Managing users for server endpoints - AWS Transfer Family

Managing users for server endpoints

In the following sections, you can find information about how to add users using AWS Transfer Family, AWS Directory Service for Microsoft Active Directory or a custom identity provider.

If you use a service-managed identity type, you add users to your file transfer protocol enabled server. When you do so, each username must be unique on your server.

As part of each user's properties, you also store that user's Secure Shell (SSH) public key. Doing so is required for key-based authentication, which this procedure uses. The private key is stored locally on your user's computer. When your user sends an authentication request to your server by using a client, your server first confirms that the user has access to the associated SSH private key. The server then successfully authenticates the user.

In addition, you specify a user's home directory, or landing directory, and assign an AWS Identity and Access Management (IAM) role to the user. Optionally, you can provide a session policy to limit user access only to the home directory of your Amazon S3 bucket.


AWS Transfer Family blocks usernames that are 1 or 2 characters long from authenticating to SFTP servers. We also block the root username.

The reason for this is the large volume of malicious login attempts by password scanners.

Amazon EFS vs. Amazon S3

Characteristics of each storage option:

  • To limit access: Amazon S3 supports session policies; Amazon EFS supports POSIX user, group, and secondary group IDs

  • Both support public/private keys

  • Both support home directories

  • Both support logical directories


    For Amazon S3, most of the support for logical directories is via API/CLI. You can use the Restricted check box in the console to lock down a user to their home directory, but you cannot specify a virtual directory structure.

Logical directories

If you are specifying logical directory values for your user, the parameter you use depends on the type of user.

  • For service-managed users, provide logical directory values in HomeDirectoryMappings.

  • For custom identity provider users, provide logical directory values in HomeDirectoryDetails.
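The following added example (not part of the AWS documentation) builds the same logical directory mapping in both forms: as `HomeDirectoryMappings` arguments for a `CreateUser` call, and as the `HomeDirectoryDetails` string in a custom identity provider response. It also applies the username rule stated above. The server ID, role ARN, bucket name, and `/home/<username>` prefix layout are constructed sample values.

```python
import json

def username_allowed(name: str) -> bool:
    """Rule from this page: 1- or 2-character names and 'root' are blocked."""
    return len(name) >= 3 and name != "root"

def home_mapping(bucket: str, username: str) -> list:
    """One mapping that presents the user's S3 prefix as '/'.
    The /home/<username> layout is an assumption of this example."""
    return [{"Entry": "/", "Target": f"/{bucket}/home/{username}"}]

def service_managed_user(server_id, username, role_arn, ssh_public_key, bucket):
    """Keyword arguments for boto3's transfer create_user call."""
    if not username_allowed(username):
        raise ValueError(f"username {username!r} is blocked from authenticating")
    return {
        "ServerId": server_id,
        "UserName": username,
        "Role": role_arn,
        "SshPublicKeyBody": ssh_public_key,
        "HomeDirectoryType": "LOGICAL",
        # Service-managed users: mappings are passed as a list.
        "HomeDirectoryMappings": home_mapping(bucket, username),
    }

def custom_idp_response(username, role_arn, bucket):
    """Body a custom identity provider returns for an authenticated user."""
    if not username_allowed(username):
        raise ValueError(f"username {username!r} is blocked from authenticating")
    return {
        "Role": role_arn,
        "HomeDirectoryType": "LOGICAL",
        # Custom identity provider: the same mappings, JSON-encoded as a string.
        "HomeDirectoryDetails": json.dumps(home_mapping(bucket, username)),
    }

if __name__ == "__main__":
    # Constructed sample values, not real resources.
    role = "arn:aws:iam::111122223333:role/example-transfer-role"
    args = service_managed_user("s-0123456789abcdef0", "alice", role,
                                "ssh-ed25519 AAAAC3...constructed", "example-bucket")
    print(json.dumps(args, indent=2))
    print(json.dumps(custom_idp_response("alice", role, "example-bucket"), indent=2))
```

The first dictionary can be passed as `boto3.client("transfer").create_user(**args)`. The single `/` entry confines the session to the mapped prefix, so the user never sees the bucket name or sibling prefixes.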