
Custom Identity Provider - SSH Key and/or Password Auth



I'm interested in using AWS Transfer for SFTP to replace a number of aging SFTP servers that have hundreds of users and rely on local linux account authentication and chrooting for security.

I have spent a lot of time looking over this forum and the AWS documentation for the SFTP offering. I have a number of concerns I'm hoping can be addressed by the community:

  1. Is there a custom identity provider I can plug into today that allows a mixture of password authentication, SSH key authentication and allows end-users to perform self-service password resets? We have hundreds of users (password auth) as well as service/automated accounts (SSH key auth).

Secrets Manager will allow both auth methods, but there doesn't seem to be a way for end users to have direct control over their passwords or perform self-service resets. Additionally, administrators with access to Secrets Manager would have access to the plaintext version of passwords, which is not a security best practice.

Identity is one of the most important pieces of the solution and it happens to be more complex with AWS SFTP than any other solution on the market today when you factor in real-world use cases of mixed authentication, security requirements, and being forced to use API Gateway, Lambda functions, etc.

  2. Is there any solution that will allow for whitelisting IP access to the server which doesn't add significantly to the complexity/cost of the solution? If not, then how are we supposed to address risks of having an internet-accessible server (bruteforce attempts)?

Based on the documentation, to enable whitelisting, I would need:
- a VPC
- an NLB with an elastic IP
- a firewall in front of all that

There is no formal documentation on how to set up all the pieces above and have it work successfully, and I'm not sure anyone has done it yet who can demonstrate it will actually work.

It would be great to have these addressed with a solution today, or see if AWS is working on functionality.

asked 3 years ago · 30 views
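The custom identity provider the question describes (one Lambda behind API Gateway serving both password users and SSH-key service accounts, without exposing plaintext passwords to administrators, and rejecting connections from outside an allowlist) can look like the following. This is an added illustration, not code from the question, the answer or AWS; it assumes the documented Transfer Family Lambda event shape (`username`, optional `password`, `sourceIp`) and response shape (`Role`, `HomeDirectory`, `PublicKeys`), and the user store, salt, key, role ARN and allowed network are all constructed placeholders.

```python
import hashlib
import hmac
import ipaddress

# Constructed in-memory user store standing in for a real backing store
# (DynamoDB, RDS, ...). Passwords exist only as salted PBKDF2 hashes, so an
# administrator who can read the store never sees a plaintext password.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = b"constructed-static-salt"  # use a random per-user salt in real use
_ROLE = "arn:aws:iam::123456789012:role/PLACEHOLDER-sftp-access"  # placeholder
USERS = {
    "alice": {   # interactive user: password auth, no SSH keys registered
        "salt": _SALT, "pw_hash": _hash_password("correct horse battery", _SALT),
        "public_keys": [], "home": "/constructed-bucket/alice"},
    "batchsvc": {  # service account: SSH key auth only, no password set
        "salt": None, "pw_hash": None,
        "public_keys": ["ssh-ed25519 AAAAC3CONSTRUCTED"], "home": "/constructed-bucket/batchsvc"},
}
# Constructed allowlist (TEST-NET-3); checked in addition to any NACL/firewall rule.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

def _source_allowed(src) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except (TypeError, ValueError):
        return False
    return any(addr in net for net in ALLOWED_SOURCES)

def authenticate(event: dict) -> dict:
    """Decide one Transfer Family auth request. An empty dict denies access."""
    user = USERS.get(event.get("username", ""))
    if user is None or not _source_allowed(event.get("sourceIp")):
        return {}
    password = event.get("password")
    if password is None:
        # SSH key flow: no password is sent. Return the registered keys and let
        # Transfer verify the client's signature; a user with no keys is denied.
        if not user["public_keys"]:
            return {}
        return {"Role": _ROLE, "HomeDirectory": user["home"], "PublicKeys": user["public_keys"]}
    # Password flow: key-only accounts have no hash and are denied; otherwise
    # compare in constant time against the stored hash.
    if user["pw_hash"] is None:
        return {}
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return {}
    return {"Role": _ROLE, "HomeDirectory": user["home"]}

def lambda_handler(event, context):
    return authenticate(event)
```

A self-service password reset would write a new salted hash into the same store through a separate, authenticated front end; the handler above never needs the plaintext again after hashing.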
1 Answer

Thanks for the details. Follow up questions:
#1 - How do you expect the users to reset their passwords? Using a web portal or through an SFTP client?
#2 - We do have a blog post that talks about the steps and points you to relevant documentation: You would need to whitelist source IPs using the NACLs of the subnet (around the NLB). Let me know if it's helpful.


answered 3 years ago
