How to Make SFTP Servers Compliant Using Infrastructure as Code


AWS How-To Guide

What is AWS SFTP?

AWS Transfer for SFTP (AWS SFTP) is a managed AWS service. SFTP (Secure File Transfer Protocol) transfers files and other data into and out of Amazon S3 buckets over a connection that uses the Secure Shell (SSH) protocol. Unlike FTP, SFTP traffic stays encrypted, since it uses asymmetric cryptography with SSH public keys to protect the data in transit. Many organizations rely on SFTP to upload and download files to servers in line with their security policies and compliance requirements.

By default, the SSH service (including its SFTP subsystem) is configured and enabled on Amazon Linux AMIs. This is a great standard set by AWS to reduce implementation overhead. Nevertheless, in many use cases the SFTP server needs to be reachable from the internet, which can leave your instance exposed to attack vectors such as malicious bots or brute-force attempts to gain access to the instance shell.

CloudFormation Template – Making AWS SFTP Servers Compliant Using Infrastructure as Code

The following diagram shows a high-level example of an externally facing tunnel used for both SSH and SFTP.

If you allow traffic to port 22 from the internet (0.0.0.0/0) in the instance's Security Group and do not add any additional layer to filter this traffic, the instance becomes vulnerable and falls out of compliance.

Here is the good news! With our CloudFormation template, you can address this issue through Infrastructure as Code and launch a publicly accessible SFTP server while keeping the shell tunnel private to specified IPs.

For the Amazon Linux 1 or 2 distributions, our CloudFormation template will do the following:

  • Let you choose the designated SFTP port (1-65535), which must not be 22.
  • Let you provide the source IP CIDR for strict shell access (must be in the format x.x.x.x/x).
  • Provision an Elastic IP and automatically attach it to the instance.
  • Create an additional sshd process (sshd-second) with its own PID file and configuration.
  • Disable SFTP in the original sshd_config.
  • Disable shell access in sshd_config-second for ec2-user.

*It is recommended to add new users to DenyUsers in /etc/ssh/sshd_config-second and to restrict shell access on the SFTP port.
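To make the split concrete, here is an added example (not the post's CloudFormation template) that builds the security group the two-sshd layout needs, renders an assumed sshd_config-second, and checks a template for the port-22-open-to-the-world mistake described above. The resource name `SftpSg`, the `PidFile` path, the admin CIDR `203.0.113.10/32` and the check logic are assumptions for illustration.

```python
import ipaddress
import json


def validate_params(sftp_port, admin_cidr):
    """Enforce the template's parameter rules: port 1-65535 but not 22, CIDR as x.x.x.x/x."""
    if not (1 <= sftp_port <= 65535) or sftp_port == 22:
        raise ValueError("SFTP port must be in 1-65535 and must not be 22")
    if "/" not in admin_cidr:
        raise ValueError("admin CIDR must look like x.x.x.x/x")
    ipaddress.IPv4Network(admin_cidr, strict=False)  # raises ValueError if malformed


def build_security_group(sftp_port, admin_cidr):
    """Security group resource: shell tunnel (22) only from admin_cidr, SFTP port public."""
    validate_params(sftp_port, admin_cidr)

    def rule(port, cidr):
        return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "CidrIp": cidr}

    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "Public SFTP, shell SSH restricted to admin CIDR",
            "SecurityGroupIngress": [rule(22, admin_cidr), rule(sftp_port, "0.0.0.0/0")],
        },
    }


def sshd_second_config(sftp_port):
    """Assumed contents for /etc/ssh/sshd_config-second: SFTP only, ec2-user denied on the public port."""
    return "\n".join([
        f"Port {sftp_port}",
        "PidFile /var/run/sshd-second.pid",  # assumed path for the second daemon's PID
        "PasswordAuthentication no",
        "Subsystem sftp internal-sftp",
        "ForceCommand internal-sftp",  # every session on this port is SFTP, never a shell
        "DenyUsers ec2-user",  # the admin account only logs in on port 22 from the admin CIDR
        "",
    ])


def world_open_ssh(template):
    """Names of security groups in a CloudFormation template that expose port 22 to 0.0.0.0/0."""
    offenders = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for r in res.get("Properties", {}).get("SecurityGroupIngress", []):
            proto, lo, hi = r.get("IpProtocol"), r.get("FromPort", 0), r.get("ToPort", 0)
            covers_22 = proto == "-1" or (proto == "tcp" and lo <= 22 <= hi)
            if r.get("CidrIp") == "0.0.0.0/0" and covers_22:
                offenders.append(name)
                break
    return offenders


if __name__ == "__main__":
    template = {"Resources": {"SftpSg": build_security_group(4777, "203.0.113.10/32")}}
    print(json.dumps(template, indent=2))
    print(sshd_second_config(4777))
    print("world-open SSH groups:", world_open_ssh(template))
```

Running `world_open_ssh` over a template before deployment catches the mistake at the IaC stage rather than in a post-deployment audit.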

Quick Start Instructions:

  1. Upon uploading the template to CloudFormation (CFN), you will see the following parameter screen:
  2. Choose the desired values for the parameters above (note: 4777 was chosen as the SFTP port), click Next twice, and then click Create. Once the stack completes, the resources should be visible.
  3. Use your preferred SFTP client and connect!
