AWS transfer medium security documentation change
Summary
Updated documentation to clarify SFTP connector creation with service-managed egress, added VPC-based egress configuration details, and corrected policy examples with specific ARN formats
Security assessment
The changes emphasize security configuration requirements including: 1) Mandatory TrustedHostKeys parameter for secure server verification (prevents MITM attacks) 2) Explicit security policy selection for cryptographic algorithms 3) Documentation of VPC-based egress as a more secure network isolation option 4) Corrected secret ARN examples prevent misconfiguration risks
Diff
diff --git a/transfer/latest/userguide/create-sftp-connector-procedure.md b/transfer/latest/userguide/create-sftp-connector-procedure.md index 241e3aa23..1ef087840 100644 --- a//transfer/latest/userguide/create-sftp-connector-procedure.md +++ b//transfer/latest/userguide/create-sftp-connector-procedure.md @@ -5 +5 @@ -# Create an SFTP connector +# Create an SFTP connector with service-managed egress @@ -18 +18,3 @@ Console - 3. In the **Connector configuration** section, provide the following information: + 3. In the **Connector configuration** section, for **Egress type** , choose **Service managed**. This option uses AWS Transfer Family managed egress infrastructure. The Transfer Family service provides and manages static IP addresses for each SFTP connector. + + 4. In the **Connector configuration** section, provide the following information: @@ -42 +44,2 @@ In the policy, you must specify the ARN for the secret. The ARN contains the sec -The following example grants the necessary permissions to access the `amzn-s3-demo-bucket` in Amazon S3, and the specified secret stored in Secrets Manager. +**** + @@ -78 +81 @@ The following example grants the necessary permissions to access the `amzn-s3-de - "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters" + "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:aws/transfer/SecretName-6RandomCharacters" @@ -90,0 +95,2 @@ You can also store secrets containing your SFTP credentials in another AWS accou + 5. Complete the connector configuration: + @@ -92,0 +99,3 @@ You can also store secrets containing your SFTP credentials in another AWS accou +**** + + @@ -95,2 +104,3 @@ You can also store secrets containing your SFTP credentials in another AWS accou - "Statement": [{ - "Sid": "SFTPConnectorPermissions", + "Statement": [ + { + "Sid": "VisualEditor0", @@ -104,2 +114,2 @@ You can also store secrets containing your SFTP credentials in another AWS accou - "Resource": [ - "arn:aws:logs:*:*:log-group:/aws/transfer/*" + "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*" + } @@ -107 +116,0 @@ You can also store secrets containing your SFTP credentials in another AWS accou - }] @@ -110 +119,2 @@ You can also store secrets containing your SFTP credentials in another AWS accou - 4. In the **SFTP Configuration** section, provide the following information: + + 6. In the **SFTP Configuration** section, provide the following information: @@ -116 +126 @@ You can also store secrets containing your SFTP credentials in another AWS accou - * (Optional) ) You have an option to create your connector while leaving the `TrustedHostKeys` parameter empty. However, your connector will not be able to transfer files with the remote server until you provide this parameter in your connector’s configuration. You can enter the Trusted host key(s) at the time of creating your connector, or update your connector later by using the host key information returned by the `TestConnection` console action or API command. That is, for the **Trusted host keys** text box, you can do either of the following: + * (Optional) You have an option to create your connector while leaving the `TrustedHostKeys` parameter empty. However, your connector will not be able to transfer files with the remote server until you provide this parameter in your connector’s configuration. You can enter the Trusted host key(s) at the time of creating your connector, or update your connector later by using the host key information returned by the `TestConnection` console action or API command. That is, for the **Trusted host keys** text box, you can do either of the following: @@ -132 +142 @@ This setting specifies the number of active connections that your connector can - 5. In the **Cryptographic algorithm options** section, choose a **Security policy** from the dropdown list in the **Security Policy** field. The security policy enables you to select the cryptographic algorithms that your connector supports. For details on the available security policies and algorithms, see [Security policies for AWS Transfer Family SFTP connectors](./security-policies-connectors.html). + 7. In the **Cryptographic algorithm options** section, choose a **Security policy** from the dropdown list in the **Security Policy** field. The security policy enables you to select the cryptographic algorithms that your connector supports. For details on the available security policies and algorithms, see [Security policies for AWS Transfer Family SFTP connectors](./security-policies-connectors.html). @@ -134 +144 @@ This setting specifies the number of active connections that your connector can - 6. (Optional) In the **Tags** section, for **Key** and **Value** , enter one or more tags as key-value pairs. + 8. (Optional) In the **Tags** section, for **Key** and **Value** , enter one or more tags as key-value pairs. @@ -136 +146 @@ This setting specifies the number of active connections that your connector can - 7. After you have confirmed all of your settings, choose **Create SFTP connector** to create the SFTP connector. If the connector is created successfully, a screen appears with a list of the assigned static IP addresses and a **Test connection** button. Use the button to test the configuration for your new connector. + 9. After you have confirmed all of your settings, choose **Create SFTP connector** to create the SFTP connector. If the connector is created successfully, a screen appears with a list of the assigned static IP addresses and a **Test connection** button. Use the button to test the configuration for your new connector. @@ -166 +176,2 @@ In the policy, you must specify the ARN for the secret. The ARN contains the sec -The following example grants the necessary permissions to access the `amzn-s3-demo-bucket` in Amazon S3, and the specified secret stored in Secrets Manager. +**** + @@ -202 +213 @@ The following example grants the necessary permissions to access the `amzn-s3-de - "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters" + "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:aws/transfer/SecretName-6RandomCharacters" @@ -216,0 +229,3 @@ You can also store secrets containing your SFTP credentials in another AWS accou +**** + + @@ -219,2 +234,3 @@ You can also store secrets containing your SFTP credentials in another AWS accou - "Statement": [{ - "Sid": "SFTPConnectorPermissions", + "Statement": [ + { + "Sid": "VisualEditor0", @@ -228,2 +244,2 @@ You can also store secrets containing your SFTP credentials in another AWS accou - "Resource": [ - "arn:aws:logs:*:*:log-group:/aws/transfer/*" + "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*" + } @@ -231 +246,0 @@ You can also store secrets containing your SFTP credentials in another AWS accou - }] @@ -259 +275 @@ The `SecretId` can be either the entire ARN or the name of the secret (`example- -Then run the following command to create the connector. +Then run the following command to create the connector: @@ -265,2 +281,2 @@ Then run the following command to create the connector. - --sftp-config file:///path/to/testSFTPConfig.json - --security-policy-name security-policy-name + --sftp-config file:///path/to/testSFTPConfig.json \ + --security-policy-name security-policy-name \ @@ -268,0 +285,27 @@ Then run the following command to create the connector. +When you describe a VPC egress type connector, the response includes the new fields: + + + { + "Connector": { + "AccessRole": "arn:aws:iam::123456789012:role/connector-role", + "Arn": "arn:aws:transfer:us-east-1:123456789012:connector/c-1234567890abcdef0", + "ConnectorId": "c-1234567890abcdef0", + "Status": "ACTIVE", + "EgressConfig": { + "VpcLattice": { + "ResourceConfigurationArn": "arn:aws:vpc-lattice:us-east-1:123456789012:resourceconfiguration/rcfg-12345678", + "PortNumber": 22 + } + }, + "EgressType": "VPC", + "ServiceManagedEgressIpAddresses": null, + "SftpConfig": { + "TrustedHostKeys": [ "ssh-rsa AAAAB3NzaC..." ], + "UserSecretId": "aws/transfer/connector-secret" + }, + "Url": "sftp://my.sftp.server.com:22" + } + } + +Note that `ServiceManagedEgressIpAddresses` is null for VPC egress type connectors since traffic routes through your VPC instead of AWS managed infrastructure. + @@ -277 +320 @@ Store credentials in Secrets Manager -Test an SFTP connector +Create an SFTP connector with VPC-based egress