Configuring an SFTP, FTPS, or FTP server endpoint
This topic provides details for creating and using AWS Transfer Family server endpoints that use one or more of the SFTP, FTPS, and FTP protocols.
Identity provider options
AWS Transfer Family provides several methods for authenticating and managing users. The following table compares the available identity providers that you can use with Transfer Family.
Action | AWS Transfer Family service managed | AWS Managed Microsoft AD | Amazon API Gateway | AWS Lambda |
---|---|---|---|---|
Supported protocols | SFTP | SFTP, FTPS, FTP | SFTP, FTPS, FTP | SFTP, FTPS, FTP |
Key-based authentication | Yes | No | Yes | Yes |
Password authentication | No | Yes | Yes | Yes |
AWS Identity and Access Management (IAM) and POSIX | Yes | Yes | Yes | Yes |
Logical home directory | Yes | Yes | Yes | Yes |
Parameterized access (username-based) | Yes | Yes | Yes | Yes |
Ad hoc access structure | Yes | No | Yes | Yes |
AWS WAF | No | No | Yes | No |
Notes:
- IAM is used to control access for Amazon S3 backing storage, and POSIX is used for Amazon EFS.
- Ad hoc refers to the ability to send the user profile at runtime. For example, you can land users in their home directories by passing the username as a variable.
- For details about AWS WAF, see Add a web application firewall.
- There is a blog post that describes using a Lambda function integrated with Microsoft Entra ID (formerly Azure AD) as your Transfer Family identity provider. For details, see Authenticating to AWS Transfer Family with Azure Active Directory and AWS Lambda.
- We provide several AWS CloudFormation templates to help you quickly deploy a Transfer Family server that uses a custom identity provider. For details, see Lambda function templates.
In the following procedures, you can create an SFTP-enabled server, FTPS-enabled server, FTP-enabled server, or AS2-enabled server.
AWS Transfer Family endpoint type matrix
When you create a Transfer Family server, you choose the type of endpoint to use. The following table describes characteristics for each type of endpoint.
Characteristic | Public | VPC - Internet | VPC - Internal | VPC_Endpoint (deprecated) |
---|---|---|---|---|
Supported protocols | SFTP | SFTP, FTPS, AS2 | SFTP, FTP, FTPS, AS2 | SFTP |
Access | From over the internet. This endpoint type doesn't require any special configuration in your VPC. | Over the internet and from within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN. | From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN. | From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN. |
Static IP address | You can't attach a static IP address. AWS provides IP addresses that are subject to change. | You can attach Elastic IP addresses to the endpoint. These can be AWS-owned IP addresses or your own IP addresses (Bring your own IP addresses). Elastic IP addresses attached to the endpoint don't change. Private IP addresses attached to the server also don't change. | Private IP addresses attached to the endpoint don't change. | Private IP addresses attached to the endpoint don't change. |
Source IP allow list | This endpoint type does not support allow lists by source IP addresses. The endpoint is publicly accessible and listens for traffic over port 22. Note: For VPC-hosted endpoints, SFTP Transfer Family servers can operate over port 22 (the default), 2222, 2223, or 22000. | To allow access by source IP address, you can use security groups attached to the server endpoints and network access control lists (network ACLs) attached to the subnet that the endpoint is in. | To allow access by source IP address, you can use security groups attached to the server endpoints and network ACLs attached to the subnet that the endpoint is in. | To allow access by source IP address, you can use security groups attached to the server endpoints and network ACLs attached to the subnet that the endpoint is in. |
Client firewall allow list | You must allow the DNS name of the server. Because IP addresses are subject to change, avoid using IP addresses for your client firewall allow list. | You can allow the DNS name of the server or the Elastic IP addresses attached to the server. | You can allow the private IP addresses or the DNS name of the endpoints. | You can allow the private IP addresses or the DNS name of the endpoints. |
Note
The VPC_ENDPOINT endpoint type is now deprecated and cannot be used to create new servers. Instead of using EndpointType=VPC_ENDPOINT, use the new VPC endpoint type (EndpointType=VPC), which you can use as either Internal or Internet Facing, as described in the preceding table. For details, see Discontinuing the use of VPC_ENDPOINT.
Consider the following options to increase the security posture of your AWS Transfer Family server:
- Use a VPC endpoint with internal access, so that the server is accessible only to clients within your VPC or VPC-connected environments such as an on-premises data center over AWS Direct Connect or VPN.
- To allow clients to access the endpoint over the internet and protect your server, use a VPC endpoint with internet-facing access. Then, modify the VPC's security groups to allow traffic only from certain IP addresses that host your users' clients.
- If you require password-based authentication and you use a custom identity provider with your server, it's a best practice that your password policy prevents users from creating weak passwords and limits the number of failed login attempts.
  AWS Transfer Family is a managed service, and so it doesn't provide shell access. You cannot directly access the underlying SFTP server to run OS native commands on Transfer Family servers.
- Use a Network Load Balancer in front of a VPC endpoint with internal access. Change the listener port on the load balancer from port 22 to a different port. This can reduce, but not eliminate, the risk of port scanners and bots probing your server, because port 22 is most commonly used for scanning. For details, see the blog post Network Load Balancers now support Security groups.
  Note
  If you use a Network Load Balancer, the AWS Transfer Family CloudWatch logs show the IP address for the NLB, rather than the actual client IP address.
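As an added example (not code from the AWS documentation or the Lambda function templates), a minimal custom identity provider Lambda handler in Python that applies the password policy and failed-attempt limit from the last bullet and lands each user in a per-username logical home directory, the parameterized access described in the notes under the identity provider table. The role ARN, bucket name, user store and in-memory failure counter are assumptions; a real handler would persist the counter outside the Lambda execution environment.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed stand-in for a credential store; a real deployment would keep this in
# Secrets Manager or a database. Passwords exist only as salted PBKDF2 hashes.
USERS: dict = {}
ROLE_ARN = "arn:aws:iam::123456789012:role/TransferUserRole"  # placeholder ARN
BUCKET = "example-transfer-bucket"                             # placeholder bucket
MAX_FAILURES, LOCKOUT_SECONDS = 5, 900
_failures: dict = {}  # username -> (consecutive failures, time of last failure)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_is_strong(pw: str) -> bool:
    """Policy: at least 12 characters with upper, lower, digit and symbol classes."""
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return len(pw) >= 12 and all(any(f(c) for c in pw) for f in classes)

def register_user(name: str, password: str) -> None:
    """Reject weak passwords at enrolment so they never reach the store."""
    if not password_is_strong(password):
        raise ValueError("password does not meet the policy")
    salt = os.urandom(16)
    USERS[name] = (salt, _hash(password, salt))

def lambda_handler(event: dict, context=None) -> dict:
    """Custom identity provider handler. Transfer Family sends username, password,
    protocol, serverId and sourceIp; an empty response denies the login."""
    user, pw, now = event.get("username", ""), event.get("password", ""), time.time()
    count, last = _failures.get(user, (0, 0.0))
    if count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS:
        return {}  # still locked out after too many consecutive failures
    salt, stored = USERS.get(user, (b"\0" * 16, b"\0" * 32))
    # Always run the hash so unknown users cost the same time as wrong passwords.
    if not pw or user not in USERS or not hmac.compare_digest(stored, _hash(pw, salt)):
        _failures[user] = (count + 1, now)
        return {}
    _failures.pop(user, None)
    # Parameterized access: the username selects the logical home directory.
    mapping = [{"Entry": "/", "Target": f"/{BUCKET}/{user}"}]
    return {"Role": ROLE_ARN, "HomeDirectoryType": "LOGICAL",
            "HomeDirectoryDetails": json.dumps(mapping)}

register_user("alice", "Correct-Horse-Battery-9")  # constructed demo account
```

Key-based logins would return a `PublicKeys` list instead of checking a password; the lockout logic applies in the same place.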