How to create an SFTP-enabled Server on AWS

AWS Transfer Family supports Secure File Transfer Protocol (SFTP), File Transfer Protocol over SSL (FTPS), and File Transfer Protocol (FTP) to transfer files to and from AWS S3 or AWS EFS(Elastic File System). It supports DNS routing with Amazon Route 53. AWS Transfer Family removes the overhead to purchase and run your own FTP servers, instead, it manages file infrastructure for you. It supports auto-scaling capacity and maintains high availability.

AWS Transfer Family is a fully managed service by AWS that scales in real-time, and you don't need to create 

Let's understand 3 different protocols supported by AWS Transfer Family.

  1. SFTP Protocol: Secure Shell File Transfer Protocol is a network protocol used for the secure transfer of data over the internet. The protocol supports the full security and authentication functionality of SSH
  2. FTP Protocol: File Transfer Protocol (FTP) is a network protocol used for the transfer of data. FTP uses a separate channel for control and data transfers.
  3. FTPS Protocol: File Transfer Protocol over SSL is an extension to FTP. It uses Transport Layer Security and Secure Sockets Layer cryptographic protocols to encrypt traffic.

You can create a publicly accessible server or can create a server in the VPC.

You can also control access to the server using AWS Identity and Access Management (IAM) policies, these policies can be assigned to an IAM Role which then is attached to the user.

There are no upfront costs and you need to pay only for what you use and protocols you have enabled for access to your endpoint. To know about its pricing, visit the AWS official page here

In this article, we will see the steps to create an SFTP-enabled server on AWS which will be accessible publicly. Before proceeding with this article, it is assumed that you are familiar with IAM Roles, EC2 instances and S3 Buckets. 


  1. AWS Account (Create if you don’t have one).
  2. Ubuntu EC2 Instance (Click here to learn to create an Ubuntu EC2 instance on AWS).
  3. IAM Role with Full access to S3 (Click here to learn to create an IAM Role).
  4. S3 Bucket (Click here to learn to create an S3 bucket on AWS).

What will we do?

  1. Login to AWS
  2. Create an SFTP Server
  3. Modify the Trust Relationships of the IAM Policy
  4. Create a folder in the S3 Bucket.
  5. Generate a Key-Pair in the EC2 instance.
  6. Create a user in the SFTP Server
  7. Test the connection to the SFTP Server
  8. Delete the SFTP Server

Login to AWS

Click here to go to the login page where you can enter your credentials to get into the account.

Login Page

Once you successfully login into your account you will see the main AWS management console as follows and you can choose your desired region to create an SFTP Server.

AWS Management Console

Create an SFTP Server

Search for "Transfer Family" in the search box at the top of the screen.

Search Transfer Family

You will see the main dashboard of the AWS Transfer Family as follows. Click on the "Create server" button to create your first SFTP server.

AWS Transfer Family Dashboard

Here, choose the protocol that you want to enable for the server. You can enable multiple protocols, but here we will proceed with a single SFTP protocol. Click on the "Next" button to proceed.

Choose a Protocol

Choose the endpoint type based on your requirement. If you want your endpoint to be accessible publicly proceed with it. Click on the "Next" button.

Endpoint configuration

Choose the AWS storage service where you want your data to be stored. Here we will proceed with Amazon S3. Click on the "Next" button to proceed.

Choose a domain

Proceed with the default options here.

Logging role

Review the configuration and click on the "Create Server" button. This will create an SFTP server for you, the creation process will take a few minutes to finish.

Review and create a server

Modify the Trust Relationships of the IAM Policy

The next step is to modify the IAM policy which has full access to the S3 buckets. Go to the "IAM role -- > Trust relationships" and edit it.

IAM Role for SFTP

Change the Service to "", the policy document should look as follows.

Edit Trust Relationship

Create a folder in the S3 Bucket.

See you if you have an S3 bucket where you would like to store data from the SFTP server.

Create a folder in the S3 Bucket

Generate a Key-Pair in the EC2 instance.

The next step is to create a key-pair that will be used to authenticate to the SFTP server. Go to your Linux server and execute the following command to generate a key-pair


cat ~/.ssh/

Fetch the public key which will be needed in the next step.

Generate a key-pair

Create a user in the SFTP Server

Let's go to the SFTP so we created.

SFTP Server

Click on the "Add user" button to create a user that will be used to authenticate and transfer files to S3 using the SFTP server we created.

Here, the endpoint you see will be used to access the SFTP server for data transfer. Keep this endpoint with you which will be needed while accessing the SFTP server.

Add a username, choose the IAM role, select the S3 bucket and a folder inside it which will act as a home directory for the user we are creating. Add the public key we copied from the previous step in the "SSH public key" part.

Scroll down the page and click on the "Add" button. This will create a user which will need a private key associated with the public we added while creating the user.

Add the user

Test the connection to the SFTP ServerTest the connection to the SFTP Server

Go to the Linux server where you created the key pair and use the following command to connect to the SFTP server.

Here, you need to change the endpoint with what you have for your SFTP server.

sftp -i ~/.ssh/id_rsa rahul-sftp-[email protected]

You can try uploading files using the following command where the file used in the following command belongs to the local system.

put /home/ubuntu/test-file

The above command will copy "/home/ubuntu/test-file" file from the local system to the SFTP server.

Upload a file

You can verify from the console if the file has been uploaded or not in the S3 bucket using the above "put" command.

Check the S3 Bucket

Delete the SFTP Server

When you no longer need your SFTP server you can easily delete it. To delete the server, click on "Actions --> Delete".

Delete the SFTP Server

Confirm your deletion action and click on the "Delete" button. Once you delete the SFTP server you cannot restore it, so be careful while performing the deletion operation.

Confirm deletion


In this article, we saw the steps to create an SFTP server with S3 as a backend. We created a user and assigned it a particular S3 bucket --> folder as a Home directory. We saw the necessary changes required for the IAM role to be used for the user.

Share this page:

1 Comment(s)