transfer-family/). + +This limit applies to servers using the following identity providers: + + * AWS Directory Service for Microsoft Active Directory + + * AWS Directory Service for Entra ID Domain Services + + + + +If you need to request a service limit increase, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) in the _AWS General Reference_. If your use case requires more than 100 groups, consider using a custom identity provider solution as described in [Simplify Active Directory authentication with a custom identity provider for AWS Transfer Family](https://aws.amazon.com/blogs/storage/simplify-active-directory-authentication-with-a-custom-identity-provider-for-aws-transfer-family/). + +For troubleshooting information related to Active Directory group limits, see [Active Directory group limits exceeded](./auth-issues.html#managed-ad-group-limits). +