Questions tagged with AWS Transfer Family

I am selling my site and need to transfer the AWS account to the buyer's business (the buyers do not use AWS for their other sites - but they want my site to continue with AWS). I cannot figure out how to do it. Do I need to pay for support and what level? This is Amazon's advice on transfering ownership of a site: https://aws.amazon.com/premiumsupport/knowledge-center/transfer-aws-account/ "To assign ownership of an AWS account and its resources to another party or business, contact AWS Support for help: Sign in to the AWS Management Console as the root user. Open the AWS Support Center. Choose Create case. Enter the details of your case: Choose Account and billing support. For Type, choose Account. For Category, choose Ownership Transfer. For all other fields, enter the details for your case. For Preferred contact language, choose your preferred language. For Contact methods, choose your preferred contact method. Choose Submit. AWS Support will contact you with next steps and help you transfer your account ownership." I have done all this but have not yet been contacted (24 hours). The text seems to suggest that advice on transfering ownership is a necessary aspect of transfering an AWS root account to a company, and that such advice is provided free by Amazon, since nothing is said about pricing. If on the other hand AWS clients must pay for a support package to transfer ownership, which package? The $29 Developer package or the $100 Business package or some other package? How quickly does Amazon AWS respond? How quick is the transfer process? I am finding this very frustrating.

We have: - an AWS transfer family server with FTPS protocol - a custom hostname and a valid ACM certificate which is attached to the FTP server - a Lambda for the Identity provider The client is using: - EXPLICIT AUTH TLS - our custom hostname - port 21 The problem is: the client can connect, the authentication is successfully (see below for the auth test result), but during the communication with the FTP server a TLS_RESUME_FAILURE occurs. The error in the customer client is "522 Data connection must use cached TLS session", and the error in the CloudWatch LogGroup of the transfer server is just "TLS_RESUME_FAILURE" I have no clue why this is happen. Any ideas? Here is the auth test result ``` { "Response": "{\"HomeDirectoryDetails\":\"[{\\\"Entry\\\":\\\"/\\\",\\\"Target\\\":\\\"/xxx/new\\\"}]\",\"HomeDirectoryType\":\"LOGICAL\",\"Role\":\"arn:aws:iam::123456789:role/ftp-s3-access-role\",\"Policy\":\"{\"Version\": \"2012-10-17\", \"Statement\": [{\"Sid\": \"AllowListAccessToBucket\", \"Action\": [\"s3:ListBucket\"], \"Effect\": \"Allow\", \"Resource\": [\"arn:aws:s3:::xxx-prod\"]}, {\"Sid\": \"TransferDataBucketAccess\", \"Effect\": \"Allow\", \"Action\": [\"s3:PutObject\", \"s3:GetObject\", \"s3:GetObjectVersion\", \"s3:GetObjectACL\", \"s3:PutObjectACL\"], \"Resource\": [\"arn:aws:s3:::xxx-prod/xxx/new\", \"arn:aws:s3:::xxx-prod/xxx/new/*\"]}]}\",\"UserName\":\"test\",\"IdentityProviderType\":\"AWS_LAMBDA\"}", "StatusCode": 200, "Message": "" } ```

Since this monday we are experiencing a problem when we try to upload a large amount of files. (49 files to be exact). After around 20 files the upload fails. ``` s-262d99d7572942eca.server.transfer.eu-central-1.amazonaws.com /aws/transfer/s-262d99d7572942eca asdf.f7955cc50d0d1bc4 2022-05-09T23:02:59.165+02:00 asdf.f7955cc50d0d1bc4 CONNECTED SourceIP=77.0.176.252 User=asdf HomeDir=/beresa-test-komola/asdf Client=SSH-2.0-ssh2js0.4.10 Role=arn:aws:iam::747969442112:role/beresa-test UserPolicy="{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"AllowListingOfUserFolder\",\n \"Action\": [\n \"s3:ListBucket\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": [\n \"arn:aws:s3:::beresa-test-komola\"\n ],\n \"Condition\": {\n \"StringLike\": {\n \"s3:prefix\": [\n \"asdf/*\",\n \"asdf\"\n ]\n }\n }\n },\n {\n \"Sid\": \"HomeDirObjectAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:PutObject\",\n \"s3:GetObject\",\n \"s3:DeleteObject\",\n \"s3:GetObjectVersion\"\n ],\n \"Resource\": \"arn:aws:s3:::beresa-test-komola/asdf*\"\n }\n ]\n}" Kex=ecdh-sha2-nistp256 Ciphers=aes128-ctr,aes128-ctr 2022-05-09T23:02:59.583+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/10_x_a_10.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:03.394+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/10_x_a_10.jpg BytesIn=4226625 2022-05-09T23:03:04.005+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/11_x_a_1.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:07.215+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/11_x_a_1.jpg BytesIn=4226625 2022-05-09T23:03:07.757+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/12_x_a_37.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:10.902+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/12_x_a_37.jpg BytesIn=4226625 2022-05-09T23:03:11.433+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/13_x_a_13.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:14.579+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/13_x_a_13.jpg BytesIn=4226625 2022-05-09T23:03:14.942+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/14_x_a_43.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:18.016+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/14_x_a_43.jpg BytesIn=4226625 2022-05-09T23:03:18.403+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/15_x_a_34.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:21.463+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/15_x_a_34.jpg BytesIn=4226625 2022-05-09T23:03:21.906+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/16_x_a_44.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:25.025+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/16_x_a_44.jpg BytesIn=4199266 2022-05-09T23:03:25.431+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/17_x_a_2.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:28.497+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/17_x_a_2.jpg BytesIn=4199266 2022-05-09T23:03:28.857+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/18_x_a_5.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:31.947+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/18_x_a_5.jpg BytesIn=4199266 2022-05-09T23:03:32.374+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/19_x_a_8.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:35.504+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/19_x_a_8.jpg BytesIn=4199266 2022-05-09T23:03:35.986+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/1_x_a_16.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:39.104+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/1_x_a_16.jpg BytesIn=4226625 2022-05-09T23:03:39.691+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/20_x_a_11.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:42.816+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/20_x_a_11.jpg BytesIn=4199266 2022-05-09T23:03:43.224+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/21_x_a_14.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:46.274+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/21_x_a_14.jpg BytesIn=4199266 2022-05-09T23:03:46.649+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/22_x_a_17.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:49.757+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/22_x_a_17.jpg BytesIn=4199266 2022-05-09T23:03:50.141+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/23_x_a_20.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:53.307+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/23_x_a_20.jpg BytesIn=4199266 2022-05-09T23:03:53.849+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/24_x_a_23.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:03:56.933+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/24_x_a_23.jpg BytesIn=4199266 2022-05-09T23:03:57.358+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/25_x_a_26.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:04:00.585+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/25_x_a_26.jpg BytesIn=4199266 2022-05-09T23:04:00.942+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/26_x_a_29.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:04:04.174+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/26_x_a_29.jpg BytesIn=4199266 2022-05-09T23:04:04.603+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/27_x_a_32.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:04:07.771+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/27_x_a_32.jpg BytesIn=4199266 2022-05-09T23:04:08.179+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/28_x_a_35.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:04:11.279+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/28_x_a_35.jpg BytesIn=4199266 2022-05-09T23:04:11.716+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/29_x_a_38.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:04:14.853+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/29_x_a_38.jpg BytesIn=4199266 2022-05-09T23:04:15.316+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/2_x_a_7.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:04:18.435+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/2_x_a_7.jpg BytesIn=4226625 2022-05-09T23:04:18.906+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/30_x_a_41.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:04:22.140+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/30_x_a_41.jpg BytesIn=4199266 2022-05-09T23:04:22.565+02:00 asdf.f7955cc50d0d1bc4 OPEN Path=/beresa-test-komola/asdf/x/bla/31_x_a_18.jpg Mode=CREATE|TRUNCATE|WRITE 2022-05-09T23:04:25.752+02:00 asdf.f7955cc50d0d1bc4 CLOSE Path=/beresa-test-komola/asdf/x/bla/31_x_a_18.jpg BytesIn=4159129 2022-05-09T23:04:26.141+02:00 asdf.f7955cc50d0d1bc4 ERROR Message="Too many open files in this session, maximum 100" Operation=OPEN Path=/beresa-test-komola/asdf/x/bla/32_x_a_3.jpg Mode=CREATE|TRUNCATE|WRITE ``` As you can see in the logs we are closing each path after opening it - we are uploading one file after the other. What could cause this as we are not even trying to write 100 files during the scp session?

Hi, I'm curently facing a problem trying to create a private SFTP Server (deployed in a VPC) using AWS Transfer Family. So here are the steps I followed: - I started an EC2 in one of three subnets associated with the SFTP server (created in another step) - Those subnets are private - I connected to the EC2 instance using session manager - I created an ssh key named sftp_key to connect to the SFTP server - I Created an IAM role for the transfer service: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "transfer.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "<AccountId>" }, "ArnLike": { "aws:SourceArn": "arn:aws:transfer:eu-west-1:<AccountId>:server/*" } } } ] } ``` - Attached an inline policy to this role: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListingOfUserFolder", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::<BucketName>" ] }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::<BucketName>/*" } ] } ``` - Created a Role for logging management. This role has the following inline policy: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "CreateLogsForTransfer", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*" } ] } ``` - Created an SFTP Server using the CLI like this: ``` aws transfer create-server --identity-provider-type SERVICE_MANAGED --protocols SFTP --domain S3 --endpoint-type VPC --endpoint-details SubnetIds=$SUBNET_IDS,VpcId=$VPC_ID,SecurityGroupIds=$SG_ID --logging-role $LOGGINGROLEARN --security-policy-name $SECURITY_POLICY ``` SUBNET_IDS: list of 3 privates subnets ids VPC_ID: the concerned VPC ID SG_ID: ID of a security group. This group allows all access on port 22 (TCP) from the same subnets (SUBNET_IDS) LOGGINGROLEARN: Arn of the logging role SECURITY_POLICY=TransferSecurityPolicy-2020-06 - Created a user with the CLI: ``` aws transfer create-user --home-directory $DIRECTORY --policy file://sftp-scope-down-policy.json --role $ROLEARN --server-id $SERVERID --user-name $1 --ssh-public-key-body "$SSHKEYBODY" ``` DIRECTORY=/<BucketName>/<userName> ROLEARN: Role created before SSHKEYBODY: public key of the ssh key created on the EC2 sftp-scope-down-policy.json content: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListingOfUserFolder", "Action": [ "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::${transfer:HomeBucket}" ], "Condition": { "StringLike": { "s3:prefix": [ "${transfer:UserName}/*", "${transfer:UserName}" ] } } }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*" } ] } ``` - A VPC endpoint exists for the three subnets for the following services: - com.amazonaws.eu-west-1.ec2 - com.amazonaws.eu-west-1.ssm - com.amazonaws.eu-west-1.ssmmessages ***So here is the problem:*** I tried to connect to the SFTP server from the EC2 launched in the first step using this command: ``` sftp -vvv -i sftp_key <userName>@<ServerPrivateIp> ``` the ssh logs shows that the connection suceeded but after that the connection closed directly. ``` debug1: Authentication succeeded (publickey). Authenticated to <ServerPrivateIp> ([<ServerPrivateIp>]:22). ``` No logs are created on CloudWatch Logs and I can see nothing special on CloudTrail logs. Can someone explain me what I missed ?

Hello, I am migrating a SFTP Server from Public Endpoint to VPC Endpoint, and i would like to preserve the same HostKey in production so customers do not have to re-accept it. But i am struggling with the concepts: When looking into the existing SFTP Server at Console > Additional details > Server host key SHA256:Cv5TEDW8P3L+uqpAKtpzSWIfGcHwdrnaDyJd0wOGNx5= (example) I believe this is a PUBLIC host key, and the same that we accept as a client to the SFTP Server into the known hosts . When Editing > Server host key, it asks for a RSA PRIVATE key. (I tried to set the previous host key example) Where can i get this RSA private Key from our current running AWS SFTP server? (I tried to ssh but it does not allow) Would after creation of new AWS SFTP server be able to setup the host key with this command? aws transfer update-server --server-id "your-server-id" --host-key file://my-host-key my-host-key is the RSA Private Key? Thanks.

Hi all, I've setup an SFTP server with AWS Transfer Family with "sftp-server" S3 bucket as storage. I created "subfolder01", "subfolder02", "subfolder03", etc in the bucket. I defined an SFTP user and set "sftp-server" as his restricted home folder. And I want to give him read/write permissions to "subfolder01" and "subfolder02" only, while no access to all the other subfolders. But when the user connects, he sees an empty list of his home folder, and he can only access the two subfolders if he manually types the "subfolder01/" or "subfolder02/" path, in Filezilla. I would like him to see the list of all the subfolders when he connects, or better, to see only the two subfolders that he has access to. This is the policy assigned to the role of the user: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::sftp-server" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:PutObjectAcl", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::sftp-server/subfolder01/*", "arn:aws:s3:::sftp-server/subfolder02/*" ] } ] } and this is Trusted Entities of his role: { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "transfer.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } Can you please help me?

I am using the AWS Transfer service with S3 buckets for storage and a chrooted dynamic path to create the user directory as the user is authenticated - "/mybucket/${Transfer:UserName}". This is working as expected except that when the ${Transfer:UserName} variable is used to create the user directory it matches the case that the user name was entered on the client. Authentication is via the AWS Directory service. As this is a windows system there is no distinction between lowercase and uppercase usernames. E.g. if the client specifies the username in lowercase the user directory is created in lowercase. If the client specifies the username in uppercase then the user directory is created in uppercase. This can result in multiple user directories. Is there a way to force the case of the user directory to lowercase when it is created using the ${Transfer:UserName} variable?

Hi, I would expose the same SFTP (Transfer Family) endpoint (deployed in service mode, not into a VPC) under different domains to share the capabilities. It seems the component controls its proper declaration into an hosted zone (based on the given domain), meaning it could not be associated to several domains. If I want to share a SFTP server, I have to deploy it into a VPC, behind a NLB and target the NLB from the different zones. Am I right? Thanks in advance

AWS Transfer Family is pleased to announce the following enhancements to the managed workflows capability. 1. You can now configure your workflow steps to process either the originally uploaded file or the output file from the previous workflow step. You can also make multiple copies of a file and archive the original source file for records retention. 2. You can now utilize username as a variable in workflows copy steps, enabling you to dynamically route files to user-specific folders in Amazon S3. 3. You can now use AWS CloudFormation to configure and deploy managed workflows in a standardized and repeatable way across multiple regions and accounts. 4. Also, you now have access to AWS CloudWatch metrics such as total number of executions, successful executions and failed executions for your Workflows. To learn more, please visit our managed Workflows documentation [1] or the blog post [2] for additional details. [1] https://docs.aws.amazon.com/transfer/latest/userguide/transfer-workflows.html [2] https://aws.amazon.com/blogs/architecture/building-a-cloud-native-file-transfer-platform-using-aws-transfer-family-workflows/

AWS Transfer Family servers can now display customized messages, such as organizational policies or terms and conditions to your end users, helping you achieve your legal and compliance requirements. You can also present a customized Message of The Day (MOTD), such as a greeting message, to enhance user experience. To learn more about using login banners with AWS Transfer Family, please find details in our documentation - https://docs.aws.amazon.com/transfer/latest/userguide/create-server-sftp.html

I have an AWS Transfer server running using an AWS Hosted Active Directory for authentication. I have a two way transitive domain trust in place with an on-premise Active Directory domain. Is it possible to use security groups form the trusted domain to grant access? I have tried to add Group SID's from the trusted domain but this results the following error: Failed to add access (1 validation error detected: Value ' <SID> at 'externalId' failed to satisfy constraint: Member must satisfy regular expression pattern: ^S-1-[\d-]+$) Setting up Access with a SID from the AWS Directory Service is working as expected.

The Endpoint is too long for the field that gets filled in for the SFTP software on customer end . Given AWS Endpoint is 59 characters long and the field only supports 55 characters. Do you know if there is a way for us to get a shorter one?

Hello All, I have deleted my sftp server in transfer family that contain all my users. Worst i don't have any inventory for the users. How do i recover.

I have an AWS Transfer requirement where I need to provide key based authentication as you get from the Service Managed identity provider, and AWS Directory Service authentication. Is this possible from a single server?

What IAM policies can be used to replicate the two demos in [AWS Transfer Family Managed Workflows Demo | Amazon Web Services](https://www.youtube.com/watch?v=t-iNqCRospw)?

My team has an app running on both Android and iOS that needs to upload media files (video ad images) to an s3 bucket. The solution was implemented using S3 Transferutility and it was working fine, but we discovered this week that we are having some issues on Android. Now, when we try to upload a media file on Android OS the transfers state keeps waiting indefinitely. iOS is working fine. AWS SDK Core: 2.18.0 Does any one of you have any suggestion on what could it be?

I am working on a CF template to deploy a AWS Transfer server. I am using EndPointType=VPC and I need to be able to specify the IP's of the network interfaces for two subnets. From the https://docs.aws.amazon.com/transfer/latest/userguide/API_EndpointDetails.html I can see that I need to use the AddressAllocationIds statement. This only appears to be possible via the UpdateServer API. I guess I need to call the UpdateServer API after the AWS::Transfer::Server block in the template? Is there an example of this available anywhere?

Starting today, AWS Transfer Family is available in the Asia Pacific (Osaka) Region. AWS Transfer Family provides fully managed file transfers for Amazon Simple Storage Service (Amazon S3) and Amazon Elastic File System (EFS). With this launch, AWS Transfer Family is now available in 21 commercial AWS regions, AWS GovCloud (US) Regions, Amazon China (Beijing) Region, operated by Sinnet, and the Amazon China (Ningxia) Region, operated by NWCD. AWS Transfer Family supports file transfers over Secure File Transfer Protocol (SFTP), File Transfer Protocol (FTP) and FTP over SSL (FTPS), simplifying and accelerating migration of file transfer workflows to AWS. For more information, visit the AWS Transfer Family product page and see the AWS Region Table for complete regional availability information.

When we try to send a file from Unix box to S3 bucket via AWS transfer family resolve hostname of Endpoint is not found correctly and there is error generate for SFTP logs "changing state from STATE_NOT CONNECTED to STATE_CLOSED" and connection timeout. For the last 6 months, File transfer was successful without any issues. Below are errors in cloudwatch logs of the AWS transfer family: ERRORS KEX_FAILURE MESSAGE= "no matching key exchange method found" Kex=diffie-hellman-group1-sha1

I created a SFTP server in AWS Transfer family connected to an S3 bucket with the service managing the users. Created 3 users and it was all working fine. I created a fourth user (with the same IAM role attached as the working users) and it did not work and received an SSH AUTH FAILURE when trying to connect. So I added the public key to the user again (assuming I had screwed up). The two keys both show the same fingerprint in the AWS transfer console so I didn't screw up. But still does not work. However, when I checked the fingerprint of the key locally using 'ssh-keygen -l -f <keyname>' I get a totally different fingerprint to the one shown against the keys for that user. So I removed the key from one of the working users and added the exact same public key back in. That user no longer works but the public key has not changed. What am I doing wrong here?

Hi, Is SFTP gateway supports SSE-C (server-side encryption with customer key)? Thanks, Srikar.

I'm coding a python script to backup my computer to my S3 bucket. However, I just saw restrictions on how many steps. etc. in a workflow for the transfer family as follows: How do I backup my data using python to my S3 bucket on my account? I'd also like to learn how to code in python to access AWS services so that's the main reason I'd like to do this. I've created some code already to create a transfer server, start it, stop it and delete it. Limitations Additionally, the following functional limits apply to workflows for Transfer Family: The number of workflows per account is limited to 10. The maximum timeout for custom steps is 30 minutes. The maximum number of steps in a workflow is 8.

Hi all: We are using the AWS Transfer Family service as our SFTP service. Currently, we are generating a ssh key pairs for our vendors and add the public keys to the vendor account while creating the vendor accounts. We are transferring the private keys to the vendors and with this they are able to log onto the account. Let me know if this is the right approach or not. One of the vendor says that transferring private key is not safe and asking us for the public key. If I provide him the public key and have the public key attached to the account within AWS Transfer family, he is getting authentication error. Should we send them the public key or private key? Is it safe to send them the private key? Also, if he has key pair generated, is it okay if I have his public key attached to the account? Can someone who is an expert in this area clear my confusion. Appreciate any help in this. Regards! Venkata

As the subject asks. I've successfully used ed25519 keys over in EC2, but however I try to enter an ed25519 ssh key to a user at "SFTP, FTPS, & FTP Servers > server-id > username > Add key", I keep getting the error message "Enter a valid SSH public key". Just wondering if I'm doing something wrong or its not supported. (yet?)

Hi, We have an FTP(s) and SFTP set up on AWS Transfer Family, in our own VPC with Cognito as the custom identity provider (APIGW + lambda). We have configured it to accept usernames and passwords and are successfully using it in production. We want to enable SSH key for the SFTP where clients access and send data with the private key. We have the client's public key but are unclear on how the connection and data transfer flow is for our scenario. Right now, we are totally in the dark on how to do this. How do we allow clients access via a private key without a username/password configured using our custom identity provider for AWS Transfer Family? When the client tries to connect to the server, I'm guessing it will go through the custom identity provider (APIGW+Lambda), but we're unsure how to allow the client to proceed to AWS Transfer Family, and where we should be storing and sending the Public Key? Any help or pointing us in the right direction would help. Thank you!

I am getting access denied for user when WINSCP tries to list the directory structure, "Error listing directory '/.'" I have the following policy for user { "Version": "2012-10-17", "Statement": \[ { "Sid": "AllowListingOfUserFolder", "Action": \[ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": \[ "arn:aws:s3:::BUCKET234" ] }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": \[ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::BUCKET234/*" } ] } This is the trust relationship { "Version": "2012-10-17", "Statement": \[ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "transfer.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } There is no scope down policy, what am i missing ?

I'm following the cloud formation template provided the below URL to create AWS SFTP service with custom Identity Provider as APi Gateway and Secret Manager to store the user credentials. The API gateway to integrate between SFTP Transfer server and lambda function that processes the gateway request and queries the Secret Manager. Is the password authentication with custom Identity Provider as API Gateway and EFS specifically supported in AWS? If so, can someone hint me as to how to configure the store in Secret Manager to configure the UID, GID, Secondary GID? I'm specifically looking for help on this. Most of the documentation talks only about Transfer family with S3 as backend storage including the examples on scope down policy etc.. Any help on this requirement is highly appreciated. https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-for-sftp-using-aws-secrets-manager/

Good day I've implemented the custom IDP using the template (aws-transfer-custom-idp-secrets-manager-apig.template.yml) provided. I've created a user in secrets manager and attached the role containing the below policy in which I explicitly specify the users username as directory, indicated as "user1" for demonstration purposes. I am then able to successfully authenticate via SSH or Username/Password methods. I then created a new role/policy for a new user and specify the new user directory as "user2" in the policy. The problem is with the new user it authenticates fine however upon login it generates an "access denied" error and does not seem to place the user in the logical directory specified in secrets manager. This error persists with each new user I've attempted to create using the same details as the initial user1.Please assist, I've attached the user format as inserted to Secrets Manager as well as the policy below for your perusal. Thanks Secrets Manager User PLAINTEXT stored as "SFTP/user2" : { "Password": "password", "Role": "arn:aws:iam::111111111111:role/rolename", "PublicKey": "ssh-rsa AAAA", "HomeDirectoryType": "LOGICAL", "HomeDirectoryDetails": "\[{\"Entry\": \"/\", \"Target\": \"/bucketname/user2\"}]" } POLICY : { "Version": "2012-10-17", "Statement": \[ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": \[ "s3:ListBucket" ], "Resource": "arn:aws:s3:::bucketname" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": \[ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion" ], "Resource": \[ "arn:aws:s3:::bucketname/user2/in/*", "arn:aws:s3:::bucketname/user2/out/*" ] }, { "Sid": "VisualEditor2", "Effect": "Deny", "Action": \[ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::bucketname/user2/" } ] } Note, this policy works for our use case in that it allows a user to GET/PUT to the in/out folders however denies them from PUT at their logical root. The s3 structure is as follows: bucketname/user2/folders and again it works with the first user created as user1. Thanks

If using a custom identity provider, can the lambda return a value in the user authentication response that indicates the user should be operating in 'restricted' mode? The built-in provider has a checkbox, but the custom identity provider documentation doesn't mention any return values that communicate that the user was stored as 'restricted' and therefore should only be allowed to access the home folder. I have yet to be able to create a working scope-down policy that performs the 'restricted' mode. All the examples continue to fail with 'Access Denied'. Setting the policy to allow read/write to the S3 directly works, but obviously gives the user access to navigate throughout the S3 bucket. Allowing the custom identity provider to specify 'Restricted' would eliminate the scope-down policy complexity.

Hi all, I have enabled the s3 versioning on the bucket connected with AWS Transfer Family since I wanted to use the replication feature for certain folder in the sftp bucket. Unfortunately, since I've enabled it now I cannot download any file from the bucket using an sftp connection. The upload works fine but the download fails with access denied. I have a custom identity provider which return the policy below when the user authenticates: ```json { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListingOfUserFolder", "Action": [ "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::${transfer:HomeBucket}" ], "Condition": { "StringLike": { "s3:prefix": [ "user-folder/*", "user-folder" ] } } }, { "Sid": "AWSTransferRequirements", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject*", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:GetObjectVersion", "s3:GetObjectAcl", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*" } ] } ``` Edited by: sa-dem on Dec 8, 2020 2:05 PM

I read that there is a data transfer cost between two AZs in different accounts. I wonder if there is a data transfer cost between two AZs in the same VPC same account. let's say one EC2 in AZ A is sending data to EC2 in AZ B. What is the charge like?

Hello, I am looking for guidance on setting up scope down policy for FTPS users on the transfer family service. Within the lambda function that does the user authentication, i am attempting to add the policy JSON to the response body as described in the documentation. ..... response = { Role: 'arn:aws:iam::xxxxxxx:role/assumedRoleForTransferService', Policy: myPolicyJSON, HomeDirectory: '' }; ....... The scope down policy looks similar to what SFTP scope down users would use except I am not using the transfer variables (eg. ${transfer:HomeDirectory}) as I suspect they don't work because with FTPS there are no "managed" users to map the variables to. Instead my lambda will dynamically replace variables in the policy dependent on logic within the lambda. Adding the scope down policy to the lambda response creates an error when connecting to the server. Removing the scope down policy from the lambda allows me to connect and upload but then I am not restricted within the bucket. My user scope down policy JSON looks like this prior to replacing the dyanmic variables with the appropriate user paths. { "Version": "2012-10-17", "Statement": \[ { "Sid": "AllowListingOfUserFolder", "Action": \[ "s3:ListBucket" ], "Effect": "Allow", "Resource": "arn:aws:s3:::mybucket" , "Condition": { "StringLike": { "s3:prefix": \[ "DYNAMIC_USER_VARIABLE/*", "DYNAMIC_USER_VARIABLE" ] } } }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": \[ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:GetObjectVersion", "s3:GetObjectACL", "s3:PutObjectACL" ], "Resource": "arn:aws:s3:::mybucket/DYNAMIC_USER_VARIABLE/*" } ] } Is scope down policies a part of the FTPS service? If so is there any glaring issue in my policy JSON above? thanks in advance!

I've customized my identity provider using the template and instructions available here: https://docs.aws.amazon.com/transfer/latest/userguide/authenticating-users.html I'm able to get a correct response from my API and successfully log while testing in AWS Transfer and with FileZilla. However, it's not actually allowing a user to view existing files or upload new files. Here is the response from the identity provider API: ``` { "Policy": "<policy granting full access to bucket>", "Role": "<role with full access to S3>", "HomeDirectory": "/<my bucket>/test" } ``` I'm assuming this is acceptable based off the information on these pages: https://aws.amazon.com/blogs/storage/simplify-your-aws-sftp-structure-with-chroot-and-logical-directories/ https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-user.html However, FileZilla gives me the following log: ``` Status: Connecting to sftp.mydomain.com... Status: Using username "test". Status: Connected to 123456.server.transfer.us-east-1.amazonaws.com Status: Retrieving directory listing... Status: Listing directory /<my bucket>/test Error: Unknown eventType 37 Error: Failed to retrieve directory listing ``` So I tried using logical directories instead using the information in the previous links. This is an example response from the API: ``` { "Policy": "<policy granting full access to bucket>", "Role": "<role with full access to S3>", "HomeDirectoryType": "LOGICAL", "HomeDirectoryDetails": [ { "Entry": "/", "Target": "/<my bucket>/test" } ] } ``` I updated my UserConfigResponseModel in the API Gateway to this: ``` { "$schema":"http://json-schema.org/draft-04/schema#", "title":"UserUserConfig", "type":"object", "properties": { "Role":{"type":"string"}, "Policy":{"type":"string"}, "HomeDirectory":{"type":"string"}, "HomeDirectoryType":{"type":"string"}, "HomeDirectoryDetails": { "type":"array", "items": { "type":"object", "properties": { "Entry":{"type":"string"}, "Target":{"type":"string"} } } }, "PublicKeys": { "type":"array", "items":{"type":"string"} } } } ``` When I test this in AWS Transfer, I get the following response: ``` Unable to call identity provider: Unable to unmarshall response (We expected a VALUE token but got: START_ARRAY). Response Code: 200, Response Text: OK ``` All of this is very frustrating because the responses I am getting do not match what I would expect to see after reading the documentation. My question is this: how do I specify a bucket when using a custom identity provider in AWS Transfer. Edited by: paul_hatcher on May 19, 2020 9:26 AM

We are migrating an existing on-prem SFTP server to AWS Transfer for SFTP, however the old server was setup to only accept connections on port 2222. We are hoping to make a seamless transfer to AWS behind the scenes without having users need to update anything (we use user/pass auth), but from what I can see, only port 22 is possible... Is it possible to use a custom port or listen on multiple ports (e.g. 2222 for legacy users, 22 for go-forward users)? Thanks, T.

While in SERVICE_MANAGED mode (i.e. NOT using a custom IDP), how to specify HomeDirectoryType and HomeDirectoryMappings in CloudFormation template when creating a user? Is an equivalent of the "Restricted" checkbox exist for templates?

If I define 2 logical directories, such as "/in", "/out" and the S3 location that is mapped to "/in" contains no files, then the virtual folder is not displayed. Only the "/out" folder is displayed, I assume because it has files in it. It is not permissions related, because if I remove the files from the S3 location mapped to "/out" then that folder also disappears in the SFTP client. How can we get virtual paths that map to empty S3 locations to appear? The use case is, the user uploads to "/in" and a lambda function moves the file from there to a hidden location for processing. Results are then deposited in the "/out" folder. If things are working properly, there will never be a collection of files in the "/in" folder, but I'd still like the SFTP user to be able to see that folder and drop files in there. How can we do this?

I have a problem using the Custom Identity Provider, I am trying to setup the SFTP Transfer service using this page: https://docs.aws.amazon.com/transfer/latest/userguide/authenticating-users.html I used this template <https://s3.amazonaws.com/aws-transfer-resources/custom-idp-templates/aws-transfer-custom-idp-basic-apig.template.yml> to create my CF stack and when I test authentication using the SFTP Transfer console I get the following: { "Response": "{\"Role\": \"arn:aws:iam::0000000000:role/s3-sftp-transfer\",\"HomeDirectory\": \"/\"}", "StatusCode": 200, "Message": "", "Url": "https://xxxxxxxxx.xxxxxxxx.amazonaws.com/prod/servers/s-xxxxxxxxxxxxxxxx/users/myuser/config" } According to the documentation, what I am getting in the "Response" field, should be in the "Message" field, and when I test with the AWS CLI test-identity-provider, I get the URL and statusCode, but again the "Message" field is blank. Does anyone have any idea what I am doing wrong, or what I could check? I manually tested the Lambda and the API Gateway and they both seem to work. I am not sure where to look next. Thank you!

I have created a SFTP server, gave it a logging role and created a user. As a result can neither log into the server with my private key neither see any log messages. Following are the exact steps: 1. Created the **xxxxxxxxxx-dev-import** S3 bucket and created a **test-user** folder in it. 2. Created a **DevImportSFTPReadWriteAccess** RW access policy to access the target bucket. 3. Created a **DevImportSFTPRole** role and attached the aforementioned **ImportSFTPReadWriteAccess** policy to it. 4. Created a role called **AWSTransferLoggingRole** and attached the AWS-managed **AWSTransferLoggingAccess** policy to it. Checked the trust relationship - transfer.amazonaws.com is trusted. 5. Created a public SFTP server with service managed identity provider and assigned the aforementioned **AWSTransferLoggingRole** as the logging role. Waited until the server started. **NOTE** After server was started the logs were not visible in CloudWatch. 6. After the server was started created a **test-user** user with the public key, assigned the **xxxxxxxxxx-dev-import** as the bucket and **test-user** as home folder. Following is the result I'm ending up with: ``` mymacbook:.ssh UXXXXXX$ telnet s-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com 22 Trying XXX.XXX.XXX.XXX... Connected to s-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com. Escape character is '^]'. SSH-2.0-AWS_SFTP_1.0 ^C Connection closed by foreign host. mymacbook:.ssh UXXXXXX$ ssh -i ~/.ssh/id_rsa_test_user test-user@s-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com The authenticity of host 's-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com (XXX.XXX.XXX.XXX)' can't be established. RSA key fingerprint is SHA256:u0HCsILNN4vTm367Wgyeh2ToHLbuZayQzbzt9GbF+v8. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 's-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com,XXX.XXX.XXX.XXX' (RSA) to the list of known hosts. Enter passphrase for key '/Users/UXXXXXX/.ssh/id_rsa_test_user': Connection to s-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com closed by remote host. Connection to s-xxxxxxxxxxxxxxxx.server.transfer.eu-central-1.amazonaws.com closed. mymacbook:.ssh UXXXXXX$ ``` And again - no logs in CloudWatch.

Hello, I'm interested in using AWS Transfer for SFTP to replace a number of aging SFTP servers that have hundreds of users and rely on local linux account authentication and chrooting for security. I have spent a lot of time looking over this forum and the AWS documentation for the SFTP offering. I have a number of concerns I'm hoping can be addressed by the community: 1. Is there a custom identity provider I can plugin to today that allows a mixture of password authentication, SSH key authentication **and** allows end-users to perform self-service password resets? We have hundreds of users (password auth) as well as service/automated accounts (SSH key auth). Secrets Manager will allow both auth methods, but there doesn't seem to be a way for end users to have direct control over their passwords or perform self-service resets. Additionally, administrators with access to Secrets Manager would have access to the plaintext version of passwords, which is not a security best practice. https://aws.amazon.com/blogs/storage/enable-password-authentication-for-aws-transfer-for-sftp-using-aws-secrets-manager/ Identity is one of the most important pieces of the solution and it happens to be more complex with AWS SFTP than any other solution on the market today when you factor in real-world use cases of mixed authentication, security requirements, and being forced to use API Gateway, Lambda functions, etc. 2. Is there any solution that will allow for whitelisting IP access to the server which doesn't add significantly to the complexity/cost of the solution? If not, then how are we supposed to address risks of having an internet-accessible server (bruteforce attempts)? Based on the documentation, to enable whitelisting, I would need: -a VPC -an NLB with an elastic IP -a firewall in front of all that There is no formal documentation on how to setup all the pieces above and have it work successfully, and I'm not sure anyone has done it yet who can demonstrate it will actually work. It would be great to have these addressed with a solution today, or see if AWS is working on functionality.

We have setup the AWS Transfer for SFTP service and we are able to successfully connect via sftp. We have a need for the service to accept transfers via SCP, but initial tests are unsuccessful. Does the service not currently support transferring files via SCP, or is this a configuration issue on our side? Thanks!

Does anyone know if it is possible to get the hostname used to connect to the SFTP inside the Custom Identity Provider? The host name is something that could be used in the authentication process. Also, the documentation suggests that multiple hostname(s) are possible. However, the examples I've seen suggest the config of only one. Are multiple hostnames suppported for a single SFTP server? Thanks.

Hi, I've got a server setup with a custom identity provider running a lambda function. With only a Role defined in the response, my user can log in (but of course has more access than is desired). When I add the Policy inline to the lambda response, the login fails. Testing with test-identity-provider yields 200 success when no Policy is defined. However, when a Policy is defined (it seems any policy, with or without variables) testing with test-identity-provider I get the following: "Message": "Unable to call identity provider: Unable to unmarshall response (We expected a VALUE token but got: START_OBJECT). Response Code: 200, Response Text: OK", "StatusCode": 500, The policy I'm using is not special, just an example found online: ``` const policy = { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListingOfUserFolder", "Action": [ "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::${transfer:HomeBucket}" ], "Condition": { "StringLike": { "s3:prefix": [ "in/${transfer:UserName}/*", "in/${transfer:UserName}" ] } } }, { "Sid": "AWSTransferRequirements", "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Sid": "HomeDirObjectAccess", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion", "s3:DeleteObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::${transfer:HomeDirectory}/*" } ] }; ``` and later: ``` response = { Role: 'my_role_arn', Policy: policy, HomeDirectory: '/my-bucket/in/myuser', }; ``` Anybody got any hints about what I'm doing wrong? Thanks. Edited by: TTF2019 on Apr 13, 2019 5:10 AM

I'm trying to set up this new functionality to have a static IP: "Additionally, you can now deploy a network load balancer (NLB) that uses your SFTP server’s VPC endpoint to associate Elastic IPs, enabling your end users to whitelist your SFTP server’s IP addresses." I have setup a vpce and configured the sftp server following this guide <https://docs.aws.amazon.com/transfer/latest/userguide/create-server-vpc.html> But when I configure the NLB I get stuck at how to set the target to the vpce. I've tried adding the vpce IP, but only get target "unhealthy". Should I address the vpce target in some other way, or should I apply some special security group settings (I currently use the vpc default group)? Or is there something else that I should be looking into?

Hello, I'd like to ask what is the recommended way for bulk import of files into the AWS Transfer service. We'd like to migrate all files from one of our current SFTP servers into the AWS S3 bucket using Transfer server and use that transfer server for future sftp uploads. What would you recommend to use for such use case. I'm not sure if it's possible to use tools like rsync, since it seems that rsync needs remote ssh shell on the sftp server to do that, but AWS Transfer doesn't seem to allow that. Is it possible to utilize rsync here or is there any other way? Thanks