AWS Security ChangesHomeSearch

AWS transfer documentation change

Service: transfer · 2025-07-04 · Documentation low

File: transfer/latest/userguide/custom-idp-toolkit.md

Summary

Added IPv6 support documentation with security guidance for IP validation

Security assessment

Provides security best practices for handling IPv6 addresses in custom identity providers but doesn't address specific vulnerabilities

Diff

diff --git a/transfer/latest/userguide/custom-idp-toolkit.md b/transfer/latest/userguide/custom-idp-toolkit.md
index 201f0336e..100d65a9d 100644
--- a//transfer/latest/userguide/custom-idp-toolkit.md
+++ b//transfer/latest/userguide/custom-idp-toolkit.md
@@ -5 +5 @@
-Supported identity providers
+IPv6 supportImplementation details for the custom identity toolkitSupported identity providers
@@ -21,0 +22,39 @@ With the AWS Transfer Family custom identity provider solution, you can address
+## IPv6 support for custom identity providers
+
+AWS Transfer Family custom identity providers fully support IPv6 connections. When implementing a custom identity provider, your Lambda function can receive and process authentication requests from both IPv4 and IPv6 clients without any additional configuration. The Lambda function receives the client's IP address in the `sourceIp` field of the request, which can be either an IPv4 address (for example, `203.0.113.42`) or an IPv6 address (for example, `2001:db8:85a3:8d3:1319:8a2e:370:7348`). Your custom identity provider implementation should handle both address formats appropriately.
+
+###### Important
+
+If your custom identity provider performs IP-based validation or logging, ensure your implementation properly handles IPv6 address formats. IPv6 addresses are longer than IPv4 addresses and use a different notation format.
+
+###### Note
+
+When handling IPv6 addresses in your custom identity provider, ensure you're using proper IPv6 address parsing functions rather than simple string comparisons. IPv6 addresses can be represented in various canonical formats (for example `fd00:b600::ec2` or `fd00:b600:0:0:0:0:0:ec2`). Use appropriate IPv6 address libraries or functions in your implementation language to correctly validate and compare IPv6 addresses.
+
+###### Example Handling both IPv4 and IPv6 addresses in a custom identity provider
+    
+    
+    def lambda_handler(event, context):
+        # Extract the source IP address from the request
+        source_ip = event.get('sourceIp', '')
+        
+        # Log the client IP address (works for both IPv4 and IPv6)
+        print(f"Authentication request from: {source_ip}")
+        
+        # Example of IP-based validation that works with both IPv4 and IPv6
+        if is_ip_allowed(source_ip):
+            # Continue with authentication
+            # ...
+        else:
+            # Reject the authentication request
+            return {
+                "Role": "",
+                "HomeDirectory": "",
+                "Status": "DENIED"
+            }
+    
+
+For more information about implementing custom identity providers, see [Using AWS Lambda to integrate your identity provider](./custom-lambda-idp.html).
+
+## Implementation details for the custom identity toolkit
+