Last updated on June 23, 2023
AWS Transfer Family Cheat Sheet
- AWS Transfer Family is a secure transfer service for moving files into and out of AWS storage services, such as Amazon S3 and Amazon EFS.
- With Transfer Family, you do not need to run or maintain any server infrastructure of your own.
- You can provision a Transfer Family server with multiple protocols (SFTP, FTPS, FTP).
Benefits
- Fully managed service and scales in real time.
- You don’t need to modify your applications or run any file transfer protocol infrastructure.
- Supports up to 3 Availability Zones and is backed by an auto scaling, redundant fleet for your connection and transfer requests.
- Integration with S3 and EFS lets you capitalize on their features and functionalities as well.
- Managed File Transfer Workflows (MFTW) is a fully managed, serverless File Transfer Workflow service to set up, run, automate, and monitor processing of files uploaded using Transfer Family.
- Server endpoint types:
- Publicly accessible
- Can be changed to a VPC hosted endpoint. Server must be stopped before making the change.
- VPC hosted
- Can be optionally set as Internet Facing. Take note that only SFTP and FTPS are supported for the VPC hosted endpoint.
- Custom Hostnames
- Your server host name is the hostname that your users enter in their clients when they connect to your server. You can use a custom domain for this. To redirect traffic from your registered custom domain to your server endpoint, you can use Amazon Route 53 or any DNS provider.
How to delegate access
- You first associate your hostname with the server endpoint, then add your users and provision them with the right level of access. A server hostname must be unique in the AWS Region where it’s created.
- Your users’ transfer requests are then serviced directly out of your Transfer Family server endpoint.
- If you have multiple protocols enabled for the same server endpoint and want to provide access using the same user name over multiple protocols, you can do so as long as the credentials specific to the protocol have been set up in your identity provider.
Managing Users
- Supported identity provider types:
- Service managed using SSH keys
- AWS Managed Microsoft AD (does not support Simple AD)
- A custom method via a RESTful interface. The custom identity provider method uses Amazon API Gateway and enables you to integrate your directory service to authenticate and authorize your users. The service automatically assigns an identifier that uniquely identifies your server.
- For service managed identities, each user name must be unique on your server.
- You also specify a user’s home directory, or landing directory, and assign an AWS IAM role to the user.
- Optionally, you can provide a session policy to limit user access only to the home directory of your Amazon S3 bucket.
- The home directory is your S3 bucket or EFS filesystem. If no path is specified, your users are redirected to the root folder.
- Amazon S3 vs Amazon EFS access management
Amazon S3 | Amazon EFS
Supports session policies | Supports POSIX user, group, and secondary group IDs
Both support public/private keys, home directories and logical directories
- Logical directories let you construct a virtual directory structure that uses user-friendly names, so that you avoid disclosing absolute directory paths, Amazon S3 bucket names, and EFS file system names to your end users.
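A worked example of the per-user scoping described above (added here; it is not code from the cheat sheet or from AWS): it builds a session policy with the Transfer Family policy variables ${transfer:HomeBucket}, ${transfer:HomeFolder} and ${transfer:HomeDirectory}, renders it for one user to confirm that another user's prefix falls outside the scope, and builds a logical directory mapping. The bucket name and user names are constructed sample values.

```python
import fnmatch
import json

# Session policy written with the Transfer Family policy variables. It goes in
# the user's Policy field on top of the IAM role, so one role can be shared
# while each session is confined to that user's own home folder.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {"StringLike": {"s3:prefix": [
                "${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}},
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                       "s3:GetObjectVersion"],
            "Resource": ["arn:aws:s3:::${transfer:HomeDirectory}/*"],
        },
    ],
}

def render_policy(bucket: str, home_folder: str) -> dict:
    """Substitute the transfer:* variables as the service does at session time.
    home_folder is the key prefix after the bucket name, e.g. "home/alice"."""
    text = json.dumps(SESSION_POLICY)
    text = text.replace("${transfer:HomeBucket}", bucket)
    text = text.replace("${transfer:HomeFolder}", home_folder)
    text = text.replace("${transfer:HomeDirectory}", f"{bucket}/{home_folder}")
    return json.loads(text)

def object_allowed(rendered: dict, bucket: str, key: str) -> bool:
    """True if an Allow statement granting s3:GetObject covers the object ARN."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return any(stmt["Effect"] == "Allow" and "s3:GetObject" in stmt["Action"]
               and any(fnmatch.fnmatchcase(arn, r) for r in stmt["Resource"])
               for stmt in rendered["Statement"])

def logical_mapping(bucket: str, username: str) -> list:
    """HomeDirectoryMappings entry (HomeDirectoryType LOGICAL): the user sees
    "/" and never learns the bucket name or absolute prefix behind it."""
    return [{"Entry": "/", "Target": f"/{bucket}/home/{username}"}]
```

Constructed sample check: rendered for alice, the policy covers home/alice/report.csv but not home/bob/report.csv in the same bucket.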
AWS Transfer Family Pricing
- You are billed on an hourly basis for each of the protocols enabled, from the time you create and configure your server endpoint, until the time you delete it.
- You are also billed based on the amount of data uploaded and downloaded over SFTP, FTPS, or FTP.
- There is no additional charge for using managed workflows.
Pricing table (per-protocol rates): AWS Transfer for SFTP | AWS Transfer for FTPS | AWS Transfer for FTP
AWS Transfer Family Cheat Sheet References:
https://docs.aws.amazon.com/transfer/latest/userguide/what-is-aws-transfer-family.html
https://aws.amazon.com/aws-transfer-family/faqs/