Supported Protocols and Storage
AWS Transfer Family is a single managed service that fronts Amazon S3 or Amazon EFS with standard file-transfer protocols. You can enable any combination of the protocols below on one server endpoint; the one restriction is that FTP, being unencrypted, is only offered on VPC-hosted endpoints with internal access, never on an internet-facing endpoint.
| Protocol | Description | Supported Storage Backend(s) |
| :--- | :--- | :--- |
| SFTP | SSH File Transfer Protocol: commands and data travel inside one SSH connection (TCP port 22) | Amazon S3, Amazon EFS |
| FTPS | Explicit FTP over TLS (`AUTH TLS`): control channel on TCP port 21, passive data connections on ports 8192-8200; requires a server certificate held in AWS Certificate Manager. Implicit FTPS on port 990 is not supported | Amazon S3, Amazon EFS |
| FTP | Plaintext FTP: control channel on TCP port 21, passive data connections on ports 8192-8200. Credentials and file contents cross the wire unencrypted, so it is restricted to VPC-hosted endpoints with internal access | Amazon S3, Amazon EFS |
How It Works: Core Components
Setting up the AWS Transfer Family involves configuring three main components: a server endpoint, an identity provider, and a storage backend.
1. The Server Endpoint
This is the entry point that your users connect to with their file transfer clients (like FileZilla, WinSCP, or command-line tools).
- Configuration: You create a single server, choose its endpoint type (public, or hosted in your VPC) and enable the protocols you need (SFTP, FTPS, FTP). Each server is bound to exactly one identity provider and one storage backend (S3 or EFS).
- High Availability: The service is highly available by default, running across multiple Availability Zones, and scales capacity with demand; there are no instances for you to size, patch or fail over.
- Custom Hostname: You can point a user-friendly hostname (e.g. `sftp.yourcompany.com`) at the server endpoint with an Amazon Route 53 record or any DNS provider's CNAME. A hostname does not authenticate the endpoint: for SFTP, publish the server's host key fingerprint so clients can pin it, and for FTPS make sure the ACM certificate covers the custom name.
2. Identity Providers
This is how you manage and authenticate your users. You have three options:
- Service Managed: The simplest method. You create users and store their SSH public keys directly within the service. This option supports SFTP only and only key-based authentication (no passwords), so it suits deployments with no existing identity system and a small, fairly static set of users.
- AWS Directory Service for Microsoft Active Directory: Integrate with AWS Managed Microsoft AD, or an on-premises AD reached through AD Connector, so users authenticate with their corporate AD credentials (password-based) over SFTP, FTPS or FTP. Access is granted per AD group, with each group mapped to an IAM role and a home directory.
- Custom Identity Provider: Provides maximum flexibility by letting you integrate with your own identity provider (e.g. Okta, Auth0, or a custom user database). The service calls either an AWS Lambda function or an Amazon API Gateway endpoint (normally Lambda-backed) with the username, protocol, source IP and, for password logins, the password. Your code authenticates the user and returns the IAM role to assume, an optional scoped-down session policy, the home directory configuration and, for key-based SFTP logins, the user's public keys so the service can verify the client's signature. Returning an empty response denies the login.
3. Storage Backends
This is where the transferred files are stored. You choose one of two options:
- Amazon S3: When a user uploads a file, it is stored as an object in your designated S3 bucket, under a key derived from the user's home directory. This is the best choice for building data lakes, feeding analytics pipelines, and integrating with cloud-native applications. Because S3 has no real directories, per-user isolation rests entirely on scoping each user's IAM permissions to their own prefix.
- Amazon EFS: When a user uploads a file, it is stored in your designated EFS file system. Each user is assigned a POSIX profile (uid, gid and optional secondary gids) that EFS uses to enforce file ownership and permissions, in addition to the IAM role. This is ideal when the data must be accessed by many EC2 instances simultaneously or by applications that require a shared, POSIX-compliant file system.
Key Features and Concepts
Managed Workflows
- A fully managed, serverless feature that runs an ordered set of steps after a file has been uploaded through the server. A separate workflow can be attached for partially uploaded files, so an interrupted transfer is dealt with rather than left in the bucket unnoticed.
- Predefined steps copy, decrypt (PGP), tag, or delete the file; a failed step hands control to the workflow's exception-handling steps, which is the natural place to quarantine or delete a rejected upload.
- For custom processing, a step can invoke an AWS Lambda function to perform tasks like file validation, data transformation, virus scanning, or notifying other systems. The function must explicitly report the step's outcome back to the service within the step's timeout; a function that returns without doing so leaves the step to time out as a failure.
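The custom step described above, as an added example that is not code from the original page or from AWS: a Lambda handler that validates an upload (key sanity, size cap, extension allow-list and magic-byte check) and reports the result with `SendWorkflowStepState`. The event layout (`token`, `serviceMetadata.executionDetails`, `fileLocation`) follows the custom-step invocation payload; the allow-list, 50 MiB cap, bucket and key names and the in-memory stand-in for S3 are constructed assumptions for illustration.

```python
"""Custom step for a Transfer Family managed workflow that validates an upload.

Added example, not AWS code. The event layout (token, serviceMetadata.executionDetails,
fileLocation) follows the custom-step invocation payload and the outcome is reported
with the SendWorkflowStepState API; the allow-list, size cap, bucket and key names and
the in-memory stand-in for S3 are constructed for illustration.
"""
import codecs
import os

MAX_BYTES = 50 * 1024 * 1024  # assumption: reject uploads larger than 50 MiB
HEAD_LEN = 16                 # bytes fetched for the magic-number check

# Allowed extensions and the leading bytes each must carry (constructed allow-list).
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04",),
    ".csv": (),  # plain text: checked for NUL bytes and UTF-8 validity instead
}


def validate_upload(key, head, size):
    """Return (ok, reason) for an S3 key, its first bytes and its total size."""
    segments = key.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        return False, "suspicious key segment"
    ext = os.path.splitext(segments[-1])[1].lower()
    if ext not in MAGIC:
        return False, "extension %s not allowed" % (ext or "(none)")
    if size == 0 or size > MAX_BYTES:
        return False, "size %d out of range" % size
    if ext == ".csv":
        if b"\x00" in head:
            return False, "binary content in csv"
        try:
            # final=False tolerates a multi-byte character cut off at HEAD_LEN
            codecs.getincrementaldecoder("utf-8")().decode(head, final=False)
        except UnicodeDecodeError:
            return False, "csv is not UTF-8"
    elif not any(head.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


def s3_fetch(bucket, key):
    """Size and first HEAD_LEN bytes of the object via boto3 (needs AWS credentials)."""
    import boto3  # imported here so the validation logic runs without boto3 installed
    s3 = boto3.client("s3")
    size = s3.head_object(Bucket=bucket, Key=key)["ContentLength"]
    head = s3.get_object(Bucket=bucket, Key=key, Range="bytes=0-%d" % (HEAD_LEN - 1))["Body"].read()
    return size, head


def transfer_report(**kwargs):
    """Tell the workflow whether this step succeeded (SendWorkflowStepState)."""
    import boto3
    boto3.client("transfer").send_workflow_step_state(**kwargs)


def handle_custom_step(event, fetch=s3_fetch, report=transfer_report):
    """Lambda entry point for the custom step; returns (ok, reason) for logging."""
    details = event["serviceMetadata"]["executionDetails"]
    loc = event["fileLocation"]
    try:
        size, head = fetch(loc["bucket"], loc["key"])
        ok, reason = validate_upload(loc["key"], head, size)
    except Exception as exc:  # any fetch or validation error must still fail the step
        ok, reason = False, "validation error: %r" % (exc,)
    report(WorkflowId=details["workflowId"], ExecutionId=details["executionId"],
           Token=event["token"], Status="SUCCESS" if ok else "FAILURE")
    return ok, reason


# Constructed stand-ins so the handler can be exercised offline.
SAMPLE_OBJECTS = {
    ("example-transfer-bucket", "partners/alice/report.pdf"): b"%PDF-1.7\n% constructed pdf body",
    ("example-transfer-bucket", "partners/alice/evil.pdf"): b"MZ\x90\x00\x03\x00 not a pdf at all",
    ("example-transfer-bucket", "partners/alice/data.csv"): b"id,amount\n1,10\n2,20\n",
}


def demo_fetch(bucket, key):
    data = SAMPLE_OBJECTS[(bucket, key)]
    return len(data), data[:HEAD_LEN]


class RecordingReporter:
    """Collects SendWorkflowStepState calls instead of making them."""
    def __init__(self):
        self.calls = []

    def __call__(self, **kwargs):
        self.calls.append(kwargs)


def sample_event(key):
    """Constructed custom-step event for an object in the sample bucket."""
    return {
        "token": "tok-constructed",
        "serviceMetadata": {
            "executionDetails": {"workflowId": "w-0123456789abcdef0", "executionId": "exec-constructed"},
            "transferDetails": {"sessionId": "sess-1", "userName": "alice", "serverId": "s-0123456789abcdef0"},
        },
        "fileLocation": {"type": "S3", "bucket": "example-transfer-bucket", "key": key, "etag": "constructed"},
    }
```

The step only reads the first 16 bytes, which catches mislabelled executables and archives but is not a substitute for scanning the whole object; a virus-scanning step would stream the full body. Note that the handler reports `FAILURE` on any exception (object missing, S3 permission denied), so a misconfigured Lambda role shows up as rejected uploads in the workflow's exception path rather than as silently accepted files.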
Logical Directories for Amazon S3
- Amazon S3 has a flat keyspace, but this feature presents a conventional folder hierarchy to users by mapping virtual paths to bucket prefixes: the user's home directory type is set to `LOGICAL` and the mappings are a list of `Entry`/`Target` pairs.
- You can map user-friendly directory names (e.g. `/my-folder`) to specific S3 bucket prefixes, controlling what the user sees and where their uploads land. Mapping `/` to a single target chroots the user to that prefix, so neither the bucket name nor other tenants' paths are ever visible. The mappings only shape the view; access is still enforced by the user's IAM role and session policy, and the two must be kept consistent or a user can reach paths they cannot see (or see paths they cannot open).
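The custom identity provider and logical directory mechanisms described above, as one added example that is not code from the original page or from AWS: a Lambda handler that authenticates a user (PBKDF2-hashed password compared in constant time, or public keys handed back for key-based SFTP), returns a scoped-down session policy and a chrooted logical directory mapping, and denies everything else with an empty response. The request and response field names follow the custom-IdP contract; the user table, role ARN, bucket, prefixes and salt are constructed assumptions.

```python
"""Custom identity provider handler for AWS Transfer Family.

Added example, not AWS code. The request fields (username, password, protocol,
serverId, sourceIp) and response fields (Role, Policy, HomeDirectoryType,
HomeDirectoryDetails, PublicKeys) follow the custom-IdP contract; the user
table, role ARN, bucket and prefixes are constructed placeholders.
"""
import hashlib
import hmac
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/TransferUserRole"  # assumption
_ITERATIONS = 100_000
_SALT = b"constructed-demo-salt"  # assumption: use a random per-user salt in production


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS).hex()


# Constructed user directory; a real handler would query Secrets Manager or an IdP.
USERS = {
    "alice": {  # key-only SFTP user
        "password_hash": None,
        "public_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForAliceExampleOnly alice@example"],
        "protocols": {"SFTP"},
        "bucket": "example-transfer-bucket",
        "prefix": "partners/alice",
    },
    "bob": {  # password user, allowed on SFTP and FTPS
        "password_hash": _hash_password("correct horse battery staple"),
        "public_keys": [],
        "protocols": {"SFTP", "FTPS"},
        "bucket": "example-transfer-bucket",
        "prefix": "partners/bob",
    },
}


def session_policy(bucket, prefix):
    """Scoped-down session policy (JSON string): ROLE_ARN may cover the whole
    bucket, but this session can only list and touch the user's own prefix."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOwnPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": "arn:aws:s3:::%s" % bucket,
             "Condition": {"StringLike": {"s3:prefix": [prefix, prefix + "/*"]}}},
            {"Sid": "ObjectsInOwnPrefix", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"],
             "Resource": "arn:aws:s3:::%s/%s/*" % (bucket, prefix)},
        ],
    })


def home_mappings(bucket, prefix):
    """Logical directory mapping that chroots the user: '/' is their prefix,
    so the bucket name and other tenants' paths are never visible."""
    return json.dumps([{"Entry": "/", "Target": "/%s/%s" % (bucket, prefix)}])


def lambda_handler(event, context=None):
    username = event.get("username", "")
    protocol = event.get("protocol", "")
    password = event.get("password")  # absent on key-based SFTP attempts
    user = USERS.get(username)
    if user is None or protocol not in user["protocols"]:
        return {}  # empty response = deny
    response = {
        "Role": ROLE_ARN,
        "Policy": session_policy(user["bucket"], user["prefix"]),
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryDetails": home_mappings(user["bucket"], user["prefix"]),
    }
    if password is not None:
        # Password login: the handler must verify it. Users without a password
        # hash are key-only, so an empty or guessed password is rejected.
        if user["password_hash"] is None:
            return {}
        if not hmac.compare_digest(user["password_hash"], _hash_password(password)):
            return {}
        return response
    # Key-based login (SFTP only): return the public keys; the service checks the
    # client's signature against them, so the handler never handles a secret.
    if protocol != "SFTP" or not user["public_keys"]:
        return {}
    response["PublicKeys"] = user["public_keys"]
    return response
```

If you front the same function with API Gateway instead of invoking it directly, the JSON returned in the response body is identical. Two practical limits to keep in mind: the session policy is passed as a string and is subject to the IAM session policy size limit (2048 characters), and the IAM role itself must still grant at least what the session policy narrows down to, since a session policy can only subtract permissions.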
Security and Monitoring
- VPC Endpoints: You can host the server endpoint inside a VPC so it is reachable only over private network paths (from your on-premises data center via AWS Direct Connect or a VPN, or from peered VPCs), with security groups controlling which sources may connect. A VPC-hosted endpoint can instead be made internet-facing with Elastic IPs, which is how you get fixed addresses that partners can allow-list. FTP is available only on VPC-hosted endpoints with internal access.
- Encryption: SFTP and FTPS protect data in transit (SSH and TLS respectively); FTP does not, which is why it is confined to private networks. Encryption at rest comes from the backend, S3 server-side encryption (SSE-S3 or SSE-KMS) or EFS encryption; when a KMS key is used, the user's IAM role also needs the matching `kms:` permissions or transfers fail after authentication succeeds.
- IAM Policies: Each user is mapped to an IAM role that the service assumes for S3 or EFS access. Keep the role broad enough for the bucket and narrow it per user with a session policy built on variables such as `${transfer:UserName}`, `${transfer:HomeBucket}` and `${transfer:HomeDirectory}`, so one role serves many users without any of them reaching another user's prefix.
- Logging and Monitoring: AWS CloudTrail records control-plane API calls (creating users, changing server settings); Amazon CloudWatch receives per-session structured logs (logins, authentication failures, file operations) once a logging role or log group is configured, plus server metrics such as BytesIn, BytesOut, FilesIn and FilesOut. Alert on bursts of authentication failures and on transfers outside expected hours, since the structured logs carry the username, source IP and object path needed to triage them.