Skip to content

AWS Transfer for SFTP Server Key

Service Name: AWS Transfer Family

Service Description: AWS Transfer Family is a secure transfer service that enables you to transfer files into and out of AWS storage services using SFTP, FTPS, and FTP protocols. It provides a fully managed, highly available file transfer service that scales to meet your needs.

Service Address: https://aws.amazon.com/aws-transfer-family/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the server level using security groups and network access controls.

Secret Access Scope: Grants access to transfer files to and from AWS storage services (primarily S3 and EFS) using SFTP protocol.

Secret Revokement URL: https://docs.aws.amazon.com/transfer/latest/userguide/key-management.html#delete-key

Secret Example: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxyz1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/0123456789abcdefghijklmnopqrstuvwxyzABCDEF aws-transfer-user

Suspicious Activity Investigation Instructions:

  • Review CloudTrail logs for unusual Transfer Family API calls or configuration changes
  • Check S3 or EFS access logs for unusual file transfers or access patterns
  • Monitor for unexpected increases in data transfer volumes or costs
  • Verify IP addresses accessing the SFTP server against expected sources
  • Check for unauthorized user creation or SSH key modifications

Mitigation Instructions:

  • Immediately delete the compromised SSH key from the AWS Transfer Family service
  • Navigate to the AWS Transfer Family console and select the server
  • Select the affected user and remove the compromised SSH key
  • Generate and add a new SSH key for legitimate users
  • Update IP allowlists to restrict access to known IP addresses
  • Enable CloudWatch alarms for unusual transfer activity
  • Consider implementing multi-factor authentication if available
  • Review and update IAM policies to enforce the Principle of Least Privilege.