
How to set up a better Transfer Family that faces both internal networks and the Internet?

0

As captioned, we want to set this up to communicate with a service provider and an internal system.

Asked 9 months ago, 603 views
2 answers
3
Accepted answer

Take this:

Choose the Right Endpoint Type:

AWS Transfer Family supports different endpoint types: Public (internet-facing), VPC (internal), and VPC with internet access. Select the one that suits your needs. For internal and internet-facing access, you might need a combination of VPC and public endpoints.

Configure Protocols:

Decide on the protocols you need (SFTP, FTPS, or FTP). Each protocol has its own setup requirements.

Set Up Identity Providers:

Use AWS Identity and Access Management (IAM), AWS Managed Microsoft AD, or custom identity providers for user authentication. This ensures secure access for both internal and external users.

Use Logical Directories:

Simplify directory structures by using logical directories. This helps in managing user access and organizing files effectively.

Secure Your Server:

For internet-facing endpoints, use Elastic IPs and configure security groups to allow access only from trusted IPs. For internal endpoints, ensure proper VPC configurations and firewall rules.

Optimize for NAT Architectures:

If using NAT (Network Address Translation), configure the PASV response address for FTPS to avoid connectivity issues.

Expert
Answered 9 months ago
Expert
Reviewed 9 months ago
1

To set up an AWS Transfer Family server that can communicate with both internal systems and external service providers, you can follow these steps:

  1. Create a new Transfer Family server with the "VPC hosted" endpoint type.

  2. Choose "Internet Facing" as the access type. This allows the server to be accessible from both internal networks and the internet.

  3. Select an existing VPC or create a new one for your Transfer Family server.

  4. Choose up to three Availability Zones and associated subnets for high availability.

  5. Allocate Elastic IP addresses for each subnet you've selected. These will be used for internet-facing access.

  6. Configure security groups to control inbound and outbound traffic to your server.

  7. Optionally, set up a custom hostname for easier access.

  8. Enable CloudWatch logging for monitoring and auditing purposes.

  9. Configure your chosen identity provider (e.g., Service Managed, AWS Managed Microsoft AD, or custom IdP via API Gateway and Lambda).

  10. Set up appropriate IAM roles and policies to control access to your S3 buckets or EFS file systems.

  11. If additional security is needed, consider implementing AWS Web Application Firewall (WAF) in front of your API Gateway endpoint to protect against malicious traffic.

This setup allows your Transfer Family server to communicate securely with both internal systems (through the VPC) and external service providers (via the internet-facing endpoint). You can use SFTP, FTPS, or FTP protocols as needed, depending on your security requirements and the capabilities of your service providers and internal systems.

Remember to implement strong authentication methods and regularly review and update your security configurations to maintain a robust and secure file transfer environment.
Sources
Configuring an SFTP, FTPS, or FTP server endpoint - AWS Transfer Family
Create a server in a virtual private cloud - AWS Transfer Family
Securing AWS Transfer Family with AWS Web Application Firewall and Amazon API Gateway | AWS Storage Blog

Answered 9 months ago
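The steps above (and the security group, logical directory and session-policy advice in the accepted answer) map directly onto a handful of API request bodies. As an added example that is not code from either answer, the block below builds those bodies, enforces the checks a practitioner would want before calling the API (one Elastic IP per subnet, at most three subnets, no FTP on an internet-facing endpoint, no 0.0.0.0/0 ingress, a session policy confined to one user's prefix), and only at the end touches boto3. Every VPC/subnet/EIP/security-group ID, ARN, CIDR, bucket name, partner name ("acme") and SSH key below is a constructed placeholder; `TransferSecurityPolicy-2024-01` is one of the published Transfer Family security policy names and is assumed here to still be current.

```python
"""Added example (not code from either answer): build and sanity-check the request
bodies for the internet-facing, VPC-hosted SFTP server described above. Every ID,
ARN, CIDR, key and bucket name here is a constructed placeholder, not a real resource."""
import json

# One subnet per Availability Zone and one Elastic IP allocation per subnet (same length).
VPC_ID = "vpc-0a1b2c3d4e5f60000"
SUBNET_IDS = ["subnet-0a1b2c3d4e5f60001", "subnet-0a1b2c3d4e5f60002"]
EIP_ALLOCATION_IDS = ["eipalloc-0a1b2c3d4e5f60001", "eipalloc-0a1b2c3d4e5f60002"]
SECURITY_GROUP_ID = "sg-0a1b2c3d4e5f60000"
LOGGING_ROLE_ARN = "arn:aws:iam::111122223333:role/transfer-logging-role"
USER_ROLE_ARN = "arn:aws:iam::111122223333:role/transfer-user-role"
BUCKET = "example-partner-exchange"


def build_create_server_request(subnet_ids, eip_allocation_ids, sg_ids, vpc_id,
                                logging_role_arn, protocols=("SFTP",)):
    """Parameters for transfer.create_server: a VPC-hosted endpoint becomes
    internet-facing by attaching one Elastic IP to every subnet."""
    if not 1 <= len(subnet_ids) <= 3:
        raise ValueError("choose between one and three subnets (one per AZ)")
    if len(eip_allocation_ids) != len(subnet_ids):
        raise ValueError("allocate exactly one Elastic IP per subnet")
    if "FTP" in protocols:
        raise ValueError("plain FTP is unencrypted and not offered on internet-facing endpoints")
    return {
        "EndpointType": "VPC",
        "EndpointDetails": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids),
                            "AddressAllocationIds": list(eip_allocation_ids),
                            "SecurityGroupIds": list(sg_ids)},
        "Protocols": list(protocols),
        "IdentityProviderType": "SERVICE_MANAGED",
        "LoggingRole": logging_role_arn,  # CloudWatch logging (step 8)
        # Pins the SSH cipher/KEX set; assumption: this published policy name is still current.
        "SecurityPolicyName": "TransferSecurityPolicy-2024-01",
    }


def build_sg_ingress(trusted_cidrs, port=22):
    """IpPermissions for ec2.authorize_security_group_ingress: only the partner's
    published egress addresses may reach the SFTP port."""
    for cidr in trusted_cidrs:
        if cidr.endswith("/0"):
            raise ValueError(f"{cidr} would open the endpoint to the whole Internet")
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c, "Description": "partner egress"} for c in trusted_cidrs]}]


def build_session_policy(bucket, partner):
    """Scoped-down session policy: whatever the IAM role allows, each user can only
    list and touch s3://<bucket>/<partner>/<their own user name>/."""
    prefix = f"{partner}/${{transfer:UserName}}"  # e.g. acme/${transfer:UserName}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListOwnFolder", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*", prefix]}}},
        {"Sid": "OwnObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"],
         "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"]}]}


def find_overbroad_grants(policy):
    """Sids of Allow statements not confined to one user: wildcard actions or
    resources, an unconditioned ListBucket, or object paths without a per-user
    variable. An empty list means the policy passed."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        wildcard = any(a in ("*", "s3:*") for a in actions) or "*" in resources
        open_list = "s3:ListBucket" in actions and "Condition" not in stmt
        unscoped = any(r.endswith("/*") and "${transfer:UserName}" not in r
                       and "${transfer:HomeDirectory}" not in r for r in resources)
        if wildcard or open_list or unscoped:
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


def build_create_user_request(server_id, user_name, role_arn, bucket, partner, ssh_public_key):
    """Parameters for transfer.create_user with a logical directory: the user's '/'
    maps to their own prefix, so the bucket layout stays hidden from partners."""
    policy = build_session_policy(bucket, partner)
    if find_overbroad_grants(policy):
        raise ValueError("refusing to create a user with an over-broad session policy")
    return {"ServerId": server_id, "UserName": user_name, "Role": role_arn,
            "HomeDirectoryType": "LOGICAL",
            "HomeDirectoryMappings": [{"Entry": "/", "Target": f"/{bucket}/{partner}/{user_name}"}],
            "Policy": json.dumps(policy), "SshPublicKeyBody": ssh_public_key}


def provision(trusted_cidrs, partner, user_name, ssh_public_key):
    """Apply the pieces to a real account (needs boto3 and credentials; not run offline)."""
    import boto3
    ec2, transfer = boto3.client("ec2"), boto3.client("transfer")
    ec2.authorize_security_group_ingress(GroupId=SECURITY_GROUP_ID, IpPermissions=build_sg_ingress(trusted_cidrs))
    server_id = transfer.create_server(**build_create_server_request(
        SUBNET_IDS, EIP_ALLOCATION_IDS, [SECURITY_GROUP_ID], VPC_ID, LOGGING_ROLE_ARN))["ServerId"]
    transfer.create_user(**build_create_user_request(server_id, user_name, USER_ROLE_ARN, BUCKET, partner, ssh_public_key))
    return server_id
```

The session policy is the piece that matters most for a server shared between partners and internal systems: the IAM role in step 10 can stay coarse (bucket-wide), while the `Policy` attached to each user narrows the session to that user's own prefix, and `find_overbroad_grants` refuses to create a user whose policy would let one partner read another's folder. Internal systems that should never traverse the Internet still use the same server; point them at the endpoint's private addresses inside the VPC rather than the Elastic IPs.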
