Q: What is AWS Transfer for SFTP?

A: AWS Transfer for SFTP (AWS SFTP) is a fully managed service hosted in AWS that enables transfer of files over SFTP directly in and out of Amazon S3.

Q: What is SFTP and where is it used?

A: SFTP stands for Secure Shell File Transfer Protocol, a network protocol used for secure transfer of data over the internet. The protocol supports full security and authentication functionality of SSH, and is widely used in exchange of data between business partners in a variety of industries including financial services, healthcare, retail, and advertising.

Q: Why should I use AWS SFTP?

A: Today, if you are using SFTP to exchange data with third-party users such as your vendors or business partners and want to manage this data in AWS for processing, analytics, and archival, you have to host and manage your own custom SFTP services on premises or in the cloud. This requires you to invest in operating and managing your infrastructure, monitoring for uptime and availability, and building one-off mechanisms to provision users and audit their activity. AWS Transfer solves these challenges by providing a fully managed service in AWS that enables you to move data transferred over SFTP into AWS, while preserving your existing transfer workflows for all your end-users.

Q: What are the benefits of using AWS SFTP?

A: AWS SFTP provides you with a fully managed, highly available SFTP service with built-in scaling capabilities, eliminating the need for you to manage SFTP-related infrastructure. With AWS Transfer, your end users’ workflows remain unchanged, while data uploaded and downloaded over SFTP is stored in your Amazon S3 bucket. With the data in Amazon S3, you can easily integrate it into workloads that use the broad array of AWS services available to you for data processing, analytics, and machine learning, or store and archive it durably to meet your compliance requirements.

Q: How do I use AWS SFTP?

A: In 3 simple steps, you can get a persistent and highly available “SFTP server” in AWS. First, you associate your existing SFTP hostname(s) with the SFTP server endpoint. Next, you set up your users by selecting your identity provider for authentication – Service Managed or a directory service like Microsoft AD. Finally, you choose the S3 bucket(s) and assign IAM Roles for access. Once the service endpoint, identity provider, and S3 bucket access policies are enabled, your users can continue to use their existing clients and configurations while the data they access is stored in your S3 bucket.

Q: Can my users use FTP or FTP/S (FTP over SSL) to transfer files using this service?

A: No, your users will need to use SFTP to transfer files. Most file transfer clients offer SFTP as an option that will need to be selected when transferring files using AWS SFTP.

Server endpoint access

Q: Can I continue to use my corporate domain name as my SFTP endpoint?

A: Yes. If you already have a domain name, you can use Amazon Route53 or any DNS service to route your users’ traffic from your registered domain to the SFTP server endpoint in AWS.

Q: Can I still use the service if I don’t have a domain name?

A: Yes, if you don’t have a domain name, your users can access your server endpoint using the hostname provided by AWS SFTP. Alternatively, you can register a new domain using the Amazon Route 53 Console or API and route traffic from this new domain to your SFTP server endpoint.

Q: Can I use my domain that already has a public zone?

A: Yes, you will need to CNAME the domain to the SFTP server hostname.

Q: Can I use fixed IP addresses to access the SFTP server endpoint?

A: No. Fixed IP addresses that are usually used for firewall whitelisting purposes are currently not supported.


User authentication

Q: Can my users continue to use their existing SFTP clients or transfer applications?

A: Yes, any existing SFTP client or SFTP transfer application will continue to work with AWS SFTP. Examples of commonly used SFTP clients include WinSCP, FileZilla, CyberDuck, and OpenSSH clients.

Q: How does the service authenticate my users?

A: The service supports two modes of authentication: using the service itself to store and access user identities, or using a custom identity provider.

Service managed authentication

Q: How can I use service managed authentication?

A: You can use key-based authentication if you are using the service to store and access user identities.

Q: How many SSH keys can I upload per user?

A: You can upload up to 10 SSH keys per user. Note that adding more keys increases login time as the server will need to evaluate each of them until a match is found for successful authentication.

Q: Is key rotation supported for service managed authentication?

A: Yes. Refer to the documentation for details on how to set up key rotation using the service.

Q: Can I use the service managed authentication for password authentication?

A: No, storing passwords within the service for authentication is not currently supported. If you need password authentication, visit our documentation to download templates that support this using an alternative identity provider such as AWS SimpleAD or Secrets Manager.

Q: Are anonymous users supported?

A: No, anonymous users are currently not supported.

Q: Can I import keys from my current SFTP host so my users do not have to re-verify the session information?

A: No, we currently do not support importing existing host keys into the service.

Custom identity provider

Q: Can I leverage my existing identity provider to manage my SFTP users?

A: AWS SFTP allows you to plug in your existing identity provider so you can easily migrate users whose credentials are stored in your corporate directory. Examples of identity providers include Microsoft Active Directory (AD), Lightweight Directory Access Protocol (LDAP), or any custom identity provider.

Q: How do I get started in integrating my existing identity provider for user authentication?

A: To get started, we recommend using the AWS CloudFormation template and providing the necessary information for user authentication and access. Visit the website on custom identity providers to learn more.

Q: When setting up my user what information do I need to provide to enable access?

A: Regardless of the identity provider type, you will need to provide a username, AWS IAM Role, and home directory information. If you are using the service to store and access user identities, you will also need to provide an SSH key.

Q: Why do I need to provide an AWS IAM Role and how is it used?

A: AWS IAM is used to determine the level of access you want to provide your users. This includes what operations you want to enable on their client and which Amazon S3 buckets they have access to – whether it’s the entire bucket or portions of it.

Q: Why do I need to provide home directory information and how is it used?

A: The home directory you set up for your user determines their login directory. As soon as your user logs into the SFTP server, this is the directory path their SFTP client uses as the landing directory. You will need to ensure that the IAM Role supplied gives the user access to the home directory.

Q: I have 100s of users who have similar access settings but to different portions of my bucket. Can I set them up using the same IAM Role and policy to enable their access?

A: Yes. When you want to provide similar access across your users but to different partitions of your Amazon S3 bucket based on their username, you can do so using fewer IAM Roles and policies. Visit the documentation to learn more about scoping down access through real-time evaluation of policy variables.
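The two answers above (integrating a custom identity provider, and scoping many users down to their own bucket prefix with one role and policy) come together in the handler an identity provider integration returns. The following is an added example, not AWS's template or service code: a Lambda-style handler with a constructed, hypothetical user table, a placeholder role ARN and bucket name, and assumed event fields `username` and `password`. It returns the documented `Role`, `HomeDirectory`, `Policy` and `PublicKeys` fields, and an empty response to deny; the session policy uses the `${transfer:UserName}` and `${transfer:HomeBucket}` policy variables so one policy serves every user.

```python
import hashlib
import hmac
import json

_SALT = b"constructed-demo-salt"  # constructed; use a per-user random salt in practice


def _pbkdf2(password: str) -> bytes:
    """Salted password hash; plaintext passwords are never stored in the user table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Hypothetical user table: alice authenticates with a password, bob with an SSH key.
USERS = {
    "alice": {"pw_hash": _pbkdf2("correct horse battery staple"), "public_keys": []},
    "bob": {"pw_hash": None, "public_keys": ["ssh-ed25519 AAAA...constructed-placeholder"]},
}
ROLE_ARN = "arn:aws:iam::123456789012:role/sftp-user-role"  # placeholder
BUCKET = "example-sftp-bucket"                                # placeholder


def scope_down_policy() -> str:
    """One session policy for all users: confined to <bucket>/<username>/ via policy variables."""
    policy = {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListOwnPrefixOnly", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
         "Condition": {"StringLike": {"s3:prefix": ["${transfer:UserName}/*", "${transfer:UserName}"]}}},
        {"Sid": "OwnObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::${transfer:HomeBucket}/${transfer:UserName}/*"}]}
    return json.dumps(policy)


def lambda_handler(event, context=None):
    """Return the user's access settings, or {} to deny. Same {} for unknown user and bad password."""
    username = event.get("username", "")
    user = USERS.get(username)
    if user is None:
        return {}
    password = event.get("password")
    if password is None:
        # Key-based flow: the service checks the client's key against the returned PublicKeys.
        if not user["public_keys"]:
            return {}
    elif user["pw_hash"] is None or not hmac.compare_digest(_pbkdf2(password), user["pw_hash"]):
        return {}  # constant-time comparison avoids leaking which byte differed
    response = {"Role": ROLE_ARN, "HomeDirectory": f"/{BUCKET}/{username}", "Policy": scope_down_policy()}
    if password is None:
        response["PublicKeys"] = user["public_keys"]
    return response
```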

Data uploads and downloads

Q: How are files transferred using AWS SFTP stored in my Amazon S3 bucket?

A: Files transferred over SFTP are stored as objects in your Amazon S3 bucket, with a one-to-one mapping between files and objects, enabling native access to these objects using AWS services for processing or analytics.

Q: How are Amazon S3 objects stored in my bucket presented to my users?

A: After successful authentication, based on your users’ credentials, AWS SFTP presents Amazon S3 objects and folders as files and directories to your users’ transfer applications.

Q: What file operations are supported by AWS SFTP? What operations are not supported?

A: Common SFTP commands to create, read, update, and delete files and directories are supported. Files are stored as individual objects in your Amazon S3 bucket. Directories are managed as folder objects in S3, using the same syntax as the S3 console. Symbolic links and hard links are currently not supported.

Q: Can I control which operations my users are allowed to perform?

A: Yes, you can enable/disable file operations using the AWS IAM role you have mapped to their username.

Q: How do I know which SFTP user uploaded a file?

A: You can use Amazon CloudWatch to view your SFTP users’ activity. Visit the documentation to learn more on how to enable Amazon CloudWatch logging.

Q: Can I automate processing of a file once it has been uploaded to Amazon S3?

A: Yes, you can use Amazon S3 events to automate processing of the uploaded files using a broad array of AWS services for querying, analysis, machine learning, and more. Visit the documentation to learn more about common examples of post-upload processing using Lambda with Amazon S3.



Security and compliance

Q: Is my data secure while in-transit?

A: Yes. SFTP transfers commands and file data through a secure, encrypted SSH tunnel.

Q: What are my options to encrypt data transferred using this service at rest?

A: You can choose to encrypt files stored in your bucket using Amazon S3 Server-Side Encryption (SSE-S3) or keys managed by AWS KMS (SSE-KMS).

Q: Which compliance programs does AWS SFTP support?

A: AWS SFTP is PCI-DSS and GDPR compliant, and HIPAA eligible.

Q: How does the service ensure integrity of uploaded files?

A: All files uploaded through the SFTP server are verified by comparing the file’s pre- and post-upload MD5 checksum.

Q: How can I monitor usage and track my users’ activity?

A: You can use Amazon CloudWatch to view your SFTP users’ activity. Visit the documentation to learn more on how to enable Amazon CloudWatch logging.



Q: How much does it cost to use AWS SFTP?

A: You pay for the resources you use with AWS SFTP. This includes the SFTP server endpoint and SFTP data uploads and downloads. Refer to the pricing page for more details.

Q: How am I billed for my server endpoint?

A: When you create a server, you get a fully managed, highly available SFTP endpoint in AWS. You are billed from the time of server creation to the time you delete your server.
