SFTP Gateway Security Notes
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
This page covers some security related topics for SFTP Gateway.
Encryption in transit: SSH layer
SFTP Gateway uses the default OpenSSH implementation, which encrypts both SSH and SFTP traffic.
Encryption in transit: Move to S3
Files are copied from the local Linux file system to S3 using HTTPS.
SFTP Gateway uses the AWS CLI to move files. The AWS CLI in turn uses a REST API, which is HTTPS.
Encryption at rest: Local Linux Filesystem
When deploying SFTP Gateway using a Single Instance Template, files are not encrypted at rest by default. However, you can encrypt your EBS volume as a post configuration step.
When deploying SFTP Gateway using a Multi Instance Template, files are encrypted at rest by default. An encrypted EFS volume is mounted over the home directory, where files are stored.
Encryption at rest: S3
In AWS, S3 encryption is configured on a per-object basis.
With SFTP Gateway, you configure S3 encryption on a per-user basis. Each SFTP user has an encryption setting, which defaults to SSE-S3.
You can set an SFTP user's encryption setting to a KMS key. Note: you will need to grant the EC2 instance read permissions to list out the keys, so that they appear in the admin web UI.
Securing the SFTP protocol
SFTP Gateway has a few default customization settings to help further secure the SFTP protocol:
- SFTP users are denied SSH access
- SFTP users are chrooted into a folder nested within their Linux home directory, to prevent directory traversal
- SFTP users are configured with key based authentication by default. This is to address issues inherent with passwords (complexity requirements, and that fact that they are sent over the wire)
- SFTP users have their default shell removed, another measure to prevent SSH access
Securing EC2 Security Group ports
Ports should be restricted to least privilege. As a start, ports 22, 80, and 443 ingress should be granted to the system administrator. Only port 22 should be open to a whitelist of public IP addresses used by SFTP users.
To improve security, you can move the SSH protocol to an alternate port (e.g. 2222), and open port 22 (SFTP) to customers.
SFTP audit logs are recorded in the log file
Since SFTP Gateway is deployed as a Marketplace image, you alone have access, and are responsible for patching the operating system.