Use AWS PrivateLink for Transfer for SFTP Server Endpoints

01 Sign in to AWS Management Console.

02 Navigate to AWS Transfer for SFTP service dashboard at https://console.aws.amazon.com/transfer/.

03 In the navigation panel, under SFTP, choose Servers.

04 Choose the SFTP server that you want to examine, then click on the resource ID available in the Server ID column, to view the server configuration page.

05 On the resource configuration page, check the Endpoint type attribute value. If the value is Public, the endpoint of the selected Amazon Transfer for SFTP server is publicly accessible, therefore the server access configuration is not compliant.

06 Repeat step no. 4 and 5 to check the endpoint type for other SFTP servers provisioned in the current region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

01 Run list-servers command (OSX/Linux/UNIX) to list the IDs of all SFTP servers available in the selected AWS region – in this case the US East (N. Virginia) region:

aws transfer list-servers
    --region us-east-1
    --output table
    --query 'Servers[*].ServerId'

02 The command output should return a table with the requested SFTP server IDs:

-------------------------
|      ListServers      |
+-----------------------+
|  s-0abcd1234abcd1234  |
|  s-01234567890123456  |
+-----------------------+

03 Execute describe-server command (OSX/Linux/UNIX) using the ID of the Secure File Transfer Protocol (SFTP) server that you want to examine as identifier parameter and custom query filters to return the endpoint type for the selected SFTP server:

aws transfer describe-server
    --region us-east-1
    --server-id s-0abcd1234abcd1234
    --query 'Server.EndpointType'

04 The command output should return the request configuration information:

"PUBLIC"

05 Repeat step no. 3 and 4 to determine the server endpoint type for other SFTP servers available within the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

01 Sign in to AWS Management Console.

02 Navigate to Amazon Transfer for SFTP service dashboard at https://console.aws.amazon.com/transfer/.

03 In the navigation panel, under SFTP, choose Servers.

04 Select the SFTP server that you want to reconfigure, click the Actions dropdown button from the dashboard top menu and select Stop to stop the selected server.

05 In the Stop <server-id> dialog box, click Stop to confirm the action. Wait for the Status of the server to change to Offline before going further with the process.

06 Now that the server is offline, click on the resource ID available in the Server ID column to view the server configuration page.

07 Within Server configuration section, click the Edit button to edit the resource configuration.

08 On the Edit configuration page, in the Endpoint configuration section, select VPC for the Endpoint type to change the server access endpoint from public to VPC.

09 Choose a VPC endpoint from VPC endpoint dropdown list if you already have created a VPC endpoint for your SFTP server or click Create a VPC endpoint button and follow the steps of the setup wizard to create a new VPC endpoint.

10 Once the appropriate VPC endpoint is selected, click Save to apply the changes.

11 Back to the resource configuration page, click Actions and choose Start to bring your server back online. The Endpoint type attribute value should be now changed to VPC.

12 If required, repeat steps no. 4 – 11 to change the endpoint type for other Amazon Transfer for SFTP servers available in the current region.

13 Change the AWS region from the navigation bar and repeat the entire process for other regions.

01 Sign in to AWS Management Console.

02 Navigate to Amazon Transfer for SFTP service dashboard at https://console.aws.amazon.com/transfer/.

03 In the navigation panel, under SFTP, choose Servers.

04 Select the SFTP server that you want to reconfigure, click the Actions dropdown button from the dashboard top menu and select Stop to stop the selected server.

05 In the Stop <server-id> dialog box, click Stop to confirm the action. Wait for the Status of the server to change to Offline before going further with the process.

06 Now that the server is offline, click on the resource ID available in the Server ID column to view the server configuration page.

07 Within Server configuration section, click the Edit button to edit the resource configuration.

08 On the Edit configuration page, in the Endpoint configuration section, select VPC for the Endpoint type to change the server access endpoint from public to VPC.

09 Choose a VPC endpoint from VPC endpoint dropdown list if you already have created a VPC endpoint for your SFTP server or click Create a VPC endpoint button and follow the steps of the setup wizard to create a new VPC endpoint.

10 Once the appropriate VPC endpoint is selected, click Save to apply the changes.

11 Back to the resource configuration page, click Actions and choose Start to bring your server back online. The Endpoint type attribute value should be now changed to VPC.

12 If required, repeat steps no. 4 – 11 to change the endpoint type for other Amazon Transfer for SFTP servers available in the current region.

13 Change the AWS region from the navigation bar and repeat the entire process for other regions.

01 Run stop-server command (OSX/Linux/UNIX) to change the state of the specified SFTP server from ONLINE to OFFLINE (the command does not produce an output):

aws transfer stop-server
    --region us-east-1
    --server-id s-0abcd1234abcd1234

02 Run update-server command (OSX/Linux/UNIX) using the ID of the Secure File Transfer Protocol (SFTP) server that you want to reconfigure, stopped at the previous step, and the ID of the required VPC endpoint as command parameters, to change the selected resource endpoint type from public to VPC:

aws transfer update-server
    --region us-east-1
    --server-id s-0abcd1234abcd1234
    --endpoint-type VPC_ENDPOINT
    --endpoint-details VpcEndpointId=vpce-0aaaabbbbccccdddd

03 The command output should return the command request metadata, in this case the ID of the modified SFTP server:

{
    "ServerId": "s-0abcd1234abcd1234"
}

04 Run start-server command (OSX/Linux/UNIX) to bring the reconfigured SFTP server back online (the command does not produce an output):

aws transfer start-server
    --region us-east-1
    --server-id s-0abcd1234abcd1234

05 If required, repeat steps no. 1 – 4 to change the endpoint type for other Amazon Transfer for SFTP servers available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire process for other regions.