Tutorial: Getting started with AWS Transfer Family - AWS Transfer Family

Use this tutorial to get started with AWS Transfer Family (Transfer Family). You'll learn how to create an SFTP-enabled server with a publicly accessible endpoint using Amazon S3 storage, add a user with service-managed authentication, and transfer a file with Cyberduck.



Before you begin, be sure to complete the requirements in Setting up. As part of this setup, you create an Amazon Simple Storage Service (Amazon S3) bucket and an AWS Identity and Access Management (IAM) user role.

There are permissions required for using the AWS Transfer Family console, and there are permissions required for configuring other AWS services that Transfer Family uses, such as Amazon Simple Storage Service, AWS Certificate Manager, Amazon Elastic File System, and Amazon Route 53. For example, for users that are transferring files into and out of AWS using Transfer Family, AmazonS3FullAccess grants permissions to set up and use an Amazon S3 bucket. Some of the permissions in this policy are needed to create Amazon S3 buckets.

To use the Transfer Family console, you require the following:

  • AWSTransferConsoleFullAccess grants permissions for your SFTP user to create Transfer Family resources.

  • IAMFullAccess (or specifically a policy that allows creation of IAM roles) is only needed if you want Transfer Family to automatically create a logging role for your server in Amazon CloudWatch Logs or a user role for a user logging into a server.

  • To create and delete VPC server types, you need to add the actions ec2:CreateVpcEndpoint and ec2:DeleteVpcEndpoints to your policy.


The AmazonS3FullAccess and IAMFullAccess policies are, themselves, not needed for general usage of AWS Transfer Family. They are presented here as a simple way to make sure that all of the permissions that you need are covered. Additionally, these are AWS managed policies, which are standard policies that are available to all AWS customers. You can view the individual permissions in these policies and determine the minimal set that you need for your purposes.

Step 1: Sign in to the AWS Transfer Family console

To sign in to Transfer Family
  1. Sign in to the AWS Management Console and open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. For Account ID or alias, enter your account ID or alias.

  3. For IAM user name, enter the name of the user role that you created for Transfer Family.

  4. For Password, enter your AWS account password.

  5. Choose Sign in.

Step 2: Create an SFTP-enabled server

Secure Shell (SSH) File Transfer Protocol (SFTP) is a network protocol used for secure transfer of data over the internet. The protocol supports the full security and authentication functionality of SSH. It is widely used to exchange data, including sensitive information, between business partners in a variety of industries such as financial services, healthcare, retail, and advertising.

To create an SFTP-enabled server
  1. Select Servers from the navigation pane, and then choose Create server.

  2. In Choose protocols, select SFTP, and then choose Next.

  3. In Choose an identity provider, choose Service managed to store user identities and keys in Transfer Family, and then choose Next.

  4. In Choose an endpoint, do the following:

    1. For Endpoint type, choose the Publicly accessible endpoint type.

    2. For Custom hostname, choose None.

    3. Choose Next.

  5. In Choose a domain, choose Amazon S3.

  6. In Configure additional details, do the following:

    1. For CloudWatch logging, choose Create a new role to allow Transfer Family to automatically create the IAM role, as long as you have the right permissions to create a new role. The IAM role that is created is called AWSTransferLoggingAccess.

    2. For Cryptographic algorithm options, choose a security policy that contains the cryptographic algorithms enabled for use by your server. The default security policy is TransferSecurityPolicy-2020-06.

    3. Choose Next.

  7. In Review and create, choose Create server. You are taken to the Servers page.

It can take a couple of minutes before the status for your new server changes to Online. At that point, your server can perform file operations, but you'll need to create a user first.

Step 3: Add a service managed user

To add a user to the SFTP-enabled server
  1. On the Servers page, select the check box of the server that you want to add a user to.

  2. Choose Add user.

  3. In the User configuration section, for Username, enter the user name. This user name must be a minimum of 3 and a maximum of 100 characters. You can use the following characters in the user name: a–z, A–Z, 0–9, underscore '_', hyphen '-', period '.', and at sign '@'. The user name can't start with a hyphen, period, or at sign.

  4. For Access, choose the IAM role that you previously created that provides access to your Amazon S3 bucket.

    You created this IAM role using the procedure in Create an IAM role and policy. That IAM role includes an IAM policy that provides access to your Amazon S3 bucket. It also includes a trust relationship with the AWS Transfer Family service, defined in another IAM policy.


    The IAM role for the service managed user must contain the permissions to access the desired bucket. Permissions to access the desired bucket are covered by AmazonS3FullAccess, which grants administrator-level permissions to Amazon S3 resources.

  5. For Policy, choose None.

  6. For Home directory, choose the Amazon S3 bucket to store the data to transfer using AWS Transfer Family. Enter the path to the home directory where your user lands when they log in using their client.

    If you leave this parameter blank, the root directory of your Amazon S3 bucket is used. In this case, make sure that your IAM role provides access to this root directory.


    We recommend that you choose a directory path that contains the user name of the user, which enables you to effectively use a session policy. The session policy limits user access in the Amazon S3 bucket to that user's home directory.

  7. For Restricted, select the check box so that your users can't access anything outside of that folder and can't see the Amazon S3 bucket or folder name.


    When you assign the user a home directory and restrict the user to that home directory, this is sufficient to lock down the user's access to the designated folder. Use a session policy when you need to apply further controls.

  8. For SSH public key, enter the public SSH key portion of the SSH key pair.

    Your key is validated by the service before you can add your new user.


    The format of the SSH public key is ssh-rsa <string>. For instructions on how to generate an SSH key pair, see Generate SSH keys.

  9. (Optional) For Key and Value, enter one or more tags as key-value pairs, and choose Add tag.

  10. Choose Add to add your new user to the server that you chose.

    The new user appears in the Users section of the Server details page.
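The following shell script is an added example; it is not part of this tutorial and not an AWS tool. It applies the Username rules from step 3 before you enter the name, checks that a key has the ssh-rsa <string> shape from step 8, and prints a session policy that confines a user to the home directory from step 6, for the case where you want something other than None for Policy. The bucket name and user name are the tutorial's placeholders, the sample key is constructed and not a usable key, and the policy is a standard Amazon S3 prefix-scoping pattern rather than text from this page.

```shell
#!/bin/sh
# Added example, not part of the AWS tutorial: pre-flight checks for the values
# entered in Step 3, plus a session policy scoped to the user's home directory.
# mybucket and sftp_user are the tutorial's placeholders; the key used in the
# test is a constructed sample, not a usable key.

# Applies the Username rules from Step 3: 3 to 100 characters from
# a-z A-Z 0-9 _ - . @, and no leading hyphen, period or at sign.
validate_username() {
  name=$1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 100 ] || return 1
  case $name in
    -*|.*|@*) return 1 ;;        # forbidden first character
  esac
  printf '%s' "$name" | grep -Eq '^[A-Za-z0-9_.@-]+$'
}

# Checks the "ssh-rsa <string>" shape from Step 8 before the service sees it:
# the type word, then a base64 blob that begins with AAAAB3NzaC1yc2E, which is
# base64 for the length-prefixed "ssh-rsa" string that opens every RSA key blob.
# This is a format check only; it does not verify the key material itself.
check_ssh_public_key() {
  set -- $1                       # split into type, blob, optional comment
  [ "$1" = "ssh-rsa" ] || return 1
  printf '%s' "$2" | grep -Eq '^AAAAB3NzaC1yc2E[A-Za-z0-9+/]+=*$'
}

# Prints a session policy for a home directory given as /bucket/prefix (the
# form used in Step 4 of the OpenSSH procedure). Listing is limited to the
# prefix and object access to keys under it. A home directory of just /bucket
# scopes the policy to the whole bucket, as the Step 6 note warns.
session_policy() {
  home=${1#/}
  bucket=${home%%/*}
  prefix=${home#"$bucket"}
  prefix=${prefix#/}
  if [ -n "$prefix" ]; then
    list_cond=$(printf ',\n      "Condition": { "StringLike": { "s3:prefix": ["%s", "%s/*"] } }' "$prefix" "$prefix")
    object_arn="arn:aws:s3:::$bucket/$prefix/*"
  else
    list_cond=""
    object_arn="arn:aws:s3:::$bucket/*"
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListHomeDirectory",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::$bucket"$list_cond
    },
    {
      "Sid": "HomeDirectoryObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "$object_arn"
    }
  ]
}
EOF
}

# Usage with the tutorial's placeholders:
#   validate_username sftp_user && check_ssh_public_key "$(cat transfer-key.pub)"
#   session_policy /mybucket/home/sftp_user
```

The policy printed for /mybucket/home/sftp_user allows s3:ListBucket on mybucket only for the home/sftp_user prefix and object reads, writes and deletes only under that prefix; the Restricted setting from step 7 hides the bucket and folder names from the user, while this policy is what stops the IAM role's broader bucket permissions from reaching other users' folders.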

Step 4: Transfer a file using a client

You transfer files over the AWS Transfer Family service by specifying the transfer operation in a client. AWS Transfer Family supports several clients. For details, see Transferring files using a client.

This section contains procedures for using Cyberduck and OpenSSH.

Use Cyberduck

To transfer files over AWS Transfer Family using Cyberduck
  1. Open the Cyberduck client.

  2. Choose Open Connection.

  3. In the Open Connection dialog box, choose SFTP (SSH File Transfer Protocol).

  4. For Server, enter your server endpoint. The server endpoint is shown on the Server details page; see View server details.

  5. For Port number, enter 22 for SFTP.

  6. For Username, enter the name for the user that you created in Managing users.

  7. For SSH Private Key, choose or enter the SSH private key.

  8. Choose Connect.

  9. Perform your file transfer.

    Depending on where your files are, do one of the following:

    • In your local directory (the source), choose the files that you want to transfer, and drag and drop them into the Amazon S3 directory (the target).

    • In the Amazon S3 directory (the source), choose the files that you want to transfer, and drag and drop them into your local directory (the target).

Use OpenSSH

Use the instructions that follow to transfer files from the command line using OpenSSH.


This client works only with an SFTP-enabled server.

To transfer files over AWS Transfer Family using the OpenSSH command line utility
  1. On Linux or Macintosh, open a command terminal.

  2. At the prompt, enter the following command:

    % sftp -i transfer-key sftp_user@service_endpoint

    In the preceding command, sftp_user is the user name and transfer-key is the SSH private key. Here, service_endpoint is the server's endpoint as shown in the AWS Transfer Family console for the selected server.

    An sftp prompt should appear.

  3. (Optional) To view the user's home directory, enter the following command at the sftp prompt:

    sftp> pwd

  4. On the next line, enter the following command:

    sftp> cd /mybucket/home/sftp_user

    In this getting-started exercise, this Amazon S3 bucket is the target of the file transfer.

  5. On the next line, enter the following command:

    sftp> put filename.txt

    The put command transfers the file into the Amazon S3 bucket.

    A message like the following appears, indicating that the file transfer is in progress or complete.

    Uploading filename.txt to /my-bucket/home/sftp_user/filename.txt

    some-file.txt 100% 127 0.1KB/s 00:00
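The following script is an added example, not part of this tutorial and not an OpenSSH or AWS tool. It runs the same cd and put sequence non-interactively from an sftp batch file, so the transfer can be scripted, and it refuses to connect unless the endpoint's host key is already in known_hosts. transfer-key, sftp_user, service_endpoint and /mybucket/home/sftp_user are the tutorial's placeholders.

```shell
#!/bin/sh
# Added example, not part of the AWS tutorial: the cd/put sequence from the
# OpenSSH procedure run non-interactively from a batch file, with the server's
# host key required to be in known_hosts already. transfer-key, sftp_user,
# service_endpoint and /mybucket/home/sftp_user are the tutorial's placeholders.

# write_batch DEST REMOTE_DIR FILE...
# Writes the sftp commands (cd, one put per file, ls -l, bye) to DEST.
write_batch() {
  dest=$1
  remote_dir=$2
  shift 2
  {
    echo "cd $remote_dir"
    for f in "$@"; do
      echo "put $f"
    done
    echo "ls -l"
    echo "bye"
  } > "$dest"
}

# upload KEY USER ENDPOINT REMOTE_DIR FILE...
# Returns sftp's exit status; nonzero if any batch command failed.
upload() {
  key=$1
  user=$2
  endpoint=$3
  remote_dir=$4
  shift 4
  batch=$(mktemp) || return 1
  write_batch "$batch" "$remote_dir" "$@"
  # -b: read commands from the batch file; sftp stops at the first cd, put or
  #     ls that fails, so a missing directory or a denied write is a nonzero exit.
  # -o BatchMode=yes: never prompt for a passphrase or password.
  # -o StrictHostKeyChecking=yes: connect only if the endpoint's host key is
  #     already in known_hosts; an unknown or changed key aborts the connection.
  sftp -i "$key" -o BatchMode=yes -o StrictHostKeyChecking=yes \
       -b "$batch" "$user@$endpoint"
  status=$?
  rm -f "$batch"
  return "$status"
}

# Usage with the tutorial's placeholders (needs a reachable endpoint):
#   upload transfer-key sftp_user service_endpoint /mybucket/home/sftp_user filename.txt
```

Before the first run, add the endpoint's host key to known_hosts only after comparing its fingerprint (ssh-keyscan prints the key, ssh-keygen -lf shows the fingerprint) with one obtained through a channel you trust; accepting an unverified key at the interactive prompt would defeat the StrictHostKeyChecking setting.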