Unexpected AWS API calls indicating creation of Transfer Family server

ID: aws_transfer_server_created_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1578

Description

AlphaSOC detected the creation of an AWS Transfer Family server, which provides managed SFTP, FTPS, or FTP endpoints for file transfer into and out of S3 buckets. While Transfer Family is a legitimate AWS service, the unexpected creation of a transfer server may indicate that an attacker is establishing a persistent file exfiltration channel or a command-and-control pathway using cloud-native infrastructure to blend in with normal operations.

Impact

An unauthorized AWS Transfer server provides a persistent, internet-accessible file transfer endpoint backed by S3 storage. Threat actors may use this to exfiltrate data over standard file transfer protocols that may bypass traditional network controls. If the transfer server is configured with broadly permissive authentication, it could also serve as an entry point for further compromise of the associated S3 buckets and their contents.

Severity

Severity        Condition
Informational   AWS Transfer Family server created
Low             Unexpected AWS Transfer Family server creation
Medium          Suspicious AWS Transfer Family server creation

Investigation and Remediation

Review CloudTrail logs to identify the IAM principal that created the Transfer server and its configuration, including endpoint type, identity provider, and associated S3 buckets. Determine whether the creation was authorized. If unauthorized, delete the Transfer server immediately and review S3 bucket policies for associated access. Investigate the creating identity for additional compromise indicators and restrict Transfer Family creation.
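The CloudTrail review described above, as an added example that is not AlphaSOC's detection code: it filters records to the transfer.amazonaws.com CreateServer call, pulls out the creating principal, endpoint type, identity provider and protocols, and tiers each finding. The sample events and the allow-list of authorized creators are constructed, and the tiering rule is an assumption standing in for the Informational/Low/Medium conditions the page leaves undefined.

```python
# Constructed CloudTrail records (not real events), shaped like the
# transfer.amazonaws.com CreateServer call the detection keys on.
SAMPLE_EVENTS = [
    {"eventSource": "transfer.amazonaws.com", "eventName": "CreateServer",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/transfer-admin"},
     "requestParameters": {"endpointType": "VPC", "protocols": ["SFTP"],
                           "identityProviderType": "SERVICE_MANAGED"},
     "responseElements": {"serverId": "s-0123456789abcdef0"}},
    {"eventSource": "transfer.amazonaws.com", "eventName": "CreateServer",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "requestParameters": {"endpointType": "PUBLIC", "protocols": ["SFTP", "FTP"],
                           "identityProviderType": "API_GATEWAY"},
     "responseElements": {"serverId": "s-abcdef0123456789a"}},
    # Unrelated S3 call that the filter must ignore.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"}},
]
# Assumed allow-list of principals authorized to create Transfer servers.
AUTHORIZED_CREATORS = {"arn:aws:iam::111122223333:role/transfer-admin"}


def triage_create_server(events, authorized=AUTHORIZED_CREATORS):
    """One finding per CreateServer record. Assumed tiering (not AlphaSOC's
    definition): authorized creator -> Informational; unexpected creator -> Low;
    unexpected creator plus PUBLIC endpoint or plaintext FTP -> Medium."""
    findings = []
    for ev in events:
        if (ev.get("eventSource") != "transfer.amazonaws.com"
                or ev.get("eventName") != "CreateServer"):
            continue
        params = ev.get("requestParameters") or {}
        principal = (ev.get("userIdentity") or {}).get("arn", "unknown")
        public = params.get("endpointType") == "PUBLIC"
        plaintext_ftp = "FTP" in params.get("protocols", [])
        if principal in authorized:
            severity = "Informational"
        elif public or plaintext_ftp:
            severity = "Medium"
        else:
            severity = "Low"
        findings.append({
            "severity": severity, "principal": principal,
            "source_ip": ev.get("sourceIPAddress"),
            "server_id": (ev.get("responseElements") or {}).get("serverId"),
            "endpoint_type": params.get("endpointType"),
            "identity_provider": params.get("identityProviderType"),
            "protocols": params.get("protocols", [])})
    return findings
```

Each finding carries the server ID and creating principal needed for the follow-up steps (deleting the server, reviewing the associated S3 bucket policies, and investigating the identity).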