AWS CloudTrail logging for AWS Transfer Family - AWS Transfer Family

AWS CloudTrail logging for AWS Transfer Family

AWS Transfer Family integrates with both AWS CloudTrail and Amazon CloudWatch. CloudTrail and CloudWatch serve different but complementary purposes.

  • This topic covers integration with CloudTrail , an AWS service that creates a record of actions taken within your AWS account. It continuously monitors and records API operations for activities like console sign-ins, AWS Command Line Interface commands, and SDK/API operations. This allows you to keep a log of who took what action, when, and from where. CloudTrail helps with auditing, access management, and regulatory compliance by providing a history of all activity in your AWS environment. For details, see the AWS CloudTrail User Guide.

  • Amazon CloudWatch logging for AWS Transfer Family servers covers integration with CloudWatch, a monitoring service for AWS resources and applications. It collects metrics and logs to provide visibility into resource utilization, application performance, and overall system health. CloudWatch helps with operational tasks like troubleshooting issues, setting alarms and autoscaling. For details, see the Amazon CloudWatch User Guide.

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API operations, so they don't appear in any specific order.

For an ongoing record of events in your AWS account, including events for AWS Transfer Family, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:

All AWS Transfer Family actions are logged by CloudTrail and are documented in the Actions API reference. For example, calls to the CreateServer, ListUsers and StopServer actions generate entries in the CloudTrail log files.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

  • Whether the request was made with root or AWS Identity and Access Management user credentials.

  • Whether the request was made with temporary security credentials for a role or federated user.

  • Whether the request was made by another AWS service.

For more information, see the CloudTrail userIdentity element.

If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Transfer Family. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history.

Using the information collected by CloudTrail, you can determine the request that was made to AWS Transfer Family, the IP address from which the request was made, who made the request, when it was made, and additional details.

To learn more about CloudTrail, see the AWS CloudTrail User Guide.

Enable AWS CloudTrail logging

You can monitor AWS Transfer Family API operations using AWS CloudTrail. By monitoring API operations, you can get useful security and operational information. If you have Amazon S3 object level logging enabled, RoleSessionName is contained in the Requester field as [AWS:Role Unique Identifier]/username.sessionid@server-id. For more information about AWS Identity and Access Management (IAM) role unique identifiers, see Unique identifiers in the AWS Identity and Access Management User Guide.

Important

The maximum length of the RoleSessionName is 64 characters. If the RoleSessionName is longer, the server-id gets truncated.

Example log entry for creating a server

The following example shows a CloudTrail log entry (in JSON format) that demonstrates the CreateServer action.

{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "AAAA4FFF5HHHHH6NNWWWW:user1", "arn": "arn:aws:sts::123456789102:assumed-role/Admin/user1", "accountId": "123456789102", "accessKeyId": "AAAA52C2WWWWWW3BB4Z", "sessionContext": { "attributes": { "mfaAuthenticated": "false", "creationDate": "2018-12-18T20:03:57Z" }, "sessionIssuer": { "type": "Role", "principalId": "AAAA4FFF5HHHHH6NNWWWW", "arn": "arn:aws:iam::123456789102:role/Admin", "accountId": "123456789102", "userName": "Admin" } } }, "eventTime": "2024-02-05T19:18:53Z", "eventSource": "transfer.amazonaws.com", "eventName": "CreateServer", "awsRegion": "us-east-1", "sourceIPAddress": "11.22.1.2", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", "requestParameters": { "domain": "S3", "hostKey": "HIDDEN_DUE_TO_SECURITY_REASONS", "protocols": [ "SFTP" ], "protocolDetails": { "passiveIp": "AUTO", "tlsSessionResumptionMode": "ENFORCED", "setStatOption": "DEFAULT" }, "securityPolicyName": "TransferSecurityPolicy-2020-06", "s3StorageOptions": { "directoryListingOptimization": "ENABLED" } }, "responseElements": { "serverId": "s-1234abcd5678efghi" }, "requestID": "6fe7e9b1-72fc-45b0-a7f9-5840268aeadf", "eventID": "4781364f-7c1e-464e-9598-52d06aa9e63a", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789102", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "transfer.us-east-1.amazonaws.com" }, "sessionCredentialFromConsole": "true" }