A Five Minute Overview of AWS Transfer for SFTP

If you would prefer to listen to this article, click this link to hear it using Amazon Polly. It will also be available in iTunes: search for LabR Learning Resources.

What is AWS Transfer for SFTP?

AWS now offers a managed solution for enterprises needing SFTP services. Instead of operating an EC2 instance configured to accept SFTP connections, AWS Transfer for SFTP accepts SFTP transfers and stores the files in an S3 bucket for incoming file transfers, and retrieves files from an S3 bucket for outgoing transfers.

Setting up AWS Transfer for SFTP

Setting up the service is as simple as going to the AWS Console, enabling the service, associating your SFTP hostnames (or using a service-provided hostname), configuring the IAM roles, associating an identity provider, creating users and assigning the S3 bucket. With those tasks performed, the service is operational.

[Screenshot: Start the process to create your SFTP server]
[Screenshot: Define the service parameters]
  • Amazon Route 53 DNS alias, which results in a name created by Route 53 and added to the DNS pool.
  • Other DNS, which you should use if you already have a custom domain name managed by DNS somewhere. This would allow you to create a name like sftp.cloud.example.com.
[Screenshot: Define the logging role and apply any tags]
[Screenshot: Service starts]
[Screenshot: Service is operational]

S3 Buckets and IAM Roles

As mentioned, AWS Transfer for SFTP uses an S3 bucket which is specified when a user is created, along with a folder if desired, which forms the user’s home directory.

Users

When creating a user, you specify their username, the Access policy from IAM (the Access section), and if desired the scope-down policy (the Policy section). You also specify the S3 bucket and optional directory which is used to create the user’s home directory.

[Screenshot: User definition]
[Screenshot: Copy the user's public key]
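The scope-down policy mentioned above (the Policy section of the user definition), as an added example that is not from the article: it confines an SFTP user to the home directory configured for them by using the ${transfer:HomeBucket}, ${transfer:HomeFolder} and ${transfer:HomeDirectory} variables that AWS Transfer substitutes for each session, so one policy document serves every user. The IAM role chosen in the Access section must still grant these S3 permissions on the bucket; the scope-down policy only narrows what that role allows.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListingOfUserFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::${transfer:HomeBucket}",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${transfer:HomeFolder}/*",
            "${transfer:HomeFolder}"
          ]
        }
      }
    },
    {
      "Sid": "HomeDirObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
    }
  ]
}
```

Without a scope-down policy, every user attached to a role that grants bucket-wide access can list and read the other users' folders in the same bucket, so this document is what keeps per-user home directories isolated from one another.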

Using AWS Transfer for SFTP

To upload or download files using AWS Transfer for SFTP, the user initiates a connection using their favorite SFTP client.

Monitoring AWS Transfer for SFTP

When we created the SFTP server, we had to specify a role for CloudWatch logging. We can see the file transfer from the previous sample by looking in CloudWatch at the log stream associated with the service.

[Screenshot: CloudWatch events from the sample SFTP transfer]

What does it Cost?

Like other AWS services, AWS Transfer is billed for what you use, with the exception of the endpoint. Once configured, whether the service is used in that billing cycle or not, there is a charge for the endpoint and for any S3 storage used. Otherwise, data charges are only incurred if there is data moved into or out of the service.

Conclusion

AWS Transfer for SFTP greatly simplifies the file exchange process for both inter-organizational and intra-organizational file exchange. As files are moved in and out of S3, they are automatically converted between files and S3 objects. The authentication process and data exchange are both secure, as they are protected by the SSH protocol.

Written by

Chris is the co-author of seven books and author of more than 70 articles and book chapters in technical, management, and information security publications.
