Profile Applicability:
- Level 2
Description:
AWS Transfer Family provides fully managed services for transferring files over SFTP, FTPS, and FTP. Enabling encryption in transit ensures that data transferred between clients and the server is securely encrypted, preventing unauthorized access to sensitive data during the transfer process. This is crucial for protecting the confidentiality and integrity of data in transit, especially when transferring sensitive information.
Rationale:
Enabling encryption in transit for AWS Transfer Family servers ensures that the data is encrypted during transmission, protecting it from interception, man-in-the-middle attacks, or tampering. This is particularly important for complying with data protection regulations such as GDPR, HIPAA, and SOC 2, which require secure transmission of sensitive data.
Impact:
Pros:
Ensures the confidentiality and integrity of data in transit.
Reduces the risk of unauthorized access or tampering during file transfers.
Helps meet compliance requirements for secure data transfer (e.g., GDPR, HIPAA).
Improves overall security posture by preventing exposure of sensitive data during transit.
Cons:
Requires configuration of encryption settings on both the client and server side.
May introduce minor performance overhead due to encryption and decryption processes during data transfer.
Default Value:
By default, AWS Transfer Family servers support encryption in transit. However, it must be explicitly configured to ensure that the appropriate encryption protocols (SFTP, FTPS, or FTP over TLS) are used for all data transfers.
Pre-requisites:
AWS IAM permissions:
transfer:DescribeServer
transfer:UpdateServerKnowledge of the encryption protocols (SFTP, FTPS, or FTP over TLS) to be used for the server.
Properly configured SSL/TLS certificates (if using FTPS or FTP over TLS).
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Transfer Family and select the Servers section.
Choose the Transfer Family server you want to check.
Under the Encryption section, verify if Encryption in Transit is enabled (SFTP, FTPS, or FTP over TLS).
If encryption in transit is not enabled, update the server configuration to enable it:
For SFTP, encryption in transit is enabled by default.
For FTPS or FTP over TLS, ensure that TLS encryption is enabled for secure communication.
Save the changes and verify that the encryption settings are applied.
Using AWS CLI:
List the Transfer Family servers:
aws transfer describe-servers --query "Servers[*].ServerId"
For each server, check the Protocols and Encryption settings:
aws transfer describe-server --server-id <SERVER_ID>
Verify that the response includes the correct encryption settings (e.g., "TLS" or "SFTP").
If encryption in transit is not enabled, modify the server configuration to enable it:
aws transfer update-server --server-id <SERVER_ID> --protocols SFTP --logging-role <IAM_ROLE> --endpoint-type PUBLIC
Implementation Plan:
Using AWS Console:
Navigate to AWS Transfer Family in the AWS Management Console.
Select the server you want to modify from the list.
Under Encryption settings, ensure that SFTP is selected for encryption in transit or configure FTPS/FTP over TLS.
Save the changes and verify that the server now uses encryption in transit for file transfers.
Using AWS CLI:
If encryption in transit is not enabled, run the following command to update the server and enable it:
aws transfer update-server --server-id <SERVER_ID> --protocols SFTP --logging-role <IAM_ROLE> --endpoint-type PUBLICVerify the encryption settings using the describe-server command:
aws transfer describe-server --server-id <SERVER_ID>
Backout Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to AWS Transfer Family and select the Server that was modified.
Under Protocols, disable Encryption in transit or select a less restrictive TLS version if needed.
Save the changes and ensure the server is still functioning correctly without encryption.
Using AWS CLI:
To disable encryption in transit, run:
aws transfer update-server --server-id <SERVER_ID> --protocols "SFTP" --endpoint-details "TlsSecurityPolicy=TLSv1.0"Verify that encryption in transit is disabled:
aws transfer describe-server --server-id <SERVER_ID>
Reference:
CIS Controls: