AWS Transfer Family — Cloud-based file transfer made easy

Premkumar Sriram
Digital Solutions — Retail & CPG
4 min read · Sep 25, 2020


Adoption of AWS cloud storage keeps growing for document sharing, asset storage, file transfer between partners, and much more. One challenge of using an S3 bucket directly is that it is not as flexible as the traditional SFTP or FTPS protocols, which are standard integration patterns for many products and platforms. S3 used to support only APIs and programmatic interfaces for accessing files in cloud storage.

AWS resolved this limitation by introducing the AWS Transfer Family solution, which was initially called S3 SFTP Gateway. It is an SFTP or FTP gateway in front of S3 buckets, with security managed by standard AWS services such as IAM and security policies. The standard features of the AWS Transfer Family products are:

Multiple Instances, Protocols & Authentication

AWS Transfer Family lets you set up multiple SFTP/FTP server instances and configure each one individually, which provides logical isolation between file servers. It also supports the three widely used protocols: SFTP, FTPS, and FTP.

By default, authentication and access control are managed by AWS IAM, which is highly recommended. Alternatively, a custom identity provider can be used, but it requires an Amazon API Gateway endpoint to be set up for it.

Deployment Model & Hostnames

The service can be made publicly accessible (open to the internet) or deployed within a virtual private cloud so that only resources inside the VPC can reach the SFTP service. A custom hostname can be set up through Route 53 or any external DNS; this is optional, as AWS provides a default hostname of the form <instanceId>.server.transfer.<region>.amazonaws.com.

Security & Logging

Like other AWS services, AWS Transfer Family integrates natively with CloudWatch, so all events can be fully monitored. An IAM role must be configured to grant the service the required access to CloudWatch.

Security policies control the set of ciphers the SFTP gateway server supports. AWS provides pre-defined Transfer security policies and recommends always using the latest one.

If you are migrating from an existing SFTP server, it also provides the option to configure the RSA private key (the server host key).

SFTP / FTPS / FTP Administration (Ongoing)

Once the AWS Transfer Family server instance is set up and configured, user accounts and S3 buckets must be configured as an ongoing activity. Because AWS Transfer Family uses S3 buckets for the actual storage of files, it depends heavily on the IAM role and policy to limit which buckets users can access.

Key Based Authentication (No IAM Accounts required)

The server allows you to create custom (service-managed) user accounts, which is convenient because they have no dependency on IAM accounts. Each user or partner generates an SSH key pair and shares only the public key with the SFTP server. Access to S3, however, is still governed entirely by the IAM role and policy, which is the standard way of accessing AWS resources.
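Before registering a partner's public key on the server, it is worth checking that the key is well-formed and strong enough. The following is an added example (not from the original post or from AWS): it parses an OpenSSH public-key line in SSH wire format and rejects RSA keys below a minimum modulus size; the 2048-bit minimum and the accepted key types are this example's own policy, and `make_rsa_line` builds a synthetic, constructed key for offline testing.

```python
import base64
import struct

# Policy for this example only (assumption, not an AWS limit): accept RSA >= 2048 bits or ed25519.
MIN_RSA_BITS = 2048

def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one uint32-length-prefixed field from SSH wire format."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def check_public_key(line: str) -> dict:
    """Parse an authorized_keys-style line; return its key type and size or raise."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    wire_type, offset = _read_string(blob, 0)
    if wire_type != declared_type.encode():
        raise ValueError("key type prefix does not match wire format")
    if declared_type == "ssh-rsa":
        _e, offset = _read_string(blob, offset)      # public exponent (mpint)
        n, offset = _read_string(blob, offset)       # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}")
    elif declared_type == "ssh-ed25519":
        pub, offset = _read_string(blob, offset)
        if len(pub) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    else:
        raise ValueError(f"unsupported key type {declared_type}")
    if offset != len(blob):
        raise ValueError("trailing bytes after key material")
    return {"type": declared_type, "bits": bits}

def make_rsa_line(bits: int) -> str:
    """Build a constructed ssh-rsa line with a synthetic modulus (sample input, not a real key)."""
    def field(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(b"\x00" + n)  # leading 0: positive mpint
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```

Run the check over each key file before importing it into the user's account; a rejected key is reported with the reason so the partner can regenerate it.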

S3 Configuration & Directory Restriction

Actual access to the S3 bucket is managed by the IAM policy, which grants the required access to the buckets. In addition, users can be restricted to a single bucket or folder by enabling the restriction option; this applies on top of the IAM policy.
