Sunday 20 March 2022

AWS Transfer Family


  • AWS Transfer Family is a secure transfer service for moving files into and out of AWS storage services, such as Amazon S3 and Amazon EFS.
  • With Transfer Family, you do not need to run or maintain any server infrastructure of your own.
  • You can provision a Transfer Family server with multiple protocols (SFTP, FTPS, FTP).

Amazon Transfer Family

Benefits

Fully managed service and scales in real time.

  1. You don’t need to modify your applications or run any file transfer protocol infrastructure.
  2. Supports up to 3 Availability Zones and is backed by an auto scaling, redundant fleet for your connection and transfer requests.
  3. Integration with S3 and EFS lets you capitalize on their features and functionalities as well.
  4. Managed File Transfer Workflows (MFTW) is a fully managed, serverless File Transfer Workflow service to set up, run, automate, and monitor processing of files uploaded using Transfer Family.
  • Server endpoint types:
    1. Publicly accessible
      • Can be changed to a VPC hosted endpoint. Server must be stopped before making the change.
    2. VPC hosted
      • Can be optionally set as Internet Facing. Take note that only SFTP and FTPS are supported for the VPC hosted endpoint.
  • Custom Hostnames
    1. Your server host name is the hostname that your users enter in their clients when they connect to your server. You can use a custom domain for this. To redirect traffic from your registered custom domain to your server endpoint, you can use Amazon Route 53 or any DNS provider.

How to delegate access

  1. You first associate your hostname with the server endpoint, then add your users and provision them with the right level of access. A server hostname must be unique in the AWS Region where it’s created.
  2. Your users’ transfer requests are then serviced directly out of your Transfer Family server endpoint.
  3. If you have multiple protocols enabled for the same server endpoint and want to provide access using the same user name over multiple protocols, you can do so as long as the credentials specific to the protocol have been set up in your identity provider.

Managing Users

  • Supported identity provider types:
    • Service managed using SSH keys
    • AWS Managed Microsoft AD (does not support Simple AD)
    • A custom method via a RESTful interface. The custom identity provider method uses Amazon API Gateway and enables you to integrate your directory service to authenticate and authorize your users. The service automatically assigns an identifier that uniquely identifies your server.
  • For service managed identities, each user name must be unique on your server.
  • You also specify a user’s home directory, or landing directory, and assign an AWS IAM role to the user. 
    • Optionally, you can provide a session policy to limit user access only to the home directory of your Amazon S3 bucket.
    • The home directory is your S3 bucket or EFS filesystem. If no path is specified, your users are redirected to the root folder.
  • Amazon S3 vs Amazon EFS access management:

    Amazon S3                      | Amazon EFS
    -------------------------------|-----------------------------------------------------
    Supports session policies      | Supports POSIX user, group, and secondary group IDs
    Both support public/private keys, home directories and logical directories

  • Logical directories let you construct a virtual directory structure that uses user-friendly names, so that you avoid disclosing absolute directory paths, Amazon S3 bucket names, and EFS file system names to your end users.
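The custom identity provider (RESTful interface via API Gateway), the per-user session policy that confines a session to the home directory, and the logical directory mapping all come together in one response from the identity provider. The following is an added example, not AWS's code or anything from the original post: a password-authenticating handler that returns a scoped session policy and a logical mapping, and refuses the login when the protocol or source address is not on the user's allow list. The request and response field names (username, password, protocol, sourceIp in; Role, Policy, HomeDirectoryType, HomeDirectoryDetails out) follow the documented custom identity provider contract; the user directory, bucket name, role ARN and salt are constructed placeholders, and key-based SFTP logins (which return PublicKeys instead) are not covered.

```python
"""Custom identity provider for AWS Transfer Family (added example, not AWS's code).

Authenticates a user and returns a session policy scoped to the user's own
folder plus a logical directory mapping that hides the bucket name.
"""
import hashlib
import hmac
import ipaddress
import json

_SALT = b"constructed-salt-for-example-only"  # constructed; use per-user salts in practice


def _hash_password(password: str) -> bytes:
    # PBKDF2 so the directory never stores plaintext passwords (constructed sample).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user directory standing in for your real directory service.
USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse battery staple"),
        "allowed_cidrs": ["203.0.113.0/24"],   # RFC 5737 documentation range
        "protocols": {"SFTP"},
        "bucket": "example-transfer-bucket",   # hypothetical bucket name
    },
}
USER_ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleTransferUserRole"  # placeholder


def home_scoped_policy(bucket: str, username: str) -> dict:
    """Session policy confining the session to s3://<bucket>/<username>/ only."""
    prefix = f"{username}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is allowed only under the user's own prefix
                "Sid": "ListOnlyHomeFolder",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}*"]}},
            },
            {   # object access is allowed only on keys under that prefix
                "Sid": "HomeFolderObjectAccess",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
            },
        ],
    }


def logical_mappings(bucket: str, username: str) -> list:
    """Show the user's folder as '/' so the bucket name and real path stay hidden."""
    return [{"Entry": "/", "Target": f"/{bucket}/{username}"}]


def policy_is_home_scoped(policy: dict, bucket: str, username: str) -> bool:
    """Sanity check: every Allow statement stays inside the user's folder."""
    home_arn = f"arn:aws:s3:::{bucket}/{username}/"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for resource in resources:
            if resource == f"arn:aws:s3:::{bucket}":
                prefixes = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix", [])
                if not prefixes or not all(p.startswith(f"{username}/") for p in prefixes):
                    return False
            elif not resource.startswith(home_arn):
                return False
    return True


def authenticate(username: str, password: str, protocol: str, source_ip: str) -> dict:
    """Return the Transfer Family user config for a valid login, or {} to deny."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal valid names.
    expected = user["pw_hash"] if user else _hash_password("")
    password_ok = hmac.compare_digest(_hash_password(password or ""), expected)
    if user is None or not password_ok or protocol not in user["protocols"]:
        return {}
    try:
        client = ipaddress.ip_address(source_ip)
    except ValueError:
        return {}
    if not any(client in ipaddress.ip_network(c) for c in user["allowed_cidrs"]):
        return {}
    policy = home_scoped_policy(user["bucket"], username)
    if not policy_is_home_scoped(policy, user["bucket"], username):
        return {}  # fail closed rather than hand out an over-broad session
    return {
        "Role": USER_ROLE_ARN,
        "Policy": json.dumps(policy),
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryDetails": json.dumps(logical_mappings(user["bucket"], username)),
    }


def handle_request(event: dict) -> dict:
    """Entry point for the API Gateway -> Lambda integration (field names assumed)."""
    return authenticate(event.get("username", ""), event.get("password", ""),
                        event.get("protocol", ""), event.get("sourceIp", ""))


if __name__ == "__main__":
    print(json.dumps(handle_request({"username": "alice", "password": "correct horse battery staple",
                                     "protocol": "SFTP", "sourceIp": "203.0.113.5"}), indent=2))
```

An empty response body (no Role) is how a custom identity provider denies a login, so every failed check above returns {} rather than an error message that would tell a caller which check failed. The policy string is generated per user and re-checked before it is returned, which catches a refactoring mistake that would widen access to the whole bucket.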

Pricing

  • You are billed on an hourly basis for each of the protocols enabled, from the time you create and configure your server endpoint, until the time you delete it. 
  • You are also billed based on the amount of data uploaded and downloaded over SFTP, FTPS, or FTP.
  • There is no additional charge for using managed workflows.

AWS Transfer for SFTP

  • SFTP, or Secure Shell File Transfer Protocol, is file transfer over SSH.
  • SFTP servers for Transfer Family operate over port 22.
  • SFTP is a newer protocol and uses a single channel for commands and data, so it requires fewer port openings than FTPS.

AWS Transfer for FTPS

  • FTPS, or File Transfer Protocol Secure, is file transfer with TLS encryption.
  • The port range that AWS Transfer Family uses to establish FTPS data connections is 8192–8200. For the control connection, use port 21.
  • When creating an FTPS server, you need to provide a server certificate, which must be uploaded to AWS Certificate Manager.

AWS Transfer for FTP

  • FTP, or File Transfer Protocol, is unencrypted file transfer.
  • The port range that AWS Transfer Family uses to establish FTP data connections is 8192–8200. For the control connection, use port 21.
  • Only supported for access within a VPC; it cannot be public facing.
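The port requirements above translate directly into the inbound rules on the security group of a VPC-hosted endpoint, and the protocol restrictions (FTP only inside the VPC, FTPS only with a certificate in ACM) are easy to get wrong by hand. The following is an added example, not AWS's code: it plans the EC2 IpPermissions entries for the enabled protocols, merges the overlapping FTP/FTPS ranges, and refuses the combinations this page says the service does not allow. The refusal of an unrestricted CIDR on an internal endpoint is this example's own rule, not a service limit; the security group id, CIDRs and certificate ARN in the usage are placeholders.

```python
"""Plan inbound security-group rules for a VPC-hosted Transfer Family endpoint
(added example, not AWS's code)."""
import ipaddress

# Port requirements as described on this page: SFTP uses 22; FTPS and FTP use 21
# for the control connection and 8192-8200 for data connections.
PROTOCOL_PORTS = {
    "SFTP": {(22, 22)},
    "FTPS": {(21, 21), (8192, 8200)},
    "FTP": {(21, 21), (8192, 8200)},
}


def plan_vpc_ingress(protocols, internet_facing, client_cidrs, certificate_arn=None):
    """Return EC2 IpPermissions for the endpoint's security group, or raise
    ValueError for a combination the service (or this planner) does not allow."""
    wanted = {p.upper() for p in protocols}
    if not wanted:
        raise ValueError("at least one protocol must be enabled")
    unknown = wanted - PROTOCOL_PORTS.keys()
    if unknown:
        raise ValueError(f"unsupported protocol(s): {sorted(unknown)}")
    if "FTP" in wanted and internet_facing:
        raise ValueError("FTP is only supported for access within the VPC")
    if "FTPS" in wanted and not certificate_arn:
        raise ValueError("FTPS needs a server certificate uploaded to ACM")
    if not client_cidrs:
        raise ValueError("pass the client CIDRs explicitly; nothing is opened by default")

    nets = []
    for cidr in client_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, typos
        if net.prefixlen == 0 and not internet_facing:
            # Planner's own rule: an internal endpoint should not be open to everyone.
            raise ValueError(f"unrestricted CIDR {net} on an internal endpoint")
        nets.append(net)

    # Union of port ranges so FTP + FTPS does not produce duplicate rules.
    ports = set().union(*(PROTOCOL_PORTS[p] for p in wanted))
    ip_ranges = [{"CidrIp": str(n), "Description": "Transfer Family clients"} for n in nets]
    return [
        {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi, "IpRanges": ip_ranges}
        for lo, hi in sorted(ports)
    ]


def apply_ingress(security_group_id, permissions):
    """Apply the planned rules with boto3 (real call; needs AWS credentials)."""
    import boto3  # imported here so planning works without boto3 installed
    ec2 = boto3.client("ec2")
    return ec2.authorize_security_group_ingress(GroupId=security_group_id,
                                                IpPermissions=permissions)


if __name__ == "__main__":
    import json
    plan = plan_vpc_ingress(["SFTP", "FTPS"], internet_facing=False,
                            client_cidrs=["10.0.0.0/16"],
                            certificate_arn="arn:aws:acm:REGION:123456789012:certificate/PLACEHOLDER")
    print(json.dumps(plan, indent=2))
    # apply_ingress("sg-PLACEHOLDER", plan)  # uncomment to push to the real security group
```

Planning and applying are separate so the rule set can be reviewed, or asserted on in a pipeline, before anything touches the account; authorize_security_group_ingress is the standard EC2 API call and is only reached when you invoke apply_ingress yourself.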
