storageSAA-C03SAP-C02DEA-C01SCS-C02CLF-C02

AWS Transfer Family: The Managed File Transfer Gateway

Fully managed SFTP, FTPS, FTP, and AS2 endpoints backed by S3 or EFS — no server management required.

Updated 2026-02-22

Overview

AWS Transfer Family provides fully managed file transfer endpoints supporting SFTP, FTPS, FTP, and AS2 protocols, enabling businesses to move files directly into and out of Amazon S3 or Amazon EFS without managing any underlying infrastructure. It preserves existing client workflows and credentials while eliminating the operational burden of running and patching file transfer servers. Transfer Family is the go-to AWS service whenever partners, customers, or internal teams need standards-based protocol access to AWS storage.

Replace self-managed SFTP/FTP/AS2 servers with a fully managed, highly available, VPC-integrated file transfer service that lands files directly in Amazon S3 or Amazon EFS.

Use When

Migrating on-premises SFTP or FTP servers to AWS while keeping existing client tools and workflows unchanged.
Enabling B2B EDI file exchange with trading partners using the AS2 protocol over HTTPS.
Providing external partners or customers with secure, protocol-based access to files stored in S3 or EFS without exposing AWS credentials.
Building automated file-ingestion pipelines where partner file drops trigger downstream processing via Lambda or EventBridge.
Regulatory or compliance scenarios (PCI-DSS, HIPAA) requiring encrypted-in-transit file transfer with audit trails via CloudTrail.

Avoid When

Large-scale data migration between AWS services or on-premises to AWS storage: use AWS DataSync instead, which is optimized for high-throughput, scheduled, or one-time bulk transfers with built-in integrity checks.
Accelerating S3 uploads from geographically distributed users over the public internet: use Amazon S3 Transfer Acceleration (CloudFront edge network), not Transfer Family, which is a protocol endpoint service, not a CDN accelerator.
Real-time streaming or event-driven data ingestion at high velocity: use Amazon Kinesis Data Streams or Amazon MSK; Transfer Family is designed for file-based batch delivery, not streaming.
Internal application-to-application data movement where AWS SDKs or native S3/EFS APIs are available: direct API access is simpler, cheaper, and faster than routing through a protocol endpoint.

Key Features

SFTP (SSH File Transfer Protocol)

Port 22; most common protocol for secure file transfer; supported on both public and VPC endpoints.

FTPS (FTP over SSL/TLS)

Requires a custom hostname and ACM or imported certificate; supported on public and VPC endpoints.

FTP (plain, unencrypted)

VPC endpoint ONLY — never exposed to the public internet by design.

AS2 (Applicability Statement 2)

B2B EDI protocol over HTTPS; supports signing and encryption of message payloads; used for trading partner EDI workflows.

Amazon S3 backend storage

Files land directly in S3 buckets; S3 versioning, lifecycle, and replication apply.

Amazon EFS backend storage

POSIX-compliant file system access; useful for workloads needing shared file semantics.

VPC endpoint (private)

Keeps traffic off the public internet; supports Security Groups and Elastic IPs.

Public endpoint

AWS-managed DNS; no Security Group control; SFTP and FTPS only.

Service-managed identity provider

SSH public keys or passwords stored within Transfer Family itself.

AWS Directory Service (AD) identity provider

Integrates with AWS Managed Microsoft AD for SFTP user authentication.

Custom Lambda/API Gateway identity provider

Enables integration with any external IdP (LDAP, Okta, etc.) via a Lambda function.

AWS IAM Identity Center integration

Enables SSO-based authentication for Transfer Family users.

Managed Workflows

Post-upload processing pipeline: copy, tag, delete, custom Lambda steps — no external orchestration needed.

Logical directory mappings

Virtual directory tree presented to users, mapped to S3 prefixes or EFS paths.

CloudWatch Logs integration

Audit trail of all file transfer events; requires IAM role with CloudWatch permissions.

CloudTrail integration

API-level audit logging for all Transfer Family management actions.

Amazon EventBridge integration

Emit events on file upload completion to trigger downstream workflows.

AWS Lambda integration

Used in Managed Workflows and custom IdP; enables serverless post-processing.

Elastic IP assignment (VPC endpoint)

Allows static, predictable IP addresses for partner firewall whitelisting — critical for B2B scenarios.

Multi-AZ high availability

Transfer Family is a managed service with built-in redundancy across AZs.

Encryption in transit

SFTP uses SSH encryption; FTPS uses TLS; AS2 supports payload-level encryption and signing.

Encryption at rest

S3 and EFS server-side encryption applies to all stored files.

Custom hostname (Route 53 or third-party DNS)

Required for FTPS; optional for SFTP; allows branded endpoints like sftp.company.com.

ACM certificate support

Use AWS Certificate Manager certificates for FTPS and AS2 TLS.

EBS backend storage

EBS is NOT a supported backend — a common exam distractor.

FSx backend storage

Amazon FSx is NOT a supported backend for Transfer Family.

Integration Patterns

Managed SFTP-to-S3 Landing Zone

high freq

AWS Transfer FamilyAmazon S3

Partners upload files via SFTP directly into an S3 bucket. Transfer Family handles authentication, encryption in transit, and protocol negotiation. S3 stores the files with server-side encryption, versioning, and lifecycle policies. This is the most common Transfer Family architecture and appears frequently in exam scenarios.

Active Directory-Authenticated SFTP

high freq

AWS Transfer FamilyAWS Directory Service

Enterprise customers with existing Active Directory infrastructure authenticate SFTP users against AWS Managed Microsoft AD. Users log in with their corporate credentials — no separate user management in Transfer Family required. Critical pattern for enterprise migration scenarios.

SFTP Access to Shared POSIX File System

medium freq

AWS Transfer FamilyAmazon EFS

When workloads require POSIX semantics (file locking, hierarchical directories, shared access from EC2 instances simultaneously), Transfer Family with EFS backend provides SFTP access to a shared file system. Useful for lift-and-shift of legacy file-server workflows.

Post-Upload Serverless Processing via Managed Workflows

medium freq

AWS Transfer FamilyAWS Lambda

After a file is uploaded via SFTP, a Managed Workflow step invokes a Lambda function to validate, transform, or route the file. This eliminates the need for S3 event notifications + separate Lambda wiring and keeps the processing logic inside Transfer Family's workflow engine.

Event-Driven File Processing Pipeline

medium freq

AWS Transfer FamilyAmazon EventBridge

Transfer Family emits events to EventBridge when file transfers complete. EventBridge rules route these events to downstream targets (Lambda, Step Functions, SQS) to trigger processing pipelines. This decouples the transfer layer from the processing layer.

Custom Identity Provider Integration

medium freq

AWS Transfer FamilyAPI GatewayAWS Lambda

For external IdPs (Okta, LDAP, custom databases), Transfer Family calls an API Gateway endpoint backed by a Lambda function to authenticate users. The Lambda validates credentials against the external system and returns IAM role and home directory mappings. Enables any authentication system to be integrated.

Inbound Partner Files + Outbound Bulk Sync

medium freq

AWS Transfer FamilyAmazon S3AWS DataSync

Transfer Family receives inbound partner files into S3 via SFTP/AS2. AWS DataSync then bulk-syncs processed output files to on-premises systems or other AWS storage. These two services are complementary — Transfer Family for protocol-based inbound delivery, DataSync for high-throughput bulk movement.

Compliance Audit Trail for File Transfers

medium freq

AWS Transfer FamilyAWS CloudTrailAmazon CloudWatch

CloudTrail logs all Transfer Family API calls (server creation, user management). CloudWatch Logs captures per-transfer activity (who uploaded what, when). Together they provide the audit trail required for PCI-DSS, HIPAA, and SOC 2 compliance scenarios.

Branded FTPS/SFTP Endpoint with Custom Domain

low freq

AWS Transfer FamilyAmazon Route 53AWS Certificate Manager

Use Route 53 to create a CNAME (e.g., sftp.company.com) pointing to the Transfer Family server hostname. ACM provides the TLS certificate for FTPS. This gives partners a stable, branded endpoint that abstracts away AWS infrastructure details.

Service Limits & Quotas

LimitValueNote

Servers per account per Region

50 servers

This is a soft limit and can be increased by submitting a Service Quotas increase request.

Users per server

10,000 users

This is a soft limit; contact AWS Support for increases beyond 10,000.

Protocols supported

SFTP, FTPS, FTP, AS2 protocols

AS2 support was added in 2022; older study materials may list only SFTP/FTPS/FTP.

Supported storage backends

Amazon S3, Amazon EFS backends

EFS support was added after initial launch; early documentation only mentioned S3.

AS2 — Maximum message size

Refer to current AWS documentation for the latest AS2 message size limits

AS2 limits are documented separately from SFTP/FTPS limits in the Transfer Family service quotas page.

Endpoint types

Public (internet-facing) or VPC (internal or internet-facing via Elastic IP) endpoint types

FTP (plain, unencrypted) is ONLY supported on VPC endpoint type — never on public endpoints. This is a common exam trap.

Identity providers supported

Service-managed (built-in), AWS Directory Service (AD), custom identity provider via API Gateway + Lambda, AWS IAM Identity Center IdP options

IAM Identity Center (SSO) integration was added later; older exams may only reference the three original IdP types.

Logical directory mappings per user

Refer to current AWS documentation for the latest per-user mapping limits mappings

Logical directories are a Transfer Family-specific concept; do not confuse with S3 bucket folder structures.

Workflows (managed workflows) per server

Refer to current AWS documentation for the latest workflow limits workflows

Managed Workflows were introduced in 2021; pre-2021 study materials will not mention them.

CloudWatch logging

Supported natively via CloudWatch Logs

Logging must be explicitly enabled; it is not on by default for all server configurations.

Pricing Model

Pay-per-use: charged per protocol endpoint-hour plus per-GB data uploaded and downloaded.

You are charged for each enabled protocol endpoint per hour, regardless of whether any transfers occur — idle servers still incur endpoint-hour charges. This makes right-sizing the number of active servers important.
Data transfer charges apply per GB uploaded and per GB downloaded through Transfer Family endpoints — separate from any S3 or EFS storage and request costs.
AS2 has its own pricing dimension based on message processing, in addition to endpoint-hour and data transfer charges.
Managed Workflows incur additional charges per workflow execution step — factor this into cost estimates for high-volume automated pipelines.
There are no upfront costs or minimum commitments; Transfer Family is entirely on-demand.
Cost comparison trap: running a self-managed EC2-based SFTP server may appear cheaper at face value but ignores patching, HA setup, monitoring, and operational overhead — Transfer Family's TCO is often lower at scale.
VPC endpoint type does not cost more than the public endpoint type from a Transfer Family pricing perspective, but VPC interface endpoints (PrivateLink) for other services accessed from within the VPC may have their own costs.

Exam Tips

criticalService selection for managed file transfer protocols

AWS Transfer Family is the ONLY AWS service that provides managed SFTP, FTPS, FTP, and AS2 protocol endpoints. When an exam question mentions 'managed SFTP endpoint,' 'partner file delivery via SFTP,' or 'B2B EDI via AS2,' Transfer Family is the answer — not DataSync, not Storage Gateway, not S3 Transfer Acceleration.

criticalProtocol and endpoint type compatibility

FTP (plain, unencrypted) is ONLY supported on VPC-type endpoints in Transfer Family — it is never available on public (internet-facing) endpoints. If an exam scenario requires FTP and mentions public internet access, that is an invalid combination with Transfer Family.

criticalStorage backend options

Transfer Family backends are ONLY Amazon S3 and Amazon EFS. EBS, FSx, and on-premises storage are NOT supported backends. If an exam question lists EBS or FSx as a Transfer Family backend option, eliminate those immediately.

critical

AWS Transfer Family = managed SFTP/FTPS/FTP/AS2 endpoints backed by S3 or EFS. It is the ONLY AWS service that provides these protocol endpoints. DataSync, Storage Gateway, and S3 Transfer Acceleration do NOT provide SFTP or AS2 endpoints.

critical

FTP (plain, unencrypted) is ONLY supported on VPC-type endpoints — NEVER on public internet-facing endpoints. Any exam scenario combining plain FTP with public internet access is an invalid configuration for Transfer Family.

critical

Transfer Family backends are EXCLUSIVELY Amazon S3 and Amazon EFS. Immediately eliminate any answer choice that suggests EBS, FSx, or on-premises storage as a Transfer Family backend.

importantTransfer Family vs. DataSync differentiation

Transfer Family and AWS DataSync are complementary, not competing. Transfer Family = inbound protocol-based file delivery from external partners. DataSync = high-throughput bulk data movement between storage systems. A well-architected solution may use both together.

importantAS2 protocol for B2B EDI

For B2B EDI scenarios, AS2 over HTTPS (not SFTP) is the industry-standard protocol. Transfer Family's AS2 support includes payload signing and encryption at the message level — distinct from transport-level TLS. Exam questions about EDI trading partner integration should point to AS2 on Transfer Family.

importantIdentity provider integration

When a question asks how to integrate existing corporate Active Directory credentials with SFTP access, the answer is AWS Directory Service (AWS Managed Microsoft AD) as the identity provider for Transfer Family — not creating IAM users for each SFTP user.

importantStatic IP for firewall whitelisting

Elastic IP addresses can be assigned to VPC-type Transfer Family endpoints. This is the correct answer when a question mentions 'partners need to whitelist a static IP address in their firewall' — VPC endpoint + Elastic IP, not a public endpoint.

importantManaged Workflows for post-upload processing

Managed Workflows in Transfer Family allow post-upload processing (copy, tag, delete, Lambda invocation) without needing S3 event notifications + separate Lambda triggers. When an exam asks for the simplest way to process files immediately after SFTP upload, Managed Workflows is often the cleanest answer.

Good to KnowCost optimization for Transfer Family

Transfer Family pricing charges per endpoint-hour — an idle server still costs money. In cost optimization questions, consolidating multiple low-traffic SFTP servers into one server with logical directory mappings per user reduces endpoint-hour costs.

Good to KnowMulti-tenant architecture with logical directories

Logical directory mappings let a single Transfer Family server present different virtual home directories to different users, each mapping to different S3 prefixes or EFS paths. This enables multi-tenant SFTP architectures without separate servers per tenant.

Common Misconceptions & Traps

Common Mistake

AWS DataSync can act as an inbound SFTP or AS2 listener, receiving files from external partners.

Correct

AWS DataSync has NO protocol endpoint capability. It is an agent-based or agentless bulk data movement service that initiates transfers — it cannot listen for inbound SFTP connections. AWS Transfer Family is the service that provides managed SFTP/FTPS/FTP/AS2 listener endpoints.

This is the #1 Transfer Family misconception on exams. DataSync and Transfer Family are often listed as answer choices together. Remember: DataSync PUSHES/PULLS bulk data; Transfer Family LISTENS for protocol-based connections. They solve fundamentally different problems.

Common Mistake

Amazon S3 Transfer Acceleration is the same as AWS Transfer Family for managed SFTP file transfers.

Correct

S3 Transfer Acceleration uses CloudFront edge locations to speed up S3 PUT/GET operations over the public internet using the S3 API — it has nothing to do with SFTP, FTPS, FTP, or AS2 protocols. AWS Transfer Family is a completely separate service that provides managed protocol endpoints. They share the word 'transfer' but solve entirely different problems.

The naming similarity is an intentional exam trap. S3 Transfer Acceleration = faster S3 API uploads via edge network. Transfer Family = managed SFTP/FTPS/FTP/AS2 server. Never confuse these two.

Common Mistake

AWS Storage Gateway provides SFTP endpoints for partner file delivery.

Correct

AWS Storage Gateway provides NFS, SMB, iSCSI, and Tape (VTL) interfaces — it does NOT provide SFTP, FTPS, FTP, or AS2 endpoints. Storage Gateway is for on-premises applications that need cloud-backed storage using file, volume, or tape protocols. For SFTP endpoints, use AWS Transfer Family.

Storage Gateway and Transfer Family are both 'hybrid storage' adjacent services, causing confusion. Storage Gateway = on-premises apps accessing AWS storage via NFS/SMB/iSCSI. Transfer Family = external partners/clients accessing AWS storage via SFTP/FTPS/FTP/AS2.

Common Mistake

Running a self-managed SFTP server on EC2 is always cheaper than using AWS Transfer Family.

Correct

While EC2 instance costs may appear lower on a per-hour basis, the total cost of ownership for a self-managed SFTP server includes: EC2 instance costs, EBS storage, patching and maintenance labor, high-availability setup (multi-AZ), monitoring, security hardening, and incident response. Transfer Family eliminates all of these operational costs. At moderate-to-high scale, Transfer Family's TCO is typically lower.

Exam questions about cost optimization often include EC2-based SFTP as a distractor. The correct answer for a managed, scalable, HA SFTP solution is Transfer Family — not EC2 + open-source SFTP software.

Common Mistake

Amazon S3 alone can replace AWS Transfer Family for partner file delivery because S3 supports uploads.

Correct

Amazon S3 uses its own HTTP/HTTPS REST API (or pre-signed URLs) — it does NOT natively speak SFTP, FTPS, FTP, or AS2. Partners using standard file transfer clients (WinSCP, FileZilla, Cyberduck, EDI systems) cannot connect directly to S3 without AWS Transfer Family acting as the protocol translation layer.

S3 is the storage backend, not the protocol endpoint. Transfer Family is the bridge between legacy file transfer protocols and S3/EFS storage. Both are needed in the architecture.

Common Mistake

AWS Transfer Family requires you to manage underlying EC2 instances or servers.

Correct

Transfer Family is a fully managed service — AWS manages all underlying compute, networking, patching, scaling, and high availability. You only configure server settings, users, and policies. There are no EC2 instances to manage, patch, or scale.

The word 'server' in 'Transfer Family server' refers to the logical SFTP/FTP server configuration, not an EC2 instance. This distinction matters for operational overhead and responsibility model questions.

Memory Tricks

🧠

SFTA = 'S3 File Transfer Access' — Transfer Family puts a PROTOCOL DOOR (SFTP/FTPS/FTP/AS2) in front of your S3/EFS HOUSE. DataSync is the moving truck that bulk-moves boxes. S3 Transfer Acceleration is a faster highway for the S3 API car. Three different things.

🧠

FTP = 'Forbidden To Public' — plain FTP is only allowed inside a VPC, never on the public internet in Transfer Family.

🧠

AS2 = 'Always Secure 2 (business partners)' — AS2 is the B2B EDI protocol with message-level signing and encryption, used for trading partner document exchange (purchase orders, invoices).

🧠

Transfer Family backends: 'S3 or EFS — nothing else, no stress' — only these two storage backends are supported.

CertAI Tutor · SAA-C03, SAP-C02, DEA-C01, SCS-C02, CLF-C02 · 2026-02-22

Ready to test your knowledge?

Practice SAA-C03, SAP-C02, DEA-C01, SCS-C02, CLF-C02 exam questions with AI-powered explanations — free to start.

AWS Transfer Family: The Managed File Transfer Gateway

Overview

Key Features

Integration Patterns

Service Limits & Quotas

Pricing Model

Exam Tips

Common Misconceptions & Traps

Memory Tricks

Ready to test your knowledge?

Related Cheat Sheets