When evaluating SFTP solutions for your cloud infrastructure, AWS Transfer Family might seem like the obvious choice. It’s built right into AWS, fully managed, and promises to eliminate the hassle of running and maintaining your own servers. But before you commit, you need to understand some critical limitations — and some hidden costs that don’t show up until you’re already deep into your deployment.
This guide breaks down everything that actually matters when comparing AWS Transfer Family vs. SFTP Gateway: authentication, file handling, management, pricing, support, and which one is the right fit for your situation.
The Core Difference: Managed vs. Purpose-Built
AWS Transfer Family is a general-purpose managed file transfer service — one item in a long list of AWS services. It gets files into and out of S3, but it was not designed to be a complete, self-contained SFTP management solution. The moment you need anything beyond the basics, you’re writing Lambda functions, configuring IAM policies, and spinning up Docker containers.
SFTP Gateway is purpose-built for SFTP. Every feature — user management, authentication, folder permissions, audit logging, IP whitelisting — is built into the application and manageable through a web admin portal. You don’t need to string together other services to get a working SFTP environment.
That difference in philosophy touches everything else in this comparison.
Authentication
AWS Transfer Family supports key-based authentication out of the box, but password authentication is not provided through the web interface. If you need passwords — and most organizations do, because partners and vendors often can’t manage SSH keys — you have to implement a custom Lambda function that authenticates against AWS Secrets Manager. What should be a checkbox is now a custom development project.
SFTP Gateway supports both password and key-based authentication through its web admin portal, with no custom code required. You can mix both methods across users. It also supports unlimited SSH keys per user (versus 10 in Transfer Family), allows you to import existing server host keys, and gives you root access to configure additional authentication methods if needed.
File Handling and S3 Integration
This is a technical detail that matters a lot for anyone processing files via S3 events, and it’s something the two products handle very differently.
AWS Transfer Family writes files directly to S3 as they upload. For SFTP clients that support partial file uploads (like WinSCP and FileZilla), this means S3 will receive .filepart temporary files that trigger S3 events mid-transfer. Your downstream event handlers have to deal with incomplete files.
SFTP Gateway only writes a file to S3 after it is completely finished uploading to the server. No partial files ever reach S3. This makes it much simpler to build reliable S3-event-driven pipelines — you know that any file triggering an event is complete.
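For pipelines that do receive in-progress objects, the downstream handler has to filter them itself. The sketch below is an added example, not code from AWS or SFTP Gateway: it takes an S3 event notification and returns only completed uploads, skipping keys with the `.filepart` suffix described above. The function name, bucket name and sample event are constructed for illustration.

```python
from urllib.parse import unquote_plus

# Temporary suffix used by clients such as WinSCP and FileZilla (per the text).
PARTIAL_SUFFIXES = (".filepart",)


def complete_uploads(event):
    """Split an S3 event notification into finished and in-progress uploads.

    Returns (ready, skipped): ready is a list of (bucket, key) pairs that are
    safe to process; skipped lists keys that are still temporary upload files.
    Records that are not ObjectCreated events are ignored.
    """
    ready, skipped = [], []
    for record in event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = record["s3"]
        # S3 URL-encodes object keys in notifications (a space arrives as '+').
        key = unquote_plus(s3["object"]["key"])
        if key.lower().endswith(PARTIAL_SUFFIXES):
            skipped.append(key)
            continue
        ready.append((s3["bucket"]["name"], key))
    return ready, skipped


def _record(event_name, key):
    """Build a minimal constructed S3 notification record."""
    return {"eventName": event_name,
            "s3": {"bucket": {"name": "partner-inbox"},
                   "object": {"key": key}}}


# Constructed sample: a temp file appears, is removed, and the final name lands.
SAMPLE_EVENT = {"Records": [
    _record("ObjectCreated:Put", "incoming/report+2024.csv.filepart"),
    _record("ObjectRemoved:Delete", "incoming/report+2024.csv.filepart"),
    _record("ObjectCreated:Copy", "incoming/report+2024.csv"),
]}

if __name__ == "__main__":
    ready, skipped = complete_uploads(SAMPLE_EVENT)
    print("process:", ready)
    print("ignored partial uploads:", skipped)
```

Logging the skipped keys rather than silently dropping them gives you a record of transfers that started but never produced a final object.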
SFTP Gateway also supports end-to-end MD5 verification: a user can upload an MD5 checksum alongside their file, and SFTP Gateway verifies the entire transfer from the user’s machine all the way through to S3. AWS Transfer Family’s MD5 verification only covers the server-to-S3 leg, not the client-to-server leg.
Management and Administration
AWS Transfer Family has a web interface, CLI, and API for configuring endpoints and users. But it doesn’t have a full admin portal in the traditional sense. Tasks that should take 30 seconds require significant technical knowledge:
- Folder permissions require writing IAM policies that enumerate folder hierarchies — not something a non-technical admin can handle.
- Password resets require updating secrets in Secrets Manager.
- IP whitelisting requires configuring VPC endpoint policies or other AWS-level controls.
AWS does offer an open-source web portal for Transfer Family, but it’s not a product — it’s a CloudFormation template that deploys Docker containers behind a load balancer. You own the maintenance and security of that application.
SFTP Gateway includes a comprehensive web admin portal out of the box. Non-technical staff can create users, assign passwords or keys, set folder permissions, apply IP whitelisting rules, and handle day-to-day administration without involving engineering. This isn’t a small thing — the engineering overhead of managing Transfer Family at scale is one of its largest hidden costs.
Static IP and Network Access Controls
AWS Transfer Family endpoints do not have a static IP address. This creates two problems: you can’t create firewall rules that restrict inbound traffic to specific clients, and your partners’ IT teams can’t whitelist your SFTP server’s IP in their outbound firewall policies. For organizations with strict network security requirements, this is often a deal-breaker.
SFTP Gateway runs on an EC2 instance with a static IP (or Elastic IP). You can configure AWS Security Groups to restrict which IP addresses can connect to port 22, and your partners can whitelist your server’s IP in their own firewall rules. Full network-level access control on both ends.
Protocol Support
AWS Transfer Family supports SFTP, FTPS, and FTP as separate protocol options (each billed separately at $0.30/hr per protocol).
SFTP Gateway supports SFTP natively and can be configured to support FTPS via vsftp — at no additional per-protocol charge.
Pricing: The Real Numbers
This is where the difference becomes most visible. AWS Transfer Family’s pricing has multiple components that compound quickly.
AWS Transfer Family costs:
- $0.30/hr per protocol — always on, whether or not anyone is transferring files. That’s $216/month just for the endpoint, before a single byte moves.
- $0.04/GB uploaded and downloaded — note that AWS typically doesn’t charge for data ingress, but Transfer Family does. If your workload involves large file archives (media files, backups, data feeds), this adds up fast.
- $0.40/secret/month in Secrets Manager for every user with password authentication. 100 users with password auth = $40/month just for credential storage.
- Standard S3, VPC, Route 53, CloudTrail, and CloudWatch costs on top.
SFTP Gateway costs:
SFTP Gateway is licensed annually per instance. Choose the tier that fits your user count:
| Plan | Annual Price | Users | Monthly Data | Support |
|---|---|---|---|---|
| Standard | $999/yr per instance | Up to 10 | 100 GB | |
| Professional | $2,999/yr per instance | Up to 100 | 10 TB | High Priority |
| Enterprise | $9,999/yr per instance | 1,000+ | 100 TB | SLA + Priority |
- Plus the cost of the underlying EC2 instance (~$30/month for a t3.medium, ~$60/month for an m5.large).
- No per-GB ingress charges — SFTP Gateway writes directly to S3, so standard S3 ingress (free) applies.
- Standard S3 and AWS infrastructure costs.
Side-by-side examples
Light use: 10 users, 1 GB downloaded per day (Standard plan)
| Option | Monthly Cost |
|---|---|
| AWS Transfer Family | ~$221 |
| SFTP Gateway Standard (single instance) | ~$113 |
| SFTP Gateway Standard (HA, 2 instances + NLB) | ~$246 |
SFTP Gateway is 49% cheaper for single-instance deployments at this scale. For HA, costs are comparable — and you gain a static IP, full admin portal, and no engineering overhead.
AWS Transfer Family breakdown: $216/month protocol + $1.20 data transfer + $4 Secrets Manager = ~$221. SFTP Gateway: $83/month license + ~$30 EC2.
High data volume: 50 users, 200 GB uploaded + 100 GB downloaded per day (Professional plan)
| Option | Monthly Cost |
|---|---|
| AWS Transfer Family | ~$596 |
| SFTP Gateway Professional (single instance) | ~$310 |
| SFTP Gateway Professional (HA, 2 instances + NLB) | ~$640 |
SFTP Gateway is 48% cheaper for single-instance production at this data volume. For HA, costs are comparable to AWS Transfer Family — but include a static IP, built-in admin portal, no per-GB charges, and no Lambda engineering required.
AWS Transfer Family breakdown: $216 protocol + $240 upload charges + $120 download charges + $20 Secrets Manager = ~$596. SFTP Gateway: $250/month license + ~$60 EC2.
Note: EC2 pricing varies by instance type and region. These figures use on-demand t3.medium (light) and m5.large (heavy data) pricing as representative examples. SFTP Gateway license pricing from thorntech.com/sftp-gateway. Always verify current pricing before finalizing a comparison for your use case.
Support
AWS Transfer Family support requires purchasing an AWS support plan — you can’t email AWS for help without one. Beyond that, you’re navigating AWS documentation and community forums.
SFTP Gateway includes free email developer support (response within 24 hours, typically faster). Paid advanced support tiers are available for screen sharing and phone support. A comprehensive knowledge base and YouTube channel with quick-start guides are available 24/7.
Feature Comparison Summary
| Feature | AWS Transfer Family | SFTP Gateway |
|---|---|---|
| Password authentication | Lambda + Secrets Manager required | Built-in, no code required |
| Key-based authentication | ✅ (up to 10 keys/user) | ✅ (unlimited keys/user) |
| Import existing server host keys | ❌ | ✅ |
| Web admin portal | Open-source self-hosted only | ✅ Built-in |
| Folder permissions management | IAM policy required | Web UI |
| IP whitelisting | Complex (VPC endpoint policies) | Simple (Security Groups) |
| Static IP | ❌ | ✅ |
| Partial file protection | ❌ (.filepart files reach S3) | ✅ (complete files only) |
| End-to-end MD5 verification | Partial (server→S3 only) | ✅ (client→S3) |
| FTPS support | Separate protocol (extra $0.30/hr) | Via vsftp, no extra charge |
| Cross-cloud storage | S3 only | S3, Azure Blob, Google Cloud Storage |
| Per-GB ingress charge | $0.04/GB | None |
| Secrets Manager cost per user | $0.40/user/month | None |
| Free developer support | ❌ | ✅ |
Who Should Use Which
AWS Transfer Family makes sense if:
- You have a simple use case with key-based authentication only and no need for password users
- You’re already deeply integrated into AWS managed services and want zero server management
- Your team has the engineering bandwidth to build and maintain custom Lambda functions and IAM policies
- You’re only handling small data volumes (ingress charges are less relevant)
SFTP Gateway makes sense if:
- You have external partners, vendors, or clients who use password authentication
- You need non-technical staff to manage users day-to-day
- Your workload involves large file transfers (no per-GB ingress charges)
- You need a static IP for firewall rules on either end
- You’re transferring files to Azure Blob or Google Cloud Storage as well as S3
- You want predictable, lower costs and free developer support
The Bottom Line
AWS Transfer Family is a capable service, but it was built as an AWS primitive — not as a complete SFTP management solution. The gap shows the moment you need password authentication, folder-level permissions, a real admin UI, or reliable downstream S3 event processing. By the time you’ve built those features yourself, you’ve spent more in engineering time than the service will ever save you in infrastructure.
SFTP Gateway was designed specifically for the real-world requirements of SFTP environments: external partners with varying technical capabilities, non-technical admins, compliance requirements, and predictable costs. For most organizations managing SFTP at any meaningful scale, it’s a faster, cheaper, and more maintainable solution.
Ready to try it? Start a 30-day free trial of SFTP Gateway on AWS Marketplace. For pricing details on Standard, Professional, and Enterprise, see the SFTP Gateway pricing page.
