AWS Migration & Transfer
Transfer Family
Managed SFTP, FTPS, and FTP service using S3 or EFS as the backend
AWS Transfer Family provides fully managed SFTP, FTPS, and FTP servers that use Amazon S3 or Amazon EFS as the backend storage, so you do not run, patch, or scale your own file transfer hosts. Partners keep their existing SFTP client workflows while you get S3 durability, S3 event notifications, and IAM-based access control over every session. For cloud engineers, Transfer Family is the standard answer when a legacy partner or compliance requirement demands SFTP access to data that lives in AWS.
Protocols, Backends, and When to Use Each
Transfer Family supports three protocols and two storage backends. Choose based on your security requirements and client constraints.
| Protocol | Port | Encryption | Use Case |
|---|---|---|---|
| SFTP | 22 | SSH transport encryption; key or password authentication | Most common - use for all new integrations with external partners |
| FTPS | 21 (control) plus passive data ports 8192-8200 | TLS; the server needs a certificate held in ACM | Legacy partners that cannot use SFTP but need encryption |
| FTP | 21 (control) plus passive data ports 8192-8200 | None - credentials and file contents travel in plaintext | Only for VPC-internal transfers where the network path itself is trusted |
| Backend | Best For | Key Difference |
|---|---|---|
| S3 | Object storage, event-driven workflows, large files | Files stored as S3 objects; S3 events trigger Lambda/SQS on upload |
| EFS | POSIX file system semantics, directory structure, compute access needed | Files stored in EFS; accessible from EC2 and Lambda simultaneously |
FTP (plaintext) is only offered on VPC-hosted endpoints with internal access; a server with FTP enabled cannot be made reachable from the internet. Even inside the VPC, prefer SFTP or FTPS: with FTP, anyone who can capture traffic on the path between client and server sees both the credentials and the data.
User Authentication Options
Transfer Family supports multiple identity providers. The choice affects how users are managed, which protocols you can offer, and what integration work is required.

| Identity Provider | How It Works | Best For |
|---|---|---|
| Service-managed | Users and their SSH public keys stored directly in Transfer Family; SFTP only, key authentication only | Simple setups with a small number of known partners |
| AWS Directory Service | Authenticate against AWS Managed Microsoft AD or AD Connector; gives password login for FTPS/FTP | Enterprises with existing Active Directory |
| Custom (Lambda or API Gateway) | Your function receives the username, password (if any), protocol, server ID and source IP, validates them against any identity store (LDAP, database, API) and returns the role, home directory and session policy | Complex auth requirements, existing user database, per-partner source IP rules |
| AWS IAM Identity Center | SSO login for Transfer Family web apps (browser-based access to S3); not an identity provider for SFTP/FTPS/FTP servers | Internal human users with existing SSO |

Password-based protocols (FTPS and FTP) cannot use the service-managed provider, which only stores SSH keys; they need Directory Service or a custom provider.
```bash
# Create a service-managed user with an SSH key and a path-based home directory
aws transfer create-user \
  --server-id s-EXAMPLESERVERID \
  --user-name sftp-partner-acme \
  --role arn:aws:iam::123456789012:role/transfer-user-role \
  --home-directory "/my-s3-bucket/partners/acme" \
  --home-directory-type PATH \
  --ssh-public-key-body "ssh-rsa AAAAB3NzaC1yc2E..."
```

Use logical home directories (`--home-directory-type LOGICAL` together with `--home-directory-mappings`) to map the user's root `/` to a specific prefix in S3 or EFS. The client then sees only the mapped tree: the bucket name is hidden and paths outside the mappings cannot even be addressed, which makes LOGICAL the recommended setting for multi-tenant servers. The home directory decides what the client can name; the IAM role and session policy described below decide what S3 will actually allow, and you need both.
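For the custom Lambda identity provider row in the table above, here is a complete handler as an added example (it is not code from this page or from AWS). The event fields (`username`, `password`, `protocol`, `serverId`, `sourceIp`) and the response fields (`Role`, `PublicKeys`, `HomeDirectoryType`, `HomeDirectoryDetails`) are the ones Transfer Family exchanges with a Lambda provider, and an empty response means the login is refused. The user store, the salt, the partner source CIDRs and the placeholder SSH key are constructed for the example; the bucket and role ARN are the page's placeholders. It shows the two authentication paths (password verified in the function, SSH key handed back for Transfer Family to verify), a per-partner source IP check, a protocol check, and a constant-cost lookup so that response time does not reveal which usernames exist.

```python
"""Custom (Lambda) identity provider for an AWS Transfer Family server.

Added example. Event/response field names follow the Transfer Family Lambda
identity provider contract; the user store, salt and CIDRs below are
constructed for the example and would come from Secrets Manager or a
database in production, with one random salt per user.
"""
import hashlib
import hmac
import ipaddress
import json

BUCKET = "my-bucket"                                               # page placeholder
ROLE_ARN = "arn:aws:iam::123456789012:role/transfer-user-role"  # page placeholder
_SALT = b"constructed-example-salt"                                # constructed


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user store: password users carry a PBKDF2 hash, key users carry
# their SSH public keys, and every user is pinned to the partner's source networks.
USERS = {
    "sftp-partner-acme": {
        "password_hash": _hash_password("correct horse battery staple"),
        "public_keys": [],
        "allowed_cidrs": ["203.0.113.0/24"],
        "protocols": {"SFTP"},
    },
    "sftp-partner-keyonly": {
        "password_hash": None,
        "public_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKey partner@example"],
        "allowed_cidrs": ["198.51.100.0/24"],
        "protocols": {"SFTP"},
    },
}


def _ip_allowed(source_ip: str, cidrs: list) -> bool:
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def handler(event: dict, context=None) -> dict:
    username = event.get("username", "")
    password = event.get("password", "")
    # Hash before the user lookup so unknown and known names cost the same time;
    # otherwise the function's latency tells an attacker which usernames exist.
    candidate = _hash_password(password) if password else None
    user = USERS.get(username)
    if user is None or event.get("protocol") not in user["protocols"]:
        return {}
    if not _ip_allowed(event.get("sourceIp", ""), user["allowed_cidrs"]):
        return {}
    if candidate is not None:
        # Password login: the provider verifies the secret itself.
        if user["password_hash"] is None or not hmac.compare_digest(candidate, user["password_hash"]):
            return {}
        public_keys = []
    else:
        # Key login: return the keys and Transfer Family checks the SSH signature.
        if not user["public_keys"]:
            return {}
        public_keys = user["public_keys"]
    response = {
        "Role": ROLE_ARN,
        "HomeDirectoryType": "LOGICAL",
        # Chroot the session to the partner prefix; the client never sees the bucket
        # name. username is safe in the path here because it matched a known entry.
        "HomeDirectoryDetails": json.dumps([{"Entry": "/", "Target": f"/{BUCKET}/partners/{username}"}]),
    }
    if public_keys:
        response["PublicKeys"] = public_keys
    return response


if __name__ == "__main__":
    print(json.dumps(handler({"username": "sftp-partner-acme", "password": "correct horse battery staple",
                              "protocol": "SFTP", "serverId": "s-EXAMPLESERVERID",
                              "sourceIp": "203.0.113.10"}), indent=2))
```

The response deliberately omits `Policy`; add a session policy string there (the same document shown in the next section) when the role is shared between partners, so that the chroot from `HomeDirectoryDetails` and the IAM scope reinforce each other.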
IAM Role and S3 Access Configuration
Each Transfer Family user assumes an IAM role that defines which S3 actions they can perform. Because that role is usually shared by many users, a per-user scope-down policy (AWS now calls it a session policy; it is passed in the user's `Policy` field) further restricts each session to the user's own prefix. The role's trust policy should let only `transfer.amazonaws.com` assume it, and adding `aws:SourceAccount` and `aws:SourceArn` (your server ARN) conditions to that trust policy closes the cross-service confused deputy case that AWS documents for this service.
IAM role trust policy for Transfer Family:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "transfer.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
```

Scope-down (session) policy, attached per user, restricting the session to that user's home prefix:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::my-bucket/partners/acme/*"
  },
  {
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": "arn:aws:s3:::my-bucket",
    "Condition": {"StringLike": {"s3:prefix": ["partners/acme/*", "partners/acme"]}}
  }]
}
```

Without a session policy the user gets everything the role grants, which for a shared role is usually the whole bucket. Attach one to every user to enforce least privilege. The policy is supplied as a single JSON string (`--policy` on the CLI, `Policy` in the API), and instead of hand-writing one per user you can write a single shared policy using the Transfer Family variables `${transfer:UserName}`, `${transfer:HomeBucket}` and `${transfer:HomeDirectory}`, which the service substitutes with the calling user's values at session time. A session policy can only narrow the role's permissions, never widen them.
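The following Python is an added example, not code from this page or from AWS. It generates the per-user session policy and the `create_user` request with a LOGICAL home directory (the keyword names match boto3's `transfer.create_user`), and adds a local review check, `confined_to`, which is my own helper rather than an AWS API: it returns True only when it can prove every Allow statement in a policy stays inside the intended bucket and prefix, and rejects anything it cannot classify. The bucket, server ID and role ARN are the page's placeholders; the SSH key is a constructed placeholder.

```python
"""Session policy and logical home directory for one Transfer Family user.

Added example: bucket, server ID and role ARN are the page's placeholders,
create_user_request() returns boto3 transfer.create_user() keyword arguments,
and confined_to() is a local review check (not an AWS API).
"""
import json

BUCKET = "my-bucket"
SERVER_ID = "s-EXAMPLESERVERID"
ROLE_ARN = "arn:aws:iam::123456789012:role/transfer-user-role"


def session_policy(bucket: str, prefix: str) -> dict:
    """Scope-down (session) policy: objects under the prefix, listing of the prefix only."""
    prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectsUnderHome",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
            {
                "Sid": "ListHomeOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*", prefix]}},
            },
        ],
    }


def create_user_request(user_name: str, prefix: str, ssh_public_key: str,
                        bucket: str = BUCKET, server_id: str = SERVER_ID,
                        role_arn: str = ROLE_ARN) -> dict:
    """Keyword arguments for boto3's transfer.create_user(): LOGICAL root plus session policy."""
    prefix = prefix.strip("/")
    return {
        "ServerId": server_id,
        "UserName": user_name,
        "Role": role_arn,
        "HomeDirectoryType": "LOGICAL",
        # The client's "/" is the only entry; the bucket name never reaches the partner.
        "HomeDirectoryMappings": [{"Entry": "/", "Target": f"/{bucket}/{prefix}"}],
        # The session policy travels as a JSON string, same as --policy on the CLI.
        "Policy": json.dumps(session_policy(bucket, prefix)),
        "SshPublicKeyBody": ssh_public_key,
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def confined_to(policy: dict, bucket: str, prefix: str) -> bool:
    """True only if every Allow statement stays inside s3://bucket/prefix/.

    Anything the check cannot classify (another bucket, a bucket-wide wildcard,
    a ListBucket grant without an s3:prefix StringLike condition) counts as not
    confined, so a wrong answer errs on the side of rejecting the policy.
    """
    prefix = prefix.strip("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    home_object_arn = f"{bucket_arn}/{prefix}/"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for resource in _as_list(stmt.get("Resource", "*")):
            if resource == bucket_arn:
                allowed = _as_list(stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix", []))
                if not allowed or not all(p == prefix or p.startswith(prefix + "/") for p in allowed):
                    return False
            elif not resource.startswith(home_object_arn):
                return False
    return True


if __name__ == "__main__":
    request = create_user_request("sftp-partner-acme", "partners/acme", "ssh-ed25519 AAAA...constructed")
    print(json.dumps(request, indent=2))
    print("confined:", confined_to(json.loads(request["Policy"]), BUCKET, "partners/acme"))
    # In real use: boto3.client("transfer").create_user(**request)
```

Run `confined_to` against every policy before it is attached; a bucket-wide `arn:aws:s3:::my-bucket/*`, a `ListBucket` grant with no `s3:prefix` condition, or a prefix that belongs to another partner all fail the check.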
Public vs VPC Endpoint Types
Transfer Family servers can be deployed with a public endpoint (AWS-managed addresses, reachable from the internet, no static IP) or a VPC-hosted endpoint. A VPC-hosted endpoint is internal-only by default (reachable from the VPC, Direct Connect, or VPN) and can optionally be made internet-facing by attaching Elastic IPs.

| Feature | Public endpoint | VPC endpoint (internal) | VPC endpoint (internet-facing) |
|---|---|---|---|
| Accessibility | Internet, via AWS-managed addresses | VPC, Direct Connect, or VPN only | Internet, via your Elastic IPs |
| Security groups | Not supported | Supported - restrict inbound CIDRs | Supported - restrict inbound CIDRs |
| Static IP | No; the addresses can change | Private IPs in your subnets | One Elastic IP per subnet/AZ |
| FTP support | No | Yes | No |
| Client IP allowlisting | Only inside a custom identity provider (it receives sourceIp) | Security groups | Security groups |

For external partners sending files over the internet, use a VPC-hosted, internet-facing endpoint with Elastic IPs attached. Partners get static addresses to allowlist in their firewalls, and you restrict inbound access to their source ranges with security groups, which a public endpoint cannot do.
Transfer Family Pricing
Transfer Family charges per protocol endpoint per hour plus per GB of data uploaded and downloaded.
| Component | Price (us-east-1) |
|---|---|
| SFTP/FTPS/FTP endpoint | $0.30/protocol/hour (~$216/month per protocol) |
| Data upload (into S3/EFS) | $0.04/GB |
| Data download (out of S3/EFS) | $0.04/GB |
| S3/EFS storage | Standard S3 and EFS pricing applies separately |
The endpoint cost is per protocol. If you enable SFTP, FTPS, and FTP on the same server, you pay for three separate protocols. Enable only the protocols your partners actually use.
Interview Focus Points
1. What is AWS Transfer Family and why would you use it instead of running your own SFTP server on EC2?
2. How does Transfer Family integrate with S3 - what happens to a file after a partner uploads it via SFTP?
3. Explain the difference between service-managed users and custom Lambda identity providers.
4. How do you restrict an SFTP user to only their own directory in S3?
5. What is the difference between public and VPC-hosted endpoints in Transfer Family?
6. How would you trigger a processing Lambda function automatically whenever a partner drops a file via SFTP?
7. How do you give your SFTP server a static IP address that partners can allowlist in their firewalls?
8. What are logical home directories and why are they preferred over path-based home directories?