SFTP Gateway Security Notes

  • Our SFTP -> S3 solution does not require a custom or modified version of sshd. We use the latest, unmodified version of OpenSSH that ships with the stock Amazon Linux AMI. Other potential solutions rely on custom implementations or modified versions of ssh which do not have the global support that OpenSSH has. So when it comes to security, our solution is just as secure as OpenSSH.

  • We have preconfigured sshd with adequate security settings. All SFTP users have the login shell disabled. They are all chrooted to their nested home directories. They are only allowed to write to their "uploads" directory.

  • We enforce key based authentication by default. Password authentication is not allowed in our default sshd_config.
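The two bullets above describe a specific sshd posture: key-only authentication, no login shell, a chroot to the user's home directory, and writes confined to an "uploads" subdirectory. The following script is an added example and is not SFTP Gateway's own sshd_config or tooling. It shows one hardened sshd_config fragment that matches that description and an audit function that checks a config file for the directives; the group name `sftpusers` and the `/home/<user>/uploads` layout are assumptions, not values taken from the page.

```shell
#!/bin/sh
# Added example, not the SFTP Gateway project's own configuration.
# Assumptions (not from the page): SFTP users are in the group "sftpusers",
# each user's home is a root-owned chroot, and the user owns only the
# "uploads" subdirectory inside it, which is the sole writable location.
set -eu

# Hardened sshd_config fragment: key-only auth globally; for the SFTP group
# no shell (internal-sftp only), chroot to the home directory, no forwarding.
SFTP_SSHD_FRAGMENT='
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

Match Group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
'

# Constructed weak config for comparison: password auth left on, external
# sftp-server binary (so a shell is still reachable), no chroot.
WEAK_SSHD_FRAGMENT='
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
'

# write_config NAME CONTENT: write CONTENT to a temp file and print its path.
write_config() {
    f=$(mktemp "/tmp/sshd_${1}.XXXXXX")
    printf '%s\n' "$2" > "$f"
    echo "$f"
}

# audit_sshd_config FILE: report each required directive that is missing or
# has the wrong value; return 0 only when all are present. This is a
# line-level check of the file text; "sshd -T -C user=<name>" shows the
# effective values sshd would actually apply, including Match blocks.
audit_sshd_config() {
    file=$1
    missing=0
    for want in \
        'PasswordAuthentication no' \
        'KbdInteractiveAuthentication no' \
        'ChrootDirectory %h' \
        'ForceCommand internal-sftp' \
        'AllowTcpForwarding no'
    do
        key=${want%% *}   # keyword before the first space
        val=${want#* }    # value after it
        # keyword at line start (leading whitespace allowed), case-insensitive,
        # any run of blanks between keyword and value
        if ! grep -Eiq "^[[:space:]]*${key}[[:space:]]+${val}[[:space:]]*$" "$file"; then
            echo "missing: $want"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

good=$(write_config good "$SFTP_SSHD_FRAGMENT")
weak=$(write_config weak "$WEAK_SSHD_FRAGMENT")
audit_sshd_config "$good" && echo "hardened config: OK"
audit_sshd_config "$weak" || echo "weak config: rejected (expected)"
rm -f "$good" "$weak"
```

Two points worth keeping in mind when applying a fragment like this: `ChrootDirectory` requires the chroot path and every component above it to be owned by root and not group- or world-writable, which is exactly why the user-owned `uploads` subdirectory is the only place the user can write; and `ForceCommand internal-sftp` makes the user's login shell irrelevant for SSH sessions, but setting the shell to `/sbin/nologin` as the page describes still closes other local login paths.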

  • The only potential area of exposure is access to the S3 buckets. We could lock permissions down to the single bucket used by SFTP Gateway, but because version 1.003 allows you to specify custom S3 buckets and paths for each user, we don't do that by default. You can, however, modify the IAM Role used by the SFTP Gateway server so that it can access only the buckets you need. See this wiki page for further details.
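The bullet above leaves the bucket restriction to you. Below is an added example, not SFTP Gateway's own policy or a script from its wiki, of what that restriction looks like: an inline IAM policy scoped to one bucket, a constructed over-broad policy for contrast, and a text-level pre-check that refuses any policy naming a wildcard or a different bucket before it is attached. The bucket name `sftp-gateway-uploads`, the role name `SftpGatewayRole` and the policy name `SftpGatewayS3Access` are placeholders.

```shell
#!/bin/sh
# Added example, not the SFTP Gateway project's own policy or tooling.
# Assumptions (placeholders, substitute your own): the gateway's bucket is
# "sftp-gateway-uploads" and the instance role is "SftpGatewayRole".
set -eu

BUCKET=sftp-gateway-uploads
ROLE_NAME=SftpGatewayRole

# Least-privilege inline policy: list the one bucket and read/write/delete
# its objects, nothing else. No "s3:*" and no "Resource": "*".
scoped_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheGatewayBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${BUCKET}"
    },
    {
      "Sid": "ObjectAccessInTheGatewayBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${BUCKET}/*"
    }
  ]
}
EOF
}

# Constructed over-broad policy of the kind the page warns about: the
# instance can reach every bucket in the account.
broad_policy() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:*", "Resource": "*" }
  ]
}
EOF
}

# policy_scoped_to_bucket BUCKET: read a policy document on stdin; return 0
# only if no statement uses a wildcard Action/Resource and every S3 ARN is
# the given bucket or a path under it. This is a text-level guard; IAM
# Access Analyzer or the policy simulator gives the authoritative answer.
policy_scoped_to_bucket() {
    bucket=$1
    doc=$(cat)
    if printf '%s\n' "$doc" \
       | grep -Eq '"(Resource|Action)"[[:space:]]*:[[:space:]]*"(\*|s3:\*)"'; then
        echo "policy grants a wildcard Action or Resource"
        return 1
    fi
    # collect every S3 ARN, then keep only those NOT under the bucket
    bad=$(printf '%s\n' "$doc" | grep -Eo 'arn:aws:s3:::[^"]*' \
          | grep -Ev "^arn:aws:s3:::${bucket}(/.*)?$" || true)
    if [ -n "$bad" ]; then
        echo "policy references other buckets: $bad"
        return 1
    fi
    return 0
}

# Attach the policy to the instance role with the AWS CLI. Kept in a function
# because it needs credentials; the checks above run offline.
apply_policy() {
    scoped_policy | policy_scoped_to_bucket "$BUCKET"
    aws iam put-role-policy --role-name "$ROLE_NAME" \
        --policy-name SftpGatewayS3Access \
        --policy-document "$(scoped_policy)"
}

scoped_policy | policy_scoped_to_bucket "$BUCKET" && echo "scoped policy: OK"
broad_policy | policy_scoped_to_bucket "$BUCKET" || echo "broad policy: rejected (expected)"
```

If you use the per-user custom bucket feature the bullet mentions, add one statement pair per bucket rather than widening the Resource to `*`; the pre-check fails closed on anything outside the named bucket, so extend its allow-list at the same time.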

  • For additional security, you can put the SFTP Gateway server in an isolated VPC. It should not need to access any other servers in your environment, so giving it its own VPC isolates it at the network level from your critical application servers. Both VPCs will still be able to access S3. But this way, if the SFTP server is somehow compromised, it cannot reach the rest of your network.
