Compliance Medium severity

AWS Security Hub · Transfer

Transfer.2: Transfer servers should not use FTP

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Transfer.2 check?

Transfer.2 fails when an AWS Transfer Family server has FTP enabled in its list of protocols. FTP carries credentials and data in clear text.

Why does Transfer.2 matter?

FTP predates TCP/IP and was designed for a small, trusted network where encryption was never part of the model. On a modern managed service that means usernames, passwords and file contents cross the network unencrypted, readable by anyone on the path. The protocol still works; the threat environment around it no longer justifies using it.

How do I fix Transfer.2?

  1. List Transfer servers and inspect their `Protocols` to find any with FTP enabled.
  2. Migrate partners to SFTP (SSH key-based) or FTPS (TLS), bearing in mind the two authenticate very differently.
  3. Plan credential migration and confirm client compatibility before the cutover so partner transfers do not break.
  4. Remove FTP from the server's protocol list once partners are migrated, leaving only SFTP and/or FTPS.
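
The Python below is an added example, not Emnode's code: it applies the Transfer.2 rule from step 1 to constructed `describe-server` output and builds the step 4 `update-server` command, flagging the FTP-only case where the protocol list cannot simply be emptied. The sample server IDs are placeholders, and the FTPS certificate check is an extra caveat assumed from the service's requirement that FTPS listeners carry an ACM certificate.

```python
# Constructed samples shaped like the "Server" object that
# `aws transfer describe-server --server-id <id>` returns (fields trimmed).
# Server IDs are placeholders, not real resources.
SAMPLE_SERVERS = [
    {"ServerId": "s-0a1b2c3d4e5f", "Protocols": ["SFTP", "FTP"],
     "IdentityProviderType": "API_GATEWAY"},
    {"ServerId": "s-ftponly-placeholder", "Protocols": ["FTP"],
     "IdentityProviderType": "AWS_LAMBDA"},
    {"ServerId": "s-ftps-placeholder", "Protocols": ["FTP", "FTPS"],
     "IdentityProviderType": "AWS_DIRECTORY_SERVICE"},
    {"ServerId": "s-clean-placeholder", "Protocols": ["SFTP"],
     "IdentityProviderType": "SERVICE_MANAGED"},
]


def evaluate_transfer2(server):
    """Return (status, target_protocols, notes) for one server description."""
    protocols = list(server.get("Protocols", []))
    if "FTP" not in protocols:
        return "PASSED", protocols, []
    notes = []
    target = [p for p in protocols if p != "FTP"]
    if not target:
        # The protocol list cannot be emptied: an FTP-only server needs
        # SFTP enabled and partners moved before FTP is removed.
        target = ["SFTP"]
        notes.append("FTP-only server: enable SFTP and migrate partners first")
    if "FTPS" in target and not server.get("Certificate"):
        # Assumed caveat: an FTPS listener needs an ACM certificate attached.
        notes.append("FTPS needs an ACM certificate attached to the server")
    return "FAILED", target, notes


def remediation_command(server_id, target):
    """update-server call that drops FTP; list values are space-separated."""
    return "aws transfer update-server --server-id %s --protocols %s" % (
        server_id, " ".join(target))


def report(servers):
    """Evaluate every server; failures carry their remediation command."""
    rows = []
    for s in servers:
        status, target, notes = evaluate_transfer2(s)
        cmd = remediation_command(s["ServerId"], target) if status == "FAILED" else None
        rows.append({"ServerId": s["ServerId"], "Status": status,
                     "Notes": notes, "Command": cmd})
    return rows
```

In practice, feed `report()` the `Server` objects gathered by iterating `aws transfer list-servers` and calling `describe-server` on each ID, and run the emitted command only after step 3's partner migration is complete.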

Remediation script · bash

# Close the highest-blast-radius mode first: confirm and remove the root access key.
# (Deletion is done as the root user via the console; an IAM identity cannot do it.)
aws iam get-account-summary --query 'SummaryMap.AccountAccessKeysPresent'
# Expect 0 after deletion.

# Close a public EKS endpoint (only after confirming a private path exists).
aws eks update-cluster-config --name svc-orders \
  --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true

# Disable legacy ACLs on a bucket and let policy govern access.
aws s3api put-bucket-ownership-controls --bucket my-legacy-assets \
  --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'

# Migrate a Transfer Family server off plain FTP to SFTP only.
aws transfer update-server --server-id s-0a1b2c3d4e5f --protocols SFTP

Full walkthrough (console steps, edge cases and verification) in the lesson Disable insecure access modes and protocols.

Part of the learning path Lock down access
  • Transfer.3 Transfer connectors should have logging