I have an EC2 instance that is set up as an SFTP server using OpenSSH. It only allows connections from whitelisted IPs via TCP port 22 (limited via an EC2 Security Group). I constantly have customers try to connect from other IPs that have not been whitelisted. I'd like to track those attempted connections and the IPs they come from so I can help them figure out their IP addresses.
Is it possible to see these IP addresses from the server? Can I also see the connection attempt and get the SFTP username?
AWS has a feature called VPC Flow Logs that captures all the traffic coming to a VPC, a particular subnet, or a particular network interface. You can set up VPC Flow Logs, and these logs are then populated to AWS CloudWatch. It gives very descriptive log information and you can filter your query from that. Check more on AWS VPC Flow Logs.
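As an added illustration of what the flow-log route actually gives you (example code, not part of the answer above), the script below parses default-format (version 2) VPC Flow Log records and reports which source addresses had TCP/22 flows REJECTed by the security group. The records, ENI id and addresses are constructed for the example. Note what is missing: because the security group drops the SYN, no TCP handshake happens and sshd never sees the client, so a flow log can give you the IP but never the SFTP username.

```python
from collections import Counter

# Field order of a default (version 2) VPC Flow Log record, as documented by AWS.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

TCP = "6"  # IANA protocol number, as it appears in the 'protocol' field

# Constructed sample records for one ENI (not real traffic). Public addresses are
# from the RFC 5737 documentation ranges; 10.0.1.20 stands in for the instance.
SAMPLE_RECORDS = """\
2 123456789010 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 51234 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789010 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 51240 22 6 6 360 1700000060 1700000120 REJECT OK
2 123456789010 eni-0a1b2c3d4e5f67890 198.51.100.77 10.0.1.20 44012 22 6 24 3120 1700000000 1700000060 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f67890 192.0.2.9 10.0.1.20 40001 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789010 eni-0a1b2c3d4e5f67890 203.0.113.88 10.0.1.20 33333 22 17 1 60 1700000000 1700000060 REJECT OK
2 123456789010 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Return one record as a dict, or None for malformed, NODATA or SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry '-' in the address fields: nothing to attribute.
    if rec["log_status"] != "OK":
        return None
    return rec


def _matching(text, dstport, proto):
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if (rec["action"] == "REJECT"
                and rec["protocol"] == proto
                and rec["dstport"] == str(dstport)):
            yield rec


def rejected_sources(text, dstport=22, proto=TCP):
    """Count REJECTed flows to dstport/proto per source address.

    One record is an aggregate over the capture window, so this counts rejected
    flows, not packets; a client that retries its SYN several times inside one
    window still shows up as a single record.
    """
    counts = Counter(rec["srcaddr"] for rec in _matching(text, dstport, proto))
    return dict(counts)


def rejected_packets(text, dstport=22, proto=TCP):
    """Sum the 'packets' field per source: how many SYNs the security group dropped."""
    counts = Counter()
    for rec in _matching(text, dstport, proto):
        counts[rec["srcaddr"]] += int(rec["packets"])
    return dict(counts)


if __name__ == "__main__":
    flows = rejected_sources(SAMPLE_RECORDS)
    pkts = rejected_packets(SAMPLE_RECORDS)
    for ip in sorted(flows, key=flows.get, reverse=True):
        print(f"{ip}: {flows[ip]} rejected TCP/22 flow(s), {pkts[ip]} dropped packet(s)")
```

On the live log group the same filter can be expressed in CloudWatch Logs Insights as `filter action = "REJECT" and dstPort = 22 and protocol = 6 | stats count(*) by srcAddr`; the offline parser above is useful when the logs are exported to S3 or when you want to reason about the packet counts as well.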
If you want to see dropped traffic you'll need to do the whitelisting using a firewall running on your EC2 instance, not the AWS infrastructure. (Your server cannot log/see traffic that it doesn't receive.)
You may want to look into something like Fail2Ban.
A word of advice: there are botnets that will try to connect to your IP (especially on EC2) via SSH using weak usernames and passwords. You'll only drive yourself insane trying to track down every failed login attempt or attempt to connect. A single box can get hundreds of these a day; you have been warned.
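To make the distinction in this answer concrete, here is an added example (not the answerer's code) that reads a syslog stream containing both kinds of evidence a host firewall plus sshd can produce: kernel lines from an iptables LOG rule for connections the host itself dropped, and sshd's own "Failed password" / "Accepted" lines for connections that got through to the daemon. Only the second kind carries a username. It also applies the Fail2Ban-style rule of "maxretry failures within findtime seconds" so you can see which sources are worth attention at all. The log lines, the `SSH-DROP:` log prefix and the iptables rule in the comment are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not from a real host). The "SSH-DROP:" kernel
# lines assume an iptables logging rule such as
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
#       -j LOG --log-prefix "SSH-DROP: "
# placed just before the rule that drops non-whitelisted sources; the prefix is
# this example's choice. The sshd lines follow OpenSSH's usual wording.
SAMPLE_LOG = """\
Nov  3 10:15:02 sftp kernel: [  812.331] SSH-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Nov  3 10:15:03 sftp kernel: [  813.402] SSH-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Nov  3 10:15:10 sftp sshd[2211]: Invalid user admin from 198.51.100.77 port 40011
Nov  3 10:15:12 sftp sshd[2211]: Failed password for invalid user admin from 198.51.100.77 port 40011 ssh2
Nov  3 10:15:20 sftp sshd[2215]: Failed password for root from 198.51.100.77 port 40013 ssh2
Nov  3 10:15:31 sftp sshd[2219]: Failed password for root from 198.51.100.77 port 40015 ssh2
Nov  3 10:16:05 sftp sshd[2230]: Accepted publickey for customer1 from 192.0.2.9 port 50022 ssh2
"""

# Firewall drop: we get the source IP and nothing else (no handshake, no username).
DROP_RE = re.compile(r"SSH-DROP: .*\bSRC=(?P<ip>[\d.]+)\b.*\bDPT=22\b")
# sshd authentication failure; "invalid user" is present when the account does not exist.
# The separate "Invalid user X from Y" line is deliberately not counted, since the
# matching "Failed password for invalid user" line already records that attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def _timestamp(line):
    # Traditional syslog timestamps carry no year; 1900 is fine for relative comparisons.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def parse_events(text):
    """Return a list of (timestamp, kind, ip, user); user is None for firewall drops."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            events.append((_timestamp(line), "dropped", m["ip"], None))
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append((_timestamp(line), "failed", m["ip"], m["user"]))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append((_timestamp(line), "accepted", m["ip"], m["user"]))
    return events


def summarize(text):
    """Per-IP view: drop counts, and the usernames seen on failed and accepted logins."""
    dropped = defaultdict(int)
    failed = defaultdict(list)
    accepted = defaultdict(list)
    for _, kind, ip, user in parse_events(text):
        if kind == "dropped":
            dropped[ip] += 1
        elif kind == "failed":
            failed[ip].append(user)
        else:
            accepted[ip].append(user)
    return {"dropped": dict(dropped), "failed": dict(failed), "accepted": dict(accepted)}


def repeat_offenders(text, maxretry=3, findtime=600):
    """Fail2Ban-style test: IPs with maxretry failed logins inside any findtime-second window."""
    stamps = defaultdict(list)
    for ts, kind, ip, _ in parse_events(text):
        if kind == "failed":
            stamps[ip].append(ts)
    offenders = set()
    for ip, times in stamps.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                offenders.add(ip)
                break
    return offenders


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in report["dropped"].items():
        print(f"{ip}: {n} connection(s) dropped by host firewall (no username available)")
    for ip, users in report["failed"].items():
        print(f"{ip}: failed logins as {users}")
    print("would be banned by maxretry=3/findtime=600:", repeat_offenders(SAMPLE_LOG))
```

The practical reading for the original question: a customer whose IP is not whitelisted appears only in the `dropped` bucket, identified by address alone, whereas the `failed` and `accepted` buckets (and the username) only ever contain sources that were already allowed through. The `repeat_offenders` check is what separates the one-off customer from the password-guessing bots this answer warns about.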