Configuring an SFTP, FTPS, or FTP server endpoint - AWS Transfer Family

This topic provides details for creating and using AWS Transfer Family server endpoints that use one or more of the SFTP, FTPS, and FTP protocols.

Identity provider options

AWS Transfer Family provides several methods for authenticating and managing users. The following table compares the available identity providers that you can use with Transfer Family.

Action                                  Service managed   AWS Managed Microsoft AD   Amazon API Gateway   AWS Lambda
Supported protocols                     SFTP              SFTP, FTPS, FTP            SFTP, FTPS, FTP      SFTP, FTPS, FTP
Key-based authentication                Yes               No                         Yes                  Yes
Password authentication                 No                Yes                        Yes                  Yes
IAM and POSIX                           Yes               Yes                        Yes                  Yes
Logical home directory                  Yes               Yes                        Yes                  Yes
Parameterized access (username-based)   Yes               Yes                        Yes                  Yes
Ad hoc access structure                 Yes               No                         Yes                  Yes
AWS WAF                                 No                No                         Yes                  No

Notes:

  • IAM (AWS Identity and Access Management) is used to control access for Amazon S3 backing storage, and POSIX profiles are used for Amazon EFS.

  • Ad hoc refers to the ability to send the user profile at runtime. For example, you can land users in their home directories by passing the username as a variable.

  • For details about AWS WAF, see Add a web application firewall.

  • There is a blog post that describes using a Lambda function integrated with Microsoft Entra ID (formerly Azure AD) as your Transfer Family identity provider. For details, see Authenticating to AWS Transfer Family with Azure Active Directory and AWS Lambda.

  • We provide several AWS CloudFormation templates to help you quickly deploy a Transfer Family server that uses a custom identity provider. For details, see Lambda function templates.
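The following is an added example, not AWS's code and not one of the CloudFormation templates mentioned above, of what a Lambda identity provider from the table looks like in practice: it supports both password and key-based authentication, checks the caller's source IP, hands back a logical home directory parameterized on the username (the "ad hoc" case from the notes) together with a session policy that pins the user to that prefix, and counts failed password attempts so an account locks after MAX_FAILURES. The event fields (username, password, protocol, serverId, sourceIp) and response fields (Role, HomeDirectoryType, HomeDirectoryDetails, Policy, PublicKeys) are the documented Lambda identity provider contract; the user store, the salt, the role ARN, the bucket name and the in-memory failure counter are constructed for the example.

```python
"""Custom identity provider for AWS Transfer Family as an AWS Lambda function.

Added example, not AWS's code. The event keys (username, password, protocol,
serverId, sourceIp) and the response keys (Role, HomeDirectoryType,
HomeDirectoryDetails, Policy, PublicKeys) are the documented Lambda IdP
contract; the user store, salt, role ARN and bucket name are constructed.
"""
import hashlib
import hmac
import ipaddress
import json
import re

USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,63}$")  # deliberately stricter than the service's own limit
MAX_FAILURES = 5
ROLE_ARN = "arn:aws:iam::123456789012:role/transfer-user-role"  # assumed IAM role granting S3 access
BUCKET = "example-transfer-bucket"                                # assumed backing bucket


def hash_password(password: str, salt: bytes) -> bytes:
    """scrypt via hashlib; parameters kept small so the example runs quickly."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


_SALT = b"constructed-salt"  # one random salt per user in a real store
USERS = {  # constructed; a real deployment reads this from Secrets Manager or DynamoDB
    "alice": {
        "password_hash": hash_password("correct horse battery staple", _SALT),
        "public_keys": [],
        "allowed_cidrs": ["203.0.113.0/24"],  # TEST-NET-3, constructed
    },
    "bob": {
        "password_hash": None,  # key-only user
        "public_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForIllustrationOnly"],
        "allowed_cidrs": ["10.0.0.0/8"],
    },
}
_failures: dict = {}  # lockout counter; in memory here, DynamoDB in production (assumption)


def user_profile(username: str) -> dict:
    """Logical home directory plus a session policy that pins the user to its own prefix."""
    prefix = f"home/{username}"
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*", prefix]}}},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/{prefix}/*"},
        ],
    }
    return {
        "Role": ROLE_ARN,
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryDetails": json.dumps([{"Entry": "/", "Target": f"/{BUCKET}/{prefix}"}]),
        "Policy": json.dumps(policy),
    }


def authenticate(event: dict, users: dict = USERS) -> dict:
    """Return the user's properties, or an empty dict, which Transfer Family treats as a denial."""
    username = event.get("username", "")
    if not USERNAME_RE.match(username) or username not in users:
        return {}  # unknown or malformed name: same answer as a bad password
    user = users[username]
    if _failures.get(username, 0) >= MAX_FAILURES:
        return {}  # locked out
    try:
        src = ipaddress.ip_address(event.get("sourceIp", ""))
    except ValueError:
        return {}
    if not any(src in ipaddress.ip_network(c) for c in user["allowed_cidrs"]):
        return {}
    password = event.get("password")
    if password is None:  # key auth: the event carries no password
        if not user["public_keys"]:
            return {}
        # Transfer Family verifies the client's signature against these keys itself
        return {**user_profile(username), "PublicKeys": user["public_keys"]}
    if user["password_hash"] is None or not hmac.compare_digest(
        hash_password(password, _SALT), user["password_hash"]
    ):
        _failures[username] = _failures.get(username, 0) + 1
        return {}
    _failures.pop(username, None)
    return user_profile(username)


def lambda_handler(event, context):
    return authenticate(event)
```

Two details matter more than they look: an unknown username, a rejected source IP and a wrong password all produce the identical empty response, so the provider does not leak which usernames exist, and the session policy is returned as a string in the Policy field so that a single role can serve every user while each session is scoped to its own prefix.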

In the following procedures, you can create an SFTP-enabled server, FTPS-enabled server, FTP-enabled server, or AS2-enabled server.

AWS Transfer Family endpoint type matrix

When you create a Transfer Family server, you choose the type of endpoint to use. The following table describes characteristics for each type of endpoint.

Endpoint type matrix

Supported protocols

  • Public: SFTP

  • VPC - Internet: SFTP, FTPS, AS2

  • VPC - Internal: SFTP, FTP, FTPS, AS2

  • VPC_Endpoint (deprecated): SFTP

Access

  • Public: From over the internet. This endpoint type doesn't require any special configuration in your VPC.

  • VPC - Internet: Over the internet and from within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.

  • VPC - Internal: From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.

  • VPC_Endpoint (deprecated): From within VPC and VPC-connected environments, such as an on-premises data center over AWS Direct Connect or VPN.

Static IP address

  • Public: You can’t attach a static IP address. AWS provides IP addresses that are subject to change.

  • VPC - Internet: You can attach Elastic IP addresses to the endpoint. These can be AWS-owned IP addresses or your own IP addresses (Bring your own IP addresses). Elastic IP addresses attached to the endpoint don't change. Private IP addresses attached to the server also don't change.

  • VPC - Internal: Private IP addresses attached to the endpoint don't change.

  • VPC_Endpoint (deprecated): Private IP addresses attached to the endpoint don't change.

Source IP allow list

  • Public: This endpoint type does not support allow lists by source IP addresses. The endpoint is publicly accessible and listens for traffic over port 22.

  • VPC - Internet: To allow access by source IP address, you can use security groups attached to the server endpoints and network access control lists (network ACLs) attached to the subnet that the endpoint is in.

  • VPC - Internal: To allow access by source IP address, you can use security groups attached to the server endpoints and network ACLs attached to the subnet that the endpoint is in.

  • VPC_Endpoint (deprecated): To allow access by source IP address, you can use security groups attached to the server endpoints and network ACLs attached to the subnet that the endpoint is in.

Note

For VPC-hosted endpoints, SFTP Transfer Family servers can operate over port 22 (the default), 2222, 2223, or 22000. Any security group or network ACL rule must admit the port the server actually listens on.

Client firewall allow list

  • Public: You must allow the DNS name of the server. Because IP addresses are subject to change, avoid using IP addresses for your client firewall allow list.

  • VPC - Internet: You can allow the DNS name of the server or the Elastic IP addresses attached to the server.

  • VPC - Internal: You can allow the private IP addresses or the DNS name of the endpoints.

  • VPC_Endpoint (deprecated): You can allow the private IP addresses or the DNS name of the endpoints.

Note

The VPC_ENDPOINT endpoint type is now deprecated and cannot be used to create new servers. Instead of using EndpointType=VPC_ENDPOINT, use the new VPC endpoint type (EndpointType=VPC), which you can use as either Internal or Internet Facing, as described in the preceding table. For details, see Discontinuing the use of VPC_ENDPOINT.

Consider the following options to increase the security posture of your AWS Transfer Family server:

  • Use a VPC endpoint with internal access, so that the server is accessible only to clients within your VPC or VPC-connected environments such as an on-premises data center over AWS Direct Connect or VPN.

  • To allow clients to access the endpoint over the internet and still protect your server, use a VPC endpoint with internet-facing access. Then restrict the security groups attached to the endpoint so that they allow traffic only from the IP addresses that host your users' clients.

  • If you require password-based authentication and you use a custom identity provider with your server, it's a best practice that your password policy prevents users from creating weak passwords and limits the number of failed login attempts.

  • AWS Transfer Family is a managed service, and so it doesn't provide shell access. You cannot directly access the underlying SFTP server to run OS native commands on Transfer Family servers.

  • Use a Network Load Balancer in front of a VPC endpoint with internal access. Change the listener port on the load balancer from port 22 to a different port. This can reduce, but not eliminate, the risk of port scanners and bots probing your server, because port 22 is most commonly used for scanning. For details, see the blog post Network Load Balancers now support Security groups.

    Note

    If you use a Network Load Balancer, the AWS Transfer Family CloudWatch logs show the IP address for the NLB, rather than the actual client IP address.
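The following is an added example, not AWS's code, that turns the endpoint type matrix and the first two hardening options above into checked boto3 parameters: a security group ingress rule that admits only the listed client networks on one of the SFTP ports the note allows, and the arguments for transfer.create_server with EndpointType=VPC in either internal or internet-facing mode. The validation encodes what the matrix states (FTP only on internal endpoints, service-managed users only for SFTP, Elastic IPs only on internet-facing endpoints, one allocation per subnet) and refuses a 0.0.0.0/0 rule, which would silently undo the source IP allow list. The VPC, subnet, security group, Elastic IP and Lambda IDs are constructed; the parameter names are the ones boto3's ec2.authorize_security_group_ingress and transfer.create_server accept.

```python
"""Parameter builder for a VPC-hosted Transfer Family server restricted by source IP.

Added example, not AWS's code. It checks the constraints the endpoint type
matrix states before producing the dicts that boto3's
ec2.authorize_security_group_ingress and transfer.create_server accept; the
VPC, subnet, security group, Elastic IP and Lambda IDs used at the bottom are constructed.
"""
import ipaddress

SFTP_PORTS = {22, 2222, 2223, 22000}  # ports a VPC-hosted SFTP server can listen on
PROTOCOLS_BY_MODE = {                  # from the endpoint type matrix
    "internet": {"SFTP", "FTPS", "AS2"},
    "internal": {"SFTP", "FTP", "FTPS", "AS2"},
}


def sftp_ingress_rule(port: int, client_cidrs, description: str = "Transfer Family SFTP clients") -> dict:
    """One IpPermissions entry that admits only the listed client networks on one SFTP port."""
    if port not in SFTP_PORTS:
        raise ValueError(f"port {port} is not one a Transfer Family SFTP server can use")
    v4, v6 = [], []
    for cidr in client_cidrs:
        net = ipaddress.ip_network(cidr)  # strict: rejects 203.0.113.5/24 and other sloppy masks
        if net.prefixlen == 0:
            raise ValueError(f"{net} would admit every address and defeat the allow list")
        (v4 if net.version == 4 else v6).append(net)
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if v4:
        rule["IpRanges"] = [{"CidrIp": str(n), "Description": description} for n in v4]
    if v6:
        rule["Ipv6Ranges"] = [{"CidrIpv6": str(n), "Description": description} for n in v6]
    return rule


def validate_endpoint(mode, protocols, subnet_ids, allocation_ids, identity_provider_type) -> list:
    """Return the matrix rules the requested configuration breaks (an empty list means none)."""
    if mode not in PROTOCOLS_BY_MODE:
        return [f"unknown VPC endpoint mode {mode!r}"]
    problems = []
    unsupported = set(protocols) - PROTOCOLS_BY_MODE[mode]
    if unsupported:
        problems.append(f"{sorted(unsupported)} not supported on a VPC {mode} endpoint")
    if mode == "internet" and len(allocation_ids) != len(subnet_ids):
        problems.append("an internet-facing endpoint needs one Elastic IP allocation per subnet")
    if mode == "internal" and allocation_ids:
        problems.append("an internal endpoint cannot carry Elastic IP allocations")
    if identity_provider_type == "SERVICE_MANAGED" and {"FTP", "FTPS"} & set(protocols):
        problems.append("service-managed users support SFTP only; FTP and FTPS need a custom identity provider")
    return problems


def create_server_params(*, mode, vpc_id, subnet_ids, security_group_ids,
                         protocols=("SFTP",), allocation_ids=(), lambda_idp_arn=None) -> dict:
    """Keyword arguments for transfer.create_server, or ValueError if the matrix says no."""
    idp_type = "AWS_LAMBDA" if lambda_idp_arn else "SERVICE_MANAGED"
    problems = validate_endpoint(mode, protocols, subnet_ids, allocation_ids, idp_type)
    if problems:
        raise ValueError("; ".join(problems))
    details = {"VpcId": vpc_id, "SubnetIds": list(subnet_ids), "SecurityGroupIds": list(security_group_ids)}
    if mode == "internet":
        details["AddressAllocationIds"] = list(allocation_ids)
    params = {"EndpointType": "VPC", "EndpointDetails": details,
              "Protocols": list(protocols), "IdentityProviderType": idp_type}
    if lambda_idp_arn:
        params["IdentityProviderDetails"] = {"Function": lambda_idp_arn}
    return params


if __name__ == "__main__":
    import json
    # Constructed IDs. With boto3 clients these would be sent as:
    #   ec2.authorize_security_group_ingress(GroupId="sg-0123456789abcdef0", IpPermissions=[rule])
    #   transfer.create_server(**params)
    rule = sftp_ingress_rule(2222, ["203.0.113.0/24", "2001:db8::/32"])
    params = create_server_params(mode="internal", vpc_id="vpc-0123456789abcdef0",
                                  subnet_ids=["subnet-0123456789abcdef0"],
                                  security_group_ids=["sg-0123456789abcdef0"],
                                  protocols=["SFTP", "FTP"],
                                  lambda_idp_arn="arn:aws:lambda:us-east-1:123456789012:function:transfer-idp")
    print(json.dumps({"ingress": rule, "create_server": params}, indent=2))
```

The security group rule is only half of the source IP allow list the matrix describes; a network ACL on the endpoint's subnet is the other half and is stateless, so it needs the matching ephemeral-port return rule as well. The port in the ingress rule must be the one the server listens on, and a client firewall on the other side should be pointed at the endpoint's DNS name or, for an internet-facing endpoint, at the Elastic IPs, as the last row of the matrix says.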