diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 0e36cd4ae9..429200ffc1 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -34,6 +34,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS WorkSpaces service metadata to new format [(#9483)](https://github.com/prowler-cloud/prowler/pull/9483)
 - Update AWS OpenSearch service metadata to new format [(#9383)](https://github.com/prowler-cloud/prowler/pull/9383)
 - Update AWS VPC service metadata to new format [(#9479)](https://github.com/prowler-cloud/prowler/pull/9479)
+- Update AWS Transfer service metadata to new format [(#9434)](https://github.com/prowler-cloud/prowler/pull/9434)
 ---
diff --git a/prowler/providers/aws/services/transfer/transfer_server_in_transit_encryption_enabled/transfer_server_in_transit_encryption_enabled.metadata.json b/prowler/providers/aws/services/transfer/transfer_server_in_transit_encryption_enabled/transfer_server_in_transit_encryption_enabled.metadata.json
index f7f45c8241..2cd71477a5 100644
--- a/prowler/providers/aws/services/transfer/transfer_server_in_transit_encryption_enabled/transfer_server_in_transit_encryption_enabled.metadata.json
+++ b/prowler/providers/aws/services/transfer/transfer_server_in_transit_encryption_enabled/transfer_server_in_transit_encryption_enabled.metadata.json
@@ -1,32 +1,44 @@
 {
 "Provider": "aws",
 "CheckID": "transfer_server_in_transit_encryption_enabled",
- "CheckTitle": "Transfer Family Servers should have encryption in transit enabled.",
+ "CheckTitle": "Transfer Family server has encryption in transit enabled",
 "CheckType": [
- "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls"
+ "Software and Configuration Checks/AWS Security Best Practices",
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
+ "Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls",
+ "Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS",
+ "Software and Configuration Checks/Industry and Regulatory Standards/HIPAA Controls (USA)",
+ "Effects/Data Exposure"
 ],
 "ServiceName": "transfer",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:partition:transfer:region:account-id:server/server-id",
- "Severity": "medium",
- "ResourceType": "AwsTransferServer",
+ "ResourceIdTemplate": "",
+ "Severity": "high",
+ "ResourceType": "Other",
 "ResourceGroup": "storage",
- "Description": "Ensure that your Transfer Family servers have encryption in transit enabled.",
- "Risk": "Using FTP for endpoint connections leaves data in transit unencrypted, making it susceptible to interception by attackers. FTP lacks encryption, which exposes your data to person-in-the-middle and other interception risks. 
Adopting encrypted protocols such as SFTP, FTPS, or AS2 provides a layer of protection that helps secure sensitive data during transfer.",
- "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/transfer-family-server-no-ftp.html",
+ "Description": "**AWS Transfer Family servers** are evaluated for presence of the unencrypted `FTP` protocol among enabled protocols, as opposed to encrypted options like SFTP, FTPS, or AS2.",
+ "Risk": "Allowing **FTP** exposes credentials and file contents in cleartext, breaking confidentiality. Adversaries can sniff or perform **MITM** to read or alter files, compromising integrity and enabling credential theft that can be reused for broader unauthorized access.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/config/latest/developerguide/transfer-family-server-no-ftp.html",
+ "https://docs.aws.amazon.com/transfer/latest/userguide/edit-server-config.html#edit-protocols",
+ "https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-2"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "aws transfer update-server --server-id --protocols SFTP FTPS AS2",
- "NativeIaC": "",
- "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/transfer-controls.html#transfer-2",
- "Terraform": ""
+ "CLI": "aws transfer update-server --server-id --protocols SFTP",
+ "NativeIaC": "```yaml\n# CloudFormation: ensure FTP is not enabled\nResources:\n :\n Type: AWS::Transfer::Server\n Properties:\n Protocols:\n - SFTP # CRITICAL: Use SFTP only; excludes FTP (unencrypted)\n```",
+ "Other": "1. Open AWS Console > AWS Transfer Family\n2. Go to Servers and select the server ()\n3. Click Edit next to Protocols\n4. Uncheck FTP and ensure at least SFTP (or FTPS/AS2) is selected\n5. 
Save",
+ "Terraform": "```hcl\n# Ensure FTP is not enabled\nresource \"aws_transfer_server\" \"\" {\n protocols = [\"SFTP\"] # CRITICAL: Excludes FTP to enforce encryption in transit\n}\n```"
 },
 "Recommendation": {
- "Text": "Configure AWS Transfer Family servers to use secure protocols, such as SFTP, FTPS, or AS2, instead of FTP to protect data in transit. These protocols offer encryption, reducing exposure to interception and manipulation attacks.",
- "Url": "https://docs.aws.amazon.com/transfer/latest/userguide/edit-server-config.html#edit-protocols"
+ "Text": "Remove `FTP`; permit only **SFTP**, **FTPS**, or **AS2** to enforce **encryption in transit**.\n\nApply defense in depth: restrict by network location (allowlists/VPC), enforce strong cryptographic policies, and use least-privilege roles with monitoring.",
+ "Url": "https://hub.prowler.com/check/transfer_server_in_transit_encryption_enabled"
 }
 },
- "Categories": [],
+ "Categories": [
+ "encryption"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""
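Review bot: The new `CLI` remediation `aws transfer update-server --server-id --protocols SFTP` has no value after `--server-id`, and because `--protocols` replaces the server's whole protocol list, running it verbatim also removes FTPS or AS2 from a server that serves them alongside FTP, while the `Recommendation.Text` in the same hunk says any of SFTP, FTPS or AS2 is acceptable. The empty logical id in `NativeIaC` (`Resources:\n :`) and the empty resource name in `Terraform` (`resource \"aws_transfer_server\" \"\"`) look like angle-bracket placeholders that were stripped somewhere, but as committed neither template is valid. Suggest spelling the placeholders out and keeping the encrypted protocols already in use, e.g. `"CLI": "aws transfer update-server --server-id <server-id> --protocols SFTP FTPS"` (constructed example; list whichever of SFTP/FTPS/AS2 the server currently serves). Separately, `ResourceIdTemplate` goes from the server ARN pattern to `""` and `ResourceType` from `AwsTransferServer` to `Other`; unless the new metadata format requires this, keeping `arn:partition:transfer:region:account-id:server/server-id` preserves the identifier consumers use to match findings to a resource.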