AWS Transfer for SFTP
User Guide

How AWS Transfer for SFTP Works

AWS Transfer for SFTP (AWS SFTP) is a fully managed AWS service that enables you to transfer files over Secure File Transfer Protocol (SFTP), into and out of Amazon S3 buckets. SFTP is also known as Secure Shell (SSH) File Transfer Protocol.

You get started with AWS SFTP by creating an SFTP server and then assigning users to use the server. To service your SFTP users' transfer requests, you create an IAM role to access your S3 bucket.

To use AWS SFTP, you take the following high-level steps:

  1. Create an Amazon S3 bucket, as described in Amazon S3 Bucket Requirements.

  2. Create an IAM role that contains two IAM policies:

    • An IAM policy that includes the permissions to enable AWS SFTP to access your S3 bucket. This IAM policy determines what level of access you provide your SFTP users.

    • An IAM policy to establish a trust relationship with AWS SFTP.

    For more information on IAM policy creation, see Using an IAM Policy to Control Access to AWS SFTP.

  3. (Optional) If you have your own registered domain, associate your registered domain with the SFTP server.

    You can route SFTP traffic to your SFTP server endpoint from a domain, such as, or from a subdomain, such as For more information, see Working with Custom Host Names.

  4. Create an SFTP server and specify the identity provider type used by the service to authenticate your users.

    For more information about identity provider types, see Working with Identity Providers.

  5. If you are working with an SFTP server with a service-managed identity provider, as opposed to a custom identity provider, add one or more users.

  6. Open an SFTP client and configure the connection to use the SFTP endpoint host name for the SFTP server that you want to use. You can get this host name from the AWS SFTP Management Console.

AWS SFTP supports any standard SFTP client. Some commonly used SFTP clients are the following:

  • OpenSSH – A Macintosh and Linux command line utility.

  • WinSCP – A Windows-only graphical client.

  • Cyberduck – A Linux, Macintosh, and Microsoft Windows graphical client.

  • FileZilla – A Linux, Macintosh, and Windows graphical client.