Monitoring SFTP connectors - Amazon Transfer Family

Monitoring SFTP connectors

You can monitor the status of your connector operations in any of the following ways. Choose the approach that meets your needs.

Use the connector API to query the status of file transfer requests

To track the progress of a file transfer operation, use the ListFileTransferResults API operation, which returns real-time updates and detailed information on the status of each individual file being transferred in a specific file transfer operation. You specify the file transfer by providing its Connector ID and its Transfer ID. The following example returns a list of files for connector ID a-11112222333344444 and transfer ID a1b2c3d4-5678-90ab-cdef-EXAMPLE11111.

aws transfer list-file-transfer-results --connector-id a-11112222333344444 --transfer-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111

Note: File transfer results are available up to 7 days after you call the ListFileTransferResults API operation.
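
The following Python sketch is an added example, not part of the original documentation. It pages through ListFileTransferResults responses by following NextToken and reports per-status counts, failed files, and whether every file has reached a terminal status. The sample pages, file paths, and failure code are constructed; boto3_fetcher assumes boto3 and AWS credentials and is not called by the sample run.

```python
from collections import Counter

TERMINAL = {"COMPLETED", "FAILED"}  # QUEUED and IN_PROGRESS are still pending

def collect_results(fetch_page):
    """Follow NextToken until every page of file results has been read."""
    results, token = [], None
    while True:
        page = fetch_page(token)
        results.extend(page.get("FileTransferResults", []))
        token = page.get("NextToken")
        if not token:
            return results

def summarize(results):
    """Count files per StatusCode, list failures, and report completion."""
    counts = Counter(r["StatusCode"] for r in results)
    failures = [
        (r["FilePath"], r.get("FailureCode"), r.get("FailureMessage"))
        for r in results if r["StatusCode"] == "FAILED"
    ]
    done = bool(results) and all(r["StatusCode"] in TERMINAL for r in results)
    return {"counts": dict(counts), "failures": failures, "done": done}

def boto3_fetcher(connector_id, transfer_id):
    """Page fetcher backed by the real API (needs boto3 and credentials)."""
    import boto3
    client = boto3.client("transfer")
    def fetch(token):
        kwargs = {"ConnectorId": connector_id, "TransferId": transfer_id}
        if token:
            kwargs["NextToken"] = token
        return client.list_file_transfer_results(**kwargs)
    return fetch

# Constructed sample pages standing in for two API responses.
SAMPLE_PAGES = {
    None: {"FileTransferResults": [
        {"FilePath": "/bucket/out/a.csv", "StatusCode": "COMPLETED"},
        {"FilePath": "/bucket/out/b.csv", "StatusCode": "FAILED",
         "FailureCode": "SAMPLE_FAILURE_CODE", "FailureMessage": "constructed"}],
        "NextToken": "page-2"},
    "page-2": {"FileTransferResults": [
        {"FilePath": "/bucket/out/c.csv", "StatusCode": "IN_PROGRESS"}]},
}

def sample_fetcher(token):
    return SAMPLE_PAGES[token]

if __name__ == "__main__":
    print(summarize(collect_results(sample_fetcher)))
```

To run it against a real transfer, pass boto3_fetcher(connector_id, transfer_id) to collect_results in place of sample_fetcher.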

You can also view logs and events for your file transfer requests that use SFTP connectors. Amazon EventBridge events for Transfer Family are described in SFTP connector events. For how to view Transfer Family CloudWatch log entries, see Viewing Transfer Family log streams.

View SFTP connector events in Amazon EventBridge

For each operation performed by SFTP connectors, Transfer Family automatically generates and sends events to the default event bus in your Amazon EventBridge account. The events contain detailed metadata about the operation, including the operation status. You can subscribe to these events in EventBridge, apply filters on specific event criteria such as operation status, and automatically trigger downstream actions based on the status. For details on the events generated by SFTP connector operations, see SFTP connector events.

View SFTP connector logs in Amazon CloudWatch

All SFTP connector operations generate detailed logs in CloudWatch. For example log entries generated by SFTP connectors, see Example log entries for SFTP connectors.

Monitoring VPC egress type connectors

VPC egress type connectors provide additional monitoring capabilities and considerations beyond standard service managed connectors:

Connector status monitoring

VPC_LATTICE connectors include additional information to help you monitor the provisioning and operational state:

  • EgressType field: Shows VPC for VPC_LATTICE egress type connectors

  • EgressConfig field: Contains the Resource Configuration ARN and port information

Monitor connector status using the describe-connector API:

aws transfer describe-connector --connector-id c-1234567890abcdef0

VPC Lattice cost monitoring

VPC egress type connectors incur additional VPC Lattice charges that you should monitor:

  • Resource provider charges: You are billed $0.006/GB for data processing as the resource provider (billed directly by VPC Lattice)

  • Resource consumer charges: Amazon Transfer Family absorbs the $0.01/GB resource consumer costs (first 1 PB)

  • NAT Gateway charges: For public endpoints accessed via VPC, additional NAT Gateway and data transfer charges may apply

  • Transfer Family charges: Standard $0.40/GB data processing fees still apply

Monitor VPC Lattice usage and costs through the Amazon Cost and Billing console, filtering by the VPC Lattice service.

Network monitoring for VPC connectors

Monitor network activity and performance for VPC egress type connectors:

  • VPC Flow Logs: Enable VPC Flow Logs to monitor network traffic patterns between Resource Gateways and SFTP servers

  • VPC Lattice access logs: VPC Lattice provides access logs showing source/destination IP addresses, connection timing, and data transfer volumes

  • Security group monitoring: Monitor security group rules and traffic patterns to ensure proper network access controls

  • DNS resolution monitoring: Monitor DNS resolution times and failures for service network endpoints

Example VPC Lattice access log entry:

{
  "eventTimestamp": "2025-01-16T20:59:08.531Z",
  "serviceNetworkArn": "arn:aws:vpc-lattice:us-east-1:123456789012:servicenetwork/sn-1234567890abcdef0",
  "sourceVpcArn": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-12345678",
  "resourceConfigurationArn": "arn:aws:vpc-lattice:us-east-1:123456789012:resourceconfiguration/rcfg-12345678",
  "protocol": "tcp",
  "sourceIpPort": "10.0.1.100:33760",
  "destinationIpPort": "10.0.2.200:22",
  "gatewayIpPort": "10.0.1.150:1769",
  "resourceIpPort": "10.0.2.200:22"
}
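
The following Python sketch is an added example, not part of the original documentation. It checks access log lines in the format shown above against an allow-list of Resource Configuration ARNs and SFTP server networks, and flags entries that reach an unexpected resource, port, or address. The allow-lists and sample lines 2 and 3 are constructed assumptions.

```python
import ipaddress
import json

def split_ip_port(value):
    """Split 'ip:port' on the last colon so an IPv6 address keeps its colons."""
    host, _, port = value.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def check_entry(line, allowed_arns, allowed_nets, sftp_port=22):
    """Return findings for one access log line; an empty list means as expected."""
    try:
        entry = json.loads(line)
        ip, port = split_ip_port(entry["resourceIpPort"])
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return [f"unparseable entry: {exc!r}"]
    findings = []
    if entry.get("resourceConfigurationArn") not in allowed_arns:
        findings.append("unexpected resource configuration")
    if entry.get("protocol") != "tcp" or port != sftp_port:
        findings.append(f"unexpected protocol/port {entry.get('protocol')}/{port}")
    if not any(ip in net for net in allowed_nets):
        findings.append(f"resource address {ip} outside allowed networks")
    return findings

def scan(lines, allowed_arns, allowed_nets):
    """Map 1-based line number -> findings, for lines that have any."""
    report = {}
    for number, line in enumerate(lines, start=1):
        findings = check_entry(line, allowed_arns, allowed_nets)
        if findings:
            report[number] = findings
    return report

# Assumed allow-lists: the ARN and server subnet expected for this connector.
RCFG = "arn:aws:vpc-lattice:us-east-1:123456789012:resourceconfiguration/rcfg-12345678"
ALLOWED_ARNS = {RCFG}
ALLOWED_NETS = [ipaddress.ip_network("10.0.2.0/24")]

# Line 1 reuses fields of the page's entry; lines 2 and 3 are constructed.
SAMPLE_LINES = [
    json.dumps({"eventTimestamp": "2025-01-16T20:59:08.531Z", "protocol": "tcp",
                "resourceConfigurationArn": RCFG, "resourceIpPort": "10.0.2.200:22"}),
    json.dumps({"eventTimestamp": "2025-01-16T21:03:41.007Z", "protocol": "tcp",
                "resourceConfigurationArn": RCFG.replace("rcfg-12345678", "rcfg-99999999"),
                "resourceIpPort": "10.0.9.9:3389"}),
    "truncated {",
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LINES, ALLOWED_ARNS, ALLOWED_NETS).items():
        print(number, findings)
```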

Troubleshooting through monitoring

Use monitoring data to troubleshoot common VPC connector issues:

  • PENDING status: Monitor DNS resolution progress and wait for ACTIVE status before attempting transfers

  • Connection timeouts: Check VPC Flow Logs and security group rules for blocked traffic on port 22

  • Transfer failures: Review CloudWatch logs for detailed error messages and VPC Lattice access logs for network-level issues

  • Performance issues: Monitor VPC Lattice access logs for connection timing and throughput metrics