AWS transfer high security documentation change
Summary
Added VPC connectivity security section detailing network isolation and security controls
Security assessment
Documents security-specific features including private network traffic control, VPC security group configurations, and secure ingress points. Directly explains security controls for infrastructure protection.
Diff
diff --git a/transfer/latest/userguide/infrastructure-security.md b/transfer/latest/userguide/infrastructure-security.md index 8553018d1..adf7add45 100644 --- a//transfer/latest/userguide/infrastructure-security.md +++ b//transfer/latest/userguide/infrastructure-security.md @@ -5 +5 @@ -NLB and NAT considerations +NLB and NAT considerationsVPC connectivity infrastructure security @@ -60,0 +61,32 @@ For additional guidance on NLB alternatives, contact the AWS Transfer Family Pro +## VPC connectivity infrastructure security + +SFTP connectors with VPC egress type provide enhanced infrastructure security through network isolation and private connectivity: + +### Network isolation benefits + + * **Private network traffic** : All connector traffic to private SFTP servers remains within your VPC, never traversing the public internet. + + * **Controlled egress** : For public endpoints accessed via VPC, traffic routes through your NAT gateways, giving you control over egress IP addresses and network policies. + + * **VPC security controls** : Leverage existing VPC security groups, network ACLs, and route tables to control connector network access. + + * **Hybrid connectivity** : Access on-premises SFTP servers through established VPN or Direct Connect connections without additional internet exposure. + + + + +### Resource Gateway security considerations + +Resource Gateways provide secure ingress points for Cross-VPC Resource Access: + + * **Multi-AZ deployment** : Resource Gateways require subnets in at least two Availability Zones for high availability and fault tolerance. + + * **Security group controls** : Configure security groups to restrict access to SFTP ports (typically port 22) from authorized sources only. + + * **Private subnet placement** : Deploy Resource Gateways in private subnets when connecting to private SFTP servers to maintain network isolation. + + * **Connection limits** : Each Resource Gateway supports up to 350 concurrent connections with a 350-second idle timeout for TCP connections. + + + +