What is SFTP

  • SFTP, SSH File Transfer Protocol
  • A file transfer protocol that runs as a subsystem of SSH: the session is authenticated and encrypted, so an attacker who intercepts the traffic can neither read nor tamper with the transferred files
  • Unlike FTP, which opens a control connection plus a separate data connection, SFTP carries commands and data over the single SSH connection (TCP port 22); that is why one inbound port is enough in the firewall rules below

AWS Transfer Family - SFTP Server

  • AWS Transfer Family is a managed secure transfer service for moving files into and out of AWS storage services
  • It offers fully managed support for transferring files over SFTP (FTPS and FTP are also available) directly into and out of Amazon S3 or EFS
  • It provides a file transfer protocol-enabled server endpoint in AWS without running or patching any server infrastructure
  • Associate a hostname with the server endpoint and provision the right level of access for each user (IAM role, home directory, SSH key); users' transfer requests are then served directly from the server endpoint
  • The SFTP server here is created with the VPC-hosted endpoint type (an interface endpoint), so access is controlled with Security Groups on the endpoint's ENIs
  • Route 53 resolves the hostname to the endpoint's Elastic IPs; traffic from the internet reaches the VPC endpoint through the internet gateway
  • A Network ACL on each subnet (the endpoint has one ENI with an EIP per subnet) filters the traffic before it reaches the SFTP server's ENI, ahead of the Security Group
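The architecture described above, as an added Terraform example (not code from the original notes): an internet-facing Transfer Family SFTP server on a VPC-hosted interface endpoint, one Elastic IP per subnet, a Route 53 A record pointing at those EIPs, and one user confined to a logical home directory. The VPC, public subnets, hosted zone, endpoint security group, the user's IAM role and the user's public key are assumed to exist and are passed in as variables; the hostname, user name and bucket prefix are placeholders.

```hcl
# Added example (not from the original notes). Assumptions: the VPC, public
# subnets (routed to an IGW), hosted zone, endpoint security group and the
# per-user IAM role already exist and arrive as variables; hostname, user
# name and bucket prefix are placeholders. hashicorp/aws provider v5 syntax.

variable "vpc_id" { type = string }
variable "public_subnet_ids" { type = list(string) } # one per AZ
variable "sftp_security_group_id" { type = string }
variable "hosted_zone_id" { type = string }
variable "sftp_user_role_arn" { type = string }      # least-privilege S3 access for the user
variable "sftp_user_public_key" { type = string }    # "ssh-ed25519 AAAA..." supplied by the user
variable "sftp_hostname" { default = "sftp.example.com" } # placeholder name

# One Elastic IP per subnet; these are the addresses Route 53 answers with.
resource "aws_eip" "sftp" {
  count  = length(var.public_subnet_ids)
  domain = "vpc"
}

# Role the service assumes to ship session logs to CloudWatch (audit trail).
resource "aws_iam_role" "sftp_logging" {
  name = "sftp-transfer-logging"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "transfer.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "sftp_logging" {
  role       = aws_iam_role.sftp_logging.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess"
}

resource "aws_transfer_server" "sftp" {
  protocols              = ["SFTP"]            # SSH only: no FTP/FTPS listeners
  domain                 = "S3"
  identity_provider_type = "SERVICE_MANAGED"   # users and SSH keys held by the service
  endpoint_type          = "VPC"               # interface endpoint with ENIs in our subnets
  logging_role           = aws_iam_role.sftp_logging.arn
  security_policy_name   = "TransferSecurityPolicy-2020-06" # drops legacy ciphers/MACs

  endpoint_details {
    vpc_id                 = var.vpc_id
    subnet_ids             = var.public_subnet_ids
    address_allocation_ids = aws_eip.sftp[*].id           # EIPs make the endpoint internet-facing
    security_group_ids     = [var.sftp_security_group_id] # SG enforced on the endpoint ENIs
  }
}

# Hostname -> EIPs. Clients connect to the name; packets arrive via the IGW.
resource "aws_route53_record" "sftp" {
  zone_id = var.hosted_zone_id
  name    = var.sftp_hostname
  type    = "A"
  ttl     = 300
  records = aws_eip.sftp[*].public_ip
}

# "Provision the right level of access": each user gets its own IAM role and a
# logical home directory, so this user sees /incoming and nothing else.
resource "aws_transfer_user" "partner" {
  server_id           = aws_transfer_server.sftp.id
  user_name           = "partner01"                 # placeholder
  role                = var.sftp_user_role_arn
  home_directory_type = "LOGICAL"

  home_directory_mappings {
    entry  = "/incoming"
    target = "/example-sftp-landing/partner01"      # placeholder bucket/prefix
  }
}

resource "aws_transfer_ssh_key" "partner" {
  server_id = aws_transfer_server.sftp.id
  user_name = aws_transfer_user.partner.user_name
  body      = var.sftp_user_public_key
}
```

The IAM role passed in as sftp_user_role_arn should allow only s3:ListBucket on the landing bucket and s3:GetObject/PutObject on the user's own prefix; the logical home directory hides other prefixes from the client but the role is what actually enforces the boundary.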

Route 53

  • DNS service hosted by AWS; the SFTP hostname is an A record that resolves to the corresponding EIP(s) of the endpoint

Internet Gateway

  • Allows VPC to communicate with the internet

Route Table

  • Contains local, IGW, and TGW routes

NACL

  • A NACL is an access list for a subnet, while an SG is for instances (more precisely, ENIs)
  • Access control is applied as traffic enters or leaves the subnet within the AZ
  • A subnet can be associated with only one NACL, while one NACL can be associated with several subnets
  • A NACL has both allow and deny rules, while an SG has only allow rules
  • Rules are numbered and evaluated lowest number first; the first matching rule decides and later rules are not checked
  • Ingress and egress rules are applied separately because the NACL is stateless: return traffic (for example the server's replies to the client's ephemeral ports) must be allowed explicitly

Security Group

  • A virtual firewall that controls inbound and outbound traffic
  • An SG is attached to an ENI, so any service in the VPC that has an ENI (including the Transfer Family endpoint) can be protected by an SG
  • A Security Group is stateful: traffic allowed in by an inbound rule has its replies allowed out automatically, regardless of the outbound rules (and the same in the other direction)
  • Here it allows ingress on TCP/22 only from PZEN IP addresses
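The NACL and Security Group sections above, as an added Terraform example (not code from the original notes): the NACL on the SFTP subnets next to the security group on the endpoint ENIs, showing why the stateless NACL needs an explicit egress rule for return traffic and a numbered deny ahead of the allow, while the stateful SG needs only the inbound rule. The VPC and subnets are assumed inputs; the allowed client range and the blocked host are placeholders from the documentation address ranges.

```hcl
# Added example (not from the original notes). Assumptions: VPC and subnets
# arrive as variables; the client range and blocked host are placeholders.

variable "vpc_id" { type = string }
variable "sftp_subnet_ids" { type = list(string) }
variable "allowed_client_cidr" { default = "203.0.113.0/24" } # placeholder (TEST-NET-3)

# Stateless: every packet is matched on its own, lowest rule number first.
resource "aws_network_acl" "sftp" {
  vpc_id     = var.vpc_id
  subnet_ids = var.sftp_subnet_ids   # one NACL can cover several subnets

  # 90 is evaluated before 100, so a single revoked host inside the allowed
  # range is still blocked; swap the numbers and this deny never fires.
  ingress {
    rule_no    = 90
    protocol   = "tcp"
    action     = "deny"
    cidr_block = "203.0.113.7/32"    # placeholder blocked address
    from_port  = 22
    to_port    = 22
  }

  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = var.allowed_client_cidr
    from_port  = 22
    to_port    = 22
  }

  # Return path: SYN-ACK and data from port 22 back to the client's ephemeral
  # source port. Without this egress rule the handshake never completes even
  # though ingress 22 is allowed, because nothing tracks the connection.
  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = var.allowed_client_cidr
    from_port  = 1024
    to_port    = 65535
  }
  # Anything not matched above falls through to the implicit deny ("*").
}

# Stateful: one inbound rule is enough. Replies on that connection are
# permitted by connection tracking regardless of the outbound rules.
resource "aws_security_group" "sftp" {
  name        = "sftp-endpoint"
  description = "SFTP clients to the Transfer Family endpoint ENIs"
  vpc_id      = var.vpc_id

  ingress {
    description = "SFTP from the allowed client range only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.allowed_client_cidr]
  }

  # Deliberately no egress block. Terraform removes the allow-all egress rule
  # AWS adds by default, leaving none; return traffic still flows because the
  # group is stateful, and (assumption) the endpoint ENIs initiate nothing.
}
```

If the client range is later widened to 0.0.0.0/0 "temporarily", the NACL egress rule should be widened with it or connections will silently hang; that asymmetry is the usual sign that someone forgot the NACL is stateless.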

S3 Server Side Encryption Configuration

  • sse_algorithm = "aws:kms"
  • kms_master_key_id = kms_alias_arn (the ARN of the KMS key or its alias)
  • Encryption of the data by the application or service that receives it (here S3), rather than by the client
    • Performed inside the S3 platform
    • Data objects are encrypted when written to disk
    • Decrypted on retrieval when the caller presents the appropriate permissions
  • Types of Server Side Encryption
    1. SSE-S3: encryption with keys that S3 manages on your behalf
    2. SSE-KMS: encryption with a key held in AWS KMS (AWS managed or customer managed)
    3. SSE-C: encryption with a customer-provided key sent with each request (S3 does not store the key)

SSE-KMS

  • Per-user control over the key
    • Some users or roles can use the key while others cannot (KMS key policy plus IAM), and every use is logged in CloudTrail, so access can be traced
  • Requests carry the "x-amz-server-side-encryption": "aws:kms" header (optionally with "x-amz-server-side-encryption-aws-kms-key-id" to choose the key); without the header the bucket's default encryption setting applies
  • How it's encrypted
    1. The object is sent over HTTPS with the header
    2. S3 requests a data key from KMS under the pre-defined KMS key (formerly "Customer Master Key", CMK), encrypts the object with that data key, and stores the data key encrypted under the KMS key alongside the object; the KMS key itself never leaves KMS
    3. The encrypted object is saved in the S3 bucket
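The S3 Server Side Encryption Configuration and SSE-KMS sections above, as an added Terraform example (not code from the original notes): the two attributes quoted in the notes expanded into a customer managed key with an alias, bucket default encryption, and a bucket policy that rejects any upload that explicitly asks for a different algorithm or key, or arrives over plain HTTP. The bucket name and alias are placeholders; the key policy is left at the account default, so IAM decides who may use the key.

```hcl
# Added example (not from the original notes). Bucket name and alias are
# placeholders; the key policy is the account default.

resource "aws_kms_key" "sftp" {
  description         = "SSE-KMS key for the SFTP landing bucket"
  enable_key_rotation = true   # yearly automatic rotation; old material kept for decrypt
}

resource "aws_kms_alias" "sftp" {
  name          = "alias/sftp-landing"          # placeholder alias
  target_key_id = aws_kms_key.sftp.key_id
}

resource "aws_s3_bucket" "landing" {
  bucket = "example-sftp-landing"               # placeholder, must be globally unique
}

resource "aws_s3_bucket_public_access_block" "landing" {
  bucket                  = aws_s3_bucket.landing.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Default encryption: an upload with no x-amz-server-side-encryption header is
# still stored as aws:kms under this key (sse_algorithm / kms_master_key_id
# are the two attributes quoted in the notes).
resource "aws_s3_bucket_server_side_encryption_configuration" "landing" {
  bucket = aws_s3_bucket.landing.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_alias.sftp.arn
    }
    bucket_key_enabled = true   # S3 Bucket Key: far fewer KMS calls, same key
  }
}

# Default encryption can be switched off by anyone with s3:PutEncryptionConfiguration.
# The bucket policy is the backstop: an upload naming AES256 or another KMS key is
# denied outright, and plaintext HTTP is denied for every action.
data "aws_iam_policy_document" "landing" {
  statement {
    sid       = "DenyOtherAlgorithm"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.landing.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEqualsIfExists"   # header absent -> default encryption applies
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }

  statement {
    sid       = "DenyOtherKey"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.landing.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEqualsIfExists"
      variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
      values   = [aws_kms_key.sftp.arn]
    }
  }

  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.landing.arn, "${aws_s3_bucket.landing.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "landing" {
  bucket = aws_s3_bucket.landing.id
  policy = data.aws_iam_policy_document.landing.json
}
```

StringNotEqualsIfExists is chosen deliberately: uploads that omit the header (which is what most SFTP tooling does) fall through to the bucket default and are accepted, while an explicit downgrade is refused. To force every client to send the header as well, add a Deny statement with a Null condition on s3:x-amz-server-side-encryption, but then every writer, the Transfer Family user role included, must set it. Whatever role writes to the bucket also needs kms:GenerateDataKey and kms:Decrypt on this key, or uploads fail with AccessDenied even though the S3 permissions are correct.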

VPC Endpoint

  • A service that lets resources inside the VPC reach AWS services privately
  • Resources in the VPC reach services outside the VPC (S3, DynamoDB, and others) over the AWS internal network instead of going through external internet transit such as an Internet Gateway or NAT Gateway
  • 2 Types of VPC Endpoint
    • Interface Endpoint: an ENI with a private IP in the subnet (SQS, SNS, Kinesis, and many more); security groups apply to the ENI
      • Located in a subnet
      • The SFTP server uses an interface endpoint; because it is internet-facing, an EIP is attached to each of its ENIs
    • Gateway Endpoint: a route table target (S3 and DynamoDB only)
      • Located at the VPC level; traffic is steered by a prefix-list route, so there is no ENI and no security group
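The two endpoint types described above, as an added Terraform example (not code from the original notes): a gateway endpoint for S3 attached to route tables, with an endpoint policy that limits which bucket can be reached through it, next to an interface endpoint for SQS that places an ENI in each subnet and is guarded by a security group. The VPC, route tables, subnets, region and bucket name are assumed inputs or placeholders.

```hcl
# Added example (not from the original notes). VPC, route tables, subnets,
# region and the bucket name are assumed inputs or placeholders.

variable "vpc_id" { type = string }
variable "private_route_table_ids" { type = list(string) }
variable "private_subnet_ids" { type = list(string) }
variable "region" { default = "ap-northeast-2" }  # placeholder region

data "aws_vpc" "this" { id = var.vpc_id }

# Gateway endpoint: no ENI, no security group. Each listed route table gets a
# route for the S3 prefix list pointing at the endpoint, so S3 traffic from
# those subnets never goes near the IGW or the NAT gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids

  # Endpoint policy: only the landing bucket is reachable through this path,
  # which blocks exfiltration to an attacker-owned bucket via the endpoint.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-sftp-landing",      # placeholder bucket
        "arn:aws:s3:::example-sftp-landing/*",
      ]
    }]
  })
}

# Interface endpoint: an ENI with a private IP in every subnet listed, so a
# security group applies. Only HTTPS from inside the VPC needs to reach it.
resource "aws_security_group" "vpce" {
  name        = "vpce-sqs"
  description = "HTTPS to the SQS interface endpoint from inside the VPC"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this.cidr_block]
  }
}

resource "aws_vpc_endpoint" "sqs" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.sqs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpce.id]
  private_dns_enabled = true   # sqs.<region>.amazonaws.com now resolves to the ENI IPs
}
```

The gateway endpoint policy is a blunt instrument: it applies to every S3 request that leaves through the endpoint, including ones to AWS-owned buckets used by package repositories or SSM agents, so add those bucket ARNs if the subnets have no other route to S3.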

S3 Bucket

  • An S3 bucket lives in a Region, outside any VPC; resources in the VPC reach it either through a gateway endpoint or over an internet/NAT path