AWS transfer documentation change
Summary
Added new 'VPC connectivity security benefits' section with security controls, VPC Lattice security model details, and security best practices for SFTP connectors
Security assessment
Documents security features like network isolation, source IP control, private endpoints, and security controls for VPC connectivity. Provides security best practices but does not address a specific vulnerability.
Diff
diff --git a/transfer/latest/userguide/security.md b/transfer/latest/userguide/security.md index 20a6fa5a7..31f4338d9 100644 --- a//transfer/latest/userguide/security.md +++ b//transfer/latest/userguide/security.md @@ -4,0 +5,2 @@ +VPC connectivity security benefits + @@ -41,0 +44,2 @@ We offer a workshop that provides prescriptive guidance and a hands on lab on ho + * VPC connectivity security benefits + @@ -70,0 +75,49 @@ We offer a workshop that provides prescriptive guidance and a hands on lab on ho +## VPC connectivity security benefits + +SFTP connectors with VPC egress type provide enhanced security benefits through Cross-VPC Resource Access: + + * **Network isolation** : All traffic remains within your VPC environment, providing complete network isolation from the public internet for private endpoint connections. + + * **Source IP control** : Remote SFTP servers only see IP addresses from your VPC CIDR range, giving you full control over the source IP addresses used for connections. + + * **Private endpoint access** : Connect directly to SFTP servers in your VPC using private IP addresses, eliminating exposure to the public internet. + + * **Hybrid connectivity** : Securely access on-premises SFTP servers through established VPN or Direct Connect connections without additional internet exposure. + + * **VPC security controls** : Leverage existing VPC security groups, NACLs, and routing policies to control and monitor SFTP connector traffic. + + + + +### VPC Lattice security model + +VPC connectivity for SFTP connectors uses AWS VPC Lattice with service networks to provide secure multi-tenant access: + + * **Confused deputy prevention** : Authentication and authorization checks ensure that connectors can only access the specific resources they are configured for, preventing unauthorized cross-tenant access. + + * **IPv6-only service network** : Uses IPv6 addressing to avoid potential IP address conflicts and enhance security isolation. + + * **Forward Access Session (FAS)** : Temporary credential handling eliminates the need for long-term credential storage or manual resource sharing. + + * **Resource-level access control** : Each connector is associated with a specific Resource Configuration, ensuring granular access control to individual SFTP servers. + + + + +### Security best practices for VPC connectivity + +When using VPC egress type connectors, follow these security best practices: + + * **Security groups** : Configure security groups to allow SFTP traffic (port 22) only between necessary resources. Restrict source and destination IP ranges to the minimum required. + + * **Resource Gateway placement** : Deploy Resource Gateways in private subnets when possible, and ensure they span at least two Availability Zones for high availability. + + * **Network monitoring** : Use VPC Flow Logs and Amazon CloudWatch to monitor network traffic patterns and detect anomalous activity. + + * **Access logging** : Enable connector logging to track file transfer activities and maintain audit trails for compliance requirements. + + * **Resource Configuration management** : Regularly review and update Resource Configurations to ensure they point to the correct SFTP servers and use appropriate network settings. + + + +