Amazon Transfer Family
Fully managed SFTP, FTPS, FTP, and AS2 file transfer directly into S3 and EFS
Thousands of businesses exchange files using SFTP, a decades-old but deeply entrenched protocol used by banks, hospitals, insurers, and retailers to securely send files to partners. The problem is running your own SFTP server: you have to maintain the OS, patch it, manage SSH keys for every partner, scale it during peak loads, and make sure it never goes down. Transfer Family is a managed SFTP (and FTPS, FTP, AS2) endpoint that AWS runs for you. Your trading partners connect using their existing SFTP clients with their existing credentials. Nothing changes for them, provided you carry the old server's DNS name and SSH host key over to the new endpoint. Files land directly into your S3 buckets or EFS file systems. No servers to patch, no scaling to think about. For partners in regulated industries using AS2, a protocol used in healthcare and retail supply chains for signed and encrypted EDI messages, Transfer Family handles that too.
A Transfer Family server is one managed endpoint that can serve SFTP, FTPS and FTP together; AS2 adds its own partner profiles, certificates and agreements on top. The endpoint type is either PUBLIC, which is regional, AWS-managed and has no fixed IP address, or VPC-hosted, which is private by default and can be made internet-facing by attaching Elastic IPs, the only way to get static addresses that partners can allowlist. Three identity providers are supported: service managed (SSH public keys stored on the Transfer Family user, so SFTP only), AWS Directory Service (an existing Active Directory), or a custom provider backed by Lambda or API Gateway that can consult any external system and decide per login. Every user carries an IAM role that Transfer Family assumes for S3 or EFS access, an optional session policy that narrows that role, and a home directory that is either a PATH or a LOGICAL mapping of virtual paths to S3 or EFS locations. Isolating each partner to its own S3 prefix takes both halves: the logical mapping hides everything outside the prefix from the client, and the session policy stops the role from reaching it. S3 event notifications or EventBridge rules fire on file arrival and trigger Lambda for downstream processing. CloudWatch metrics cover bytes and files transferred, and the server's structured CloudWatch logs record each session and each authentication failure.
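The custom identity provider contract and the per-partner isolation described above, as an added example in Python (this is not AWS's code and not a Transfer Family sample): a Lambda handler that takes the event Transfer Family sends, enforces a per-partner source IP allowlist, refuses password logins and non-SFTP protocols, and returns the role, a session policy scoped to the partner's prefix, and a LOGICAL home directory mapping. The bucket name, role ARN, CIDRs and SSH keys are constructed placeholders.

```python
"""Custom identity provider for AWS Transfer Family (added example, not AWS's code).

Transfer Family invokes the function with an event shaped like
{"username": ..., "password": ..., "protocol": "SFTP", "serverId": ..., "sourceIp": ...};
"password" is absent when the client offers an SSH key. The return value describes
the session; an empty dict tells Transfer Family to deny the login.
"""
import ipaddress
import json

# Constructed placeholders: the bucket, role ARN, CIDRs and keys are assumptions.
BUCKET = "example-inbound-bucket"
ALLOWED_PROTOCOLS = {"SFTP"}  # refuse FTP/FTPS logins even if enabled on the server
PARTNERS = {
    "hospital-a": {
        "public_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyHospitalA"],
        "allowed_cidrs": ["203.0.113.0/24"],
        "role_arn": "arn:aws:iam::123456789012:role/TransferPartnerRole",
        "prefix": "partners/hospital-a",
    },
    "clinic-b": {
        "public_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyClinicB"],
        "allowed_cidrs": ["198.51.100.10/32"],
        "role_arn": "arn:aws:iam::123456789012:role/TransferPartnerRole",
        "prefix": "partners/clinic-b",
    },
}


def session_policy(bucket: str, prefix: str) -> str:
    """Session (scope-down) policy that narrows the shared role to one prefix.

    Effective permissions are the intersection of the role policy and this
    document. Transfer Family rejects policies of 2048 characters or more.
    """
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}},
            },
            {
                "Sid": "ObjectsInOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) >= 2048:
        raise ValueError("session policy too long for Transfer Family")
    return text


def source_allowed(source_ip: str, cidrs: list) -> bool:
    """True when the connecting address falls inside one of the partner's CIDRs."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: authorise the partner and return its scoped session."""
    partner = PARTNERS.get(event.get("username", ""))
    if partner is None:
        return {}
    if event.get("protocol") not in ALLOWED_PROTOCOLS:
        return {}
    if not source_allowed(event.get("sourceIp", ""), partner["allowed_cidrs"]):
        return {}
    if event.get("password"):
        return {}  # partners authenticate with SSH keys only; no password logins
    # Key auth: hand back the registered keys and Transfer Family verifies the
    # client's signature against them before the session starts.
    return {
        "Role": partner["role_arn"],
        "Policy": session_policy(BUCKET, partner["prefix"]),
        "HomeDirectoryType": "LOGICAL",
        # The client sees "/" and nothing else; every write lands under the prefix.
        "HomeDirectoryDetails": json.dumps(
            [{"Entry": "/", "Target": f"/{BUCKET}/{partner['prefix']}"}]
        ),
        "PublicKeys": partner["public_keys"],
    }
```

The role named in the response must trust transfer.amazonaws.com and grant at least the access the session policy allows, since the policy can only subtract permissions. Returning an empty dict produces an ordinary authentication failure in the server's CloudWatch logs, which is what a metric filter for failed logins should count.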
Key Capabilities
- Managed endpoints for SFTP (port 22), FTPS (explicit TLS on control port 21, passive data ports 8192-8200), FTP (port 21 plus the same passive range), AS2 (HTTP on port 5080; put a load balancer in front for TLS), and browser-based transfers
- Files land directly in S3 or EFS with configurable per-user logical directory mappings
- Authentication via SSH keys (service managed, SFTP only), AWS Directory Service (Active Directory), or a custom identity provider backed by Lambda or API Gateway
- VPC-hosted endpoints (private, or internet-facing with Elastic IPs) or public endpoints; a private VPC endpoint keeps all traffic off the public internet
- S3 event notifications on file arrival trigger Lambda functions for immediate downstream processing
- AS2 support for signed and encrypted EDI file exchange in healthcare, retail, and supply chain
Gotchas & Constraints
Gotcha #1: A VPC-hosted endpoint is only as available as the subnets attached to it. Attach subnets in at least two Availability Zones (one Elastic IP per subnet if the endpoint is internet-facing); AWS manages zonal redundancy for PUBLIC endpoints, but those have no fixed IP. Route 53 health-check failover belongs to a multi-Region design, not to AZ resilience. Gotcha #2: FTP sends credentials and file contents in clear text. Transfer Family only allows FTP on VPC-hosted endpoints reached from inside the VPC, never internet-facing, and neither FTP nor FTPS can use service-managed SSH keys; they need Directory Service or a custom identity provider. Gotcha #3: Partners pin SSH host keys. Import the old server's host key when you create the server, or every partner sees a host-key-changed warning on first connect. Constraints: Maximum object size is 5 TiB (the S3 limit). A session policy returned by a custom identity provider must stay under 2048 characters. Throughput scales with concurrent sessions per server; request quota increases through AWS Support for high-volume workloads.
A national health insurance company exchanges patient data files with 45 hospitals and clinics daily over SFTP. Their on-premises SFTP server ran on a single VM, required manual SSH key management for each partner, and suffered two unplanned outages in the past year during OS patching, causing missed SLA deadlines with hospital partners. They migrate to a VPC-hosted, internet-facing Transfer Family SFTP endpoint with a static Elastic IP, import the old server's SSH host key so clients see no host-key change, and repoint the existing DNS name at the endpoint. All 45 partners keep the same hostname, port, and credentials with no changes on their side. Each partner is mapped to a dedicated S3 prefix through a logical home directory plus a session policy scoped to that prefix. An S3 event notification triggers a Lambda function the moment a file arrives, starting the downstream claims processing pipeline. A CloudWatch metric filter on the server's logs counts failed authentication attempts and feeds an alarm that flags brute-force attempts and compromised credentials.
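The event-driven half of the case study, as an added example in Python (this is not the insurer's pipeline): a Lambda handler for S3 ObjectCreated notifications that decodes the URL-encoded key, skips directory markers and empty files, maps each key to the partner that owns its prefix, and rejects anything written outside the partner tree instead of feeding it to the pipeline. The bucket name, prefix layout and sample event are constructed.

```python
"""S3 ObjectCreated handler for partner uploads (added example, not the insurer's code).

Assumes an inbound bucket "example-inbound-bucket" laid out as
partners/<partner>/<relative path>, one subtree per logical home directory.
"""
from urllib.parse import unquote_plus

BUCKET = "example-inbound-bucket"  # assumption
PARTNER_ROOT = "partners/"         # assumption


def partner_for_key(key: str):
    """Split 'partners/hospital-a/claims/x.edi' into ('hospital-a', 'claims/x.edi').

    Returns None for keys outside the partner tree, for the partner directory
    itself, and for paths with empty, '.' or '..' segments, which a Transfer
    Family user cannot produce and which signal some other writer.
    """
    if not key.startswith(PARTNER_ROOT):
        return None
    partner, sep, rel = key[len(PARTNER_ROOT):].partition("/")
    if not partner or not sep or not rel:
        return None
    if any(seg in ("", ".", "..") for seg in rel.split("/")):
        return None
    return partner, rel


def handler(event: dict, context=None) -> dict:
    """Turn an S3 notification into processing jobs, one per accepted object."""
    jobs, rejected = [], []
    for rec in event.get("Records", []):
        # ObjectCreated:* covers Put, Post, CompleteMultipartUpload and Copy;
        # a rename over SFTP arrives as a Copy followed by a Delete.
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = rec["s3"]
        if s3["bucket"]["name"] != BUCKET:
            continue
        # Keys in notifications are URL-encoded: "+" for space, %xx escapes.
        key = unquote_plus(s3["object"]["key"])
        size = s3["object"].get("size", 0)
        if key.endswith("/") or size == 0:
            continue  # directory marker from 'mkdir', or an empty upload
        parsed = partner_for_key(key)
        if parsed is None:
            rejected.append(key)  # in production: log and alarm, never process
            continue
        partner, rel = parsed
        jobs.append({"partner": partner, "bucket": BUCKET, "key": key,
                     "path": rel, "bytes": size})
    return {"jobs": jobs, "rejected": rejected}


# Constructed notification covering the cases the handler has to sort out.
SAMPLE_EVENT = {
    "Records": [
        {"eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": BUCKET},
                "object": {"key": "partners/hospital-a/claims/837P+2024-01-05.edi",
                           "size": 48213}}},
        {"eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": BUCKET},
                "object": {"key": "partners/hospital-a/claims/", "size": 0}}},
        {"eventName": "ObjectCreated:Copy",
         "s3": {"bucket": {"name": BUCKET},
                "object": {"key": "partners/clinic-b/eligibility/270.x12", "size": 1024}}},
        {"eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": BUCKET},
                "object": {"key": "scratch/not-a-partner.txt", "size": 10}}},
        {"eventName": "ObjectRemoved:Delete",
         "s3": {"bucket": {"name": BUCKET},
                "object": {"key": "partners/clinic-b/eligibility/270.tmp"}}},
    ]
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

S3 only creates the object once the SFTP client has finished writing, so the handler never sees a half-uploaded file; the case it does have to handle is the client that uploads to a temporary name and renames, which shows up as a Copy event for the final key.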
The Result
Zero partner-visible changes during migration; availability improved from two nines to four nines; the SFTP server maintenance burden previously carried by three engineers eliminated; inbound files now trigger automated processing within 2 seconds of arrival.