Transfer Family Servers Should Have Encryption in Transit Enabled
Overview
This check ensures that your AWS Transfer Family servers use encrypted protocols for file transfers. Transfer Family supports several protocols: SFTP (SSH File Transfer Protocol), FTPS (FTP over SSL/TLS), AS2 (Applicability Statement 2), and plain FTP. Only SFTP, FTPS, and AS2 provide encryption in transit.
Using unencrypted FTP exposes your data and credentials to anyone who can intercept network traffic.
Risk
When a Transfer Family server allows FTP connections:
- Data exposure: Files are transmitted in plain text and can be read by attackers
- Credential theft: Usernames and passwords are sent unencrypted
- Man-in-the-middle attacks: Attackers can intercept and modify files during transfer
- Compliance violations: Many regulatory frameworks require encryption for data in transit
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify Transfer Family servers
- If switching to FTPS, you need an ACM (AWS Certificate Manager) certificate
AWS Console Method
- Sign in to the AWS Console and navigate to AWS Transfer Family
- In the left navigation, click Servers
- Select the server you want to update
- Click Edit in the Protocols section
- Uncheck FTP if it is enabled
- Ensure at least one encrypted protocol is selected:
- SFTP (recommended for most use cases)
- FTPS (requires an ACM certificate)
- AS2 (for B2B integrations)
- Click Save
Important: Removing FTP will disconnect any clients currently using FTP. Coordinate with your users before making this change.
AWS CLI (optional)
List Your Transfer Family Servers
First, identify which servers need remediation:
aws transfer list-servers \
--region us-east-1 \
--query 'Servers[*].[ServerId,IdentityProviderType]' \
--output table
Check Current Protocol Configuration
View the current protocols for a specific server:
aws transfer describe-server \
--server-id s-1234567890abcdef0 \
--region us-east-1 \
--query 'Server.Protocols'
Update Server to Use SFTP Only
Remove FTP and enable only SFTP:
aws transfer update-server \
--server-id s-1234567890abcdef0 \
--protocols SFTP \
--region us-east-1
Update Server to Use FTPS
If you need FTPS instead, you must also provide an ACM certificate ARN:
aws transfer update-server \
--server-id s-1234567890abcdef0 \
--protocols FTPS \
--certificate arn:aws:acm:us-east-1:123456789012:certificate/your-cert-id \
--region us-east-1
Enable Multiple Encrypted Protocols
You can enable multiple encrypted protocols on the same server:
aws transfer update-server \
--server-id s-1234567890abcdef0 \
--protocols SFTP FTPS \
--certificate arn:aws:acm:us-east-1:123456789012:certificate/your-cert-id \
--region us-east-1
CloudFormation (optional)
SFTP Server Template
AWSTemplateFormatVersion: '2010-09-09'
Description: Transfer Family server with encryption in transit enabled
Parameters:
  ServerName:
    Type: String
    Description: Name tag for the Transfer Family server
    Default: example-sftp-server
Resources:
  SFTPServer:
    Type: AWS::Transfer::Server
    Properties:
      Protocols:
        - SFTP
      IdentityProviderType: SERVICE_MANAGED
      EndpointType: PUBLIC
      Tags:
        - Key: Name
          Value: !Ref ServerName
Outputs:
  ServerArn:
    Description: ARN of the Transfer Family server
    Value: !GetAtt SFTPServer.Arn
  ServerId:
    Description: ID of the Transfer Family server
    Value: !GetAtt SFTPServer.ServerId
FTPS Server Template
For FTPS, you need to specify an ACM certificate:
AWSTemplateFormatVersion: '2010-09-09'
Description: Transfer Family FTPS server with encryption in transit
Parameters:
  CertificateArn:
    Type: String
    Description: ARN of the ACM certificate for FTPS
Resources:
  FTPSServer:
    Type: AWS::Transfer::Server
    Properties:
      Protocols:
        - FTPS
      IdentityProviderType: SERVICE_MANAGED
      EndpointType: PUBLIC
      Certificate: !Ref CertificateArn
      Tags:
        - Key: Name
          Value: example-ftps-server
Outputs:
  ServerId:
    Description: ID of the Transfer Family server
    Value: !GetAtt FTPSServer.ServerId
Deploy the Stack
aws cloudformation deploy \
--template-file template.yaml \
--stack-name transfer-sftp-server \
--region us-east-1
Terraform (optional)
SFTP Server Configuration
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_transfer_server" "sftp_server" {
  protocols              = ["SFTP"]
  identity_provider_type = "SERVICE_MANAGED"
  endpoint_type          = "PUBLIC"

  tags = {
    Name = "example-sftp-server"
  }
}

output "server_id" {
  description = "ID of the Transfer Family server"
  value       = aws_transfer_server.sftp_server.id
}
FTPS Server Configuration
For FTPS, include the ACM certificate:
resource "aws_transfer_server" "ftps_server" {
  protocols              = ["FTPS"]
  identity_provider_type = "SERVICE_MANAGED"
  endpoint_type          = "PUBLIC"
  certificate            = "arn:aws:acm:us-east-1:123456789012:certificate/your-cert-id"

  tags = {
    Name = "example-ftps-server"
  }
}
Apply the Configuration
terraform init
terraform plan
terraform apply
Verification
After making changes, verify the server uses only encrypted protocols:
- In the AWS Console, navigate to Transfer Family > Servers
- Select your server and check the Protocols section
- Confirm only SFTP, FTPS, or AS2 are listed (no FTP)
CLI Verification
aws transfer describe-server \
--server-id s-1234567890abcdef0 \
--region us-east-1 \
--query 'Server.Protocols' \
--output text
The output should show only encrypted protocols (SFTP, FTPS, or AS2), not FTP.
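One way to audit every server in an account for plain FTP and compute the matching update-server arguments, as an added example that is not part of this guide: the pure functions run offline over the constructed SAMPLE_SERVERS, while fetch_servers is a hypothetical helper that needs boto3 and AWS credentials.

```python
from typing import Optional

ENCRYPTED = {"SFTP", "FTPS", "AS2"}  # protocols that encrypt in transit

# Constructed sample in the shape of the "Server" object returned by
# `aws transfer describe-server`; the IDs and the certificate ARN are made up.
SAMPLE_SERVERS = [
    {"ServerId": "s-0000000000000000a", "Protocols": ["SFTP"]},
    {"ServerId": "s-0000000000000000b", "Protocols": ["FTP", "FTPS"],
     "Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/example"},
    {"ServerId": "s-0000000000000000c", "Protocols": ["FTP"]},
]

def is_compliant(server: dict) -> bool:
    """Compliant when no enabled protocol is plain FTP."""
    return "FTP" not in server.get("Protocols", [])

def remediation_args(server: dict) -> Optional[dict]:
    """Kwargs for update_server that drop FTP, or None if nothing to change.
    Encrypted protocols already enabled are kept; a server that only had FTP
    falls back to SFTP. FTPS cannot stay enabled without an ACM certificate."""
    if is_compliant(server):
        return None
    protocols = [p for p in server["Protocols"] if p in ENCRYPTED] or ["SFTP"]
    args = {"ServerId": server["ServerId"], "Protocols": protocols}
    if "FTPS" in protocols:
        if not server.get("Certificate"):
            raise ValueError(f"{server['ServerId']}: FTPS requires an ACM certificate")
        args["Certificate"] = server["Certificate"]
    return args

def audit(servers: list) -> dict:
    """Map ServerId -> remediation kwargs for every server still allowing FTP."""
    return {s["ServerId"]: remediation_args(s) for s in servers if not is_compliant(s)}

def fetch_servers(region: str) -> list:
    """Live variant: describe every server in a region (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline audit runs without it
    client = boto3.client("transfer", region_name=region)
    pages = client.get_paginator("list_servers").paginate()
    return [client.describe_server(ServerId=s["ServerId"])["Server"]
            for page in pages for s in page["Servers"]]

if __name__ == "__main__":
    # Offline dry run; use fetch_servers("us-east-1") and boto3's
    # update_server(**args) to audit and remediate a real account.
    for server_id, args in audit(SAMPLE_SERVERS).items():
        print(server_id, "->", args)
```

list-servers does not return protocols, which is why the live helper calls describe-server per server, exactly as the CLI steps above do.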
Additional Resources
- AWS Transfer Family User Guide
- Edit Server Configuration - Protocols
- AWS Security Hub Transfer Controls
- AWS Config Rule: transfer-family-server-no-ftp
Notes
- Client impact: Removing FTP will break connections for any clients currently using FTP. Coordinate migration with your users before making changes.
- FTPS requirements: FTPS requires a valid ACM certificate. Ensure your certificate is provisioned and validated before enabling FTPS.
- Protocol differences:
- SFTP uses SSH for encryption (port 22) - simplest to set up
- FTPS uses TLS/SSL (ports 21, 990) - requires certificate management
- AS2 is designed for B2B EDI transactions with message-level encryption
- Security policy: Consider also configuring a strong security policy to control which cryptographic algorithms are allowed. Use TransferSecurityPolicy-2024-01 or newer for best security.