General

Q: What is AWS Transfer for SFTP?

A: AWS Transfer for SFTP (AWS SFTP) is a fully managed service hosted in AWS that enables transfer of files over SFTP directly in and out of Amazon S3.

Q: What is SFTP and where is it used?

A: SFTP stands for Secure Shell (SSH) File Transfer Protocol, a network protocol used for secure transfer of data over the internet. The protocol supports the full security and authentication functionality of SSH, and is widely used to exchange data between business partners in a variety of industries including financial services, healthcare, retail, and advertising.

Q: Why should I use AWS SFTP?

A: Today, if you are using SFTP to exchange data with third parties such as vendors, business partners, or customers, and want to manage that data in AWS for processing, analytics, and archival, you have to host and manage your own custom SFTP service. This requires you to invest in operating and managing your infrastructure, patching servers, monitoring for uptime and availability, and building one-off mechanisms to provision users and audit their activity. AWS SFTP solves these challenges by providing a fully managed SFTP service that can reduce your operational burden, while preserving your existing transfer workflows for your end users. The service stores transferred files as objects in your Amazon S3 bucket, so you can use them as part of a data lake, processing or archiving workflow.

Q: What are the benefits of using AWS SFTP?

A: AWS SFTP provides you with a fully managed, highly available SFTP service with auto-scaling capabilities, eliminating the need for you to manage SFTP-related infrastructure. With AWS SFTP, your end users’ workflows remain unchanged, while data uploaded and downloaded over SFTP is stored in your Amazon S3 bucket. With the data in Amazon S3, you can now easily use it with the broad array of AWS services for data processing, analytics, machine learning, and archival, in an environment that can meet your compliance requirements.

Q: How do I use AWS SFTP?

A: In three steps, you can get a persistent and highly available SFTP server in AWS. First, you associate your existing SFTP hostname(s) with the SFTP server endpoint. Next, you set up your users by selecting the identity provider used for authentication: service managed, or a directory service such as Microsoft Active Directory. Finally, you choose the S3 bucket(s) and assign the IAM roles that grant access. Once the service endpoint, identity provider, and S3 bucket access policies are in place, your users can continue to use their existing clients and configurations while the data they access is stored in your S3 bucket.

Q: Can my users use FTP or FTP/S (FTP over SSL) to transfer files using this service?

A: No, your users will need to use SFTP to transfer files. Most file transfer clients offer SFTP as an option that will need to be selected when transferring files using AWS SFTP.

Server endpoint access

Q: Can I continue to use my corporate domain name (sftp.mydomainname.com) as my SFTP endpoint?

A: Yes. If you already have a domain name, you can use Amazon Route 53 or any DNS service to route your users' traffic from your registered domain to the SFTP server endpoint in AWS. Refer to the documentation on how AWS SFTP uses Amazon Route 53 for custom domain names.

Q: Can I still use the service if I don’t have a domain name?

A: Yes, if you don’t have a domain name, your users can access your server endpoint using the hostname provided by AWS SFTP. Alternatively, you can register a new domain using the Amazon Route 53 Console or API and route traffic from this new domain to your SFTP server endpoint.

Q: Can I use my domain that already has a public zone?

A: Yes. Add a CNAME record in that zone that points your chosen hostname at the SFTP server hostname.

Q: Will my AWS SFTP server's host key ever change after I create the server?

A: No, as long as you never stop or delete the server. The host key assigned when you create the server stays the same until you stop and start the server or create a new one. Because SFTP clients remember the host key they first accepted, a replaced host key triggers host-key-mismatch warnings in your users' clients, so record the server's key fingerprint when you create it and redistribute the new fingerprint to your users after any stop/start.
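The check a practitioner would run around that answer, as an added example (this is not code from the AWS page or from the service): record the host key fingerprint right after the server is created and compare it again later, for instance after a stop/start. The known_hosts-style line is what `ssh-keyscan -t ed25519 <server-hostname>` prints; the hostname and key bytes below are constructed for the example and are not a real server's.

```python
"""Added example: pin an AWS SFTP server's host key fingerprint and re-check it.

The known_hosts line format is 'host keytype base64blob', as printed by
ssh-keyscan. The hostname and key bytes are CONSTRUCTED placeholders."""
import base64
import hashlib
import hmac


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_known_hosts_line(host: str, raw_ed25519_key: bytes) -> str:
    """Build a known_hosts line for a constructed ed25519 key (test data only)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_ed25519_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def fingerprint(known_hosts_line: str) -> str:
    """OpenSSH-style 'SHA256:<base64 without padding>' fingerprint of the key
    on a known_hosts line ('host keytype base64blob')."""
    _host, _key_type, b64_blob = known_hosts_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    # OpenSSH prints the digest base64-encoded with the trailing '=' removed.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(known_hosts_line: str, pinned_fingerprint: str) -> bool:
    """Compare the observed fingerprint with the pinned one in constant time."""
    return hmac.compare_digest(fingerprint(known_hosts_line), pinned_fingerprint)


# Constructed sample data: placeholder hostname, synthetic key bytes.
SERVER_HOST = "s-0123456789abcdef.server.transfer.us-east-1.amazonaws.com"
ORIGINAL_LINE = make_known_hosts_line(SERVER_HOST, bytes(range(32)))
PINNED = fingerprint(ORIGINAL_LINE)            # store this next to the server id
# Stands in for the different key the server presents after a stop/start.
AFTER_RESTART_LINE = make_known_hosts_line(SERVER_HOST, bytes(range(1, 33)))

if __name__ == "__main__":
    print("pinned:", PINNED)
    print("same key still valid:", host_key_matches(ORIGINAL_LINE, PINNED))
    print("key after stop/start valid:", host_key_matches(AFTER_RESTART_LINE, PINNED))
```

Run `ssh-keyscan` against the real hostname and feed its output to `fingerprint()` to get the value to publish to your users; a mismatch after a stop/start is expected and means the new fingerprint must be redistributed, while a mismatch at any other time deserves investigation.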

Q: Can I set up my SFTP server endpoint to be accessible only within my VPC?

A: Yes. When you create an SFTP server or update an existing one, you have the option to specify whether you want your server endpoint to be accessible over the public internet or within your VPC. Refer to the documentation on Creating your SFTP server endpoint inside your VPC using AWS PrivateLink for details.

Q: Can my SFTP clients use fixed IP addresses to access my SFTP server's VPC endpoint?

A: Yes, you can enable fixed IPs by building on your SFTP server's VPC endpoint. You can create a Network Load Balancer (NLB) with Elastic IPs enabled, within your VPC, and specify your SFTP server's VPC endpoint as its target. The associated Elastic IPs give you one or more static IP addresses that will not change. Your SFTP client users can use these IPs for firewall whitelisting. To learn more about this setup, visit the Network Load Balancer documentation.

Q: Can I filter incoming traffic to access my SFTP server’s VPC endpoint?

A: Yes. Using a VPC endpoint for your SFTP server makes it accessible only to clients within the same VPC, other VPCs you specify, or on-premises environments connected through networking technologies that extend your VPC, such as AWS Direct Connect, AWS VPN, or VPC peering. You can allow internet traffic to reach this endpoint by creating an NLB and specifying your SFTP server's VPC endpoint as its target. Existing firewalls in your VPC or rules in your subnet's Network Access Control Lists (NACLs) can restrict access by incoming source IP address. To learn more about this setup, visit the Network Load Balancer documentation.

Q: Can my SFTP clients use fixed IP addresses to access my public SFTP server endpoint?

A: No. Fixed IP addresses that are usually used for firewall whitelisting purposes are currently not supported on the public endpoint.

Q: What IP ranges would my end users need to whitelist to access my SFTP server’s public endpoint?

A: Your users will need to whitelist the AWS IP address ranges that AWS publishes. Refer to the documentation for details on staying up to date with AWS IP address ranges.

User authentication

Q: Can my users continue to use their existing SFTP clients or transfer applications?

A: Yes, any existing SFTP client or SFTP transfer application will continue to work with AWS SFTP. Examples of commonly used SFTP clients include WinSCP, FileZilla, Cyberduck, and the OpenSSH sftp client.

Q: How does the service authenticate my users?

A: The service supports two modes of authentication: service managed, where the service stores and looks up user identities and their SSH public keys, and a custom identity provider that you connect to the service.

Service managed authentication

Q: How can I use service managed authentication?

A: Service managed authentication is SSH public-key based: you upload each user's public key(s) to the service, and the user logs in with the matching private key.

Q: How many SSH keys can I upload per user?

A: You can upload up to 10 SSH keys per user. Note that adding more keys increases login time as the server will need to evaluate each of them until a match is found for successful authentication.

Q: Is key rotation supported for service managed authentication?

A: Yes. Refer to the documentation for details on how to set up key rotation using the service.
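A two-phase rotation, as an added example that is not the procedure from the AWS documentation: the new public key is imported alongside the old one, and the old keys are only deleted once the user has confirmed that the new private key logs in, so a user is never locked out. The three calls used (describe_user, import_ssh_public_key and delete_ssh_public_key) are the boto3 'transfer' client methods with their documented parameter names; the FakeTransferClient class is an in-memory stand-in for boto3 so the logic runs offline. The server id, user name and key bodies are placeholders.

```python
"""Added example: two-phase SSH key rotation for a service-managed AWS SFTP user.

Pass a real boto3.client('transfer') in place of FakeTransferClient to use it;
the fake only exists so the example runs without AWS credentials."""
import itertools

MAX_KEYS_PER_USER = 10   # service limit stated in the FAQ


def _key_identity(public_key: str) -> tuple:
    """Compare keys on (type, base64 body) and ignore the trailing comment."""
    return tuple(public_key.split()[:2])


def stage_new_key(client, server_id: str, user_name: str, new_key: str) -> str:
    """Phase 1: add the new key next to the existing ones. Returns its SshPublicKeyId."""
    keys = client.describe_user(ServerId=server_id, UserName=user_name)["User"].get("SshPublicKeys", [])
    for key in keys:
        if _key_identity(key["SshPublicKeyBody"]) == _key_identity(new_key):
            return key["SshPublicKeyId"]   # already registered: idempotent re-run
    if len(keys) >= MAX_KEYS_PER_USER:
        raise RuntimeError(f"{user_name} already has {MAX_KEYS_PER_USER} keys; retire one first")
    resp = client.import_ssh_public_key(ServerId=server_id, UserName=user_name, SshPublicKeyBody=new_key)
    return resp["SshPublicKeyId"]


def retire_other_keys(client, server_id: str, user_name: str, keep_id: str) -> list:
    """Phase 2, after the user confirms the new private key works: delete every
    other key so only keep_id remains. Returns the deleted key ids."""
    keys = client.describe_user(ServerId=server_id, UserName=user_name)["User"].get("SshPublicKeys", [])
    if keep_id not in {k["SshPublicKeyId"] for k in keys}:
        raise RuntimeError(f"key {keep_id} is not registered for {user_name}; refusing to delete the others")
    removed = []
    for key in keys:
        if key["SshPublicKeyId"] != keep_id:
            client.delete_ssh_public_key(ServerId=server_id, UserName=user_name, SshPublicKeyId=key["SshPublicKeyId"])
            removed.append(key["SshPublicKeyId"])
    return removed


class FakeTransferClient:
    """Offline stand-in for boto3.client('transfer') covering the three calls above."""

    def __init__(self):
        self._keys = {}   # (server id, user name) -> list of key dicts
        self._ids = (f"key-{n:016x}" for n in itertools.count(1))

    def describe_user(self, ServerId, UserName):
        keys = list(self._keys.get((ServerId, UserName), []))
        return {"ServerId": ServerId, "User": {"UserName": UserName, "SshPublicKeys": keys}}

    def import_ssh_public_key(self, ServerId, UserName, SshPublicKeyBody):
        key_id = next(self._ids)
        self._keys.setdefault((ServerId, UserName), []).append(
            {"SshPublicKeyId": key_id, "SshPublicKeyBody": SshPublicKeyBody})
        return {"ServerId": ServerId, "UserName": UserName, "SshPublicKeyId": key_id}

    def delete_ssh_public_key(self, ServerId, UserName, SshPublicKeyId):
        self._keys[(ServerId, UserName)] = [
            k for k in self._keys[(ServerId, UserName)] if k["SshPublicKeyId"] != SshPublicKeyId]


# Placeholder key bodies (constructed, not real keys).
OLD_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldConstructedKeyBody alice@old"
NEW_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewConstructedKeyBody alice@new"

if __name__ == "__main__":
    client = FakeTransferClient()
    client.import_ssh_public_key(ServerId="s-0123456789abcdef", UserName="alice", SshPublicKeyBody=OLD_KEY)
    new_id = stage_new_key(client, "s-0123456789abcdef", "alice", NEW_KEY)
    print("staged", new_id, "; user confirms login, then:")
    print("retired", retire_other_keys(client, "s-0123456789abcdef", "alice", new_id))
```

Keeping the limit check in phase 1 matters because the FAQ's cap of 10 keys per user is easy to hit when rotations are staged but never completed; the idempotent re-run in `stage_new_key` makes the script safe to retry.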

Q: Can I use the service managed authentication for password authentication?

A: No, storing passwords within the service for authentication is not currently supported. If you need password authentication, visit our documentation to download templates that support it using an alternative identity provider such as Simple AD or AWS Secrets Manager.

Q: Are anonymous users supported?

A: No, anonymous users are currently not supported.

Q: Can I import keys from my current SFTP host so my users do not have to re-verify the session information?

A: No, we currently do not support importing existing host keys into the service.

Custom identity provider

Q: Can I leverage my existing identity provider to manage my SFTP users?

A: Yes. AWS SFTP lets you plug in your existing identity provider, so you can migrate users whose credentials are stored in your corporate directory. Examples of identity providers include Microsoft Active Directory (AD), Lightweight Directory Access Protocol (LDAP) directories, or any custom identity provider.

Q: How do I get started in integrating my existing identity provider for user authentication?

A: To get started, we recommend deploying the AWS CloudFormation template and providing the information needed for user authentication and access. See the documentation on custom identity providers to learn more.
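What the function behind that integration has to do, as an added example rather than the code in AWS's CloudFormation template: the service calls your API with the login name and, for password logins, the password; the function answers with the user's Role, HomeDirectory and (for key logins) PublicKeys, or with an empty object to refuse the login. The event fields `username`, `password` and `serverId` follow the AWS template; `USER_DIRECTORY` is a constructed in-memory directory standing in for your real AD, LDAP or Secrets Manager lookup, and the server id, role ARNs, bucket and key bodies are placeholders.

```python
"""Added example: a custom identity provider function for AWS SFTP.

Returns the access configuration for an authenticated user, or {} to deny.
All identifiers are placeholders; USER_DIRECTORY is constructed test data."""
import hashlib
import hmac
import os

EXPECTED_SERVER_ID = "s-0123456789abcdef"   # placeholder: answer only for our own server
_ITERATIONS = 200_000
_DUMMY_SALT = os.urandom(16)                 # used to keep unknown-user timing equal


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def _make_record(password=None, public_keys=(), role="", home=""):
    """Build a directory entry with a per-user random salt (stand-in for real storage)."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "password_hash": _hash_password(password, salt) if password else None,
        "public_keys": list(public_keys),
        "role": role,
        "home": home,
    }


# Constructed directory: one password user and one key-only user.
USER_DIRECTORY = {
    "alice": _make_record(password="correct horse battery staple",
                          role="arn:aws:iam::123456789012:role/sftp-alice",   # placeholder
                          home="/example-bucket/alice"),                       # placeholder
    "bob": _make_record(public_keys=["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBody bob@example"],
                        role="arn:aws:iam::123456789012:role/sftp-bob",
                        home="/example-bucket/bob"),
}


def authenticate(event: dict) -> dict:
    """Return the user's access configuration, or {} (the service treats an
    empty response as a failed login)."""
    username = event.get("username", "")
    password = event.get("password", "")
    if event.get("serverId") != EXPECTED_SERVER_ID:
        return {}
    record = USER_DIRECTORY.get(username)
    if record is None:
        _hash_password(password, _DUMMY_SALT)   # same cost as a real check: no username oracle
        return {}
    if password:
        # Password login: verify here, in constant time, against the stored hash.
        if record["password_hash"] is None:
            return {}
        if not hmac.compare_digest(_hash_password(password, record["salt"]), record["password_hash"]):
            return {}
        extra = {}
    else:
        # Key login: return the public keys and let the service verify the client's key.
        if not record["public_keys"]:
            return {}
        extra = {"PublicKeys": record["public_keys"]}
    return {"Role": record["role"], "HomeDirectory": record["home"], **extra}


def lambda_handler(event, context=None):
    """Lambda entry point, as the API Gateway integration would invoke it."""
    return authenticate(event)
```

Two points the example is built around: an empty password must not be accepted as a password login (it selects the key path, where the service, not your function, checks the key), and a failed lookup returns exactly `{}` rather than a partial record, since any response carrying a Role is an access grant.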

Q: When setting up my user what information do I need to provide to enable access?

A: Regardless of the identity provider type, you will need to provide a username, AWS IAM Role, and home directory information. If you are using the service to store and access user identities, you will also need to provide an SSH key.

Q: Why do I need to provide an AWS IAM Role and how is it used?

A: The IAM role you assign determines the level of access each user has: which operations their client can perform, and which Amazon S3 buckets, or portions of them, they can reach.

Q: Why do I need to provide home directory information and how is it used?

A: The home directory you set up for your user determines their login directory. As soon as your user logs into the SFTP server, this is the directory path their SFTP client would use as the landing directory. You will need to ensure that the IAM Role supplied provides the user access to the home directory.

Q: I have 100s of users who have similar access settings but to different portions of my bucket. Can I set them up using the same IAM Role and policy to enable their access?

A: Yes. When you want to give your users similar access to different partitions of your Amazon S3 bucket based on their username, you can do so with far fewer IAM roles and policies by using a scope-down policy with policy variables (for example ${transfer:UserName}), which the service evaluates at login. See the documentation on scoping down access with policy variables.
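One scope-down policy that serves every user, as an added example that is not taken from the AWS documentation, written with the policy variables ${transfer:UserName}, ${transfer:HomeBucket}, ${transfer:HomeFolder} and ${transfer:HomeDirectory}. It also covers the earlier question about controlling which operations a user may perform: only the S3 actions listed are granted. The small local check resolves the variables for a user and asks whether an S3 action would be allowed; it mimics IAM's wildcard and StringLike matching for this policy only and is not the IAM engine, so confirm real behaviour with the IAM policy simulator or a test login. Assumptions: a home directory of /bucket/folder resolves to HomeBucket "bucket", HomeFolder "folder" and HomeDirectory "bucket/folder", as the AWS documentation describes the variables; bucket and user names are placeholders. AWS's own example uses the resource arn:aws:s3:::${transfer:HomeDirectory}*; this policy adds a "/" so that a sibling prefix such as "alice2" does not match "alice".

```python
"""Added example: one scope-down policy using AWS Transfer policy variables,
plus a local evaluator for sanity-checking it (not the IAM policy engine)."""
import fnmatch
import json

SCOPE_DOWN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOnlyOwnFolder",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {"StringLike": {"s3:prefix": ["${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}},
        },
        {
            "Sid": "ReadWriteOwnObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            # Trailing '/' keeps 'alice2/...' from matching 'alice'.
            "Resource": ["arn:aws:s3:::${transfer:HomeDirectory}/*"],
        },
    ],
}


def policy_text() -> str:
    """The unresolved policy string to attach to every user; the service
    substitutes the transfer:* variables at login."""
    return json.dumps(SCOPE_DOWN_POLICY)


def resolve_for_user(user_name: str, home_directory: str) -> dict:
    """Substitute the variables locally the way the service does for one user."""
    bucket, _, folder = home_directory.strip("/").partition("/")
    values = {
        "${transfer:UserName}": user_name,
        "${transfer:HomeBucket}": bucket,
        "${transfer:HomeFolder}": folder,
        "${transfer:HomeDirectory}": f"{bucket}/{folder}",
    }
    text = policy_text()
    for var, val in values.items():
        text = text.replace(var, val)
    return json.loads(text)


def _matches_any(patterns, value) -> bool:
    # IAM wildcards '*' and '?' behave like fnmatch's for these ARNs and prefixes.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str, prefix: str = None) -> bool:
    """Evaluate action/resource (and s3:prefix for ListBucket) against a resolved
    policy: an explicit Deny wins, otherwise any matching Allow grants."""
    decision = False
    for stmt in policy["Statement"]:
        if not _matches_any(stmt["Action"], action) or not _matches_any(stmt["Resource"], resource):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if cond is not None and (prefix is None or not _matches_any(cond, prefix)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    p = resolve_for_user("alice", "/corp-bucket/alice")
    print(json.dumps(p, indent=2))
    print("own file:", is_allowed(p, "s3:GetObject", "arn:aws:s3:::corp-bucket/alice/report.csv"))
    print("sibling prefix alice2:", is_allowed(p, "s3:GetObject", "arn:aws:s3:::corp-bucket/alice2/report.csv"))
```

Attach `policy_text()` (the string with the variables still in it) as the user's Policy; the resolved form is only for local checks. Dropping `s3:DeleteObject` from the second statement is how you turn a user's directory into write-once, which the earlier question about enabling or disabling operations refers to.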

Data uploads and downloads

Q: How are files stored in my Amazon S3 bucket transferred using AWS SFTP?

A: Files transferred over SFTP are stored as objects in your Amazon S3 bucket, and there is a one-to-one mapping between files and objects enabling native access to these objects using AWS services for processing or analytics.

Q: How are Amazon S3 objects stored in my bucket presented to my users?

A: After successful authentication, based on your users’ credentials, AWS SFTP presents Amazon S3 objects and folders as files and directories to your users’ transfer applications.

Q: What file operations are supported by AWS SFTP? What operations are not supported?

A: Common SFTP commands to create, read, update, and delete files and directories are supported. Files are stored as individual objects in your Amazon S3 bucket. Directories are managed as folder objects in S3, using the same convention as the S3 console. Directory rename operations, symbolic links, and hard links are currently not supported.

Q: Can I control which operations my users are allowed to perform?

A: Yes, you can enable/disable file operations using the AWS IAM role you have mapped to their username.

Q: Can I provide my SFTP users access to more than one Amazon S3 bucket?

A: Yes. The bucket(s) your user can access is determined by the AWS IAM Role, and the optional scope-down policy you assign for that user. You can only use a single bucket as the home directory for the user.

Q: Can I create a server using AWS Account A and map my SFTP users to Amazon S3 buckets owned by AWS Account B?

A: Yes. You can use the CLI and API to set up cross-account access between your server and the buckets you want to use for SFTP. The console drop-down only lists buckets in Account A. Additionally, the role assigned to the user must belong to Account A.

Q: How do I know which SFTP user uploaded a file?

A: You can use Amazon CloudWatch to view your SFTP users' activity. Visit the documentation to learn more on how to enable Amazon CloudWatch logging.
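How to turn that log stream into an answer, as an added example (not AWS code): a parser that attributes each completed write to the user whose session performed it and flags writes that land outside the home directory the user logged in with, which is the signal that a role or scope-down policy is broader than intended. The log lines are constructed in the shape of the service's CloudWatch entries (a per-session id of the form user.sessionid, an operation, then key=value fields); check a real log group for the exact field names before relying on this parser. User names, paths, role ARNs and IP addresses are placeholders.

```python
"""Added example: attribute SFTP uploads to users from CloudWatch log lines and
flag writes outside the session's home directory. SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
alice.1a2b3c4d5e6f CONNECTED SourceIP=192.0.2.10 User=alice HomeDir=/corp-bucket/alice Client=SSH-2.0-OpenSSH_7.4 Role=arn:aws:iam::123456789012:role/sftp-alice
alice.1a2b3c4d5e6f OPEN Path=/corp-bucket/alice/report.csv Mode=CREATE|TRUNCATE|WRITE
alice.1a2b3c4d5e6f CLOSE Path=/corp-bucket/alice/report.csv BytesIn=20480
alice.1a2b3c4d5e6f OPEN Path=/corp-bucket/alice/old.csv Mode=READ
alice.1a2b3c4d5e6f CLOSE Path=/corp-bucket/alice/old.csv BytesOut=512
alice.1a2b3c4d5e6f DISCONNECTED
bob.9f8e7d6c5b4a CONNECTED SourceIP=198.51.100.7 User=bob HomeDir=/corp-bucket/bob Client=SSH-2.0-WinSCP_release_5.13 Role=arn:aws:iam::123456789012:role/sftp-shared
bob.9f8e7d6c5b4a OPEN Path=/corp-bucket/alice/payroll.xlsx Mode=CREATE|TRUNCATE|WRITE
bob.9f8e7d6c5b4a CLOSE Path=/corp-bucket/alice/payroll.xlsx BytesIn=4096
bob.9f8e7d6c5b4a DISCONNECTED
"""

LINE_RE = re.compile(r"^(?P<session>\S+)\s+(?P<op>[A-Z_]+)(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Split a log line into (session id, operation, {field: value}); None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("session"), m.group("op"), dict(FIELD_RE.findall(m.group("rest")))


def attribute_uploads(log_text: str):
    """Return (uploads, alerts). uploads: one dict per completed write with the
    user, path, byte count and source IP of the session that wrote it. alerts:
    the subset whose path is not under the HomeDir the session logged in with."""
    sessions = {}                      # session id -> CONNECTED fields
    pending_writes = defaultdict(set)  # session id -> paths currently open for writing
    uploads, alerts = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        session, op, f = parsed
        if op == "CONNECTED":
            sessions[session] = f
        elif op == "OPEN" and "WRITE" in f.get("Mode", "").split("|"):
            pending_writes[session].add(f["Path"])
        elif op == "CLOSE" and f.get("Path") in pending_writes[session]:
            pending_writes[session].discard(f["Path"])
            ctx = sessions.get(session, {})
            record = {
                "user": ctx.get("User", session.split(".")[0]),
                "path": f["Path"],
                "bytes": int(f.get("BytesIn", 0)),
                "source_ip": ctx.get("SourceIP"),
            }
            uploads.append(record)
            home = ctx.get("HomeDir")
            if home and not f["Path"].startswith(home.rstrip("/") + "/"):
                alerts.append(record)
    return uploads, alerts


if __name__ == "__main__":
    uploads, alerts = attribute_uploads(SAMPLE_LOG)
    for u in uploads:
        print(f"{u['user']} wrote {u['bytes']} bytes to {u['path']} from {u['source_ip']}")
    for a in alerts:
        print(f"ALERT: {a['user']} wrote outside their home directory: {a['path']}")
```

The session id ties every later line back to the CONNECTED line, which is the only one naming the user, source IP and home directory, so the parser keys its state on that id rather than on the user name. The constructed bob session shows why the check is worth running: a shared role let one user write into another user's folder, something a per-user scope-down policy would have prevented.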

Q: Can I automate processing of a file once it has been uploaded to Amazon S3?

A: Yes, you can use Amazon S3 events to automate processing of the uploaded files using a broad array of AWS services for querying, analysis, machine learning and more. Visit the documentation to learn more on common examples for post upload processing using Lambda with Amazon S3.

Security and compliance

Q: Is my data secure while in-transit?

A: Yes. SFTP runs inside an SSH session, so commands and file data are encrypted and integrity-protected in transit between the client and the server endpoint.

Q: What are my options to encrypt data at rest that was transferred using AWS SFTP?

A: You can encrypt files stored in your bucket using Amazon S3 server-side encryption with S3-managed keys (SSE-S3) or with AWS KMS keys (SSE-KMS).

Q: Which compliance programs does AWS SFTP support?

A: AWS SFTP is PCI-DSS and GDPR compliant, and HIPAA eligible.

Q: How does the service ensure integrity of uploaded files?

A: All files uploaded through the SFTP server are verified by comparing the file's pre- and post-upload MD5 checksum. This check detects transmission and storage errors; it is not a tamper-evident signature, so keep your own hashes or signatures for content whose authenticity you must prove.

Q: How can I monitor usage and track my users’ activity?

A: You can use Amazon CloudWatch to view your SFTP users' activity. Visit the documentation to learn how to enable Amazon CloudWatch logging for your server.

Billing

Q: What am I paying for when I use AWS SFTP?

A: You pay for the resources you use with AWS SFTP. This includes an hourly charge for the SFTP server endpoint, and charges for SFTP data uploads and downloads. The pricing covers a fully managed, highly available SFTP service that auto-scales in real-time based on your workload demands. Please refer to the AWS SFTP pricing page for more details.

Q: How am I billed for my AWS SFTP server?

A: You are billed on an hourly basis from the time you create and configure your SFTP server, which provisions it for your dedicated use, until the time you delete the server. You are also billed based on the amount of data uploaded and downloaded through your SFTP server. Please refer to the AWS SFTP pricing page for more details.

Q: I have stopped my server. Will I be billed for that server while it is stopped?

A: Yes, stopping the server, by using the console, or by running the “stop-server” CLI command or the “StopServer” API command, does not impact billing. You are billed on an hourly basis from the time you create and configure your SFTP server, which provisions it for your dedicated use, until the time you delete the server.
