AWS Transfer for SFTP
User Guide

How AWS Transfer for SFTP Works

AWS Transfer for SFTP is a fully managed SFTP service hosted in AWS that enables customers to transfer files over SFTP (SSH File Transfer Protocol), into and out of Amazon S3 buckets. You get started by creating an SFTP server and then assigning users to use the server. You create an AWS IAM Role to access your S3 bucket to service your SFTP user's transfer requests.

The workflow to set up the AWS SFTP service involves

  1. Create an S3 bucket, as described in the topic Amazon S3 Requirements.

  2. Create an IAM role containing the policy with permissions to enable the service to access your Amazon S3 bucket.

    This policy will determine what level of access you want to provide your SFTP users. The role should also contain a policy to establish a trust relationship with the service. For more information on policy creation see Creating IAM Policies for AWS SFTP.

  3. Associate your registered domain with the SFTP server.

    You can route SFTP traffic from a domain such as, or from a a subdomain such as to the SFTP server endpoint. See Working with Custom Host Names for more details.

  4. In the AWS Transfer for SFTP console, create an SFTP server and specify the identity provider type used by the service to authenticate your users.

    For more information about identity provider types see Working with Identity Providers

  5. Add a user to the SFTP server. (For Service Managed SFTP servers only.)

  6. Open an SFTP client and configure the connection to use the SFTP endpoint hostname shown in the console for the SFTP server you wish to use.

Any standard SFTP client is supported. Examples of commonly used SFTP clients are:

  • OpenSSH – A Macintosh and Linux command line utility.

  • WinSCP – A Windows-only graphical client.

  • Cyberduck – A Linux, Macintosh, and Microsoft Windows graphical client.

  • FileZilla – A Linux, Macintosh, and Windows graphical client.