AWS Transfer for SFTP Server Key
Service Name: AWS Transfer Family
Service Description: AWS Transfer Family is a secure transfer service that enables you to transfer files into and out of AWS storage services using SFTP, FTPS, and FTP protocols. It provides a fully managed, highly available file transfer service that scales to meet your needs.
Service Address: https://aws.amazon.com/aws-transfer-family/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the server level using security groups and network access controls.
Secret Access Scope: Grants access to transfer files to and from AWS storage services (primarily S3 and EFS) using SFTP protocol.
Secret Revokement URL: https://docs.aws.amazon.com/transfer/latest/userguide/key-management.html#delete-key
Secret Example: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxyz1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/0123456789abcdefghijklmnopqrstuvwxyzABCDEF aws-transfer-user
Suspicious Activity Investigation Instructions:
- Review CloudTrail logs for unusual Transfer Family API calls or configuration changes
- Check S3 or EFS access logs for unusual file transfers or access patterns
- Monitor for unexpected increases in data transfer volumes or costs
- Verify IP addresses accessing the SFTP server against expected sources
- Check for unauthorized user creation or SSH key modifications
Mitigation Instructions:
- Immediately delete the compromised SSH key from the AWS Transfer Family service
- Navigate to the AWS Transfer Family console and select the server
- Select the affected user and remove the compromised SSH key
- Generate and add a new SSH key for legitimate users
- Update IP allowlists to restrict access to known IP addresses
- Enable CloudWatch alarms for unusual transfer activity
- Consider implementing multi-factor authentication if available
- Review and update IAM policies to enforce the Principle of Least Privilege.