Search for Recent Authentication Failure in SFTP
Overview
Monitoring authentication failures in SFTP can help identify security risks, misconfigurations, and unauthorized access attempts. This guide explains how to search for authentication failures using AWS CloudWatch.
AWS CloudWatch Logs
Steps to Search for Authentication Failures
- Access CloudWatch Logs:
  - Navigate to the AWS Management Console.
  - Open CloudWatch > Logs > Log Groups.
- Find the Correct Log Group:
  - Locate the log group associated with AWS Transfer Family (SFTP service).
- Run the Query:

      fields @message
      | filter @message like "Authentication failed"

- Filter by User (Optional):

      fields @message
      | filter @message like "Authentication failed" and @message like "username_here"

  Replace username_here with the actual username.
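The same search can be run on a schedule instead of by hand. The following is an added example, not part of the original guide: it sends the query above through the CloudWatch Logs `start_query` and `get_query_results` API calls (as exposed by boto3) over a recent time window, also returning `@timestamp`. The username allowlist, the `StubLogs` stand-in, and the log group placeholder are assumptions made so the example runs offline.

```python
import re
import time

BASE_QUERY = 'fields @timestamp, @message\n| filter @message like "Authentication failed"'
# Assumption: usernames use only these characters. Anything else is rejected
# so a supplied value can never close the quoted string and alter the query.
SAFE_USER = re.compile(r"[A-Za-z0-9_.@-]{1,100}")

def build_query(username=None):
    """Return the guide's query, optionally narrowed to one user."""
    if username is None:
        return BASE_QUERY
    if not SAFE_USER.fullmatch(username):
        raise ValueError(f"unsafe username: {username!r}")
    return f'{BASE_QUERY} and @message like "{username}"'

def recent_failures(logs, log_group, minutes=60, username=None, max_polls=30):
    """Run the query over the last `minutes` and return each row as a dict."""
    end = int(time.time())
    query_id = logs.start_query(
        logGroupName=log_group, queryString=build_query(username),
        startTime=end - minutes * 60, endTime=end,  # epoch seconds
    )["queryId"]
    status = "Unknown"
    for _ in range(max_polls):
        resp = logs.get_query_results(queryId=query_id)
        status = resp["status"]
        if status == "Complete":
            return [{f["field"]: f["value"] for f in row} for row in resp["results"]]
        if status in ("Failed", "Cancelled", "Timeout"):
            break
        time.sleep(1)  # query is still Scheduled or Running
    raise RuntimeError(f"query did not complete: {status}")

class StubLogs:
    """Constructed stand-in for boto3.client("logs") so the example runs offline."""
    def start_query(self, **kwargs):
        self.request = kwargs
        return {"queryId": "constructed-query-id"}

    def get_query_results(self, queryId):
        row = [{"field": "@timestamp", "value": "2024-01-01 00:00:00.000"},
               {"field": "@message", "value": "Authentication failed (constructed sample)"}]
        return {"status": "Complete", "results": [row]}

if __name__ == "__main__":
    # Swap StubLogs() for boto3.client("logs") and use the real log group name.
    for event in recent_failures(StubLogs(), "LOG_GROUP_PLACEHOLDER"):
        print(event["@timestamp"], event["@message"])
```
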