How to migrate from AWS Transfer Family to a flat-priced SFTP gateway

Moving off AWS Transfer Family is mostly painless because your files already live in your S3 bucket. Here's the step-by-step cutover, what changes, and what to watch for.

The good news about leaving AWS Transfer Family: there’s no data to migrate. Both Transfer Family and a bring-your-own-bucket gateway like Firepipe sit in front of the same S3 bucket, so your files never move. You’re swapping the front door, not relocating the house. That makes this one of the lowest-risk migrations you’ll do.

Here’s why people leave, and exactly how to cut over.

Why migrate

The usual reason is the bill. Transfer Family charges an hourly fee for each protocol you enable, whether or not anyone connects, plus a per-GB data charge. For a low-volume endpoint, that fixed cost dominates. There’s also the setup burden: hand-written IAM policies, VPC/endpoint config, and CloudWatch wiring just to get an audit trail. The full breakdown is in AWS Transfer Family pricing, explained.

What stays the same

  • Your S3 bucket. Same bucket, same objects, same region. Nothing copies or moves.
  • Your data ownership. Files stay in your AWS account throughout.

What changes

  • The hostname your partners connect to (you’ll hand them a new one and cut over).
  • The pricing model: a flat plan plus metered throughput instead of per-protocol-hour.
  • Protocol: Firepipe is SFTP only. If you relied on Transfer Family’s FTPS or FTP, that’s a genuine difference to weigh before you switch.

The cutover, step by step

  1. Connect your existing bucket to the gateway. Grant a scoped, cross-account IAM role (read/write/list on just that bucket). No data moves; the gateway reads and writes the objects already there.
  2. Recreate your users. For each Transfer Family user, create a Firepipe SFTP credential (SSH key or password) and path-jail it to the same prefix it used before, so each partner sees exactly the same folder.
  3. Test in parallel. Both endpoints can point at the same bucket at once. Connect a test user to the new hostname and confirm uploads, downloads, and listings behave.
  4. Cut partners over. Send each partner the new hostname and credentials. Because the bucket and prefixes are identical, their automation only needs the host and login changed.
  5. Decommission Transfer Family. Once traffic has moved, delete the Transfer Family server. The hourly protocol charge stops the moment the endpoint is gone.

What to watch for

  • Source-IP allowlists. If a partner’s firewall pins your old endpoint, coordinate the hostname change. You can pin each Firepipe credential to specific source IPs on the inbound side.
  • SSE-KMS buckets. If your bucket enforces SSE-KMS, grant the gateway kms:Decrypt and kms:GenerateDataKey on the key alongside the bucket policy.
  • Host-key trust. Partners that pin the server’s SSH host key will need the new key fingerprint at cutover. Send it with the new hostname.
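
An added example (not from the original guide or from Firepipe) for step 1 of the cutover and the SSE-KMS note above: it builds a role permissions policy limited to one bucket and one KMS key, then audits any candidate policy for grants that reach further. The bucket name, the key ARN, and the mapping of read/write/list to specific S3 actions are assumptions.

```python
import json

# Assumption: "read/write/list" maps to these S3 actions; confirm the exact
# set the gateway needs (for example s3:DeleteObject) in its documentation.
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject"]
KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]  # from the SSE-KMS note


def as_list(value):
    """IAM allows a single string or object where a list is expected."""
    return value if isinstance(value, list) else [value]


def build_policy(bucket, kms_key_arn=None):
    """Permissions policy limited to one bucket and, optionally, one key."""
    arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Sid": "ListBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": [arn]},
        {"Sid": "ReadWriteObjects", "Effect": "Allow",
         "Action": OBJECT_ACTIONS, "Resource": [f"{arn}/*"]},
    ]
    if kms_key_arn:
        statements.append({"Sid": "UseBucketKey", "Effect": "Allow",
                           "Action": KMS_ACTIONS, "Resource": [kms_key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}


def audit_policy(policy, bucket, kms_key_arn=None):
    """Return a finding for every Allow grant wider than the bucket or key."""
    arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
        for res in as_list(stmt.get("Resource", [])):
            if not (res == arn or res.startswith(arn + "/") or res == kms_key_arn):
                findings.append(f"{sid}: resource outside scope {res}")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    key = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    print(json.dumps(build_policy("example-partner-drop", key), indent=2))
```

Run audit_policy over the JSON actually attached to the role; an empty list means every Allow statement stays inside the bucket and key. It does not evaluate NotAction, NotResource, or Condition elements.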

The result

Same bucket, same files, a flat bill instead of an always-on endpoint charge, and per-user access with an exportable audit trail built in. See the side-by-side on the AWS Transfer Family alternative page, or the SFTP to S3 walkthrough to start.

Try it on your own bucket

Connect a bucket you already own (Amazon S3, Azure Blob, Google Cloud Storage, or an S3-compatible store) and hand out a clean SFTP endpoint in minutes. Your files stay in your cloud.
