AWS SFTP Service with IP Filtering

AWS provides fully managed SFTP servers with S3 as the backend storage.

It is pretty simple to set up; within a couple of hours you should have an SFTP server running over S3. But that is not what this post is about.

One of our ETL workflows depends on a data dump from another team. We decided to go ahead with S3 for storing the dump and implemented an automated pipeline, triggered by an S3 upload via Lambda code. Later the other team expressed their inability to upload data to S3 due to some security issues with the S3 plugin in their ETL tool. Their ETL tool is located inside the corporate network, not in AWS. They asked us if we could set up an SFTP server for them instead of S3. AWS SFTP Service saved the day. By using AWS SFTP Service, we would continue to use S3 as the storage while the other team would authenticate via the SFTP service, as per their requirements.

AWS SFTP service can be set up in one of two ways: with a public endpoint, or with an endpoint hosted inside your VPC.

Since our requirement was to transfer data from the corporate network to AWS, we needed a public endpoint of the SFTP server.

Though the authentication mechanism in AWS SFTP service is SSH key-based (it doesn’t support password-based authentication), with quantum computers around the corner, I cannot leave my confidential data on a publicly exposed SFTP server. Moreover, I don’t know if there are any vulnerabilities or security issues in the managed SFTP service which would allow a hacker to access the confidential data.

In short, IP filtering is a MUST-HAVE feature that is missing from the AWS SFTP service. It is always wise to whitelist the client IPs and reject connections from all other IPs at the firewall level.

There is good official documentation on how to set up an AWS SFTP server on top of an S3 bucket. I am not going to cover that. What follows are the steps for enabling IP filtering on a publicly available AWS SFTP server.

The workaround for IP filtering on an AWS SFTP server is to put a Network Load Balancer in front of the SFTP service and use network ACLs for IP filtering. This isn’t as straightforward as it sounds.

Network Load Balancer provides IP filtration over SFTP Service

1. New VPC or Subnet

A Network ACL applies to one or more subnets, which means that the ACL will restrict TCP port 22 (SFTP/SSH) access for everything (EC2, ELB etc.) created in that subnet. It is a good idea to create a new VPC (and its subnet), or a new subnet in an existing VPC, dedicated to the SFTP service.

2. Create VPC Endpoint for the new VPC/subnet

When you create the SFTP server in your VPC (instead of with a public endpoint), the SFTP server will be available only inside your VPC. If you want it to be reachable from the public network, you can expose it via a VPC endpoint. You can think of the VPC endpoint as the entry point for your SFTP server.

For this VPC endpoint, create a new security group and allow TCP port 22 access from the whole VPC CIDR block. This allows incoming SFTP connections from the Network Load Balancer, which we are going to create in the next step.

3. Create Network Load Balancer (NLB)

The NLB should be configured with the following details:

a. Internet facing

b. Listener should be on TCP protocol port 22

c. VPC and subnet should be the one from step 1

d. Create a new Target Group with Target Type ‘IP’, Protocol ‘TCP’ and Port ‘22’. Basically, we are telling the NLB that it should forward incoming requests to an IP (in the new Target Group) using TCP on port 22.

e. When you register targets in the Target Group, provide the private IP of the VPC endpoint you created in step 2. You may use ‘nslookup’ or ‘dig’ to find the private IP of the VPC endpoint from its DNS name.

4. Create a new Network ACL for the subnet

Now all the pieces are in place. The last thing remaining is the one for which we started the whole exercise — Network ACL to restrict SFTP access.

Create a new Network ACL and add inbound rules to ALLOW TCP port 22 access from your client IPs. Don’t forget to add a rule to ALLOW ALL TCP outbound connections to ‘0.0.0.0/0’: Network ACLs are stateless, so without the outbound rule the replies to your clients are dropped. Then associate this ACL with the SFTP subnet.

You may now test the NLB endpoint and check that it accepts SFTP connections only from the client IPs that have been whitelisted in the ACL.
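Steps 3 and 4 as a CloudFormation template, added here as an example; it is not code from the original post or from AWS. It assumes the VPC, the dedicated SFTP subnet and the VPC endpoint from steps 1 and 2 already exist and are passed in as parameters, and the default ClientCidr is a placeholder from the TEST-NET-3 documentation range.

```yaml
Parameters:
  VpcId:         {Type: "AWS::EC2::VPC::Id"}
  SftpSubnetId:  {Type: "AWS::EC2::Subnet::Id"}   # dedicated subnet from step 1
  VpcEndpointIp: {Type: String}   # private IP of the step 2 VPC endpoint (from dig/nslookup)
  ClientCidr:    {Type: String, Default: 203.0.113.10/32}   # placeholder client IP (TEST-NET-3)
Resources:
  SftpTargetGroup:                 # step 3d: IP target type, TCP, port 22
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: ip
      Protocol: TCP
      Port: 22
      VpcId: !Ref VpcId
      Targets: [{Id: !Ref VpcEndpointIp, Port: 22}]   # step 3e: the VPC endpoint's private IP
  SftpNlb:                         # steps 3a-3c: internet-facing NLB in the SFTP subnet
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: {Type: network, Scheme: internet-facing, Subnets: [!Ref SftpSubnetId]}
  SftpListener:                    # step 3b: TCP listener on port 22
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      {LoadBalancerArn: !Ref SftpNlb, Protocol: TCP, Port: 22,
       DefaultActions: [{Type: forward, TargetGroupArn: !Ref SftpTargetGroup}]}
  SftpAcl:                         # step 4: a network ACL dedicated to the SFTP subnet
    Type: AWS::EC2::NetworkAcl
    Properties: {VpcId: !Ref VpcId}
  AllowClientInbound:              # only the client CIDR may reach TCP 22; all other sources hit the implicit deny
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref SftpAcl
      RuleNumber: 100
      Egress: false
      Protocol: 6                  # 6 = TCP
      RuleAction: allow
      CidrBlock: !Ref ClientCidr
      PortRange: {From: 22, To: 22}
  AllowAllTcpOutbound:             # NACLs are stateless: without this rule the replies to the client are dropped
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref SftpAcl
      RuleNumber: 100
      Egress: true
      Protocol: 6
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
      PortRange: {From: 0, To: 65535}
  SftpSubnetAclAssociation:        # attach the ACL to the SFTP subnet, replacing the default ACL
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties: {SubnetId: !Ref SftpSubnetId, NetworkAclId: !Ref SftpAcl}
```

Because the NLB nodes sit in the SFTP subnet, the inbound ACL rule is evaluated against the real client IP before the NLB forwards the connection to the VPC endpoint.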

AWS seems to have missed this basic feature of IP whitelisting/filtering in their managed SFTP service. Nobody wants to risk losing their data to hackers by allowing brute-force attacks on the SFTP server or letting them exploit some vulnerability. Until AWS offers IP whitelisting/filtering on public SFTP servers, we should employ this workaround to secure our SFTP server.
