AWS Transfer Family pricing, explained (and how to cut it)

AWS Transfer Family is the obvious way to put managed SFTP in front of Amazon S3, it’s first-party and it works. The surprise is the bill, because the pricing model charges you for availability, not just usage. If you’re running a low-volume endpoint, the fixed cost can dwarf what you’d expect.

Here’s how the pricing actually works, and where the money goes.

Prices below are approximate and change over time and by region. Always confirm against the official AWS Transfer Family pricing page before you budget.

The two charges

AWS Transfer Family has two main line items:

1. Protocol-hour charge. You pay an hourly rate for each protocol you enable on an endpoint, SFTP, FTPS, and FTP are billed separately, for every hour the endpoint exists, whether or not anyone connects. At roughly $0.30 per protocol per hour, a single always-on SFTP endpoint is about $0.30 × 24 × 30 ≈ $216/month before a single byte moves.
2. Data charge. You then pay per gigabyte uploaded and downloaded, on the order of $0.04/GB each way.

So the mental model is: a fixed ~$216/month per protocol just to keep the door open, plus a few cents per GB through it.

A worked example

Say you run one SFTP endpoint to receive files from a handful of partners, about 100 GB of uploads and 20 GB of downloads a month:

Item	Rough cost
SFTP endpoint (1 protocol, always on)	~$216
120 GB transferred (up + down)	~$5
Total	~$221/month

Notice the data is almost a rounding error. You’re paying for the endpoint to exist, not for the work it does. For a low-volume “one partner, a few files a day” workload, that’s a poor ratio.

The costs people miss

The protocol-hours are only the visible part. To get a production-grade setup you also spend engineering time on:

• IAM policies, authoring and maintaining the scoped roles that map each user to a bucket prefix.
• VPC / endpoint configuration if you want it private.
• CloudWatch wiring to get a usable audit trail of who connected and what moved, it isn’t presented for you out of the box.
• Route 53 / custom hostname setup if partners need a stable, branded endpoint.

None of that shows on the AWS invoice, but it’s real cost the first time you set it up and every time something changes.

How to cut it

A few options, depending on where the pain is:

• Disable protocols you don’t use. Every enabled protocol is its own hourly charge. If you only need SFTP, don’t leave FTPS on.
• Don’t run idle endpoints. Because you pay per hour of existence, an endpoint kept “just in case” is pure waste. Tear down what you’re not using.
• Use a flat-priced managed gateway instead. A bring-your-own-bucket gateway like Firepipe runs the SFTP-to-S3 translation for you, keeps the files in your own bucket, and prices on throughput rather than per-endpoint-hour, so a low-volume endpoint costs a flat $19/mo rather than ~$216, with the per-user credentials, path jails, and audit trail included rather than assembled. See the AWS Transfer Family alternative comparison for the details.
• Self-host if you genuinely want zero vendor in the path and don’t mind operating a server, though factor in the maintenance time, which is its own cost.

The bottom line

AWS Transfer Family’s pricing rewards high, steady volume on a few endpoints and punishes low-volume or bursty workloads, because the fixed protocol-hour charge dominates until your data volume is large. If your endpoint sits mostly idle between partner uploads, you’re paying premium rates for availability you’re not using, and a flat-priced gateway, or self-hosting, will almost always be cheaper.

Want the same managed experience without the endpoint-hour tax? See how Firepipe does SFTP to S3.