AWS Transfer for SFTP
User Guide

Create an SFTP Server

In this section, you will create an SFTP server using the Service Managed identity provider type. When you create a server, you assign that server an identity provider type: either Service Managed using SSH keys, or a custom. The custom method uses the API Gateway and allows you to integrate your directory service to authenticate and authorize your SFTP users. The service automatically assigns a ServerId identifier to your server. Optionally, you can define a custom hostname using the Amazon Route 53 service, or by using a DNS service of your choice.

You create an SFTP server in a specific AWS Region to execute the file operation requests of SFTP users who are assigned to that server. Servers are uniquely identified by their service assigned server identifier (ServerId). You can assign host names to a server, or use custom (or vanity) host names based on DNS redirection. You can also assign metadata to the server in the form of tags that are key-value pairs. Server host names must be unique in the AWS Region in which they are created. Costs are incurred for instantiated SFTP servers and for data transfer.

In this procedure, you create the server using the Service Managed (SSH keys) method, and leave the hostname blank.

To create your first SFTP server in the AWS SFTP service

  1. Choose Create Server in the New SFTP server section of the first-time login screen as shown following.

  2. Select None for your SFTP server's DNS configuration if you do not plan to use a custom domain. The SFTP server hostname provided by the service takes the form: in this instance.

    If you want to use a custom hostname that have registered, select either Amazon Route 53 DNS alias, or Other DNS.

    This specifies the name resolution method desired to associate with your SFTP server's endpoint. An example of a custom domain would be A custom hostname uses a DNS name that you provide and a DNS service can resolve. You can use Route 53 as your DNS resolver, or use your own DNS service provider. To learn how the service uses Amazon Route 53 so traffic from your custom domain is routed to the SFTP endpoint, see Working with Custom Host Names.

  3. Select Service managed Identity Provider type to store and access user identities and keys within the service.

    If you select Custom, you will need to provide an API Gateway endpoint and an IAM Role to access the endpoint. This allows you to integrate your directory service to authenticate and authorize your SFTP users. To learn more on integrating custom Identity Providers, see Working with Identity Providers.

  4. Choose an AWS Identity and Access Management (IAM) role for Logging role that enables CloudWatch logging of your SFTP user activity, if desired.

    For more information about setting up the Logging Role, see Monitoring Usage.

  5. Optionally, enter one or more tags in the form of key-value pairs in Key and Value.

    Choose Add tag to add additional tags to your server, if desired.

  6. Choose Create to create your server; you are taken to the Servers page shown following where your new server is listed.

    It can take a couple of minutes before your newly created SFTP server status changes to Online and is available to perform file operations for users.