CASE STUDY · May 9, 2025 · 7 min read · Updated May 10, 2026

Secure File Exchange Modernization with AWS Transfer Family

Replacing a legacy SFTP/FTPS server with FedRAMP-aligned AWS Transfer Family for IP-restricted, audit-ready secure file exchange.

Client: Confidential Federal Agency
Asad Imtiaz
Solutions Architect · AWS, Cybersecurity, DevOps

A federal agency replaced its legacy SFTP/FTPS infrastructure with a managed, FedRAMP-aligned AWS Transfer Family architecture supporting strict IP allowlists, end-to-end encryption, and zero EC2 footprint.

Challenge

A federal agency operated a legacy SFTP/FTPS server to manage secure data exchanges across departments and partner entities. The system had grown organically over many years, and the cost of keeping it running, in both operations and compliance evidence, was steadily rising while its security posture was not improving.

The replacement needed to satisfy a specific set of constraints. It had to be FedRAMP-aligned. It had to scale without manual capacity planning. And it had to enforce strict IP allowlisting at the network layer, restricting transfers to a known set of partner addresses rather than relying on application-level checks alone.

Solution

One Dynamic implemented a managed, cloud-native architecture built on AWS Transfer Family. The design uses native AWS services for every layer of the stack — network isolation, identity, encryption, observability, and automation — and is provisioned end-to-end through Terraform so the entire environment can be reproduced from source control.

Endpoint Configuration

AWS Transfer Family provides the protocol surface, with SFTP as the only enabled protocol; the legacy SFTP/FTPS server is replaced by a managed service that scales without dedicated EC2 capacity, and the cleartext FTP control channel goes away with it.

Network Isolation

The server uses a VPC-hosted endpoint rather than the public endpoint type, so its network interfaces sit inside the agency's VPC and partner traffic enters through that VPC rather than through a public endpoint. This is what makes network-layer allowlisting possible at all: public Transfer Family endpoints do not accept security groups, so source-IP restriction would otherwise fall back to the application layer. Security Groups on the endpoint and Network ACLs on its subnets both carry the partner IP allowlist, so a misconfiguration in one is caught by the other. Because NACLs are stateless, the return path on ephemeral ports has to be allowed explicitly; getting that wrong fails closed rather than open.
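As an added example, not the engagement's own Terraform, the network layer described above in HCL: an SFTP-only Transfer Family server on a VPC-hosted endpoint, with a Security Group and a Network ACL that both carry the partner allowlist. The variable names, the partner CIDRs (RFC 5737 documentation ranges) and the FIPS security policy name are assumptions; the VPC, subnet and Elastic IP identifiers are placeholders that would come from the agency's own VPC module.

```hcl
# Added example, not the engagement's own code. Placeholders: var.vpc_id,
# var.endpoint_subnet_ids (dedicated subnets for the endpoint ENIs),
# var.eip_allocation_ids, var.logging_role_arn and the partner CIDRs below.

variable "partner_cidrs" {
  description = "Partner source ranges allowed to reach SFTP (placeholder values)"
  type        = map(string)
  default = {
    partner-a = "198.51.100.0/24"
    partner-b = "203.0.113.10/32"
  }
}

variable "vpc_id" { type = string }
variable "endpoint_subnet_ids" { type = list(string) }
variable "eip_allocation_ids" { type = list(string) }
variable "logging_role_arn" { type = string }

# Layer 1: a stateful Security Group on the endpoint's network interfaces.
# Nothing outside partner_cidrs reaches the SFTP listener.
resource "aws_security_group" "sftp" {
  name        = "sftp-partner-allowlist"
  description = "Only allowlisted partner ranges may reach the SFTP endpoint"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "sftp" {
  for_each          = var.partner_cidrs
  security_group_id = aws_security_group.sftp.id
  description       = each.key
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
}

# Layer 2: a stateless Network ACL on the endpoint subnets with the same list.
# Stateless means the return path must be allowed explicitly: the partner's
# ephemeral source port is the destination on the way back out.
resource "aws_network_acl" "sftp" {
  vpc_id     = var.vpc_id
  subnet_ids = var.endpoint_subnet_ids
}

resource "aws_network_acl_rule" "ingress_sftp" {
  for_each       = var.partner_cidrs
  network_acl_id = aws_network_acl.sftp.id
  rule_number    = 100 + index(keys(var.partner_cidrs), each.key)
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = each.value
  from_port      = 22
  to_port        = 22
}

resource "aws_network_acl_rule" "egress_return" {
  for_each       = var.partner_cidrs
  network_acl_id = aws_network_acl.sftp.id
  rule_number    = 100 + index(keys(var.partner_cidrs), each.key)
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = each.value
  from_port      = 1024
  to_port        = 65535
}
# No catch-all rules: a NACL denies whatever is not explicitly allowed.

resource "aws_transfer_server" "sftp" {
  protocols              = ["SFTP"] # FTP and FTPS stay disabled
  identity_provider_type = "SERVICE_MANAGED"
  domain                 = "S3"
  logging_role           = var.logging_role_arn
  # FIPS cipher policy for SSH; verify the name against the current AWS list.
  security_policy_name   = "TransferSecurityPolicy-FIPS-2024-01"

  # endpoint_type = "PUBLIC" would reject security_group_ids entirely, leaving
  # source-IP control to the application layer. The VPC type places the
  # listener's ENIs in the agency VPC where the two layers above apply.
  endpoint_type = "VPC"
  endpoint_details {
    vpc_id             = var.vpc_id
    subnet_ids         = var.endpoint_subnet_ids
    security_group_ids = [aws_security_group.sftp.id]
    # Elastic IPs expose the endpoint to external partners; drop this line for
    # an internal-only endpoint reached over VPN or Direct Connect.
    address_allocation_ids = var.eip_allocation_ids
  }
}
```

The NACL is attached to subnets reserved for the endpoint; sharing those subnets with other workloads would subject them to the same allow-only rules. Adding a partner is a pull request that extends `partner_cidrs`, and both layers pick it up from the one map.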

Identity and Access

Transfer Family assumes an IAM role on each user's behalf, and a per-user session policy narrows that role to the user's own data, so a user's effective permissions are the intersection of the two as evaluated by the service rather than permissions maintained on an underlying file server. MFA is required for administrative operations, meaning the AWS API and console actions that manage the service; the SFTP endpoint itself authenticates users through the configured identity provider. With no operating-system accounts to create, reconcile and forget, server-side credential sprawl is gone, though the credentials partners present to the endpoint still need an owner and a review cycle.
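As an added example, not the engagement's own Terraform, the identity layer for one service-managed user: a shared role that sets the upper bound, a session policy that narrows it to the user's own prefix, a logical home directory that hides the bucket layout, key-based login, and the MFA condition for administrative calls. The server and bucket references, the user name "partner-a" and the key path are assumptions.

```hcl
# Added example, not the engagement's own code. Placeholders: var.server_id,
# var.bucket, the user "partner-a" and the path to its public key.

variable "server_id" { type = string }
variable "bucket" { type = string }

data "aws_caller_identity" "current" {}

# Role the service assumes for every SFTP user; SourceAccount blocks a server
# in another account from assuming it (confused deputy).
data "aws_iam_policy_document" "transfer_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["transfer.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "sftp_user" {
  name               = "sftp-user-role"
  assume_role_policy = data.aws_iam_policy_document.transfer_assume.json
}

# Upper bound: the role may reach the whole exchange bucket...
resource "aws_iam_role_policy" "sftp_user" {
  role = aws_iam_role.sftp_user.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = ["s3:ListBucket"], Resource = "arn:aws:s3:::${var.bucket}" },
      { Effect = "Allow", Action = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        Resource = "arn:aws:s3:::${var.bucket}/*" }
    ]
  })
}

# ...and the session policy, evaluated per user by Transfer Family, narrows it
# to that user's prefix. $${transfer:UserName} is Terraform's escape for the
# literal ${transfer:UserName}, filled in by the service at session time, so one
# document serves every user. Session policies are capped at 2048 bytes.
locals {
  session_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = ["s3:ListBucket"]
        Resource  = "arn:aws:s3:::${var.bucket}"
        Condition = { StringLike = { "s3:prefix" = ["$${transfer:UserName}/*", "$${transfer:UserName}"] } }
      },
      {
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
        Resource = "arn:aws:s3:::${var.bucket}/$${transfer:UserName}/*"
      }
    ]
  })
}

resource "aws_transfer_user" "partner_a" {
  server_id           = var.server_id
  user_name           = "partner-a"
  role                = aws_iam_role.sftp_user.arn
  policy              = local.session_policy
  home_directory_type = "LOGICAL"
  # The user lands in "/" mapped onto its prefix and never sees the bucket layout.
  home_directory_mappings {
    entry  = "/"
    target = "/${var.bucket}/partner-a"
  }
}

# Key-based login: the public key is registered with the service, the private
# key stays with the partner, and no operating-system account exists anywhere.
resource "aws_transfer_ssh_key" "partner_a" {
  server_id = var.server_id
  user_name = aws_transfer_user.partner_a.user_name
  body      = file("${path.module}/keys/partner-a.pub") # placeholder path
}

# "MFA for administrative operations": explicit Deny on every Transfer Family
# API call from a session with no MFA claim. Attach to the admin principals.
data "aws_iam_policy_document" "transfer_admin_requires_mfa" {
  statement {
    effect    = "Deny"
    actions   = ["transfer:*"]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}
```

The role policy alone would let any user read every partner's files; the session policy is what turns a shared role into per-user isolation, and because it is generic over `${transfer:UserName}`, onboarding a new partner is one `aws_transfer_user` and one key, never a policy edit.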

Encryption

PGP encryption of the file contents protects data end to end, including at rest in the landing bucket, and is independent of the transport-layer encryption that SFTP's SSH channel provides in transit: a file that leaves the SSH session is still ciphertext until the agency's key decrypts it. Key material is held in AWS rather than on a file server, and rotation policies are codified in the Terraform configuration.
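As an added example, not the engagement's own Terraform, the two encryption layers in HCL: SSE-KMS on the landing bucket with automatic key rotation, and a Transfer Family managed workflow that decrypts PGP-encrypted uploads with a private key held in Secrets Manager under the name the service resolves. The server reference, the bucket name and the key material variables are assumptions; the decryption step is attached to the server through its `workflow_details` block, which is not shown.

```hcl
# Added example, not the engagement's own code. Placeholders: var.server_id,
# the bucket name, and the PGP key material supplied out of band.

variable "server_id" { type = string }
variable "pgp_private_key_armored" {
  type      = string
  sensitive = true # ASCII-armored private key, supplied out of band, never committed
}
variable "pgp_passphrase" {
  type      = string
  sensitive = true
}

# At rest: SSE-KMS on the landing bucket with automatic annual key rotation.
resource "aws_kms_key" "exchange" {
  description         = "SSE-KMS key for the exchange bucket"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "exchange" {
  bucket = "agency-exchange-placeholder"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "exchange" {
  bucket = aws_s3_bucket.exchange.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.exchange.arn
    }
    bucket_key_enabled = true
  }
}

# End to end: the PGP private key lives in Secrets Manager under the name the
# service resolves for a user, aws/transfer/<server-id>/<username>, or this
# @pgp-default fallback. The value is JSON with PGPPrivateKey and PGPPassphrase.
# Secrets Manager does not rotate this key by itself; rotation means publishing
# a new public key to partners and then updating this secret.
resource "aws_secretsmanager_secret" "pgp_default" {
  name       = "aws/transfer/${var.server_id}/@pgp-default"
  kms_key_id = aws_kms_key.exchange.arn
}

resource "aws_secretsmanager_secret_version" "pgp_default" {
  secret_id = aws_secretsmanager_secret.pgp_default.id
  secret_string = jsonencode({
    PGPPrivateKey = var.pgp_private_key_armored
    PGPPassphrase = var.pgp_passphrase
  })
}

# Managed workflow that decrypts each upload. Attach it to the server with
# workflow_details { on_upload { workflow_id, execution_role } }; that role
# needs S3 read/write on the bucket, secretsmanager:GetSecretValue on the
# secret above and kms:Decrypt on the key.
resource "aws_transfer_workflow" "decrypt_on_upload" {
  description = "Decrypt PGP payloads after upload"
  steps {
    type = "DECRYPT"
    decrypt_step_details {
      name                 = "pgp-decrypt"
      type                 = "PGP"
      source_file_location = "$${original.file}" # literal ${original.file} for the service
      overwrite_existing   = "FALSE"
      destination_file_location {
        s3_file_location {
          bucket = aws_s3_bucket.exchange.id
          key    = "decrypted/"
        }
      }
    }
  }
  # Runs only if the step above fails, e.g. a partner uploaded plaintext or
  # encrypted to the wrong key; the tag makes such files easy to quarantine.
  on_exception_steps {
    type = "TAG"
    tag_step_details {
      name = "tag-decrypt-failed"
      tags {
        key   = "decrypt"
        value = "failed"
      }
    }
  }
}
```

Downstream consumers read from the `decrypted/` prefix only; the original ciphertext stays where it landed, which keeps the upload itself as evidence and means a failed decryption never silently hands plaintext on.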

Observability

CloudTrail captures every administrative API call against the service, and CloudWatch Logs captures runtime session activity, including authentication attempts and per-file operations, producing the audit evidence federal compliance reviews require without manual log aggregation.

Automation

Lambda functions triggered by EventBridge rules handle post-transfer processing — file routing, notification, and downstream system integration — without persistent compute. The handlers are deployed alongside the rest of the infrastructure as code.
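As an added example, not the engagement's own Terraform, the event wiring for post-transfer processing: an EventBridge rule matching the upload-completed event Transfer Family emits, a Lambda target with a dead-letter queue, and the invoke permission that target needs. The server reference, the packaged handler `router.zip` with entry point `handler.main`, and the `server-id` detail field (check it against the `aws.transfer` schema in the EventBridge schema registry) are assumptions.

```hcl
# Added example, not the engagement's own code. Placeholders: var.server_id,
# the packaged handler router.zip and its entry point handler.main.

variable "server_id" { type = string }

# Matches only completed uploads on this server; upload failures, connector
# events and other servers in the account stay out of this path.
resource "aws_cloudwatch_event_rule" "upload_completed" {
  name = "sftp-upload-completed"
  event_pattern = jsonencode({
    source        = ["aws.transfer"]
    "detail-type" = ["SFTP Server File Upload Completed"]
    detail        = { "server-id" = [var.server_id] } # field name per the aws.transfer schema
  })
}

data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "router" {
  name               = "sftp-post-transfer-router"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

resource "aws_iam_role_policy_attachment" "router_logs" {
  role       = aws_iam_role.router.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_lambda_function" "router" {
  function_name    = "sftp-post-transfer-router"
  role             = aws_iam_role.router.arn
  runtime          = "python3.12"
  handler          = "handler.main"
  filename         = "${path.module}/router.zip"
  source_code_hash = filebase64sha256("${path.module}/router.zip")
  timeout          = 30
}

# Deliveries that exhaust retries go to a queue instead of vanishing: the
# routing step is part of the record of what happened to each file.
resource "aws_sqs_queue" "router_dlq" {
  name = "sftp-router-dlq"
}

resource "aws_sqs_queue_policy" "router_dlq" {
  queue_url = aws_sqs_queue.router_dlq.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "events.amazonaws.com" }
      Action    = "sqs:SendMessage"
      Resource  = aws_sqs_queue.router_dlq.arn
      Condition = { ArnEquals = { "aws:SourceArn" = aws_cloudwatch_event_rule.upload_completed.arn } }
    }]
  })
}

resource "aws_cloudwatch_event_target" "router" {
  rule = aws_cloudwatch_event_rule.upload_completed.name
  arn  = aws_lambda_function.router.arn
  dead_letter_config {
    arn = aws_sqs_queue.router_dlq.arn
  }
  retry_policy {
    maximum_event_age_in_seconds = 3600
    maximum_retry_attempts       = 5
  }
}

# EventBridge can name the function as a target, but invocation is refused
# until the function's resource policy allows this specific rule.
resource "aws_lambda_permission" "eventbridge" {
  statement_id  = "AllowEventBridgeInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.router.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.upload_completed.arn
}
```

The `source_arn` on the permission matters: without it any rule in the account could invoke the router. The handler itself only needs the S3 and downstream permissions its routing logic uses, granted on the router role rather than inherited from the Transfer Family user role.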

Results

The new platform produced measurable improvements across operations, compliance, and cost:

  • 60% reduction in operational overhead. Day-to-day administration shifted from server management to service configuration.
  • FedRAMP-aligned, with internal audit requirements fully met. Audit evidence is generated automatically by CloudTrail and CloudWatch rather than collected ad hoc.
  • Layered security. IP allowlisting, VPC isolation, and PGP encryption work together rather than depending on any single control.
  • Zero EC2 footprint. The architecture uses fully managed services exclusively, removing both the patching burden and the upfront infrastructure investment.
  • Pay-as-you-go cost profile. Costs scale with actual transfer volume rather than with provisioned capacity, eliminating the long-running idle-server expense of the legacy deployment.

Architectural Notes

Two design decisions in this architecture are worth calling out, because they generalize beyond this specific engagement.

The first is the choice of AWS Transfer Family over a self-managed SFTP service running on EC2. A self-managed deployment would have given the team more configuration flexibility, but at the cost of operational responsibility — patching, scaling, high-availability configuration, and audit-evidence collection all become the agency’s problem. AWS Transfer Family pushes those concerns into the managed service, where they can be satisfied with provider-issued attestations rather than maintained internally. For a workload whose value is in the data being moved rather than in the file server itself, that is the right trade.

The second is the use of Terraform for the entire stack. Provisioning every component — endpoints, network policies, IAM, encryption, automation — through code means the environment can be re-created on demand, audited by reading the source, and changed through a reviewed pull request rather than a console click. In federal contexts, where reproducibility and auditability are not optional, this is what makes the difference between an architecture that holds up to a security review and one that quietly drifts after deployment.
