AWS transfer documentation change
Summary
Removed section detailing IPv6 support implementation for custom identity providers
Security assessment
The removal deletes guidance on handling IPv6 addresses in custom identity providers, but there is no evidence this relates to a security vulnerability. The information may have been relocated elsewhere.
Diff
diff --git a/transfer/latest/userguide/custom-idp-toolkit.md b/transfer/latest/userguide/custom-idp-toolkit.md index 100d65a9d..b72852659 100644 --- a//transfer/latest/userguide/custom-idp-toolkit.md +++ b//transfer/latest/userguide/custom-idp-toolkit.md @@ -5 +5 @@ -IPv6 supportImplementation details for the custom identity toolkitSupported identity providers +Implementation details for the custom identity toolkitSupported identity providers @@ -22,37 +21,0 @@ With the AWS Transfer Family custom identity provider solution, you can address -## IPv6 support for custom identity providers - -AWS Transfer Family custom identity providers fully support IPv6 connections. When implementing a custom identity provider, your Lambda function can receive and process authentication requests from both IPv4 and IPv6 clients without any additional configuration. The Lambda function receives the client's IP address in the `sourceIp` field of the request, which can be either an IPv4 address (for example, `203.0.113.42`) or an IPv6 address (for example, `2001:db8:85a3:8d3:1319:8a2e:370:7348`). Your custom identity provider implementation should handle both address formats appropriately. - -###### Important - -If your custom identity provider performs IP-based validation or logging, ensure your implementation properly handles IPv6 address formats. IPv6 addresses are longer than IPv4 addresses and use a different notation format. - -###### Note - -When handling IPv6 addresses in your custom identity provider, ensure you're using proper IPv6 address parsing functions rather than simple string comparisons. IPv6 addresses can be represented in various canonical formats (for example `fd00:b600::ec2` or `fd00:b600:0:0:0:0:0:ec2`). Use appropriate IPv6 address libraries or functions in your implementation language to correctly validate and compare IPv6 addresses. - -###### Example Handling both IPv4 and IPv6 addresses in a custom identity provider - - - def lambda_handler(event, context): - # Extract the source IP address from the request - source_ip = event.get('sourceIp', '') - - # Log the client IP address (works for both IPv4 and IPv6) - print(f"Authentication request from: {source_ip}") - - # Example of IP-based validation that works with both IPv4 and IPv6 - if is_ip_allowed(source_ip): - # Continue with authentication - # ... - else: - # Reject the authentication request - return { - "Role": "", - "HomeDirectory": "", - "Status": "DENIED" - } - - -For more information about implementing custom identity providers, see [Using AWS Lambda to integrate your identity provider](./custom-lambda-idp.html). -