
SFTP Server

Note: This documentation is also available in a rendered format here.

Deploys an AWS Transfer Family SFTP server within a VPC with configurable network interfaces, security group ingress controls, and optional internet-facing access. Use this module when you need to provide external partners or legacy systems with a secure SFTP endpoint for uploading data into your AWS environment.


Deployed Resources

This module deploys and integrates the following resources:

  • SFTP Service Role: IAM role assumed by the Transfer Family service for running the server and creating logs within the account
  • SFTP Server Security Group: Controls network connectivity to the SFTP server. Bound to VPC network interfaces.
  • SFTP Transfer Server: Transfer Family SFTP server bound to the specified VPC and subnets, with optional public-facing Elastic IPs

[Diagram: SFTPServer architecture]


  • SFTP Users — Deploy SFTP user credentials and S3 home directory mappings for the server deployed here
  • Data Lake — SFTP users can upload data directly into data lake S3 buckets
  • DataSync — Alternative data transfer method for automated, scheduled data movement

Security/Compliance Details

This module is designed in alignment with MDAA security/compliance principles and CDK nag rulesets. Additional review is recommended prior to production deployment to ensure that organization-specific compliance requirements are met.

  • Encryption in Transit:
    • All SFTP data transfer encrypted via SSH/SFTP protocol
  • Least Privilege:
    • Dedicated IAM service role with scoped permissions for Transfer Family operations and CloudWatch logging
  • Network Isolation:
    • Server is VPC-bound with security group controlling all inbound access
    • All ingress denied by default
    • Only explicitly configured CIDR ranges are allowed on port 22

AWS Service Endpoints

The following VPC endpoints may be required if public AWS service endpoint connectivity is unavailable (e.g., private subnets without NAT gateway, firewalled environments, or PrivateLink-only architectures):

| AWS Service | Endpoint Service Name | Type |
|---|---|---|
| Transfer Family | com.amazonaws.{region}.transfer.server | Interface |
| CloudWatch Logs | com.amazonaws.{region}.logs | Interface |
| S3 | com.amazonaws.{region}.s3 | Gateway |
| STS | com.amazonaws.{region}.sts | Interface |

Configuration

MDAA Config

Add the following snippet to your mdaa.yaml under the modules: section of a domain/env in order to use this module:

sftp-server: # Module Name can be customized
  module_path: '@aws-mdaa/sftp-server' # Must match module NPM package name
  module_configs:
    - ./sftp-server.yaml # Filename/path can be customized

Module Config Samples and Variants

Copy the contents of the relevant sample config below into the ./sftp-server.yaml file referenced in the MDAA config snippet above.

Minimal Configuration

Contains only the required properties for deploying an AWS Transfer Family SFTP server with VPC networking and CIDR-based access control. Start here for a basic private SFTP server in your VPC.

sample-config-minimal.yaml

# Contents available via above link
# SFTP Server Module — Minimal Sample Configuration
# Contains only the required properties for deploying an AWS
# Transfer Family SFTP server with VPC networking and CIDR-based
# access control.

server:
  # CIDR blocks permitted to connect to the SFTP server on port 22.
  ingressCidrs:
    - 10.0.0.0/8
  # VPC ID where the SFTP server will be deployed.
  # Often created by your VPC/networking stack.
  # Example SSM: ssm:/path/to/vpc/id
  vpcId: some-vpc-id
  # Subnet IDs for the SFTP server network interfaces.
  # Often created by your VPC/networking stack.
  # Example SSM: ssm:/path/to/subnet/id
  subnetIds:
    - some-subnet-id1

Comprehensive Configuration

Deploys an AWS Transfer Family SFTP server with VPC networking, ingress CIDR restrictions, optional public IP allocation, and a custom security policy. Start here when evaluating all available options for public-facing access, security policies, and multi-subnet deployment.

sample-config-comprehensive.yaml

# Contents available via above link
# SFTP Server Module — Comprehensive Sample Configuration
# Deploys an AWS Transfer Family SFTP server with VPC networking,
# ingress CIDR restrictions, optional public IP allocation, and
# a custom security policy.
# This config exercises EVERY available property at full depth.

server:
  # CIDR blocks permitted to connect to the SFTP server on port 22.
  # All other ingress is denied by default.
  ingressCidrs:
    - 10.0.0.0/8
    - 192.168.0.0/16
    - 172.16.0.0/12
  # VPC ID where the SFTP server will be deployed. The security
  # group and server endpoints are created within this VPC.
  # Often created by your VPC/networking stack.
  # Example SSM: ssm:/path/to/vpc/id
  vpcId: some-vpc-id
  # Subnet IDs where the SFTP server will have network interfaces.
  # Use multiple subnets across AZs for high availability.
  # Often created by your VPC/networking stack.
  # Example SSM: ssm:/path/to/subnet/id
  subnetIds:
    - some-subnet-id1
    - some-subnet-id2
  # (Optional) Whether to allocate a public Elastic IP for
  # internet-facing access. When false, the server is only
  # accessible within the VPC. (default: false)
  internetFacing: false
  # (Optional) Transfer Family security policy name controlling
  # cryptographic algorithms for SFTP connections. Defaults to
  # 'TransferSecurityPolicy-FIPS-2020-06'. Use a non-FIPS policy
  # in regions that do not support FIPS.
  securityPolicyName: TransferSecurityPolicy-2024-01
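The Network Isolation principles above (all ingress denied by default, only configured CIDRs on port 22) and the sample configs translate into two checks a deployer can run before and after deployment: a lint of the server config, and a comparison of the security group that actually exists against the rules the config should have produced. The script below is an added example and is not part of the MDAA module. It assumes the server config has been loaded into a dict with the module's keys (ingressCidrs, vpcId, subnetIds, internetFacing, securityPolicyName; in practice via yaml.safe_load on sftp-server.yaml), and that the observed rules are in the IpPermissions shape returned by `aws ec2 describe-security-groups`. The config, the observed rules, and the "public CIDR on a VPC-only server" heuristic are constructed for illustration.

```python
"""Config lint and security-group drift check for an sftp-server config.

Added example, not MDAA project code. CONFIG and OBSERVED_SG are
constructed inputs; a real run would load sftp-server.yaml with
yaml.safe_load() and fetch the group with describe-security-groups.
"""
import ipaddress

# Constructed config mirroring the keys of the comprehensive sample.
CONFIG = {
    "server": {
        "ingressCidrs": ["10.0.0.0/8", "192.168.0.0/16"],
        "vpcId": "some-vpc-id",
        "subnetIds": ["some-subnet-id1", "some-subnet-id2"],
        "internetFacing": False,
        "securityPolicyName": "TransferSecurityPolicy-2024-01",
    }
}

# Constructed IpPermissions as returned by `aws ec2 describe-security-groups`.
# One configured CIDR is missing and an extra 0.0.0.0/0 rule has appeared,
# the kind of manual drift a post-deployment check should surface.
OBSERVED_SG = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def lint_server_config(cfg):
    """Return a list of findings (strings); an empty list means no concerns."""
    server = cfg["server"]
    findings = []
    internet_facing = server.get("internetFacing", False)
    for cidr in server["ingressCidrs"]:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(f"invalid CIDR {cidr!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{cidr} opens port 22 to every address")
        elif not internet_facing and not net.is_private:
            # Heuristic (assumption): a VPC-only server is normally reached
            # from private ranges, so a public CIDR deserves a second look.
            findings.append(f"{cidr} is a public range but the server is VPC-only")
    if len(server["subnetIds"]) < 2:
        findings.append("single subnet: no AZ redundancy for the endpoint")
    # Default taken from the comprehensive sample's comment above.
    policy = server.get("securityPolicyName", "TransferSecurityPolicy-FIPS-2020-06")
    if not policy.startswith("TransferSecurityPolicy-"):
        findings.append(f"unrecognised security policy name {policy!r}")
    return findings


def expected_ingress(cfg):
    """Rules the module should create: TCP/22 from each configured CIDR, nothing else."""
    return {("tcp", 22, 22, c) for c in cfg["server"]["ingressCidrs"]}


def ingress_drift(cfg, ip_permissions):
    """Compare observed IpPermissions with the config; report both directions."""
    observed = set()
    for perm in ip_permissions:
        for r in perm.get("IpRanges", []):
            observed.add((perm["IpProtocol"], perm.get("FromPort"),
                          perm.get("ToPort"), r["CidrIp"]))
    want = expected_ingress(cfg)
    # key=repr keeps sorting stable if a rule has None ports (IpProtocol "-1").
    return {"missing": sorted(want - observed, key=repr),
            "unexpected": sorted(observed - want, key=repr)}


if __name__ == "__main__":
    for f in lint_server_config(CONFIG):
        print("LINT:", f)
    drift = ingress_drift(CONFIG, OBSERVED_SG)
    for rule in drift["missing"]:
        print("MISSING  :", rule)
    for rule in drift["unexpected"]:
        print("UNEXPECTED:", rule)
```

Run the drift check against the real group after each deployment (and on a schedule); any entry under `unexpected` means port 22 is reachable from a range the config never granted, which is exactly the condition the module's default-deny ingress is meant to rule out.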

Config Schema Docs