AWS Transfer Family

  • AWS Transfer Family is a fully managed file transfer service that enables secure transfer of files into and out of AWS storage services.
  • AWS Transfer Family supports transferring data from or to Amazon S3 and Amazon EFS.
  • AWS Transfer Family supports transferring data over the following protocols:
    • Secure File Transfer Protocol (SFTP) – version 3
    • File Transfer Protocol Secure (FTPS)
    • File Transfer Protocol (FTP)
    • Applicability Statement 2 (AS2) – for B2B EDI document exchange
    • Browser-based transfers – via Transfer Family web apps
  • Transfer Family provides the following benefits:
    • A fully managed service that scales in real time with elastic compute infrastructure and built-in autoscaling.
    • Compatible with existing applications with no need to modify them or run any file transfer protocol infrastructure.
    • A fully managed, serverless File Transfer Workflow service that makes it easy to set up, run, automate, and monitor the processing of files.
    • Supports connectors for outbound file transfers to remote SFTP and AS2 servers.
  • Transfer Family supports up to 3 AZs and is backed by an auto-scaling, redundant fleet for connection and transfer requests.
  • Transfer Family supports multiple identity provider options:
    • Service Managed – user identities stored within the service (supported for SFTP-only server endpoints).
    • Microsoft Active Directory – integration with AWS Directory Service.
    • LDAP – Lightweight Directory Access Protocol integration.
    • Custom Identity Providers – modular solution to integrate any identity provider with granular per-user controls, separating authentication logic from session configuration.
  • Transfer Family supports Amazon S3 Access Points for granular access to shared datasets.
  • For FTP and FTPS data connections, the port range used for the data channel is 8192–8200.
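The custom identity provider option above works as a callback: Transfer Family invokes your function with what the client presented and you return the session configuration (role, scope-down policy, home directory mapping) or an empty object to deny. The following handler is an added example, not AWS code or code from this page; the role ARN, bucket, user table and CIDR ranges are constructed placeholders, and the request/response field names follow the Transfer Family custom identity provider contract (`username`, `password`, `protocol`, `sourceIp` in; `Role`, `Policy`, `HomeDirectoryType`, `HomeDirectoryDetails`, `PublicKeys` out).

```python
"""Custom identity provider handler for AWS Transfer Family (added example).

Transfer Family calls this with the credentials the client presented and
expects the session configuration back. An empty response denies the login.
"""
import hmac
import ipaddress
import json
from hashlib import sha256

# Placeholder identifiers (constructed; substitute your own account/role/bucket).
ROLE_ARN = "arn:aws:iam::111122223333:role/TransferFamilyUserRole"
BUCKET = "example-transfer-bucket"


def _digest(password: str) -> str:
    # Demo-only digest so the example runs offline; a production store would
    # hold a salted KDF output or delegate to Secrets Manager / a directory.
    return sha256(password.encode("utf-8")).hexdigest()


# Constructed in-memory user store standing in for a real identity backend.
USERS = {
    "alice": {
        "password_digest": _digest("correct horse battery staple"),
        "public_keys": [],
        "allowed_cidrs": ["203.0.113.0/24"],  # TEST-NET-3, constructed
        "protocols": {"SFTP"},
    },
    "bob": {
        "password_digest": None,  # key-based SFTP only
        "public_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY bob@example"],
        "allowed_cidrs": ["203.0.113.0/24"],
        "protocols": {"SFTP"},
    },
}


def _source_allowed(source_ip: str, cidrs) -> bool:
    """True when the client address falls inside an allow-listed range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def _session_config(username: str, public_keys) -> dict:
    """Build the response: role, scope-down policy and a logical home directory."""
    # The session policy confines the assumed role to the user's own prefix;
    # ${transfer:UserName} is substituted by the service at session time.
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{BUCKET}",
                "Condition": {"StringLike": {"s3:prefix": ["${transfer:UserName}/*", "${transfer:UserName}"]}},
            },
            {
                "Sid": "ObjectsInOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{BUCKET}/${{transfer:UserName}}/*",
            },
        ],
    }
    response = {
        "Role": ROLE_ARN,
        "Policy": json.dumps(policy),
        # LOGICAL mapping hides the bucket name: the user sees "/" mapped to their prefix.
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryDetails": json.dumps([{"Entry": "/", "Target": f"/{BUCKET}/{username}"}]),
    }
    if public_keys:
        # For key auth the service verifies the client's signature against these keys.
        response["PublicKeys"] = public_keys
    return response


def lambda_handler(event, context=None) -> dict:
    """Entry point invoked by Transfer Family; {} means deny."""
    user = USERS.get(event.get("username", ""))
    if user is None or event.get("protocol") not in user["protocols"]:
        return {}
    if not _source_allowed(event.get("sourceIp", ""), user["allowed_cidrs"]):
        return {}
    password = event.get("password")
    if password is not None:
        # Password flow: constant-time comparison of digests.
        if not user["password_digest"] or not hmac.compare_digest(_digest(password), user["password_digest"]):
            return {}
        return _session_config(event["username"], public_keys=None)
    # No password supplied: SFTP public-key flow, valid only if keys are registered.
    if not user["public_keys"]:
        return {}
    return _session_config(event["username"], user["public_keys"])
```

The authentication decision (user exists, protocol permitted, source address allow-listed, credential verified) is kept apart from the session configuration builder, which is the separation the bullet above describes; swapping the in-memory table for a directory or database changes only the first half.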

Endpoint Types

  • Transfer Family supports the following endpoint types:
    • Public – publicly accessible endpoint that listens for traffic over port 22 (SFTP only).
    • VPC – endpoint hosted within a VPC for greater control over access.
      • Can be configured as Internet Facing with Elastic IP addresses attached.
      • Can be configured as Internal for private access only within the VPC.
      • Supports Security Groups for source IP filtering.
      • Supports shared VPC environments.
      • Required for FTPS and FTP protocols.
  • FIPS-enabled endpoints are available for compliance requirements.

AS2 Protocol Support

  • Applicability Statement 2 (AS2) is a business-to-business (B2B) messaging protocol used to exchange Electronic Data Interchange (EDI) documents.
  • Transfer Family AS2 capabilities enable secure exchange of AS2 messages at scale while maintaining compliance and interoperability with trading partners.
  • AS2 provides data protection through encryption and peer authentication via digital certificates.
  • Key AS2 components:
    • Agreements – Bilateral trading partner agreements that define the relationship between two parties exchanging messages. Combines server, local profile, partner profile, and certificate information.
    • Profiles – Local and partner profiles that identify the sender and receiver.
    • Certificates – Used for encryption and signing of AS2 messages.
    • Connectors – Required for sending files to an externally hosted AS2 server.
  • AS2 messages are sent and received over HTTPS.
  • Integrates with AWS B2B Data Interchange for EDI document transformation and generation.

SFTP Connectors

  • SFTP connectors provide fully managed functionality to transfer files between remote SFTP servers and Amazon S3.
  • SFTP connectors can send files from Amazon S3 to an external partner-owned SFTP server and retrieve files from a partner’s SFTP server.
  • SFTP connectors authenticate to remote servers using credentials stored in AWS Secrets Manager.
  • SFTP connectors support two egress types:
    • Service Managed – uses AWS managed infrastructure for routing.
    • VPC (VPC_LATTICE) – routes traffic through your VPC using Amazon VPC Lattice, enabling connections to:
      • Private SFTP servers accessible only within a VPC.
      • Servers in shared VPCs.
      • On-premises systems connected over AWS Direct Connect.
      • Partner-hosted servers connected through VPN tunnels.
  • SFTP connectors support PGP encryption for encrypting/decrypting files before sending to remote partners.
  • SFTP connectors can list files stored on remote SFTP servers, enabling file retrieval workflows when file names are not known in advance.

Transfer Family Web Apps

  • Transfer Family web apps provide a no-code, fully managed browser-based experience for secure file transfers to and from Amazon S3.
  • Web apps enable authenticated users to perform file operations including listing, uploading, downloading, and deleting files through a web browser.
  • Web apps are integrated with AWS IAM Identity Center and Amazon S3 Access Grants, enabling fine-grained access controls that map corporate identities directly to S3 datasets.
  • Web apps are customizable to reflect company branding.
  • Supports HIPAA eligibility, PCI, and other compliance certifications.
  • One web app unit can provide up to 250 unique sessions per 5-minute period. Multiple units can be provisioned based on peak workload volumes.
  • Deployable with a few clicks in the Transfer Family console, generating a shareable URL.

Managed Workflows (MFTW)

  • Managed File Transfer Workflows (MFTW) is a fully managed, serverless workflow service that automates processing of uploaded files.
  • MFTW can automate processing steps such as:
    • Copying and tagging
    • Scanning and filtering
    • Compressing/decompressing
    • Encrypting/decrypting
    • Custom processing via Lambda functions
  • MFTW provides end-to-end visibility for tracking and auditability.
  • Workflows are triggered automatically in response to file uploads.
  • Supports both nominal (success) and exception handling steps.
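A custom workflow step is a Lambda function that receives the file location plus a callback token and must report `SUCCESS` or `FAILURE` through `SendWorkflowStepState`; a `FAILURE` is what routes the execution into the exception-handling steps mentioned above. The following filtering step is an added example, not AWS code or code from this page. The event field names (`token`, `serviceMetadata.executionDetails`, `fileLocation`) follow the documented custom-step payload, the values are constructed, the `incoming/` prefix and extension list are conventions invented for the example, and `RecordingClient` is a stand-in for the boto3 Transfer client so the handler runs offline.

```python
"""Custom-step Lambda for a Transfer Family managed workflow (added example).

The step accepts only normalized keys under an expected prefix with an
approved extension and reports the outcome back to the workflow.
"""
import posixpath

ALLOWED_EXTENSIONS = {".csv", ".xml", ".edi", ".pgp"}  # constructed allow-list
REQUIRED_PREFIX = "incoming/"  # constructed convention for this example


def evaluate_file(key: str):
    """Pure filtering rule: returns ('SUCCESS' | 'FAILURE', reason)."""
    # Reject keys that are not already in canonical form (e.g. '..' segments,
    # doubled slashes) so later steps cannot be steered outside the prefix.
    normalized = posixpath.normpath("/" + key).lstrip("/")
    if normalized != key or ".." in key.split("/"):
        return "FAILURE", "key is not a normalized path"
    if not key.startswith(REQUIRED_PREFIX):
        return "FAILURE", f"key outside {REQUIRED_PREFIX}"
    ext = posixpath.splitext(key)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return "FAILURE", f"extension {ext or '(none)'} not allowed"
    return "SUCCESS", "ok"


def _default_client():
    import boto3  # imported lazily so the filtering logic is testable offline
    return boto3.client("transfer")


def lambda_handler(event, context=None, transfer_client=None) -> dict:
    """Evaluate the uploaded object and report the step state to the workflow."""
    exec_details = event["serviceMetadata"]["executionDetails"]
    key = event["fileLocation"]["key"]
    status, reason = evaluate_file(key)
    client = transfer_client or _default_client()
    # The step does not complete until this call is made; omitting it stalls the execution.
    client.send_workflow_step_state(
        WorkflowId=exec_details["workflowId"],
        ExecutionId=exec_details["executionId"],
        Token=event["token"],
        Status=status,
    )
    return {"key": key, "status": status, "reason": reason}


class RecordingClient:
    """Stand-in for boto3's Transfer client; records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def send_workflow_step_state(self, **kwargs):
        self.calls.append(kwargs)
        return {}


# Constructed custom-step payload in the documented shape; all values are placeholders.
SAMPLE_EVENT = {
    "token": "constructed-token",
    "serviceMetadata": {
        "executionDetails": {"workflowId": "w-placeholder", "executionId": "exec-placeholder"},
        "transferDetails": {"sessionId": "sess-placeholder", "userName": "alice", "serverId": "s-placeholder"},
    },
    "fileLocation": {"type": "S3", "bucket": "example-transfer-bucket", "key": "incoming/payload.exe", "etag": "placeholder"},
}

if __name__ == "__main__":
    client = RecordingClient()
    print(lambda_handler(SAMPLE_EVENT, transfer_client=client))
    print(client.calls)
```

Keeping `evaluate_file` free of AWS calls is what makes the rule unit-testable; the handler only adds the callback plumbing around it.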

Security and Encryption

  • Transfer Family supports encryption at rest using:
    • AWS KMS (Key Management Service) managed keys
    • Amazon S3 server-side encryption (SSE-S3)
    • Customer Managed Keys with Amazon EFS
  • Encryption in transit via SSH (SFTP), TLS (FTPS, AS2), and HTTPS (web apps).
  • Supports TLS 1.2 for secure communication.
  • IAM policies control access to S3 buckets and EFS file systems.
  • CloudTrail provides granular auditing of user and API activity.
  • Security Groups and Network ACLs control network-level access for VPC endpoints.

Monitoring and Logging

  • Transfer Family supports two logging mechanisms for CloudWatch:
    • JSON Structured Logging (Recommended) – provides comprehensive, queryable log format with detailed activity types (AUTH_FAILURE, CONNECTED, DISCONNECTED, ERROR, OPEN, CLOSE, DELETE, MKDIR, RENAME, etc.).
    • Logging via a Logging Role – legacy logging mechanism.
  • CloudWatch metrics track server performance and transfer activity.
  • CloudWatch alarms can trigger notifications or automated actions based on thresholds.
  • CloudTrail logging is available for Transfer Family web apps.
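Structured logging emits one JSON object per CloudWatch log event, which is what makes the activity types above queryable. The script below is an added example, not AWS code or code from this page: it parses a handful of constructed log events (field names follow the kebab-case keys Transfer Family uses, such as `activity-type`, `source-ip`, `user`, `session-id`, `path`; all values are made up), flags source addresses with a burst of `AUTH_FAILURE` records inside a sliding window, and extracts the `DELETE` audit trail, skipping malformed lines rather than aborting.

```python
"""Triage of Transfer Family JSON structured logs (added example, not AWS code)."""
import json
from collections import defaultdict


def _ev(ts_ms, **fields):
    """Shape a record like a CloudWatch Logs event: timestamp + JSON message string."""
    return {"timestamp": ts_ms, "message": json.dumps(fields)}


# Constructed sample events; keys mirror Transfer Family structured logging, values are invented.
BASE = 1_700_000_000_000
SAMPLE_EVENTS = [
    _ev(BASE + 0, **{"activity-type": "AUTH_FAILURE", "source-ip": "198.51.100.7", "user": "alice", "protocol": "SFTP"}),
    _ev(BASE + 5_000, **{"activity-type": "AUTH_FAILURE", "source-ip": "198.51.100.7", "user": "admin", "protocol": "SFTP"}),
    _ev(BASE + 12_000, **{"activity-type": "AUTH_FAILURE", "source-ip": "198.51.100.7", "user": "root", "protocol": "SFTP"}),
    _ev(BASE + 20_000, **{"activity-type": "AUTH_FAILURE", "source-ip": "198.51.100.7", "user": "alice", "protocol": "SFTP"}),
    _ev(BASE + 30_000, **{"activity-type": "AUTH_FAILURE", "source-ip": "203.0.113.5", "user": "bob", "protocol": "SFTP"}),
    _ev(BASE + 40_000, **{"activity-type": "CONNECTED", "source-ip": "203.0.113.5", "user": "bob", "session-id": "sess-1"}),
    _ev(BASE + 41_000, **{"activity-type": "OPEN", "user": "bob", "session-id": "sess-1", "path": "/example-transfer-bucket/bob/in.csv", "mode": "CREATE|TRUNCATE|WRITE"}),
    _ev(BASE + 42_000, **{"activity-type": "CLOSE", "user": "bob", "session-id": "sess-1", "path": "/example-transfer-bucket/bob/in.csv", "bytes-in": 2048}),
    _ev(BASE + 43_000, **{"activity-type": "DELETE", "user": "bob", "session-id": "sess-1", "path": "/example-transfer-bucket/bob/old.csv"}),
    _ev(BASE + 44_000, **{"activity-type": "DISCONNECTED", "user": "bob", "session-id": "sess-1"}),
    {"timestamp": BASE + 45_000, "message": "not json at all"},  # malformed line, must be skipped
]


def parse_events(events):
    """Decode each event's JSON message and attach the CloudWatch timestamp as 'ts'."""
    records = []
    for ev in events:
        try:
            rec = json.loads(ev["message"])
        except (ValueError, KeyError, TypeError):
            continue  # skip unparsable lines rather than abort the whole run
        if not isinstance(rec, dict):
            continue
        rec["ts"] = ev.get("timestamp", 0)
        records.append(rec)
    return records


def auth_failure_bursts(records, threshold=3, window_ms=60_000):
    """Flag source IPs with at least `threshold` AUTH_FAILUREs inside any sliding window.

    Returns {ip: {"peak": failures_in_busiest_window, "users": sorted usernames tried}}.
    """
    by_ip = defaultdict(list)
    users = defaultdict(set)
    for r in records:
        if r.get("activity-type") != "AUTH_FAILURE":
            continue
        ip = r.get("source-ip", "unknown")
        by_ip[ip].append(r["ts"])
        users[ip].add(r.get("user", ""))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"peak": peak, "users": sorted(users[ip])}
    return flagged


def deletions(records):
    """Audit trail of DELETE operations as (user, path) tuples in time order."""
    dels = [r for r in records if r.get("activity-type") == "DELETE"]
    return [(r.get("user"), r.get("path")) for r in sorted(dels, key=lambda r: r["ts"])]


if __name__ == "__main__":
    recs = parse_events(SAMPLE_EVENTS)
    print(json.dumps(auth_failure_bursts(recs), indent=2))
    print(deletions(recs))
```

The same two functions run unchanged over the output of a CloudWatch Logs `filter-log-events` or Logs Insights export, since those return the same `timestamp`/`message` pairs; the many-usernames-from-one-address pattern in `users` is the signal to alarm on, and `deletions` gives the list the security team asked for in question 5 below.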

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. A solutions architect must provide a fully managed replacement for an on-premises solution that allows employees and partners to exchange files. The solution must be easily accessible to employees connecting from on-premises systems, remote employees, and external partners. Which solution meets these requirements?
    1. Use AWS Transfer Family for SFTP to transfer files into and out of Amazon S3.
    2. Use AWS Snowball Edge for local storage and large-scale data transfers.
    3. Use Amazon FSx to store and transfer files to make them available remotely.
    4. Use AWS Storage Gateway to create a volume gateway to store and transfer files to Amazon S3.
  2. A company exchanges EDI documents with multiple trading partners. The company needs a fully managed B2B file transfer solution that supports AS2 protocol, provides non-repudiation through message disposition notifications (MDNs), and stores transferred files in Amazon S3. Which AWS service meets these requirements?
    1. AWS DataSync with S3 as the destination
    2. AWS Transfer Family with AS2 protocol configured
    3. Amazon MQ with file transfer broker
    4. AWS Storage Gateway File Gateway
  3. A company needs to provide non-technical business users with a simple web interface to upload and download files from Amazon S3 without requiring SFTP clients or AWS Console access. The solution must integrate with the company’s existing corporate directory for authentication. Which approach should a solutions architect recommend?
    1. Create a custom web application using S3 pre-signed URLs
    2. Use Amazon WorkDocs for file sharing
    3. Deploy AWS Transfer Family web apps integrated with AWS IAM Identity Center and S3 Access Grants
    4. Use Amazon AppStream 2.0 to stream an S3 browser application
  4. A company needs to automate file transfers between a partner’s SFTP server (accessible only via VPN) and Amazon S3. The partner’s server is not accessible from the public internet. Which solution meets these requirements with the LEAST operational overhead?
    1. Deploy an EC2 instance with an SFTP client in the VPC and schedule cron jobs
    2. Use AWS DataSync with a private VIF over Direct Connect
    3. Use AWS Transfer Family SFTP connectors with VPC-based (VPC_LATTICE) egress type
    4. Set up an AWS Lambda function with VPC access to connect to the SFTP server
  5. A company uses AWS Transfer Family for SFTP file transfers. The security team requires detailed, queryable audit logs of all file operations including authentication failures, file opens, deletes, and disconnections. Which logging approach should be configured?
    1. Enable CloudTrail data events for the Transfer Family server
    2. Configure S3 server access logging on the destination bucket
    3. Enable JSON structured logging for the Transfer Family server in CloudWatch
    4. Set up VPC Flow Logs on the server endpoint’s network interface