AWS Security ChangesHomeSearch

AWS transfer high security documentation change

Service: transfer · 2025-10-16 · Security-related high

File: transfer/latest/userguide/infrastructure-security.md

Summary

Added VPC connectivity security section detailing network isolation and security controls

Security assessment

Documents security-specific features including private network traffic control, VPC security group configurations, and secure ingress points. Directly explains security controls for infrastructure protection.

Diff

diff --git a/transfer/latest/userguide/infrastructure-security.md b/transfer/latest/userguide/infrastructure-security.md
index 8553018d1..adf7add45 100644
--- a//transfer/latest/userguide/infrastructure-security.md
+++ b//transfer/latest/userguide/infrastructure-security.md
@@ -5 +5 @@
-NLB and NAT considerations
+NLB and NAT considerationsVPC connectivity infrastructure security
@@ -60,0 +61,32 @@ For additional guidance on NLB alternatives, contact the AWS Transfer Family Pro
+## VPC connectivity infrastructure security
+
+SFTP connectors with VPC egress type provide enhanced infrastructure security through network isolation and private connectivity:
+
+### Network isolation benefits
+
+  * **Private network traffic** : All connector traffic to private SFTP servers remains within your VPC, never traversing the public internet.
+
+  * **Controlled egress** : For public endpoints accessed via VPC, traffic routes through your NAT gateways, giving you control over egress IP addresses and network policies.
+
+  * **VPC security controls** : Leverage existing VPC security groups, network ACLs, and route tables to control connector network access.
+
+  * **Hybrid connectivity** : Access on-premises SFTP servers through established VPN or Direct Connect connections without additional internet exposure.
+
+
+
+
+### Resource Gateway security considerations
+
+Resource Gateways provide secure ingress points for Cross-VPC Resource Access:
+
+  * **Multi-AZ deployment** : Resource Gateways require subnets in at least two Availability Zones for high availability and fault tolerance.
+
+  * **Security group controls** : Configure security groups to restrict access to SFTP ports (typically port 22) from authorized sources only.
+
+  * **Private subnet placement** : Deploy Resource Gateways in private subnets when connecting to private SFTP servers to maintain network isolation.
+
+  * **Connection limits** : Each Resource Gateway supports up to 350 concurrent connections with a 350-second idle timeout for TCP connections.
+
+
+
+