What is AWS Transfer Family?
AWS Transfer Family is a managed Secure File Transfer Protocol (SFTP) service provided by AWS. It delivers the full functionality of a traditional SFTP server while relieving administrators of the burden of operational management. When Transfer Family was first launched, it was a basic managed service offering only SFTP capabilities. However, AWS has recently introduced a range of powerful new features that significantly enhance its capabilities. In this blog, we’ll explore the service’s features and use cases in detail.
AWS Transfer Family Features
In this blog, let’s cover the below listed AWS Transfer Family features in detail.
- Public vs Private
- Protocols
- Storage
- Identity Providers
- Workflow
- SFTP Connector
- WebApp
- Observability
- Security
Public vs Private
There are a few deployment options for setting up AWS Transfer Family:
- Publicly Hosted: The Transfer Family instance is hosted in an AWS-owned VPC, and its endpoint is publicly accessible. However, administrators have limited control over access restrictions at the network level.
- VPC Hosted: In this configuration, the Transfer Family’s network interface is placed directly into the customer’s VPC. This gives administrators greater control over network settings such as IP address ranges, subnets, route tables, NACLs, security groups, and internet gateways. VPC Hosted deployments have two subtypes:
  - Internet-facing: The service is accessible over the internet, but access can be restricted to specific IP addresses.
  - Internal: The service is not accessible from the internet and is only reachable by resources within the VPC.
The choice between a publicly hosted or VPC-hosted setup depends on the specific use case and data access requirements.
Protocols
AWS Transfer Family supports multiple file transfer protocols, and you can enable one or more protocols for each Transfer Family instance. The supported protocols include:
- SFTP (Secure Shell File Transfer Protocol): Enables file transfers over SSH using standard SFTP commands. It ensures secure, encrypted communication during transfer.
- AS2 (Applicability Statement 2): A specialised protocol used for transferring structured business-to-business data. Commonly adopted in industries like retail, logistics and healthcare, AS2 ensures secure file transmission using encryption, digital signatures and signed receipts. Public certificates are exchanged between AS2 servers, along with AS2 URLs, to enable file transfers and receive confirmation receipts.
- FTP (File Transfer Protocol): A traditional protocol for file transfers, but it transmits data in plaintext, offering no encryption during transit.
- FTPS (FTP Secure): Enhances FTP by adding TLS encryption. Files are securely transmitted using TLS certificates to protect data during transfer.
Storage
AWS Transfer Family supports Amazon S3 and Amazon EFS as backend storage. Access to Amazon S3 is controlled with IAM, while Amazon EFS uses POSIX user, group and permission settings.
Identity Providers
AWS Transfer Family supports a variety of identity providers, which are categorised as follows:
- Self-Managed: Usernames and their corresponding public SSH keys are stored directly within AWS Transfer Family. External systems authenticate by using the associated private key. Each user is linked to an IAM role that defines their access permissions and a default landing directory.
- AWS Managed Directory: While Simple AD is not supported, AWS Transfer Family can authenticate users via AWS Directory Service for Microsoft Active Directory. Using AWS Managed Microsoft AD, you can securely grant SFTP, FTPS and FTP access to users and groups for data stored in Amazon S3 or Amazon EFS.
- Custom Identity Providers: You can integrate AWS Transfer Family with external identity providers using AWS Lambda or Amazon API Gateway. This includes third-party systems like Entra ID or AWS services such as Secrets Manager or Cognito (typically with DynamoDB to manage user entitlements).
Below are some architectural examples demonstrating how different identity providers can be used to store and manage user credentials for authentication.
Example of a custom identity provider using AWS Lambda:
Example of a custom identity provider using API Gateway and AWS Secrets Manager:
Example of a custom identity provider using Entra ID:
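The Lambda-backed custom identity provider path described above, written out as an added example (this is not code from the original post or from AWS). It assumes the Lambda event and response shape that Transfer Family documents for custom identity providers (an event carrying `username`, `password`, `protocol`, `serverId` and `sourceIp`; a response carrying `Role`, `HomeDirectory`, an optional session `Policy` and, for key logins, `PublicKeys`; an empty response meaning "authentication failed"). The user store, role ARN, bucket name and CIDR ranges are constructed placeholders, and the IP ranges are the RFC 5737 documentation ranges.

```python
"""Custom identity provider for AWS Transfer Family as a Lambda handler (added example)."""
import hashlib
import hmac
import ipaddress
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/transfer-family-user-role"  # placeholder
BUCKET = "example-transfer-bucket"  # placeholder
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """PBKDF2-SHA256, hex encoded; the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


# Constructed user store. In production this lives in Secrets Manager or DynamoDB with
# the hashes precomputed; they are derived here only so the sample runs offline.
USERS = {
    "alice": {  # password login, allowed only from one partner range (TEST-NET-3)
        "salt": b"constructed-salt-alice",
        "password_hash": hash_password("correct horse battery staple", b"constructed-salt-alice"),
        "public_keys": [],
        "allowed_cidrs": ["203.0.113.0/24"],
        "protocols": {"SFTP"},
    },
    "bob": {  # SSH-key login; Transfer Family checks the client key against PublicKeys
        "salt": None,
        "password_hash": None,
        "public_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY bob@example"],
        "allowed_cidrs": ["198.51.100.0/24"],
        "protocols": {"SFTP"},
    },
}


def source_ip_allowed(source_ip, cidrs):
    """Per-user network check inside the IdP, on top of security groups on the endpoint."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def session_policy(username):
    """Scoped-down session policy: the role may span the bucket, the session may not.

    Transfer Family intersects this policy with the role, so each user can only
    list and touch objects under home/<username>/.
    """
    prefix = f"home/{username}"
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOwnHome", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}}},
            {"Sid": "ReadWriteOwnHome", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/{prefix}/*"},
        ],
    })


def grant(username):
    return {"Role": ROLE_ARN, "HomeDirectory": f"/{BUCKET}/home/{username}",
            "Policy": session_policy(username)}


def lambda_handler(event, context=None):
    username = event.get("username", "")
    user = USERS.get(username)
    # Unknown user, protocol not enabled for the user, wrong network, bad password:
    # every failure returns the same empty dict, so the client learns nothing about why.
    if user is None or event.get("protocol") not in user["protocols"]:
        return {}
    if not source_ip_allowed(event.get("sourceIp", ""), user["allowed_cidrs"]):
        return {}
    password = event.get("password", "")
    if password:
        if user["password_hash"] is None:
            return {}
        candidate = hash_password(password, user["salt"])
        if not hmac.compare_digest(candidate, user["password_hash"]):
            return {}
        return grant(username)
    # Empty password is the SSH-key flow: hand back the registered keys and let the
    # server perform the signature check; a user without keys cannot log in this way.
    if not user["public_keys"]:
        return {}
    response = grant(username)
    response["PublicKeys"] = user["public_keys"]
    return response
```

The session policy is where the least-privilege point from the Security section is applied in practice: the role attached to the user can be broad and shared, while every session is confined to the caller's own prefix. Wiring the function to the server is done when the server is created with a Lambda identity provider; the handler itself stays free of SDK calls so the decision logic can be unit-tested on its own.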
Workflow
In AWS Transfer Family, a workflow enables you to perform a series of actions in a defined sequence. These actions can include operations such as copy, tag, delete, decrypt, or any custom file processing using AWS Lambda. Workflows also support exception handling – if the main (nominal) workflow fails, an exception workflow can be triggered to handle errors gracefully.
You can attach a workflow to a Transfer Family server, ensuring that all inbound files are automatically processed through the configured workflow. For example, you can set up a workflow to decrypt PGP-encrypted files received from a source system and then store the decrypted files in a specified destination directory.
SFTP Connectors
AWS Transfer Family natively provides a managed SFTP service that allows external systems to securely push or pull files after proper authentication and authorization. With the introduction of AWS Transfer Family SFTP Connectors, the service now also supports Managed File Transfers (MFT) by enabling Transfer Family to initiate connections to external SFTP servers to push or pull data.
Managed File Transfer (MFT) offers a secure, reliable, and automated method for transferring data between systems, both within and outside an organisation.
Web Apps
AWS Transfer Family WebApps is a significant step toward eliminating the need for third-party tools such as FileZilla, CyberDuck, or WinSCP for uploading and downloading files to an SFTP server. It also serves as a replacement for tools like S3 Browser or BucketAnywhere, providing a seamless interface for transferring files to and from Amazon S3.
WebApps offers a fully managed, browser-based UI integrated with AWS Transfer Family. It allows users to upload, move, delete, or download files based on their access permissions. WebApps can also be integrated with IAM Identity Center, simplifying user management and access control.
Observability
Since AWS Transfer Family is a fully managed service, scaling, both up and down, is automatically handled by AWS. This eliminates the need for administrators to monitor CPU or memory usage or configure custom autoscaling policies.
Also, like most AWS services, AWS Transfer Family and its components can be integrated with Amazon CloudWatch for detailed logging, monitoring and alerting. The service also provides built-in dashboards to track metrics such as the number and volume of files transferred in and out.
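One thing the CloudWatch integration mentioned above is typically used for on an internet-facing SFTP endpoint is spotting authentication-failure bursts. The detector below is an added example, not code from the original post or from AWS. Its input is a set of constructed JSON log lines with a simplified schema (`timestamp`, `event`, `user`, `source_ip`); Transfer Family's own structured log fields differ, so the field names would need to be mapped before reuse. The same two rules can be expressed as CloudWatch metric filters with alarms, or run as a Lambda subscribed to the server's log group.

```python
"""Detect authentication-failure patterns in Transfer Family server logs (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source cycling through usernames (a password spray),
# one user failing from several addresses (credential stuffing) and a genuine success.
SAMPLE_LOG = """\
{"timestamp": "2024-05-01T10:00:00Z", "event": "AUTH_FAILURE", "user": "alice", "source_ip": "203.0.113.10"}
{"timestamp": "2024-05-01T10:00:05Z", "event": "AUTH_FAILURE", "user": "bob", "source_ip": "203.0.113.10"}
{"timestamp": "2024-05-01T10:00:10Z", "event": "AUTH_FAILURE", "user": "carol", "source_ip": "203.0.113.10"}
{"timestamp": "2024-05-01T10:00:15Z", "event": "AUTH_FAILURE", "user": "dave", "source_ip": "203.0.113.10"}
{"timestamp": "2024-05-01T10:00:20Z", "event": "AUTH_FAILURE", "user": "erin", "source_ip": "203.0.113.10"}
{"timestamp": "2024-05-01T10:00:25Z", "event": "AUTH_FAILURE", "user": "frank", "source_ip": "203.0.113.10"}
{"timestamp": "2024-05-01T10:00:30Z", "event": "AUTH_SUCCESS", "user": "alice", "source_ip": "198.51.100.5"}
{"timestamp": "2024-05-01T10:05:00Z", "event": "AUTH_FAILURE", "user": "alice", "source_ip": "198.51.100.5"}
{"timestamp": "2024-05-01T10:09:00Z", "event": "AUTH_FAILURE", "user": "alice", "source_ip": "192.0.2.7"}
"""


def parse_records(text):
    """Yield records in log order with a parsed datetime under "ts"; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue  # a malformed line must not stop the detector
        yield rec


def failure_bursts(text, threshold=5, window=timedelta(minutes=1)):
    """Source IPs with at least `threshold` AUTH_FAILUREs inside a sliding time window.

    Returns {source_ip: timestamp of the failure that crossed the threshold}; one
    alert per source so a long spray does not flood the on-call channel.
    """
    recent = defaultdict(deque)
    alerts = {}
    for rec in parse_records(text):
        if rec["event"] != "AUTH_FAILURE":
            continue
        q = recent[rec["source_ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and rec["source_ip"] not in alerts:
            alerts[rec["source_ip"]] = rec["timestamp"]
    return alerts


def users_failing_from_many_ips(text, min_ips=3):
    """Usernames whose failures arrive from at least `min_ips` distinct addresses."""
    ips = defaultdict(set)
    for rec in parse_records(text):
        if rec["event"] == "AUTH_FAILURE":
            ips[rec["user"]].add(rec["source_ip"])
    return {user: len(addrs) for user, addrs in ips.items() if len(addrs) >= min_ips}


if __name__ == "__main__":
    print("bursts by source:", failure_bursts(SAMPLE_LOG))
    print("users hit from many sources:", users_failing_from_many_ips(SAMPLE_LOG))
```

The two rules complement each other: the per-source window catches a single address working through a user list, while the per-user count catches a distributed attempt against one account that never trips the per-source threshold. On a VPC-hosted, internet-facing endpoint, the alerting output is what drives the IP-based restriction the Public vs Private section mentions.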
Security
All components of AWS Transfer Family, including storage, workflows, user accounts, SFTP connectors and WebApps, require IAM roles for operation. By following the principle of least privilege, you can minimise the blast radius and enhance security. The IAM roles provide temporary credentials to access other AWS resources, adding an additional layer of protection.
AWS Transfer Family also integrates with:
- AWS Secrets Manager for securely storing sensitive credentials.
- AWS WAF to safeguard against web-based attacks.
- Amazon CloudWatch and AWS CloudTrail for monitoring, logging and auditing.
- AWS Key Management Service (KMS) for encryption at rest, and TLS certificates for encryption in transit.
Where does it fit?
In large enterprises, it’s common to use highly provisioned staging servers as intermediaries for file transfers, either between internal systems, external systems or partner networks. These are typically categorised as:
- Internal Staging Servers – for transfers within the organisation
- External Staging Servers – for communication with external systems
- Partner Staging Servers – for exchanging data with business partners
These servers often require high-spec configurations to handle large volumes of parallel file transfers. They must also be regularly patched, monitored, and maintained to meet security and compliance standards like PCI, including frequent credential rotation.
AWS Transfer Family can serve as a modern, fully managed alternative to these staging servers. It eliminates the need for manual patching and reboots, supports infrastructure-as-code for maintainability and separates credential storage from the file transfer environment, enhancing security and simplifying operations.
How to migrate from existing SFTP servers to AWS Transfer Family?
The process is straightforward:
- Provision a new AWS Transfer Family service.
- Migrate users in batches from the existing staging servers with their landing directories.
- Use infrastructure-as-code to create all necessary services and user credentials, ensuring that everything is managed consistently.
- If required, set up automatic credential rotation policies and corresponding notifications using AWS Lambda to meet strict security and compliance requirements.
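The credential-rotation step above, as an added example of the decision logic such a scheduled Lambda would run (this is not code from the original post or from AWS). The user inventory is a constructed list; in a deployment it would be read from the server's user records or from the identity store, and the revoke and notify actions would call the Transfer Family ImportSshPublicKey and DeleteSshPublicKey APIs and SNS. Those calls are left out so the rotation logic runs offline and can be tested on its own; the 90-day limit and 14-day warning period are placeholder values.

```python
"""Credential-rotation planner for Transfer Family users (added example)."""
from datetime import date

MAX_KEY_AGE_DAYS = 90   # placeholder compliance limit
WARN_BEFORE_DAYS = 14   # notify the owner this many days before the limit

# Constructed inventory: one credential per entry, creation date in ISO format.
INVENTORY = [
    {"user": "alice", "key_id": "key-0001", "created": "2024-01-10", "owner": "alice@example.com"},
    {"user": "bob", "key_id": "key-0002", "created": "2024-03-20", "owner": "bob@example.com"},
    {"user": "carol", "key_id": "key-0003", "created": "2024-04-01", "owner": "carol@example.com"},
    {"user": "dave", "key_id": "key-0004", "created": "2024-01-20", "owner": "dave@example.com"},
]


def _as_date(value):
    """Accept either an ISO date string or a date object."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def key_age_days(created, today):
    return (_as_date(today) - _as_date(created)).days


def classify(entry, today, max_age=MAX_KEY_AGE_DAYS, warn_before=WARN_BEFORE_DAYS):
    """Return "rotate" (limit reached), "warn" (inside the warning period) or "ok"."""
    age = key_age_days(entry["created"], today)
    if age >= max_age:
        return "rotate"
    if age >= max_age - warn_before:
        return "warn"
    return "ok"


def rotation_plan(inventory, today):
    """Actions a scheduled job would take: revoke expired credentials, warn on expiring ones.

    Each action carries the owner and a ready-to-send message so the notification
    step is data-driven and the same plan can be logged for audit before execution.
    """
    plan = []
    for entry in inventory:
        status = classify(entry, today)
        if status == "ok":
            continue
        days_left = MAX_KEY_AGE_DAYS - key_age_days(entry["created"], today)
        if status == "rotate":
            action, message = "revoke", (
                f"Key {entry['key_id']} for user {entry['user']} exceeded "
                f"{MAX_KEY_AGE_DAYS} days and has been revoked; upload a new key.")
        else:
            action, message = "notify", (
                f"Key {entry['key_id']} for user {entry['user']} expires in "
                f"{days_left} days; rotate it before then.")
        plan.append({"user": entry["user"], "key_id": entry["key_id"], "owner": entry["owner"],
                     "action": action, "days_left": days_left, "message": message})
    return plan


if __name__ == "__main__":
    for item in rotation_plan(INVENTORY, date.today()):
        print(item["action"], item["owner"], item["message"])
```

Because revocation removes access outright, the plan is built first and executed second: a dry run that prints or logs the plan gives an auditable record before any key is deleted, and the warning tier means owners are told before the hard limit rather than after.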
This approach ensures that security standards are maintained while simplifying user management and operational overhead.
Conclusion
In conclusion, AWS Transfer Family can:
- Replace existing complex, expensive SFTP servers and MFT batch workflows with a simple, pay-as-you-go managed service.
- Be deployed and managed using code, reducing operational overhead.
- Automate server and MFT management activities, allowing teams to focus on what matters to end users.
Reach out to Cevo if you want to validate the technical feasibility using POC or swiftly deploy a production grade AWS Transfer Family solution to replace your existing SFTP servers.