AWS Transfer for SFTP
User Guide

Create an SFTP Server

Following, you can find how to create an SFTP server. When you create a server, you assign that server an identity provider type, either service-managed using SSH keys or custom. The custom method uses Amazon API Gateway and enables you to integrate your directory service to authenticate and authorize your SFTP users. The service automatically assigns an identifier that uniquely identifies your server.

Optionally, you can define a custom hostname. You can do so using the Amazon Route 53 service or by using a Domain Name System (DNS) service of your choice.

You create an SFTP server in a specific AWS Region to perform the file operation requests of SFTP users who are assigned to that server. You can assign hostnames to a server, or use custom hostnames based on DNS redirection.

You can also assign metadata to the server in the form of tags that are key-value pairs. A server hostname must be unique in the AWS Region where it's created. You incur costs for instantiated SFTP servers and for data transfer.

In this procedure, you create the server using the service-managed (SSH keys) method, and keep the hostname blank.

To create your first SFTP server in AWS SFTP

  1. Open the AWS SFTP console at

  2. In the New SFTP server section, choose Create Server as shown following.

  3. You can configure your SFTP server to be accessible over the internet or accessible only in your own virtual private cloud (VPC). In this tutorial, we show you how to make your server accessible over the internet.

    In the Endpoint configuration section, do one of the following:

    • For Endpoint type, choose Public to make your server accessible over the internet. For information about how to make your server accessible only in your VPC, see Creating an SFTP Server in a Virtual Private Cloud.

    • If you don't want to use a custom domain, choose None for Custom hostname.

      In this case, you get an SFTP server hostname provided by AWS SFTP. The server hostname takes the form

    • If you want to use a custom hostname that you registered, choose either Amazon Route 53 DNS alias or Other DNS.

      Doing this specifies the name resolution method to associate with your SFTP server's endpoint.

      For example, your custom domain might be

      A custom hostname uses a DNS name that you provide and that a DNS service can resolve. You can use Route 53 as your DNS resolver, or use your own DNS service provider. To learn how AWS SFTP uses Route 53 to route traffic from your custom domain to the SFTP endpoint, see Working with Custom Host Names.

  4. In the Identity provider section, choose Service managed to store user identities and keys in AWS SFTP.

    This exercise uses the service-managed option. If you choose Custom, you provide an API Gateway endpoint and an IAM role to access the endpoint. By doing so, you can integrate your directory service to authenticate and authorize your SFTP users. To learn more about working with custom identity providers, see Working with Identity Providers.

  5. (Optional) For Logging role, choose an IAM role that enables Amazon CloudWatch logging of your SFTP user activity.

    For more information about setting up a CloudWatch logging role, see Monitoring Usage.

  6. (Optional) For Key and Value, enter one or more tags as key-value pairs.

    Choose Add tag to add additional tags to your server.

  7. Choose Create to create your server. You are taken to the Servers page, shown following, where your new server is listed.

It can take a couple of minutes before the status for your new SFTP server changes to Online. At that point, your server can perform file operations for your users.
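The same server created from the AWS CLI instead of the console, as an added example that is not part of this guide: it uses the public endpoint and service-managed identity provider from steps 3 and 4, the optional logging role and tags from steps 5 and 6, and then polls describe-server until the state reaches Online as described above. It assumes the AWS CLI is installed with credentials configured; the logging-role ARN and tag values are placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS SFTP guide): create a service-managed,
# public SFTP server with the AWS CLI and wait for it to come online.

# Equivalent of console steps 3-6. Prints the ID the service assigns (s-...).
# The logging role should grant only CloudWatch Logs write permissions;
# its ARN is supplied by the caller.
create_sftp_server() {
  logging_role="$1"
  aws transfer create-server \
    --endpoint-type PUBLIC \
    --identity-provider-type SERVICE_MANAGED \
    --logging-role "$logging_role" \
    --tags Key=Project,Value=sftp-tutorial \
    --query 'ServerId' --output text
}

# Poll describe-server until the state is ONLINE (return 0). Return 1 if the
# server lands in a failed state, the CLI call fails, or the attempt budget
# (default 30 attempts, 10 s apart) is exhausted.
wait_for_server_online() {
  server_id="$1"; attempts="${2:-30}"; delay="${3:-10}"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    state=$(aws transfer describe-server --server-id "$server_id" \
              --query 'Server.State' --output text) || return 1
    case "$state" in
      ONLINE) return 0 ;;
      START_FAILED|STOP_FAILED)
        echo "server $server_id entered state $state" >&2; return 1 ;;
    esac
    i=$((i + 1))
    sleep "$delay"
  done
  echo "timed out waiting for $server_id to come online" >&2
  return 1
}

# Only call the CLI when a logging-role ARN is provided, e.g.
#   LOGGING_ROLE_ARN=arn:aws:iam::123456789012:role/sftp-logging sh create.sh
if [ -n "${LOGGING_ROLE_ARN:-}" ]; then
  server_id=$(create_sftp_server "$LOGGING_ROLE_ARN") || exit 1
  echo "created $server_id; waiting for ONLINE"
  wait_for_server_online "$server_id" && echo "$server_id is ONLINE"
fi
```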

Next Step

Add a User