
Enable AWS Transfer for SFTP Logging Activity

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that AWS CloudWatch logging is enabled for your Amazon Transfer for SFTP servers in order to track SFTP user activity and meet regulatory requirements. Amazon Transfer for SFTP is a fully managed service that allows you to transfer files over Secure File Transfer Protocol (SFTP) into and out of Amazon S3 storage. The SFTP user activity logs contain records of user authentication (success and failure), data uploads (PUT requests) and data downloads (GET requests).

Security

SFTP logging data can be extremely useful for security and compliance audits, for tracking down issues, and for detecting unauthorized user access. Once the Logging Activity feature is enabled, AWS CloudWatch Logs starts recording all SFTP user activity for your Amazon Transfer for SFTP servers.

Audit

To determine if your AWS Transfer for SFTP servers have the Logging Activity feature enabled, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Transfer for SFTP service dashboard at https://console.aws.amazon.com/transfer/.

03 In the navigation panel, under SFTP, choose Servers.

04 Choose the SFTP server that you want to examine, then click on the resource ID available in the Server ID column, to access the server configuration.

05 On the SFTP server configuration page, check the Logging role attribute value. If the configuration attribute does not have a value (i.e. an IAM role name), the selected Amazon Transfer for SFTP server does not have the Logging Activity feature enabled.

06 Repeat step no. 4 and 5 to determine the feature status and configuration for other SFTP servers provisioned in the current region.

07 Change the AWS region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-servers command (OSX/Linux/UNIX) to list the IDs of all SFTP servers available in the selected AWS region – in this case the US East (N. Virginia) region:

aws transfer list-servers
    --region us-east-1
    --output table
    --query 'Servers[*].ServerId'

02 The command output should return a table with the requested SFTP server IDs:

-------------------------
|      ListServers      |
+-----------------------+
|  s-01234abcd1234abcd  |
|  s-011223344aabbccdd  |
|  s-0abcd1234abcd1234  |
+-----------------------+

03 Execute describe-server command (OSX/Linux/UNIX) using the ID of the Secure File Transfer Protocol (SFTP) server that you want to examine as identifier, together with a custom query filter, to return the Identity and Access Management (IAM) role configured as the logging role. This role is required to enable CloudWatch logging of SFTP user activity for the selected server:

aws transfer describe-server
    --region us-east-1
    --server-id s-01234abcd1234abcd
    --query 'Server.LoggingRole'

04 The command output should return the requested information (i.e. the ARN of the logging IAM role):

null

If the describe-server command output returns null, as shown in the example above, AWS CloudWatch logging is not enabled for the selected Amazon Transfer for SFTP server, therefore SFTP user activity is not recorded for the specified server.

05 Repeat step no. 3 and 4 to determine the SFTP user activity logging status and configuration for other SFTP servers available within the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
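The CLI audit above, steps 1 to 6, scripted for every server in every enabled region. This is an added example, not Conformity's own tooling or an AWS-provided script; it assumes the AWS CLI is installed with credentials allowed to call transfer:ListServers, transfer:DescribeServer and ec2:DescribeRegions. It uses --output text, where the CLI prints the literal string "None" for a null LoggingRole, which is the non-compliant case the audit describes.

```shell
#!/usr/bin/env bash
# Added example (not Conformity's own tooling): audit every Transfer for SFTP
# server in one or all regions and report which ones have no logging role.
# Assumes the AWS CLI is installed and the caller has transfer:ListServers,
# transfer:DescribeServer and ec2:DescribeRegions permissions.

# Report one server. Prints "<region> <server-id> <status> <detail>" and
# returns 0 when a logging role is set, 1 when it is missing, 2 on API error.
sftp_logging_status() {
    local region="$1" server_id="$2" role
    # With --output text the CLI prints "None" for a null LoggingRole, i.e. the
    # same condition as the null shown in step 4 of the audit.
    role=$(aws transfer describe-server --region "$region" --server-id "$server_id" \
               --query 'Server.LoggingRole' --output text) || return 2
    if [ -z "$role" ] || [ "$role" = "None" ]; then
        printf '%s\t%s\tNONCOMPLIANT\tno logging role\n' "$region" "$server_id"
        return 1
    fi
    printf '%s\t%s\tCOMPLIANT\t%s\n' "$region" "$server_id" "$role"
    return 0
}

# Steps 1 to 5 for one region. Returns 1 if at least one server has no
# logging role or could not be queried.
audit_region() {
    local region="$1" rc=0 id
    for id in $(aws transfer list-servers --region "$region" \
                    --query 'Servers[*].ServerId' --output text); do
        sftp_logging_status "$region" "$id" || rc=1
    done
    return "$rc"
}

# Step 6: repeat the audit for every region enabled in the account.
audit_all_regions() {
    local region rc=0
    for region in $(aws ec2 describe-regions --query 'Regions[*].RegionName' \
                        --output text); do
        audit_region "$region" || rc=1
    done
    return "$rc"
}

# Run the full audit only when explicitly requested, so the file can also be
# sourced for its functions:   SFTP_AUDIT_RUN=1 ./sftp-logging-audit.sh
if [ "${SFTP_AUDIT_RUN:-0}" = "1" ]; then
    audit_all_regions
fi
```

The exit status of audit_all_regions is non-zero when any server lacks a logging role, so the script can be wired into a scheduled job or CI check that fails on drift; the tab-separated output is easy to forward to a ticketing system or a CloudWatch metric filter.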

Remediation / Resolution

To enable the Activity Logging feature, you first have to create an IAM role that your SFTP servers can assume and use to call the AWS CloudWatch service on your behalf. To enable SFTP user activity logging for your existing Amazon Transfer for SFTP servers, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, choose Policies.

04 Click Create policy from the dashboard top menu to initiate the IAM policy setup.

05 On the Create policy page, select the JSON tab from the top panel, paste the following policy document and click Review policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "sftp-activity-logging-role-policy",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

06 On the Review policy page, type a unique name for your new IAM policy in the Name box, then click Create policy to save the changes and create the required IAM policy.

07 In the left navigation panel, choose Roles.

08 Click Create role button from the dashboard top menu to create a new IAM role.

09 On Select type of trusted entity panel, select AWS service category and choose Transfer from Choose the service that will use this role list. Click Next: Permissions to continue.

10 On Permissions panel, select the name of the IAM policy created at the previous steps from the Attach permissions policies section list. Click Next: Tags button to continue the setup process.

11 On Add tags (optional) panel, define the tags that you can add to your new role. Click Next: Review to continue.

12 On Review panel, provide a unique name and a description for your new IAM role, then click Create role to complete the setup process and create the required IAM role.

13 Navigate to AWS Transfer for SFTP service dashboard at https://console.aws.amazon.com/transfer/.

14 In the navigation panel, under SFTP, choose Servers.

15 Choose the SFTP server that you want to reconfigure, then click on the server ID available in the Server ID column.

16 On the selected SFTP server details page, within Server configuration section, click the Edit button to access the resource configuration edit mode.

17 On the Edit configuration page, in the Logging role section, select the IAM role created earlier in the process from the Logging role dropdown list.

18 Click Save to apply the changes and enable SFTP user activity logging. As soon as SFTP user activity is detected, the logs are published to AWS CloudWatch Logs.

19 Reconfigure other Amazon Transfer for SFTP servers available in the selected AWS region to make use of the Logging Activity feature.

20 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Define the access policy that allows AWS CloudWatch logging. To create the IAM policy for the required AWS IAM role, save the following JSON document to a file named cc-activity-logging-policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ActivityLoggingRolePolicy",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

02 Create the trust relationship (Trusted Entities) policy that will be associated with the new IAM role. To create the required trust relationship policy, save the following document to a JSON file named cc-sftp-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

03 Run create-role command (OSX/Linux/UNIX) to create the AWS IAM role that your SFTP server(s) will assume, using the trust relationship policy defined at the previous step:

aws iam create-role
    --role-name cc-activity-logging-iam-role
    --assume-role-policy-document file://cc-sftp-trust-policy.json

04 The command output should return the new IAM role metadata, e.g.:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Condition": {},
                    "Principal": {
                        "Service": "transfer.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AAAABBBBCCCCDDDDAAAA",
        "CreateDate": "2019-02-01T11:57:39Z",
        "RoleName": "cc-activity-logging-iam-role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/cc-activity-logging-iam-role"
    }
}

05 Run put-role-policy command (OSX/Linux/UNIX) to attach the IAM access policy defined at step no. 1 to the new AWS IAM role (the command does not produce an output):

aws iam put-role-policy
    --role-name cc-activity-logging-iam-role
    --policy-name cc-activity-logging-iam-policy
    --policy-document file://cc-activity-logging-policy.json

06 Run update-server command (OSX/Linux/UNIX) using the ARN of the IAM role returned at step no. 4 as value for the --logging-role command parameter, to associate the specified IAM role with the selected SFTP server in order to enable SFTP user activity logging:

aws transfer update-server
    --region us-east-1
    --server-id s-01234abcd1234abcd
    --logging-role arn:aws:iam::123456789012:role/cc-activity-logging-iam-role

07 The command output should return the command request metadata, in this case the ID of the modified SFTP server:

{
    "ServerId": "s-01234abcd1234abcd"
}

08 Reconfigure other Amazon Transfer for SFTP servers provisioned in the selected AWS region to enable SFTP user activity logging.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire process for other regions.
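The CLI remediation above, steps 1 to 7, scripted for a list of server IDs in one region. This is an added example, not Conformity's own tooling or an AWS-provided script; it assumes the AWS CLI is installed and the caller has iam:GetRole, iam:CreateRole, iam:PutRolePolicy and transfer:UpdateServer permissions. The role name, policy name and both policy documents are the ones used on this page; the retry around update-server is added because IAM is eventually consistent and a role created seconds earlier may not yet be usable by Transfer Family.

```shell
#!/usr/bin/env bash
# Added example (not Conformity's own tooling): automate steps 1 to 7 of the
# CLI remediation for the server IDs given on the command line. Assumes the
# AWS CLI is installed and the caller may create the IAM role and update the
# servers. Names match the ones used on this page.

# Steps 1 and 2: write both policy documents to a scratch directory; prints its path.
write_policy_documents() {
    local dir
    dir=$(mktemp -d) || return 1
    cat > "$dir/cc-activity-logging-policy.json" <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Sid": "ActivityLoggingRolePolicy", "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams",
                           "logs:CreateLogGroup", "logs:PutLogEvents"],
                "Resource": "*"}]}
EOF
    cat > "$dir/cc-sftp-trust-policy.json" <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "transfer.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
EOF
    printf '%s\n' "$dir"
}

# Steps 3 to 5: create the role (or reuse it when it already exists), attach
# the inline access policy, and print the role ARN.
create_logging_role() {
    local role_name="$1" dir="$2" arn
    arn=$(aws iam get-role --role-name "$role_name" \
              --query 'Role.Arn' --output text 2>/dev/null) ||
    arn=$(aws iam create-role --role-name "$role_name" \
              --assume-role-policy-document "file://$dir/cc-sftp-trust-policy.json" \
              --query 'Role.Arn' --output text) || return 1
    aws iam put-role-policy --role-name "$role_name" \
        --policy-name cc-activity-logging-iam-policy \
        --policy-document "file://$dir/cc-activity-logging-policy.json" || return 1
    printf '%s\n' "$arn"
}

# Steps 6 and 7: point one server at the role; prints the server ID that
# update-server echoes back. IAM is eventually consistent, so a role created
# moments ago may be rejected at first: retry a few times before giving up.
enable_sftp_logging() {
    local region="$1" server_id="$2" role_arn="$3" attempt=1
    while :; do
        if aws transfer update-server --region "$region" --server-id "$server_id" \
               --logging-role "$role_arn" --query 'ServerId' --output text; then
            return 0
        fi
        if [ "$attempt" -ge 5 ]; then
            return 1
        fi
        attempt=$((attempt + 1))
        sleep 5
    done
}

# Whole procedure for one region and any number of server IDs (step 8):
#   SFTP_REMEDIATE_RUN=1 ./sftp-logging-remediate.sh us-east-1 s-0123... s-0112...
remediate_servers() {
    local region="$1" dir arn id
    shift
    dir=$(write_policy_documents) || return 1
    arn=$(create_logging_role cc-activity-logging-iam-role "$dir") || return 1
    for id in "$@"; do
        enable_sftp_logging "$region" "$id" "$arn" || return 1
    done
    rm -rf "$dir"
}

if [ "${SFTP_REMEDIATE_RUN:-0}" = "1" ]; then
    remediate_servers "$@"
fi
```

Transfer Family writes to log groups named /aws/transfer/<server-id>, so if your account standards forbid "Resource": "*" in role policies, the access policy's Resource can be narrowed to arn:aws:logs:*:*:log-group:/aws/transfer/* (and its log streams) without affecting logging; verify the resulting log group name in your own account before tightening it.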

Publication date Feb 4, 2019