AWS Transfer for SFTP
User Guide

Monitoring Usage

You can monitor activity on your SFTP server using Amazon CloudWatch and AWS CloudTrail: CloudWatch Logs records end-user activity on the server (authentication attempts and file transfers), and CloudTrail records the AWS SFTP API calls made against your account. For further analysis, you can also record SFTP server activity as readable, near real-time metrics.

Enabling AWS CloudTrail Logging

You can monitor AWS SFTP API calls using AWS CloudTrail. By monitoring API calls, you can get useful security and operational information. For more information on how to work with CloudTrail and AWS SFTP, see Logging AWS Transfer for SFTP API Calls with AWS CloudTrail.

Logging Activity with CloudWatch

To enable Amazon CloudWatch logging, you provide an IAM role that the SFTP server assumes in order to write to CloudWatch Logs. You can do this when you create an SFTP server or by editing an existing SFTP server. For more information about CloudWatch, see What Is Amazon CloudWatch? and What is Amazon CloudWatch Logs? in the Amazon CloudWatch User Guide.

To enable CloudWatch logging for your SFTP server

  1. Create an IAM policy that allows CloudWatch logging (shown following).

  2. Create an IAM role and attach the policy to it. The SFTP server assumes this role and uses it to call AWS services on your behalf.

  3. Add a trust relationship to the role that allows AWS Transfer for SFTP (the transfer.amazonaws.com service principal) to assume it.

Note

AWS Transfer for SFTP is not listed among the services in the IAM console's role-creation wizard. As a workaround, choose Storage Gateway to create the role, then edit the trust relationship to replace storagegateway.amazonaws.com with transfer.amazonaws.com as the service principal.

Use the following contents to create your own IAM policy that allows CloudWatch logging. Note that a Resource of "*" lets the role write to any log group in your account; for least privilege, you can restrict it to the ARN of the log group that your server writes to.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

The role also requires a trust relationship (a trust policy) that lets the AWS SFTP service principal assume it. The empty Condition block shown here works, but you can add aws:SourceAccount and aws:SourceArn conditions so that only SFTP servers in your own account can assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "transfer.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
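The following Python script is an added example that is not part of the user guide or of AWS's own tooling. It covers the three steps above: it reproduces the guide's permissions policy and trust policy as the "before" case, generates a scoped-down pair of documents (permissions limited to the server's own log group, trust limited to SFTP servers in your account and region), and runs a small linter over both so you can see what the broad versions allow. The region, account ID and server ID are placeholders, and the log group name /aws/transfer/<server-id> is assumed for the example.

```python
"""Build and lint the IAM documents for AWS SFTP CloudWatch logging.

Added example; not code from the AWS user guide. The region, account and
server ID below are placeholders, and the log group name
/aws/transfer/<server-id> is an assumption made for this example.
"""
import json

LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream",
               "logs:DescribeLogStreams", "logs:PutLogEvents"]

# The guide's permissions policy, reproduced as the "before" case.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": LOG_ACTIONS, "Resource": "*"}],
}

# The guide's trust policy, reproduced as the "before" case.
PAGE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "transfer.amazonaws.com"},
                   "Action": "sts:AssumeRole", "Condition": {}}],
}


def logging_policy(region, account, server_id):
    """Same four actions as the guide, scoped to one server's log group.

    Both ARN forms are listed: the bare group ARN (matched by
    CreateLogGroup) and the ':*' form (matched by log-stream actions).
    """
    group = f"arn:aws:logs:{region}:{account}:log-group:/aws/transfer/{server_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "TransferCloudWatchLogging", "Effect": "Allow",
                       "Action": LOG_ACTIONS, "Resource": [group, group + ":*"]}],
    }


def trust_policy(region, account):
    """Trust policy with confused-deputy guards: only SFTP servers in this
    account and region may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "transfer.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account},
                "ArnLike": {"aws:SourceArn": f"arn:aws:transfer:{region}:{account}:server/*"},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Findings for Allow statements with wildcard resources or actions."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if "*" in _as_list(st["Resource"]):
            findings.append(f"{sid}: Resource '*' lets the role write to any log group")
        if any(a == "*" or a.endswith(":*") for a in _as_list(st["Action"])):
            findings.append(f"{sid}: wildcard action in {st['Action']}")
    return findings


def lint_trust(policy):
    """Findings for service-principal trust without a source condition."""
    findings = []
    for st in policy["Statement"]:
        principal = st.get("Principal", {}).get("Service")
        if principal == "transfer.amazonaws.com" and not st.get("Condition"):
            findings.append("transfer.amazonaws.com may assume the role from any "
                            "account (no aws:SourceAccount/aws:SourceArn condition)")
    return findings


if __name__ == "__main__":
    region, account, server_id = "us-east-1", "123456789012", "s-0123456789abcdefg"
    print("guide policy:", lint_policy(PAGE_POLICY))
    print("guide trust: ", lint_trust(PAGE_TRUST))
    print(json.dumps(logging_policy(region, account, server_id), indent=2))
    print(json.dumps(trust_policy(region, account), indent=2))
```

To apply the generated documents without the console workaround in the note above, save them to files and run aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json, then aws iam put-role-policy --role-name <name> --policy-name <policy> --policy-document file://policy.json, and finally aws transfer update-server --server-id <server-id> --logging-role <role ARN>.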

To view the logs, choose View logs on the Server configuration page.

Choosing View logs takes you to the CloudWatch Logs page for your server. On that page, you can see records of user authentication (success and failure), data uploads (PUT operations), and data downloads (GET operations).
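Once these records are in CloudWatch Logs, the question a security engineer asks is what to do with them. The following Python script is an added example, not code from the user guide or from AWS: it parses the three kinds of record the page names (authentication success and failure, PUT, GET), flags source IPs with repeated authentication failures, lists which user names each such IP tried, and totals bytes uploaded and downloaded per user. The log lines embedded in it are constructed for this example as space-separated key=value fields; the real CloudWatch record layout differs, so adapt parse_record to the fields you actually see in your log group.

```python
"""Triage AWS SFTP CloudWatch log records for failed logins and transfers.

Added example; not code from the AWS user guide. SAMPLE_LOG is constructed
for illustration (timestamp, event name, then key=value fields); the real
record format differs and parse_record is the place to adapt.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: three failures from one IP against three user names
# (a password-spraying pattern), then one legitimate session with a PUT and a GET.
SAMPLE_LOG = """\
2019-06-01T12:00:01Z AUTH_FAILURE User=alice SourceIP=203.0.113.7 Reason="bad password"
2019-06-01T12:00:05Z AUTH_FAILURE User=bob SourceIP=203.0.113.7 Reason="bad password"
2019-06-01T12:00:09Z AUTH_FAILURE User=carol SourceIP=203.0.113.7 Reason="no such user"
2019-06-01T12:01:00Z AUTH_SUCCESS User=alice SourceIP=198.51.100.4
2019-06-01T12:01:30Z PUT User=alice SourceIP=198.51.100.4 Path=/data/report.csv Bytes=2048
2019-06-01T12:02:00Z GET User=alice SourceIP=198.51.100.4 Path=/data/old.csv Bytes=512
"""

# key=value where value is either a double-quoted string or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Turn one log line into a dict; returns None for lines without an event."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return None
    rec = {"timestamp": parts[0], "event": parts[1]}
    rest = parts[2] if len(parts) == 3 else ""
    for m in FIELD_RE.finditer(rest):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        rec[key] = quoted if quoted is not None else raw
    return rec


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def failed_auth_by_ip(records, threshold=3):
    """Source IPs with at least `threshold` authentication failures."""
    counts = Counter(r.get("SourceIP", "?") for r in records
                     if r["event"] == "AUTH_FAILURE")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def users_tried_by_ip(records):
    """Distinct user names each source IP failed to authenticate as."""
    tried = defaultdict(set)
    for r in records:
        if r["event"] == "AUTH_FAILURE":
            tried[r.get("SourceIP", "?")].add(r.get("User", "?"))
    return {ip: sorted(users) for ip, users in tried.items()}


def transfer_totals(records):
    """Bytes uploaded (PUT) and downloaded (GET) per user."""
    totals = defaultdict(lambda: {"PUT": 0, "GET": 0})
    for r in records:
        if r["event"] in ("PUT", "GET"):
            totals[r.get("User", "?")][r["event"]] += int(r.get("Bytes", 0))
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in failed_auth_by_ip(recs).items():
        print(f"ALERT {ip}: {n} auth failures, users tried: {users_tried_by_ip(recs)[ip]}")
    print("transfer totals:", transfer_totals(recs))
```

The threshold and the per-IP grouping are the pieces to tune: many distinct user names from one IP with few attempts each is the spraying pattern, while many attempts against one user from many IPs points at a targeted account and is better keyed on User.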