The first step is to subscribe to the SFTP Gateway product on its AWS Marketplace page. This will launch the SFTP Gateway EC2 instance.

This article assumes you are connecting using Windows. If you are trying to connect using Linux / OSX, click here.

CloudFormation Setup

Setup with AWS CloudFormation is recommended. Click here to download the CloudFormation template.

To set up the SFTP Gateway server using CloudFormation, navigate to the CloudFormation console and click "Create Stack". Upload the SFTP Gateway CloudFormation template and specify the details of your instance.

SSH with PuTTY (Without CloudFormation)

If you are not using the CloudFormation template, then certain AWS resources must be configured after first launching the instance. Before continuing, make sure your EC2 instance has an IAM Role with the AmazonS3FullAccess policy. This is necessary for proper setup of the S3 bucket.

PuTTY does not natively support the PEM format that AWS uses, so you need to first convert your .PEM file to a .PPK file (PPK = PuTTY Private Key). To do this, you use the PuTTYgen utility packaged with PuTTY.


  1. Open PuTTYgen and click Load to browse for your .PEM key. When browsing for the key, be sure to select All Files in the dropdown menu. Click Openwhen you have selected your key.
  2. PuTTYgen will now convert your key to the proper filetype.
  3. To save your new PPK key, click Save private key.

You are now ready to SSH in to the server with PuTTY using the new .PPK key.


  1. Open PuTTY and select SSH as the connection type.
  2. In the Host Name field, enter ec2-user@<public ip>
  3. Expand the SSH section on the left, and click on Auth.
  4. Click on Browse to browse for the .PPK key, and click Open when you have selected it.
  5. To launch the SSH session, click Open.

You are now ready to begin the manual setup.

Manual Setup

If you did not use the AWS CloudFormation template, SSH in and run the following command to setup the S3 bucket and other necessary properties:sudo sftpgatewaysetup.

Adding and Removing Users

The AMI comes preloaded with administration commands to add and delete users.

From the primary ec2-user user account, run the following command to add a new user: sudo addsftpuser <username>. Running this command will do the following things: - Create the new Linux user - Disable the users login shell so they can only SFTP and not SSH to the server - Setup the appropriate home directory for SFTP - Create user's new SSH key and email the key to a chosen address

Uploads will only occur within the user's upload directory.

Users can be deleted by running the following command from the primary ec2-user account sudo deletesftpuser <username>. The user's account, their SSH key, and their home directory along with everything in it, will be deleted. Be sure to backup the home directory before running this command if you want to keep the files.

Connecting as a User

When creating a new user, the user's SSH key is emailed to a chosen address. In order to SFTP into the server as that user, you need to convert the emailed plaintext key into a usable .PEM key.

  1. Open a text editor (such as Wordpad) and paste the contents of the email, including the start and end tags.
  2. save the file as userPrivateKey.pem
  3. You can now SFTP into the server as the new user using this key.

SFTP with FileZilla

To log into the SFTP Gateway server using FileZilla, follow the GIF below. Be sure to enter the username for the user, the instance's public IP for the host, "key file" for the logon type, and select the userPrivateKey.pem you created in the last step.


SFTP with WinSCP

To log into the SFTP Gateway server using WinSCP, enter the username for the user name, the instance's public IP for the host name, and "SFTP" for the file protocol.


Note: "Transfer resume" must be disabled to properly transfer files when using WinSCP. Click Preferences, and open the Endurance section. Click Disable as shown.


Click Advanced, then click Authentication. Select the userPrivateKey.pem you created in the last step. A dialog will appear asking if you want to convert the .PEM file to a .PPK file, click Ok and save the file. Select the newly converted key and click Ok.


To connect to the SFTP Gateway server, click Login.