AWS recently launched AWS Transfer for SFTP (or AWS SFTP, for short), a fully-managed service that transfers files into and out of Amazon S3 via SFTP.
Sound familiar?
Of course it does – it’s very similar to our file transfer product, SFTP Gateway for AWS!
Both products use SSH to transfer files from your local environment into S3.
While the two products are alike, there are certainly some important differences in how each product works, the features they have, and how much they cost.
Let’s go over some of these differences so you can determine which is the right fit for you.
Feature comparisons
Access to S3 and S3 event behaviors
AWS SFTP provides access to specific S3 buckets and prefixes per user. Users can then use SFTP to upload, download, and delete files to and from these buckets.
By default, SFTP Gateway for AWS provides an uploads folder and downloads folder for each user. When a file is finished uploading, it is moved to S3 and deleted from the server. The downloads folder syncs its contents from a specified S3 location to provide access to files for a user. The user does not have direct access to S3, but SFTP Gateway for AWS can be configured to provide more or less access to users.
AWS SFTP uploads files directly to the S3 location. For SFTP clients that support partial file uploads, such as WinSCP and FileZilla, the S3 location will contain filepart files, and these will fire S3 events. You will then need to handle them in your S3 event listener.
On the other hand, SFTP Gateway for AWS uploads files to the S3 location only when they are finished uploading to the server. It does not transfer filepart files; only the completed file will be transferred to S3, making it easier to know when files are complete and available via S3 events.
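One way an S3 event listener can ignore filepart objects is sketched below. This is an added example, not code from AWS or from SFTP Gateway for AWS; the handler name, the bucket name and the sample event are constructed, and the suffix list is an assumption to adjust for your clients.

```python
from urllib.parse import unquote_plus

# Suffixes that mark an in-progress upload. ".filepart" is the one the article
# names; extend the tuple for other clients (assumption).
PARTIAL_SUFFIXES = (".filepart",)


def completed_uploads(event, partial_suffixes=PARTIAL_SUFFIXES):
    """Return (bucket, key) pairs for finished uploads in an S3 event notification."""
    done = []
    for record in event.get("Records", []):
        # Deletes of temporary files and other non-creation events are ignored.
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = record["s3"]
        # Keys in S3 notifications are URL-encoded (a space arrives as "+").
        key = unquote_plus(s3["object"]["key"])
        if key.lower().endswith(tuple(partial_suffixes)):
            continue  # partial upload: do not hand it to downstream processing
        done.append((s3["bucket"]["name"], key))
    return done


def lambda_handler(event, context):
    """Hypothetical Lambda entry point: only completed files go downstream."""
    files = completed_uploads(event)
    for bucket, key in files:
        print(f"ready for processing: s3://{bucket}/{key}")
    return {"processed": len(files)}


def _record(event_name, key):
    # Builds a minimal notification record with only the fields used above.
    return {"eventName": event_name,
            "s3": {"bucket": {"name": "example-sftp-bucket"}, "object": {"key": key}}}


# Constructed sample event; the event names your bucket emits may differ.
SAMPLE_EVENT = {"Records": [
    _record("ObjectCreated:Put", "incoming/report.csv.filepart"),
    _record("ObjectCreated:Copy", "incoming/report.csv"),
    _record("ObjectRemoved:Delete", "incoming/report.csv.filepart"),
    _record("ObjectCreated:Put", "incoming/q1+summary.xlsx"),
]}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```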
AWS SFTP uses MD5 hashes to verify that the files on the server make it to S3 completely, but does not verify that the file made it from the user’s machine to the server. SFTP Gateway for AWS offers MD5 verification in which a user uploads an MD5 sum of the file first, to ensure the entire file makes it all the way from their machine to S3.
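An end-to-end check of this kind can also be run by hand on the receiving side. The following is an added example, not either product's mechanism: it assumes the sender supplies an `md5sum`-style line, and the function names are hypothetical. The S3 ETag is compared only when it can actually be an MD5 of the object.

```python
import hashlib
import hmac


def file_md5(path, chunk_size=1 << 20):
    """Stream the file so large transfers do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_md5sum_line(line):
    """Parse '<32 hex digits>  <filename>' (assumed format of the sender's checksum)."""
    digest, _, name = line.strip().partition(" ")
    digest = digest.lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not an MD5 hex digest")
    return digest, name.lstrip(" *")


def verify_end_to_end(sender_line, received_path, s3_etag=None):
    """Check the sender's digest against the received file and, optionally, an S3 ETag.

    Returns {check: True | False | None}; None means the check cannot decide.
    Pass s3_etag only for objects not encrypted with SSE-KMS or SSE-C, because
    their ETags are not MD5 digests.
    """
    expected, _ = parse_md5sum_line(sender_line)
    result = {"received_file": hmac.compare_digest(expected, file_md5(received_path))}
    if s3_etag is not None:
        etag = s3_etag.strip('"').lower()
        # A multipart ETag ('<hex>-<part count>') is not the MD5 of the whole
        # object, so it proves nothing either way.
        result["s3_etag"] = None if "-" in etag else hmac.compare_digest(expected, etag)
    return result


if __name__ == "__main__":
    import tempfile
    payload = b"constructed sample payload\n"  # constructed test data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
    line = hashlib.md5(payload).hexdigest() + "  report.csv"
    print(verify_end_to_end(line, tmp.name))
```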
User authentication methods
AWS SFTP supports common user authentication systems, including MS Active Directory, LDAP, or user authentication within the service. However, this authentication needs to be set up using custom development and API Gateway endpoints.
SFTP Gateway for AWS uses a clustered directory service named 389 built into the SFTP Gateway servers. It can be configured to use an external LDAP directory service.
Both allow authentication with SSH keys.
With AWS SFTP, you can use up to 10 SSH keys per user and rotate keys, but you cannot import existing host keys.
SFTP Gateway for AWS allows an unlimited number of SSH keys per user, with APIs to rotate and change keys. Importing existing host keys is a standard feature.
SFTP Gateway for AWS gives you root access to the EC2 instances to enable other types of authentication, including password authentication. With AWS SFTP, password authentication is not provided within the service, but can be supported using an alternative identity provider.
High availability and autoscaling
AWS SFTP provides full redundancy across multiple Availability Zones within an AWS Region. SFTP Gateway for AWS provides HA using a network load balancer and autoscaling group.
AWS SFTP uses elastic resources to auto-scale based on workload. SFTP Gateway for AWS uses autoscaling to ensure high availability by default. The autoscaling group can be configured using standard AWS techniques to monitor and respond to CloudWatch metrics to scale up and down.
User interface
AWS SFTP has web, API, and CLI interfaces that let you configure your SFTP endpoint and set up client access. It also supports FTP clients like WinSCP and FileZilla.
SFTP Gateway for AWS also has web, API, and CLI interfaces to configure your instance and create and edit users. It also supports FTP clients like WinSCP and FileZilla.
Server endpoint access
AWS SFTP provides a way to map domains using Route 53 and other DNS providers. It also allows specifying domain names and custom authentication via API Gateway endpoints.
However, AWS SFTP endpoints do not have a static IP address, so it is not possible to create firewall rules that only allow inbound traffic from specific clients or customers. Similarly, your clients’ security policies may restrict outbound internet traffic from their network. Since AWS SFTP does not have a static IP address, it is not possible for your clients to whitelist traffic to the SFTP server.
SFTP Gateway for AWS can be configured to use custom domains by pointing an A or CNAME DNS record at the EC2 instance. It is a manual process but the domains are fully customizable since you have root access to SFTP Gateway for AWS. The server can be fully customized for your needs, even allowing creation of AMIs of your custom server. The CloudFormation templates can be customized to fit into your existing network.
Security and compliance
AWS SFTP and SFTP Gateway for AWS use similar technologies (SSH, S3), so they are alike with respect to security and compliance. Both use CloudWatch for audit logging.
AWS SFTP allows setting custom roles per user to lock down permissions to S3. SFTP Gateway for AWS allows setting roles per SFTP Gateway for AWS instance, but also has security in place to prevent users from accessing unauthorized S3 data.
Since SFTP Gateway for AWS provides access to the EC2 instances and CloudFormation templates, you can configure security groups and subnets that help strengthen your security. AWS SFTP is always globally available and cannot be placed into one of your subnets.
FTP and FTPS
AWS SFTP does not accommodate the use of FTP or FTPS.
SFTP Gateway for AWS allows you to enable FTPS using vsftp. Other protocols can be enabled by modifying the EC2 instance.
Pricing
Pricing is another aspect that is very different between the two products. We’ll break down the pricing with an overview of each product’s prices and a couple of examples.
Pricing overview
AWS SFTP:
- $0.30 for each hour the SFTP endpoint is provisioned
- $0.04 per GB uploaded and downloaded via SFTP
- Standard charges for S3 usage, AWS data transfer rates for data transferred in and out of AWS SFTP, your VPC, and PrivateLink, SFTP domain name lookups using Route53, API Gateway for access to your identity datastores, CloudTrail, and CloudWatch Logs and Events.
SFTP Gateway for AWS:
- $0.06 for each hour the SFTP server is running (this pricing is for SFTP Gateway for AWS 2.0)
- The cost of the EC2 instance you run
- Standard charges for S3 usage, AWS data transfer rates for data transferred in and out of SFTP Gateway for AWS, your VPC, and PrivateLink, SFTP domain name lookups using Route53, API Gateway for access to your identity datastores, CloudTrail, and CloudWatch Logs and Events.
Cost examples
Let’s walk through a couple of use cases to illustrate the pricing differences. These examples were taken from AWS SFTP’s pricing page.
Note: we believe that the standard charges for S3 usage, data transfer, and other services will be similar for both products, so they are not included in the cost calculations. And these price calculations are approximations, so don’t hold us to anything!
Example 1: Light use
Let’s say you have 20 end users who download a total of 1 GB of data per day. Here’s a table that provides a high-level overview of pricing:
As you can see in the table above, for the light use case, SFTP Gateway for AWS is 25-66% cheaper than AWS SFTP.
Here are the breakdowns for each option.
AWS SFTP pricing can be broken down as such:
- Endpoint fee:
- $0.30 * 24 hours * 30 days = $216
- Data upload and download fee:
- $0.04 * 1 GB/day * 30 days = $1.20
- Total = $216 + $1.20 = $217.20 per month
If you go with a single instance of SFTP Gateway for AWS, your pricing might look like this:
- Endpoint fee:
- $0.06 * 24 hours * 30 days = $43.20
- EC2 cost (t3.medium, on-demand pricing):
- $0.0416 * 24 hours * 30 days = $29.95
- Data upload and download fee:
- N/A
- Total = $43.20 + $29.95 = $73.15 per month
If you go with a highly-available version of SFTP Gateway for AWS, your pricing might look like this:
- Endpoint fee:
- $0.06 * 24 hours * 30 days * 2 instances = $86.40
- EC2 cost (t3.medium, on-demand pricing):
- $0.0416 * 24 hours * 30 days * 2 instances = $59.90
- Data upload and download fee:
- N/A
- Other costs
- Network Load Balancer
- 1 GB/day = $16.69
- Elastic File System
- $0.30 per GB/month but is only necessary to store downloaded files
- Total = $86.40 + $59.90 + $16.69 = $162.99 per month + EFS fees, if necessary
You can save more money if you subscribe to the SFTP Gateway for AWS annual plan and pay upfront for a reserved EC2 instance:
- Endpoint fee:
- $479/year * 2 instances / 12 months = $79.83
- EC2 cost (t3.medium, reserved pricing):
- $213 * 2 instances / 12 months = $35.50
- Data upload and download fee:
- N/A
- Other costs
- Network Load Balancer
- 1 GB/day = $16.69
- Elastic File System
- $0.30 per GB/month but is only necessary to store downloaded files
- Total = $79.83 + $35.50 + $16.69 = $132.02 per month + EFS fees, if necessary
Example 2: Heavy use
Now let’s say your organization transfers or receives lots of files via SFTP. You have 1000 end users who upload 100 GB/day and download 50 GB/day. Pricing for each product might look like this:
For the heavy use case, SFTP Gateway for AWS is 32-72% cheaper than AWS SFTP.
AWS SFTP pricing can be broken down as such:
- Endpoint fee:
- $0.30 * 24 hours * 30 days = $216
- Data upload and download fee:
- ($0.04 * 100 GB/day * 30 days (uploads)) + ($0.04 * 50 GB/day * 30 days (downloads)) = $120 + $60 = $180
- Total = $216 + $180 = $396 per month
If you go with a single instance of SFTP Gateway for AWS, your pricing might look like this:
- Endpoint fee:
- $0.06 * 24 hours * 30 days = $43.20
- EC2 cost (m5.large, on-demand pricing):
- $0.096 * 24 hours * 30 days = $69.12
- Data upload and download fee:
- N/A
- Total = $43.20 + $69.12 = $112.32 per month
If you go with a highly-available version of SFTP Gateway for AWS, your pricing might look like this:
- Endpoint fee:
- $0.06 * 24 hours * 30 days * 2 instances = $86.40
- EC2 cost (m5.large, on-demand pricing):
- $0.096 * 24 hours * 30 days * 2 instances = $138.24
- Data upload and download fee:
- N/A
- Other costs
- Network Load Balancer
- 150 GB/day = $43.92
- Elastic File System
- $0.30 per GB/month but is only necessary to store downloaded files
- Total = $86.40 + $138.24 + $43.92 = $268.56 per month + EFS fees, if necessary
Again, going with an SFTP Gateway for AWS annual plan and reserved EC2 instance will save you more:
- Endpoint fee:
- $479/year * 2 instances / 12 months = $79.83
- EC2 cost (m5.large, reserved instance):
- $501/year * 2 instances / 12 months = $83.50
- Other costs
- Network Load Balancer
- 150 GB/day = $43.92
- Elastic File System
- $0.30 per GB/month but is only necessary to store downloaded files
- Total = $79.83 + $83.50 + $43.92 = $207.25 per month + EFS fees, if necessary
Support
We’re sure that AWS will provide great support for their SFTP product but can’t really speak to how good it is.
All we can say is that we’ve been praised for our responsive, helpful support.
We guarantee an email response within 24 hours, and typically respond much sooner than that. We go above and beyond to solve our customers’ problems. And we have multiple support options that will help you get the most out of SFTP Gateway for AWS.
Conclusion
While AWS SFTP and SFTP Gateway for AWS are similar products, there certainly are differences where one product may work better for your organization. We hope that this blog post shed some light on which may be the better fit for you.
If you have any questions, either comment on this post or email us at support@thorntech.com. We’d love to hear from you.