Security Considerations.


As a protocol developed in the early 1970s, FTP has some specific considerations which are unusual in the present day. In particular, regular FTP transfers data unencrypted. BucketBridge supports FTPS (also known as FTP+TLS) from version 20181114 and greater, and it is strongly suggested that you use this where possible.


If you need to use regular encrypted FTP, it is strongly suggested that you utilise a VPN between machines outside your AWS VPC and the BucketBridge instance. This will ensure encryption of data over the Internet.

For larger configurations, or those that require high bandwidth, AWS Direct Connect provides a dedicated private connection.

Both of these solutions provide connectivity to your entire AWS estate, and are not specific to BucketBridge.

Encryption at Rest

BucketBridge natively interfaces FTP to S3 in real-time. As such, data is never stored on the BucketBridge server.

For data storage within the S3 bucket, BucketBridge supports AES256 server-side encryption. For S3 buckets created using the provided CloudFormation template, AES256 encryption is already enabled.

Password complexity

BucketBridge does not enforce specific password complexity. The administrator should ensure that all passwords used conform to their internal guidelines.

Port usage

FTP uses a range of ports, with the ports being used varying depending on whether active or passive mode FTP is used. BucketBridge supports both active and passive mode FTP.

Where possible, it is recommended passive mode is used. In active mode, when a client issues a transfer command, the server opens a connection to the client. In passive mode, all connections are made from the client to the server, simplifying firewall requirements.