AWS recently launched AWS Transfer for SFTP (or AWS SFTP, for short), a fully-managed service that transfers files into and out of Amazon S3 via SFTP.

Sound familiar?

Of course it does – it’s very similar to our file transfer product, SFTP Gateway!

Both products use SSH to transfer files from your local environment into S3.

While the two products are alike, there are certainly some important differences in how each product works, the features they have, and how much they cost.

Let’s go over some of these differences so you can determine which is the right fit for you.


Feature comparisons

Access to S3 and S3 event behaviors

AWS SFTP provides access to specific S3 buckets and prefixes per user. Users can then use SFTP to upload, download, and delete files to and from these buckets.

By default, SFTP Gateway provides an uploads folder and downloads folder for each user. When a file is finished uploading, it is moved to S3 and deleted from the server. The downloads folder syncs its contents from a specified S3 location to provide access to files for a user. The user does not have direct access to S3, but SFTP Gateway can be configured to provide more or less access to users.

AWS SFTP directly uploads files to the S3 location. For SFTP clients that support partial file uploads, such as WinSCP and FileZilla, the S3 location will contain filepart files that will fire S3 events. You will then need to handle these in the S3 event listener.

On the other hand, SFTP Gateway uploads files to the S3 location only when they are finished uploading to the server. It does not transfer filepart files; only the completed file will be transferred to S3, making it easier to know when files are complete and available via S3 events.
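One way to handle filepart objects in an S3 event listener is to filter them out before any downstream processing runs. The Lambda-style handler below is an added example, not code from AWS or SFTP Gateway; the `.filepart` suffix, the bucket name and the sample event are assumptions constructed for illustration.

```python
import urllib.parse

# Assumption: partial uploads carry a ".filepart" suffix; extend for other clients.
PARTIAL_SUFFIXES = (".filepart",)


def completed_objects(event):
    """Return (bucket, key, size) for ObjectCreated records that are finished files."""
    done = []
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue  # ignore deletes, e.g. cleanup of the partial object
        obj = rec["s3"]["object"]
        # S3 URL-encodes keys in notifications ("+" for space), so decode first.
        key = urllib.parse.unquote_plus(obj["key"])
        if key.lower().endswith(PARTIAL_SUFFIXES):
            continue  # upload still in progress, do not process yet
        if key.endswith("/"):
            continue  # folder placeholder, not a file
        done.append((rec["s3"]["bucket"]["name"], key, obj.get("size", 0)))
    return done


def handler(event, context):
    """Lambda entry point: pass only completed files to downstream processing."""
    ready = completed_objects(event)
    for bucket, key, size in ready:
        print(f"ready: s3://{bucket}/{key} ({size} bytes)")
    return {"processed": len(ready)}


def _rec(event_name, key, size=None):
    """Build one constructed notification record (hypothetical bucket name)."""
    obj = {"key": key} if size is None else {"key": key, "size": size}
    return {"eventName": event_name,
            "s3": {"bucket": {"name": "example-sftp-bucket"}, "object": obj}}


# Constructed sample event: one partial upload, its cleanup, and two finished files.
SAMPLE_EVENT = {"Records": [
    _rec("ObjectCreated:Put", "alice/report.csv.filepart", 1048576),
    _rec("ObjectCreated:Put", "alice/report.csv", 5242880),
    _rec("ObjectRemoved:Delete", "alice/report.csv.filepart"),
    _rec("ObjectCreated:Put", "bob/Q1+results.xlsx", 2048),
]}

if __name__ == "__main__":
    handler(SAMPLE_EVENT, None)
```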

AWS SFTP uses MD5 hashes to verify that the files on the server make it to S3 completely, but does not verify that the file made it from the user’s machine to the server. SFTP Gateway offers MD5 verification: a user can upload an MD5 sum of the file first, which ensures the entire file makes it all the way from their machine to S3.
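The end-to-end check described above can be sketched as follows: the sender publishes an MD5 sum, and the receiving side compares it with what actually landed in S3. This is an added example, not SFTP Gateway's or AWS's implementation; the md5sum-style sidecar format, the file name and the payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: the sidecar uses md5sum's "<32 hex digits>  <filename>" line format.
SIDECAR_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")


def parse_sidecar(text):
    """Map filename -> lowercase MD5 hex digest from md5sum-style text."""
    sums = {}
    for line in text.splitlines():
        m = SIDECAR_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def md5_of_stream(chunks):
    """MD5 over an iterable of byte chunks, so large files never sit in memory."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_against_etag(expected_md5, etag):
    """Compare the sender's MD5 with an S3 ETag.

    Returns 'match', 'mismatch' or 'unverifiable'.
    """
    tag = etag.strip('"').lower()
    if not re.fullmatch(r"[0-9a-f]{32}", tag):
        # Multipart uploads produce "<hash>-<parts>", which is not the object's MD5.
        # ETags of SSE-KMS objects are not MD5s either; this check cannot detect that.
        return "unverifiable"
    return "match" if hmac.compare_digest(tag, expected_md5.lower()) else "mismatch"


# Constructed sample: the sender hashes the file locally and uploads the sum first.
PAYLOAD = b"id,amount\n1,100\n2,250\n"
SENDER_SIDECAR = f"{md5_of_stream([PAYLOAD])}  payments.csv\n"

if __name__ == "__main__":
    expected = parse_sidecar(SENDER_SIDECAR)["payments.csv"]
    truncated = md5_of_stream([PAYLOAD[:-5]])  # transfer cut short before S3
    print(verify_against_etag(expected, f'"{expected}"'))
    print(verify_against_etag(expected, f'"{truncated}"'))
    print(verify_against_etag(expected, f'"{expected}-3"'))
```

When the result is `unverifiable`, the receiver has to download the object and hash it with `md5_of_stream` instead of trusting the ETag.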

User authentication methods

AWS SFTP supports common user authentication systems, including MS Active Directory, LDAP, or user authentication within the service. However, this authentication needs to be set up using custom development and API Gateway endpoints.

SFTP Gateway uses a clustered directory service named 389 built into the SFTP Gateway servers. It can be configured to use an external LDAP directory service.

Both allow authentication with SSH keys.

With AWS SFTP, you can use up to 10 SSH keys per user and rotate keys, but you cannot import existing host keys.

SFTP Gateway allows an unlimited number of SSH keys per user with APIs to rotate and change keys. And importing of existing host keys is a standard feature.

SFTP Gateway gives you root access to the EC2 instances to enable other types of authentication, including password authentication. With AWS SFTP, password authentication is not provided within the service, but can be supported using an alternative identity provider.

High availability and autoscaling

AWS SFTP provides full redundancy across multiple Availability Zones within an AWS Region. SFTP Gateway provides HA using a network load balancer and autoscaling group.

AWS SFTP uses elastic resources to auto-scale based on workload. SFTP Gateway uses autoscaling to ensure high availability by default. The autoscaling group can be configured using standard AWS techniques to monitor and respond to CloudWatch metrics to scale up and down.

User interface

AWS SFTP has web, API, and CLI interfaces that let you configure your SFTP endpoint and set up client access. It also supports FTP clients like WinSCP and FileZilla.

SFTP Gateway also has web, API, and CLI interfaces to configure your instance and create and edit users. It also supports FTP clients like WinSCP and FileZilla.

Server endpoint access

AWS SFTP provides a way to map domains using Route 53 and other DNS providers. It also allows specifying domain names and custom authentication via API Gateway endpoints.

But AWS SFTP endpoints do not have a static IP address. So it is not possible to create firewall rules that only allow inbound traffic from specific clients or customers. Similarly, your clients’ security policies may restrict outbound internet traffic from their network. Since AWS SFTP does not have a static IP address, it is not possible for your clients to whitelist traffic to the SFTP server.

SFTP Gateway can be configured to use custom domains by pointing an A or CNAME DNS record at the EC2 instance. It is a manual process but the domains are fully customizable since you have root access to SFTP Gateway. The server can be fully customized for your needs, even allowing creation of AMIs of your custom server. The CloudFormation templates can be customized to fit into your existing network.

Security and compliance

AWS SFTP and SFTP Gateway use similar technologies (SSH, S3), so they are alike with respect to security and compliance. Both use CloudWatch for audit logging.

AWS SFTP allows setting custom roles per user to lock down permissions to S3. SFTP Gateway allows setting roles per SFTP Gateway instance, but also has security in place to prevent users from accessing unauthorized S3 data.

Since SFTP Gateway provides access to the EC2 instances and CloudFormation templates, you can configure security groups and subnets that help strengthen your security. AWS SFTP is always globally available and cannot be placed into one of your subnets.

FTP and FTPS

AWS SFTP does not accommodate the use of FTP or FTPS.

SFTP Gateway allows you to enable FTPS using vsftp. Other protocols can be enabled by modifying the EC2 instance.

Pricing

Pricing is another aspect that is very different between the two products. We’ll break down the pricing with an overview of each product’s prices and a couple of examples.

Pricing overview

AWS SFTP costs:

  • $0.30 for each hour the SFTP endpoint is provisioned
  • $0.04 per GB uploaded and downloaded via SFTP
  • Standard charges for S3 usage, AWS data transfer rates for data transferred in and out of AWS SFTP, your VPC, and PrivateLink, SFTP domain name lookups using Route53, API Gateway for access to your identity datastores, CloudTrail, and CloudWatch Logs and Events.

SFTP Gateway costs:

  • $0.07 for each hour the SFTP server is running (this pricing is for SFTP Gateway 2.0, which is in beta testing right now)
  • The cost of the EC2 instance you run
  • Standard charges for S3 usage, AWS data transfer rates for data transferred in and out of SFTP Gateway, your VPC, and PrivateLink, SFTP domain name lookups using Route53, API Gateway for access to your identity datastores, CloudTrail, and CloudWatch Logs and Events.

Cost examples

Let’s walk through a couple of use cases to illustrate the pricing differences. These examples were taken from AWS SFTP’s pricing page.

Note: we believe that the standard charges for S3 usage, data transfer, and other services will be similar for both products, so they are not included in the cost calculations. And these price calculations are approximations, so don’t hold us to anything!

Example 1: Light use

Let’s say you have 20 end users who download a total of 1 GB of data per day. Here’s a table that provides a high-level overview of pricing:

SFTPGW vs AWS SFTP light use pricing

As you can see in the table above, for the light use case, SFTP Gateway is 18-63% cheaper than AWS SFTP.

Here are the breakdowns for each option.

AWS SFTP pricing can be broken down as such:

  • Endpoint fee:
    • $0.30 * 24 hours * 30 days = $216
  • Data upload and download fee:
    • $0.04 * 1 GB/day * 30 days = $1.20
  • Total = $216 + $1.20 = $217.20 per month

If you go with a single instance of SFTP Gateway, your pricing might look like this:

  • Endpoint fee:
    • $0.07 * 24 hours * 30 days = $50.40
  • EC2 cost (t3.medium, on-demand pricing):
    • $0.0416 * 24 hours * 30 days = $29.95
  • Data upload and download fee:
    • N/A
  • Total = $50.40 + $29.95 = $80.35 per month

If you go with a highly-available version of SFTP Gateway, your pricing might look like this:

  • Endpoint fee:
    • $0.07 * 24 hours * 30 days * 2 instances = $100.80
  • EC2 cost (t3.medium, on-demand pricing):
    • $0.0416 * 24 hours * 30 days * 2 instances = $59.90
  • Data upload and download fee:
    • N/A
  • Other costs
    • Network Load Balancer
      1. 1 GB/day = $16.69
    • Elastic File System
      1. $0.30 per GB/month but is only necessary to store downloaded files
  • Total = $100.80 + $59.90 + $16.69 = $177.39 per month + EFS fees, if necessary

You can save more money if you subscribe to the SFTP Gateway annual plan and pay upfront for a reserved EC2 instance:

  • Endpoint fee:
    • $549/year * 2 instances / 12 months = $91.50
  • EC2 cost (t3.medium, reserved pricing)
    • $213 * 2 instances / 12 months = $35.50
  • Data upload and download fee:
    • N/A
  • Other costs
    • Network Load Balancer
      1. 1 GB/day = $16.69
    • Elastic File System
      1. $0.30 per GB/month but is only necessary to store downloaded files
  • Total = $91.50 + $35.50 + $16.69 = $143.69 per month + EFS fees, if necessary

Example 2: Heavy use

Now let’s say your organization transfers or receives lots of files via SFTP. You have 1000 end users who upload 100 GB/day and download 50 GB/day. Pricing for each product might look like this:

SFTPGW vs AWS SFTP heavy use pricing

For the heavy use case, SFTP Gateway is 28-70% cheaper than AWS SFTP.

AWS SFTP pricing can be broken down as such:

  • Endpoint fee:
    • $0.30 * 24 hours * 30 days = $216
  • Data upload and download fee:
    • ($0.04 * 100 GB/day * 30 days (uploads)) + ($0.04 * 50 GB/day * 30 days (downloads)) = $120 + $60 = $180
  • Total = $216 + $180 = $396 per month

If you go with a single instance of SFTP Gateway, your pricing might look like this:

  • Endpoint fee:
    • $0.07 * 24 hours * 30 days = $50.40
  • EC2 cost (m5.large, on-demand pricing):
    • $0.096 * 24 hours * 30 days = $69.12
  • Data upload and download fee:
    • N/A
  • Total = $50.40 + $69.12 = $119.52 per month

If you go with a highly-available version of SFTP Gateway, your pricing might look like this:

  • Endpoint fee:
    • $0.07 * 24 hours * 30 days * 2 instances = $100.80
  • EC2 cost (m5.large, on-demand pricing):
    • $0.096 * 24 hours * 30 days * 2 instances = $138.24
  • Data upload and download fee:
    • N/A
  • Other costs
    • Network Load Balancer
      1. 150 GB/day = $43.92
    • Elastic File System
      1. $0.30 per GB/month but is only necessary to store downloaded files
  • Total = $100.80 + $138.24 + $43.92 = $282.96 per month + EFS fees, if necessary

Again, going with an SFTP Gateway annual plan and reserved EC2 instance will save you more:

  • Endpoint fee:
    • $549/year * 2 instances / 12 months = $91.50
  • EC2 cost (m5.large, reserved instance):
    • $501/year * 2 instances / 12 months = $83.50
  • Other costs
    • Network Load Balancer
      1. 150 GB/day = $43.92
    • Elastic File System
      1. $0.30 per GB/month but is only necessary to store downloaded files
  • Total = $91.50 + $83.50 + $43.92 = $218.92 per month + EFS fees, if necessary

Support

We’re sure that AWS will provide great support for their SFTP product but can’t really speak to how good it is.

All we can say is that we’ve been praised for our responsive, helpful support.

We guarantee an email response within 24 hours, and typically respond much sooner than that. We go above and beyond to solve our customers’ problems. And we have multiple support options that will help you get the most out of SFTP Gateway.

Conclusion

While AWS SFTP and SFTP Gateway are similar products, there certainly are differences where one product may work better for your organization. We hope that this blog post shed some light on which may be the better fit for you.

If you have any questions, either comment on this post or email us at support@thorntech.com. We’d love to hear from you.