SAA-C03 | Chapter 157 of 189 | Objective 3.5

AWS Transfer Family (SFTP/FTP/FTPS)

This chapter covers AWS Transfer Family, a managed service that enables secure file transfers over SFTP, FTP, and FTPS directly into and out of Amazon S3 (or EFS). For the SAA-C03 exam, you need to understand when to use Transfer Family vs. alternatives like AWS Storage Gateway or direct S3 APIs, how to configure endpoints for security and high availability, and how authentication and logging work. Approximately 2-3% of exam questions may touch on Transfer Family, often in the context of hybrid storage or data migration scenarios.

25 min read
Intermediate
Updated May 31, 2026

AWS Transfer Family: The Secure File Transfer Gateway

Think of AWS Transfer Family as a secure, managed loading dock for your AWS warehouse. Your trading partners (suppliers, customers) have their own delivery trucks that speak different languages—some use SFTP, some FTP, some FTPS. Instead of requiring them to learn your internal warehouse logistics (S3 APIs, IAM roles), you build a Transfer Family endpoint—a loading dock that speaks all those protocols. When a partner arrives, they authenticate using their own credentials (SSH keys, passwords, or Microsoft AD). The loading dock then translates their delivery request into AWS-native calls (S3 PUT/GET) and handles the heavy lifting: scaling the dock for peak hours, logging every package, and enforcing security policies. If a partner tries to upload a file larger than allowed, the dock rejects it. If the dock is idle for a while, it can automatically shut down (for managed endpoints) to save costs. From the partner's perspective, they're just using a standard FTP client; from your perspective, files land directly in S3 with full audit trails.

How It Actually Works

What is AWS Transfer Family and Why Does It Exist?

AWS Transfer Family is a fully managed service that provides support for transferring files over SFTP (SSH File Transfer Protocol), FTP (File Transfer Protocol), and FTPS (FTP over SSL/TLS). Its primary purpose is to allow external partners, legacy systems, or on-premises applications to transfer files to and from AWS storage (S3 or EFS) using standard file transfer protocols they already use, without requiring them to adopt AWS-specific APIs or SDKs.

Many enterprises have existing business processes that rely on SFTP/FTP for data exchange with trading partners, supply chain systems, or internal tools. Rewriting these to use S3 APIs is costly and disruptive. Transfer Family bridges the gap by exposing an S3 bucket (or EFS file system) as a traditional file server endpoint. The service handles the protocol translation, authentication, and scaling, while the actual data is stored natively in S3 or EFS.

How It Works Internally

Transfer Family operates by deploying one or more endpoints in your AWS account. Each endpoint is a network interface in a VPC (or internet-facing) that listens for incoming connections on the chosen protocol(s). When a client connects:

1. Authentication: The endpoint authenticates the user. Transfer Family supports three identity providers:

   - Service-managed: You create users directly within Transfer Family, storing SSH public keys or passwords. This is simple but limited to 500 users per server.
   - AWS Directory Service: You integrate with Microsoft Active Directory for existing corporate credentials.
   - Custom identity provider: You provide an HTTP-based API that Transfer Family calls to authenticate users and return their home directory (S3 bucket prefix or EFS path). This allows integration with any identity store (e.g., Okta, LDAP).

2. Authorization and Routing: Once authenticated, the user is mapped to a specific home directory in S3 (using an IAM role) or EFS. The IAM role defines the permissions for that user (read/write, list, etc.). The user's home directory is a prefix within a bucket (e.g., s3://my-bucket/user1/).

3. Protocol Handling: The endpoint speaks the negotiated protocol (SFTP, FTP, or FTPS) and translates each file operation into the corresponding S3 API call. For example, an SFTP PUT becomes a PutObject call. The endpoint handles chunking, retries, and checksums transparently.

4. Logging and Monitoring: All file transfers are logged to Amazon CloudWatch Logs (if enabled). You can also enable AWS CloudTrail to log management events (creating users, modifying endpoints). Metrics like BytesIn, BytesOut, and ActiveUsers are available in CloudWatch.

Key Components, Values, Defaults, and Timers

Server: A Transfer Family server is the logical entity that accepts connections. Each server has one or more endpoints and a set of users. You can create up to 10 servers per account (soft limit).

Endpoint Types:

- Public: Accessible from the internet. The endpoint gets a public DNS name and optional Elastic IP addresses. Use for external partners.
- VPC: Accessible only within your VPC via a private IP. Use for internal transfers (e.g., from on-premises via Direct Connect or VPN).
- VPC with internal DNS: Same as VPC but uses a custom DNS name resolved via Route 53 Resolver.

Protocols: You can enable one or more of SFTP, FTP, FTPS on a single server. Each protocol has its own port:

SFTP: port 22

FTP: port 21 (control), 1024-65535 (data – passive mode)

FTPS: port 990 (implicit FTPS) or port 21 with AUTH TLS (explicit FTPS)

Security Policies: Transfer Family allows you to specify a security policy that defines the allowed ciphers, key exchange algorithms, and MACs for SFTP/FTPS. You can choose from predefined policies (e.g., TransferSecurityPolicy-2020-06) or create a custom one.

Idle Timeout: The default idle timeout for a connection is 120 seconds. If no data is transferred within that time, the connection is closed.

File Size Limits: You can set a MaxFileSize for uploads (in bytes). The default is 0 (no limit).

VPC Endpoint Configuration: For VPC endpoints, you must specify the VPC, subnets (at least two for high availability), and security groups. The endpoint gets an Elastic Network Interface (ENI) in each subnet.

CloudWatch Logging: You can enable logging to a CloudWatch log group. By default, logging is disabled.

Configuration and Verification Commands

To create a server using the AWS CLI (a VPC endpoint type also requires --endpoint-details naming the VPC, at least two subnets, and the security groups; the IDs below are placeholders):

aws transfer create-server \
    --endpoint-type VPC \
    --endpoint-details VpcId=vpc-EXAMPLE,SubnetIds=subnet-EXAMPLE-A,subnet-EXAMPLE-B,SecurityGroupIds=sg-EXAMPLE \
    --identity-provider-type SERVICE_MANAGED \
    --logging-role arn:aws:iam::123456789012:role/TransferLoggingRole \
    --protocols SFTP

To add a user (service-managed):

aws transfer create-user \
    --server-id s-01234567890abcdef \
    --user-name alice \
    --role arn:aws:iam::123456789012:role/TransferUserRole \
    --home-directory /my-bucket/alice-home \
    --ssh-public-key-body "ssh-rsa AAAAB3..."

To test connectivity (from a client):

sftp -i private-key.pem alice@s-01234567890abcdef.server.transfer.us-east-1.amazonaws.com

How It Interacts with Related Technologies

Amazon S3: The primary storage backend. Files are stored as S3 objects. You can enable S3 features like versioning, encryption (SSE-S3, SSE-KMS), and lifecycle policies.

Amazon EFS: Alternative storage backend for file-level access. Useful when you need file locking or POSIX permissions.

AWS IAM: Used for authorization. Each user is assigned an IAM role that defines their S3/EFS permissions. The role is assumed by the service on behalf of the user.

AWS Directory Service: Integrates with Microsoft AD for authentication.

AWS CloudWatch: Logs and metrics for monitoring transfers.

AWS CloudTrail: Audits API calls made to Transfer Family (e.g., create server, delete user).

Amazon Route 53: For custom DNS names on VPC endpoints.

AWS WAF: Can be associated with a public endpoint to filter malicious traffic (though not commonly tested).

Pricing Model

Transfer Family charges based on:

- Provisioned endpoints: Per endpoint per hour (e.g., ~$0.30/hour for a public SFTP endpoint; varies by region).
- Data transferred: Per GB uploaded/downloaded through the endpoint (e.g., ~$0.04/GB).
- Additional features: Elastic IP addresses (standard EC2 charges), CloudWatch logs (standard charges).

There is no charge for the number of users or servers (only endpoints).

High Availability and Scaling

Transfer Family endpoints are highly available within a single region. For VPC endpoints, you must deploy at least two subnets in different Availability Zones. The service automatically scales to handle the number of concurrent connections; you do not need to provision capacity. However, there is a soft limit of 1000 concurrent connections per server (can be increased by request).

Security Considerations

Encryption in transit: SFTP uses SSH, FTPS uses TLS. FTP is unencrypted and should only be used in isolated networks.

Encryption at rest: S3 server-side encryption (SSE-S3 or SSE-KMS) can be enforced via bucket policies.

Network isolation: Use VPC endpoints for internal traffic; restrict security groups to allow only required ports and source IPs.

Authentication: Use SSH keys for SFTP (more secure than passwords). For FTPS, client certificates can be used.

Audit logs: Enable CloudTrail and CloudWatch logs to detect unauthorized access.

Walk-Through

1. Create Transfer Family Server

Define the server with endpoint type (public or VPC), identity provider (service-managed, directory, or custom), protocols (SFTP, FTP, FTPS), and security policy. For VPC endpoints, specify the VPC, subnets (at least two), and security groups. The service provisions an ENI in each subnet. This step sets up the 'loading dock'.

2. Configure Identity Provider

If using service-managed, you will create users with SSH keys or passwords. If using a custom provider, you deploy an HTTP API that Transfer Family calls with the user's credentials and returns a JSON response containing the user's home directory, IAM role, and public keys. This decouples authentication from the service.

3. Create Users and Assign Roles

Each user is mapped to an IAM role that allows access to a specific S3 bucket prefix or EFS path. The role must trust Transfer Family (sts:AssumeRole). The home directory is defined as a path (e.g., /bucket-name/user-prefix). The user's permissions in S3 are controlled by the role's policy.

4. Configure Logging and Monitoring

Enable CloudWatch logging by specifying an IAM role with permissions to create log streams and put log events. All file transfer events (login, upload, download, delete) are logged. You can also enable CloudTrail for management events. Set up CloudWatch alarms for metrics like BytesIn/Out or ActiveUsers.

5. Test File Transfer from Client

Using an SFTP client (e.g., OpenSSH sftp), connect to the server endpoint using the user's credentials. Verify that you can upload, download, list, and delete files in the home directory. Check CloudWatch logs to confirm the transfer was logged. Test with different protocols if enabled.
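Steps 2 and 3 above, as an added example (not code from this chapter or from AWS): a custom identity provider written as a function that a Lambda or HTTP API handler would call, returning the Role, HomeDirectory and PublicKeys the walk-through describes plus a session Policy that narrows the shared role to the caller's own prefix. The user store, the salt/hash scheme, the source-IP allowlist, and the event field names (username, password, sourceIp) are assumptions; the role ARN and bucket reuse the values from the CLI example earlier in the chapter.

```python
import hashlib
import hmac
import ipaddress
import json
import os

BUCKET = "my-bucket"
USER_ROLE = "arn:aws:iam::123456789012:role/TransferUserRole"  # role from the chapter's CLI example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _user_record(password, public_keys, home_prefix, allowed_cidrs):
    salt = os.urandom(16)
    return {"salt": salt, "password_hash": _hash_password(password, salt),
            "public_keys": public_keys, "home_prefix": home_prefix,
            "allowed_cidrs": [ipaddress.ip_network(c) for c in allowed_cidrs]}


# Constructed user store; a real deployment reads this from a directory or secrets store.
USERS = {
    "alice": _user_record("correct horse battery staple",
                          ["ssh-ed25519 AAAA...alice-key-placeholder"],
                          "alice-home", ["203.0.113.0/24"]),
}


def session_policy(bucket: str, prefix: str) -> dict:
    """Session policy that limits the shared role to one user's prefix (list + objects)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListOwnPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}}},
        {"Sid": "ObjectsInOwnPrefix", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"}]}


def authenticate(username: str, password, source_ip: str) -> dict:
    """Return the user's Transfer Family config, or {} to reject the login."""
    user = USERS.get(username)
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return {}
    if user is None or not any(addr in net for net in user["allowed_cidrs"]):
        return {}
    config = {"Role": USER_ROLE,
              "HomeDirectory": f"/{BUCKET}/{user['home_prefix']}",
              "Policy": json.dumps(session_policy(BUCKET, user["home_prefix"]))}
    if password is None:
        # Key-based SFTP login: return the keys; the server verifies the signature itself.
        config["PublicKeys"] = user["public_keys"]
        return config
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["password_hash"]):
        return {}
    return config


def lambda_handler(event, context=None):
    """Entry point for a Lambda-backed provider; the event field names are an assumption."""
    return authenticate(event.get("username", ""), event.get("password"), event.get("sourceIp", ""))
```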

What This Looks Like on the Job

Enterprise Scenario 1: Migrating Legacy EDI to AWS

A large retailer exchanges purchase orders and invoices with thousands of suppliers using SFTP. Their on-premises SFTP server is reaching capacity and requires frequent patching. They migrate to AWS Transfer Family with a public endpoint. Each supplier gets a service-managed user with an SSH key. The home directory is a prefix in an S3 bucket (e.g., s3://retail-edi/supplier123/). An AWS Lambda function is triggered on S3 PUT events to process incoming EDI files and send acknowledgments. The retailer saves on hardware maintenance and gains scalability—the endpoint automatically handles peak loads during month-end. They enable CloudWatch logging for audit compliance. A common pitfall: forgetting to set a bucket policy that denies public access; they use S3 Block Public Access and rely on the IAM role for access.

Enterprise Scenario 2: Secure Internal File Sharing with FTPS

A financial services firm needs to transfer sensitive reports between departments. They use FTPS (FTP over TLS) for compliance, but their internal apps cannot use S3 APIs. They deploy a VPC endpoint for Transfer Family, accessible only within their corporate network via Direct Connect. They integrate with their existing Microsoft Active Directory for authentication (using AWS Directory Service). Each department's files land in a separate S3 bucket prefix, with IAM roles restricting cross-department access. They set a maximum file size of 100 MB to prevent abuse. The security group allows inbound FTPS on port 990 only from internal IP ranges. They monitor CloudWatch logs for failed login attempts. A common mistake: using FTP instead of FTPS over the internet—data is sent in clear text; they ensure FTPS is enforced.
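The failed-login monitoring mentioned in this scenario, as an added example (not code from the chapter): a small parser for the key=value lines Transfer Family writes to CloudWatch Logs, a sliding-window check that flags source IPs with repeated failed logins, and a per-user upload total from CLOSE records for cross-checking against S3. The sample lines are constructed to resemble the service's log shape and are not real server output; the timestamp prefix stands in for the CloudWatch event time.

```python
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real Transfer Family output).
SAMPLE_LOGS = """\
2026-05-31T10:00:01Z alice.1f2e3d CONNECTED SourceIP=203.0.113.5 User=alice HomeDir=/my-bucket/alice-home
2026-05-31T10:00:03Z alice.1f2e3d OPEN Path=/my-bucket/alice-home/report.csv Mode=CREATE|TRUNCATE|WRITE
2026-05-31T10:00:04Z alice.1f2e3d CLOSE Path=/my-bucket/alice-home/report.csv BytesIn=48211
2026-05-31T10:00:05Z alice.1f2e3d DISCONNECTED
2026-05-31T10:01:10Z ERROR Message="Invalid user name or password" User=admin SourceIP=198.51.100.7
2026-05-31T10:01:12Z ERROR Message="Invalid user name or password" User=root SourceIP=198.51.100.7
2026-05-31T10:01:15Z ERROR Message="Invalid user name or password" User=alice SourceIP=198.51.100.7
2026-05-31T10:01:19Z ERROR Message="Invalid user name or password" User=test SourceIP=198.51.100.7
2026-05-31T10:01:25Z ERROR Message="Invalid user name or password" User=backup SourceIP=198.51.100.7
2026-05-31T10:20:00Z ERROR Message="Invalid user name or password" User=alice SourceIP=203.0.113.5
"""


def parse_line(line: str) -> dict:
    """Split one line into ts, session, event and key=value fields (quoted values keep spaces)."""
    tokens = shlex.split(line)
    rec = {"ts": datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ")}
    if tokens[1] == "ERROR":            # server-level errors carry no "user.session" prefix
        rec["session"], rec["event"], rest = None, "ERROR", tokens[2:]
    else:
        rec["session"], rec["event"], rest = tokens[1], tokens[2], tokens[3:]
    for tok in rest:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def failed_login_bursts(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Map source IP -> peak number of failed logins seen inside any `window`, for IPs at/over threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] != "ERROR" or "password" not in rec.get("Message", "").lower():
            continue
        ip = rec.get("SourceIP", "unknown")
        q = recent[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def upload_bytes_per_user(log_text: str) -> dict:
    """Sum BytesIn from CLOSE records, attributing each session to the user from its CONNECTED line."""
    user_of, totals = {}, defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "CONNECTED":
            user_of[rec["session"]] = rec["User"]
        elif rec["event"] == "CLOSE" and "BytesIn" in rec:
            totals[user_of.get(rec["session"], "unknown")] += int(rec["BytesIn"])
    return dict(totals)
```

Feed the same functions the lines returned by a CloudWatch Logs query over the server's log group to turn them into an alarm input.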

Scenario 3: Hybrid Cloud with EFS Backend

A media company uses Transfer Family with Amazon EFS as the storage backend to support file locking and POSIX permissions required by their legacy rendering applications. They have an on-premises NFS server that they want to retire. They create a VPC endpoint and mount the same EFS file system on both Transfer Family and their EC2 rendering farm. Artists upload raw footage via SFTP from remote locations, and rendering jobs access the same files via EFS. They use a custom identity provider to authenticate users against their existing LDAP. The challenge is EFS performance—they need to provision sufficient throughput (e.g., 100 MB/s per TB) to avoid bottlenecks. They also set up lifecycle management to move older files to EFS Infrequent Access.

How SAA-C03 Actually Tests This

What the SAA-C03 Exam Tests

Transfer Family appears in questions related to Objective 3.5: Hybrid Storage and Objective 3.1: Migration. The exam focuses on:

When to use Transfer Family vs. Storage Gateway (File Gateway) or Direct Connect with on-premises SFTP.

Understanding the three identity provider options and their use cases.

Knowing the endpoint types (public, VPC) and when each is appropriate.

Recognizing that Transfer Family is for file transfers using standard protocols, not for block storage or low-latency access.

Pricing model (pay per endpoint-hour + data transfer).

Common Wrong Answers and Why Candidates Choose Them

1. "Use AWS Storage Gateway File Gateway instead" – Candidates confuse Transfer Family (protocol translation for SFTP/FTP) with File Gateway (NFS/SMB). The correct choice depends on the client protocol: if the client speaks SFTP, use Transfer Family; if NFS/SMB, use File Gateway.

2. "Transfer Family can be used for real-time streaming" – No, it is designed for file transfers, not streaming. Candidates see 'transfer' and assume low-latency.

3. "You must use a custom identity provider for more than 500 users" – This is true only for service-managed. You can also use AWS Directory Service (AD) for large numbers without custom code.

4. "FTP is secure because it uses TLS" – FTP without TLS is insecure; FTPS adds TLS. The exam may test that FTP is unencrypted and should only be used in isolated networks.

Specific Numbers and Terms That Appear Verbatim

500 users – limit for service-managed identity provider per server.

10 servers – default limit per account.

120 seconds – idle timeout.

Port 22 (SFTP), 21 (FTP), 990 (implicit FTPS).

Endpoint types: Public, VPC, VPC with internal DNS.

Logging to CloudWatch Logs.

Edge Cases and Exceptions

If you need to transfer files to/from on-premises and your clients cannot use S3 SDK, Transfer Family is ideal.

If you need to preserve file metadata (e.g., timestamps, permissions) for S3, you must use S3 Object Lambda or custom logic; Transfer Family does not preserve all metadata.

For FTPS, implicit FTPS uses port 990; explicit FTPS uses port 21 with AUTH TLS.

You cannot use Transfer Family with S3 Glacier or Glacier Deep Archive directly (objects must be in S3 Standard or IA).

How to Eliminate Wrong Answers

If the question mentions 'SFTP' or 'FTP' and 'S3', it's likely Transfer Family.

If the question mentions 'NFS' or 'SMB', it's Storage Gateway.

If the question mentions 'low-latency' or 'real-time', eliminate Transfer Family.

If the question mentions 'transferring files from on-premises to S3 using existing scripts that use FTP', the answer is Transfer Family.

Key Takeaways

AWS Transfer Family enables SFTP, FTP, and FTPS file transfers directly into Amazon S3 or EFS without needing a gateway appliance.

Three identity provider options: service-managed (up to 500 users), AWS Directory Service, and custom (HTTP API).

Transfer Family endpoints can be public (internet-facing) or VPC (private) for network isolation.

Each user is assigned an IAM role that grants permissions to a specific S3 prefix or EFS path.

Logging is done via Amazon CloudWatch Logs; management events via CloudTrail.

FTP is unencrypted; use SFTP or FTPS for security. FTPS can be implicit (port 990) or explicit (port 21 with AUTH TLS).

Pricing is per endpoint-hour plus data transfer out; no charge for users or servers.

Transfer Family is not for real-time streaming or low-latency access; it is for file transfers.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Transfer Family

Supports SFTP, FTP, FTPS protocols

Translates file transfers to S3/EFS API calls

Priced per endpoint-hour + data transfer

Best for external partners using standard file transfer protocols

No on-premises cache required; files go directly to S3

AWS Storage Gateway File Gateway

Supports NFS and SMB protocols

Caches frequently accessed data on-premises for low-latency access

Priced per gateway + storage usage (cache + S3)

Best for on-premises applications needing file share access to S3

Requires on-premises virtual machine or hardware appliance

Service-Managed Identity Provider

Up to 500 users per server

Simple setup: create users with SSH keys or passwords

No additional infrastructure needed

Limited to static user definitions

Good for small teams or proof-of-concept

Custom Identity Provider

No user limit (scalable)

Requires building and hosting an HTTP API

Supports integration with any identity store (LDAP, Okta, etc.)

Allows dynamic user mapping (e.g., home directory per user)

Best for large enterprises with existing identity systems

Watch Out for These

Mistake: AWS Transfer Family supports only SFTP.

Correct: It also supports FTP and FTPS. You can enable any combination of these protocols on a single server.

Mistake: Transfer Family stores files in its own storage, not S3.

Correct: Transfer Family is a translation layer; files are stored directly in Amazon S3 or EFS. The service does not maintain its own storage.

Mistake: You must use a custom identity provider for more than 500 users.

Correct: You can also use AWS Directory Service (Microsoft AD), which does not have the 500-user limit. The 500-user limit applies only to the service-managed identity provider.

Mistake: FTP is secure because it uses SSH.

Correct: FTP (File Transfer Protocol) is unencrypted. SFTP (SSH File Transfer Protocol) uses SSH for encryption. FTPS uses TLS. Do not confuse FTP with SFTP.

Mistake: Transfer Family endpoints are single-AZ and not highly available.

Correct: VPC endpoints require at least two subnets in different AZs for high availability. Public endpoints are also highly available by default.

Frequently Asked Questions

Can I use AWS Transfer Family with S3 Glacier storage classes?

No, Transfer Family works with S3 Standard, Standard-IA, One Zone-IA, and Intelligent-Tiering. It does not support Glacier or Glacier Deep Archive. If you need to archive files, you can set up an S3 Lifecycle policy to transition objects after they are uploaded.

What is the difference between SFTP and FTPS?

SFTP (SSH File Transfer Protocol) runs over SSH (port 22) and provides encryption, authentication, and data integrity. FTPS (FTP over SSL/TLS) uses FTP with an added TLS layer (port 990 for implicit, or port 21 for explicit). SFTP is often simpler for firewall traversal (single port), while FTPS may be required for legacy compatibility.

How do I restrict a Transfer Family user to a specific folder in S3?

When creating the user, set the `HomeDirectory` to a prefix like `/my-bucket/user-folder`. Then, in the IAM role policy, restrict access to that prefix using an S3 ARN with the prefix condition. The user will only see and access files under that prefix.

Can I use Transfer Family to transfer files to/from on-premises without internet?

Yes, deploy a VPC endpoint and connect your on-premises network via AWS Direct Connect or VPN. The endpoint will have a private IP within your VPC, and traffic stays within AWS and your private network.

What happens if my Transfer Family endpoint is idle?

The endpoint remains provisioned and incurs hourly charges even if idle. For cost savings, you can delete the server when not in use. There is no auto-stop feature for endpoints; you must manually stop or delete them.

Can I use Transfer Family with Amazon EFS?

Yes, Transfer Family supports Amazon EFS as a storage backend. This is useful when you need file-level access with POSIX permissions or file locking. The user's home directory must be an EFS file system path.

How do I audit file transfers in Transfer Family?

Enable CloudWatch logging during server creation. All file transfer events (login, upload, download, delete) are logged to a CloudWatch log group. You can also enable CloudTrail for management API calls like creating users or modifying servers.
