Q: What is AWS Transfer for SFTP?
A: AWS Transfer for SFTP (AWS SFTP) is a fully managed service hosted in AWS that enables the transfer of files over SFTP directly in and out of Amazon S3.
Q: What is SFTP and where is it used?
A: SFTP stands for Secure Shell (SSH) File Transfer Protocol, a network protocol used for secure transfer of data over the internet. The protocol supports the full security and authentication functionality of SSH, and is widely used to exchange data between business partners in a variety of industries including financial services, healthcare, media and entertainment, retail, advertising, and more.
Q: Why should I use AWS SFTP?
A: Today, if you are using SFTP to exchange data with third parties such as vendors, business partners, or customers, and want to manage that data in AWS for processing, analytics, and archival, you have to host and manage your own SFTP service. This requires you to invest in operating and managing infrastructure, patching servers, monitoring for uptime and availability, and building one-off mechanisms to provision users and audit their activity. AWS SFTP solves these challenges by providing a fully managed SFTP service that can reduce your operational burden, while preserving your existing transfer workflows for your end users. The service stores transferred files as objects in your Amazon S3 bucket, so you can extract value from them in your data lake, or for your Customer Relationship Management (CRM) or Enterprise Resource Planning (ERP) workflows, or for archiving in AWS.
Q: What are the benefits of using AWS SFTP?
A: AWS SFTP provides you with a fully managed, highly available SFTP service with auto-scaling capabilities, eliminating the need for you to manage SFTP-related infrastructure. With AWS SFTP, your end users’ workflows remain unchanged, while data uploaded and downloaded over SFTP is stored in your Amazon S3 bucket. With the data in Amazon S3, you can now easily use it with the broad array of AWS services for data processing, analytics, machine learning, and archival, in an environment that can meet your compliance requirements.
Q: How do I use AWS SFTP?
A: In 3 simple steps, you can get a persistent and highly available “SFTP server” in AWS. First, you associate your existing SFTP hostname(s) with the SFTP server endpoint. Next, you set up your users by selecting your identity provider for authentication – Service Managed or a directory service like Microsoft AD. Finally, you choose the S3 bucket(s) and assign IAM Roles for access. Once the service endpoint, identity provider, and S3 bucket access policies are enabled, your users can continue to use their existing clients and configurations while the data they access is stored in your S3 bucket.
Q: Can I use CloudFormation to automate deployment of my SFTP servers and users?
A: Yes, you can deploy CloudFormation templates to automate creation of your SFTP servers and users or for integrating an identity provider. Refer to the usage guide for using AWS Transfer for SFTP resources in CloudFormation templates.
Q: Can my users use SCP, FTP, or FTP/S (FTP over SSL) to transfer files using this service?
A: No, your users will need to use SFTP to transfer files. Most file transfer clients offer SFTP as an option that will need to be selected when transferring files using AWS SFTP.
Server endpoint options
Q: Can I use my corporate domain name (sftp.mycompanyname.com) to access my SFTP endpoint?
A: Yes. If you already have a domain name, you can use Amazon Route 53 or any DNS service to route your users’ traffic from your registered domain to the server endpoint in AWS. Refer to the documentation on how AWS Transfer uses Amazon Route 53 for custom domain names; this applies to internet-facing endpoints only.
Q: Can I still use the service if I don’t have a domain name?
A: Yes, if you don’t have a domain name, your users can access your server endpoint using the hostname provided by AWS SFTP. Alternatively, you can register a new domain using the Amazon Route 53 Console or API and route traffic from this new domain to your SFTP server endpoint.
Q: Can I use my domain that already has a public zone?
A: Yes, you will need to CNAME the domain to the SFTP server hostname.
Q: Can I set up my SFTP server endpoint to be accessible only within my VPC?
A: Yes. When you create a server or update an existing one, you have the option to specify whether you want the endpoint to be accessible over the public internet or within your VPC. Using a VPC endpoint for your server makes it accessible only to clients within the same VPC, other VPCs you specify, or in on-premises environments using networking technologies that extend your VPC such as AWS Direct Connect, AWS VPN, or VPC peering. You can further restrict access to resources in specific subnets within your VPC using subnet Network Access Control Lists (NACLs) or endpoint Security Groups. Refer to the documentation on creating your server endpoint inside your VPC using AWS PrivateLink for details.
Q: Can my end users use fixed IP addresses to whitelist access to an SFTP server's endpoint in their firewalls?
A: Yes. You can enable fixed IPs for your server endpoint by selecting the VPC endpoint for your server and choosing the internet-facing option. This allows you to attach Elastic IPs (including BYO IPs) to your server’s endpoint, and those addresses become the endpoint’s IP addresses. Refer to the section on Creating an internet facing endpoint in the documentation: Creating your server endpoint inside your VPC.
Q: Can I restrict incoming traffic by end users’ source IP addresses?
A: Yes. You can attach Security Groups to your server’s VPC endpoint which will control inbound traffic to your server. Refer to the section on Creating an internet facing endpoint in the documentation: Creating your server endpoint inside your VPC.
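The three answers above (VPC endpoint, fixed Elastic IP, Security Group limiting source IPs) fit in one CloudFormation template. This is an added example, not a template from AWS or the documentation; it assumes the property names of the AWS::Transfer::Server, AWS::EC2::EIP and AWS::EC2::SecurityGroup resources, and the VPC, subnet, partner CIDR and logging role values are placeholders supplied as parameters.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Internet-facing VPC endpoint for AWS Transfer for SFTP with a fixed EIP and a source-IP restriction (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id           # public subnet for the internet-facing endpoint
  PartnerCidr:
    Type: String
    Default: 203.0.113.0/24              # placeholder: the partner's egress range (TEST-NET-3)
  LoggingRoleArn:
    Type: String                         # role that lets the server write CloudWatch logs

Resources:
  # Fixed Elastic IP that end users can add to their firewall allow lists
  SftpEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  # Only TCP/22 from the approved partner range reaches the endpoint
  SftpSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow SFTP only from approved partner source IPs
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref PartnerCidr

  SftpServer:
    Type: AWS::Transfer::Server
    Properties:
      EndpointType: VPC                  # VPC endpoint type with the internet-facing option
      EndpointDetails:
        VpcId: !Ref VpcId
        SubnetIds:
          - !Ref PublicSubnetId
        AddressAllocationIds:            # binds the EIP to the endpoint
          - !GetAtt SftpEip.AllocationId
        SecurityGroupIds:
          - !Ref SftpSecurityGroup
      IdentityProviderType: SERVICE_MANAGED
      LoggingRole: !Ref LoggingRoleArn

Outputs:
  FixedIp:
    Value: !Ref SftpEip
  ServerId:
    Value: !GetAtt SftpServer.ServerId
```

Hand the FixedIp output to partners for their firewall rules; widening PartnerCidr later is a stack update rather than a server change.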
Q: Can my SFTP clients use fixed IP addresses to access my SFTP server whose endpoint type is PUBLIC?
A: No. Fixed IP addresses that are usually used for firewall whitelisting purposes are currently not supported on the PUBLIC Endpoint type.
Q: What IP ranges would my end users need to whitelist to access my SFTP server’s endpoint type that is PUBLIC?
A: If you are using the PUBLIC endpoint type, your users will need to whitelist the AWS IP address ranges published here. Refer to the documentation for details on staying up to date with AWS IP Address Ranges.
Q: Will my AWS SFTP server's host key ever change after I create the server?
A: No. The server’s host key that is assigned when you create the server remains the same, until you delete and create a new one.
Q: Can I import keys from my current SFTP host so my users do not have to reverify the session information?
A: Yes. You can provide a RSA host key when you create a new server, or update an existing one. This key will be used by your end users’ clients to identify your server. Refer to the documentation on using the AWS CLI/SDKs for uploading a Host Key for your server.
Q: Can my users continue to use their existing SFTP clients or transfer applications?
A: Yes, any existing SFTP client or SFTP transfer application will continue to work with AWS SFTP. Examples of commonly used SFTP clients include WinSCP, FileZilla, CyberDuck, and OpenSSH clients.
Q: How does the service authenticate my users?
A: The service supports two modes of authentication: using the service to store and access user identities, and using a custom identity provider.
Service managed authentication
Q: How can I authenticate my users using service managed authentication?
A: You can use SSH key based authentication if you are using the service to store and access user identities.
Q: How many SSH keys can I upload per user?
A: You can upload up to 10 SSH keys per user. Note that adding more keys increases login time as the server will need to evaluate each of them until a match is found for successful authentication.
Q: Is key rotation supported for service managed authentication?
A: Yes. Refer to the documentation for details on how to set up key rotation using the service.
Q: Can I lock my service managed users to their designated home directories (“chroot”)?
A: Yes, when you add a new user, or update an existing one, you can select the “restricted” checkbox. This maps the root of your user’s client to the assigned home directory location in your S3 bucket, “chrooting” them to that location.
Q: Can I use the service managed authentication for password authentication?
A: No. Storing passwords within the service for authentication is currently not supported for SFTP. If you need password authentication for SFTP, visit the blog post on 'Enabling Password Authentication using Secrets Manager.'
Q: Are anonymous users supported?
A: No. Anonymous users are currently not supported.
Custom identity provider
Q: Can I leverage my existing identity provider to manage my SFTP users?
A: AWS SFTP allows you to plug in your existing identity provider so you can migrate your users whose credentials are stored in your corporate directory. Examples of identity providers include Microsoft Active Directory (AD), Lightweight Directory Access Protocol (LDAP), or custom identity providers.
Q: How do I get started in integrating my existing identity provider for user authentication?
A: To get started, we recommend using the AWS CloudFormation template and provide the necessary information for user authentication and access. Visit the website on custom identity providers to learn more.
Q: When setting up my users via a custom identity provider, what information is used to enable access to my users?
A: Your user will need to provide a username and password (or SSH key) which will be used to authenticate, and access to your bucket is determined by the AWS IAM Role supplied by the API Gateway and Lambda used to query your identity provider. You will also need to provide home directory information, and it is recommended that you lock them down to the designated home folder for an additional layer of security and usability. Refer to this blog post on how to simplify your end users’ experience when using a custom identity provider with AWS SFTP.
Q: Why do I need to provide an AWS IAM Role, and how is it used?
A: AWS IAM is used to determine the level of access you want to provide your users. This includes what operations you want to enable on their client and which Amazon S3 buckets they have access to – whether it’s the entire bucket or portions of it.
Q: Why do I need to provide home directory information and how is it used?
A: The home directory you set up for your user determines their login directory. As soon as your user logs into the SFTP server, this is the directory path their SFTP client would use as the landing directory. You will need to ensure that the IAM Role supplied provides the user access to the home directory.
Q: I have 100s of users who have similar access settings, but to different portions of my bucket. Can I lock their access to the designated home folder only?
A: Yes. You can use logical directory mappings to specify how you want to make absolute Amazon S3 bucket paths visible to your users. In your identity provider integration’s Lambda function, you will need to specify “Entry” as “/” (specifying root) and “Target” as the absolute S3 bucket location that will be their home directory path. You may or may not need to use a scope down policy, as the mappings will be the only S3 bucket locations accessible to your end users. Visit this blog on how to 'Simplify Your AWS SFTP Structure with Chroot and Logical Directories.'
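The custom identity provider answers above describe what the Lambda behind your identity provider integration must return: an IAM Role, home directory information, and (for the chroot pattern) a logical directory mapping with Entry "/" and Target set to the user's absolute S3 location. The handler below is an added example, not AWS's code or a template from the documentation; it assumes the event shape passed to a directly invoked Lambda authorizer (username, password, serverId, protocol, sourceIp), and the bucket name, role ARN, public key and the in-memory user directory are constructed placeholders standing in for a real AD/LDAP lookup.

```python
import hashlib
import hmac
import json

BUCKET = "example-sftp-bucket"                              # placeholder bucket
ROLE_ARN = "arn:aws:iam::123456789012:role/SftpUserRole"    # placeholder role
_ITERATIONS = 100_000

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

# Constructed directory: only salted password hashes and public keys are kept.
USERS = {
    "partner-a": {
        "salt": b"constructed-salt-a",
        "pwd_hash": _pbkdf2("correct horse", b"constructed-salt-a"),  # constructed
        "public_keys": ["ssh-rsa AAAAB3Nza-CONSTRUCTED-PLACEHOLDER-KEY"],
        "prefix": "partner-a/inbound",                       # user's S3 home prefix
    },
}

def session_policy(prefix: str) -> str:
    """Scope-down policy confining the shared role to one user's prefix."""
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "ListHome", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": bucket_arn,
         "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}}},
        {"Sid": "HomeObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"{bucket_arn}/{prefix}/*"}]})

def lambda_handler(event, context=None):
    """Return {} to deny; otherwise Role, Policy and the logical home mapping."""
    user = USERS.get(event.get("username", ""))
    password = event.get("password")
    if user is None:
        return {}
    if password is not None:
        # Password login: the handler itself verifies the credential.
        if not hmac.compare_digest(_pbkdf2(password, user["salt"]), user["pwd_hash"]):
            return {}
    response = {
        "Role": ROLE_ARN,
        "Policy": session_policy(user["prefix"]),
        "HomeDirectoryType": "LOGICAL",
        # Entry "/" + absolute target chroots the client to its home folder.
        "HomeDirectoryDetails": json.dumps(
            [{"Entry": "/", "Target": f"/{BUCKET}/{user['prefix']}"}]),
    }
    if password is None:
        # Key login: return the user's keys and let the service match the client key.
        response["PublicKeys"] = user["public_keys"]
    return response
```

Because the mapping and the session policy both point at the same prefix, adding a user means adding one directory entry rather than a new IAM role.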
Data uploads and downloads
Q: How are files stored in my Amazon S3 bucket transferred using AWS SFTP?
A: Files transferred over SFTP are stored as objects in your Amazon S3 bucket, and there is a one-to-one mapping between files and objects enabling native access to these objects using AWS services for processing or analytics.
Q: How are Amazon S3 objects stored in my bucket presented to my users?
A: After successful authentication, based on your users’ credentials, AWS SFTP presents Amazon S3 objects and folders as files and directories to your users’ transfer applications. You can also specify logical directory mappings to customize the way S3 bucket paths are presented to your user.
Q: What file operations are supported by AWS SFTP? What operations are not supported?
A: Common SFTP commands to create, read, update, and delete files and directories are supported. Files are stored as individual objects in your Amazon S3 bucket. Directories are managed as folder objects in S3, using the same syntax as the S3 console. Directory rename operations, changing ownerships, permissions and timestamps, and use of symbolic links and hard links are currently not supported.
Q: Can I control which operations my users are allowed to perform?
A: Yes, you can enable/disable file operations using the AWS IAM role you have mapped to their username.
Q: Can I provide my SFTP users access to more than one Amazon S3 bucket?
A: Yes. If you include multiple S3 buckets in the IAM policy attached to the AWS IAM Role you assign to your user, they will be able to access them. Additionally, you can present folders from multiple S3 buckets as a single namespace to your users by using Logical Directory Mappings. Refer to this blog for more details.
Q: Can I create a server using AWS Account A and map my SFTP users to Amazon S3 buckets owned by AWS Account B?
A: Yes. You can use the CLI and API to set up cross account access between your server and the buckets you want to use for SFTP. The Console drop down will only list buckets in Account A. Additionally, you’d need to make sure the role being assigned to the user belongs to Account A.
Q: How do I know which SFTP user uploaded a file?
A: You can use Amazon CloudWatch to view your SFTP users’ activity. Visit the documentation to learn more on how to enable Amazon CloudWatch logging.
Q: Can I automate processing of a file once it has been uploaded to Amazon S3?
A: Yes, you can use Amazon S3 events to automate processing of the uploaded files using a broad array of AWS services for querying, analysis, machine learning, and more. Visit the documentation to learn more on common examples for post upload processing using Lambda with Amazon S3.
Q: Can I view how much data was uploaded and downloaded using my AWS SFTP server?
A: Yes, data uploaded and downloaded using your server is tracked as metrics in Amazon CloudWatch. Visit the documentation to view the available metrics for tracking and monitoring.
Security and compliance
Q: Is my data secure while in-transit?
A: Yes, the underlying security of the SFTP protocol transfers commands and file data through a secure, encrypted tunnel.
Q: What are my options to encrypt data at rest that was transferred using AWS SFTP?
A: You can choose to encrypt files stored in your bucket using Amazon S3 Server-Side Encryption (SSE-S3) or Amazon KMS (SSE-KMS).
Q: Which compliance programs does AWS SFTP support?
A: AWS SFTP is PCI-DSS and GDPR compliant, and HIPAA eligible. AWS SFTP is also SOC 1, 2, and 3 compliant. Learn more about services in scope by compliance programs.
Q: Is AWS SFTP FISMA compliant?
A: AWS East/West and GovCloud (US) Regions are compliant. This compliance is demonstrated through FedRAMP Authorization of these two regions to FedRAMP Moderate and FedRAMP High. We demonstrate compliance through annual assessments and documenting compliance with in-scope NIST SP 800-53 controls within our System Security Plans. Templates are available on Artifact along with our customer responsibility matrix (CRM) which demonstrates, at a detailed level, our responsibility to meet these NIST controls as required by FedRAMP. Artifact is available through the management console accessible by an AWS account for both East/West and GovCloud. If you have any further questions on this topic, please consult the Console.
Q: How does the service ensure integrity of uploaded files?
A: All files uploaded through the SFTP server are verified by comparing the file’s pre- and post-upload MD5 checksum.
Q: How can I monitor usage and track my users’ activity?
A: You can use Amazon CloudWatch to view your SFTP users’ activity. Visit the documentation to learn more on how to enable Amazon CloudWatch logging. Additionally, you can view a record of Amazon S3 API calls made on behalf of your users in AWS CloudTrail.
Q: What am I paying for when I use AWS SFTP?
A: You pay for the resources you use with AWS SFTP. This includes an hourly charge for the SFTP server endpoint, and charges for SFTP data uploads and downloads. The pricing covers a fully managed, highly available SFTP service that auto-scales in real-time based on your workload demands. Please refer to the AWS SFTP pricing page for more details.
Q: How am I billed for my AWS SFTP server?
A: You are billed on an hourly basis from the time you create and configure your SFTP server, which provisions it for your dedicated use, until the time you delete the server. You are also billed based on the amount of data uploaded and downloaded through your SFTP server. Please refer to the AWS SFTP pricing page for more details.
Q: I have stopped my server. Will I be billed for that server while it is stopped?
A: Yes, stopping the server, by using the console, or by running the “stop-server” CLI command or the “StopServer” API command, does not impact billing. You are billed on an hourly basis from the time you create and configure your SFTP server, which provisions it for your dedicated use, until the time you delete the server.