Kazuya
AWS re:Invent 2025 - Private and secure web browser-based access to your data in S3 (STG220)

🦄 Making great presentations more accessible.
This project aims to enhance multilingual accessibility and discoverability while maintaining the integrity of the original content. Detailed transcriptions and keyframes preserve the nuances and technical insights that make each session compelling.

Overview

📖 AWS re:Invent 2025 - Private and secure web browser-based access to your data in S3 (STG220)

In this video, Ed Laura, Senior Solutions Architect at AWS, demonstrates AWS Transfer Family web apps, a no-code solution enabling non-technical users to access S3 data through a web browser. The presentation covers key features including flexible identity integration with AWS Identity Center, customizable branding, and granular access control via S3 access grants. A live demo showcases the user experience with read-write and read-only permissions, file operations, and search functionality. The newly launched VPC endpoint feature is highlighted, allowing organizations to restrict access to internal networks via VPN or Direct Connect rather than public internet exposure. Integration options with identity providers like Active Directory and Okta, along with multi-factor authentication support, are discussed for enhanced security.


This article is entirely auto-generated while preserving the original presentation content as much as possible. Please note that there may be typos or inaccuracies.

Main Part

Introduction to AWS Transfer Family Web Apps: Solving Browser-Based S3 Access

Welcome, and thank you for joining. My name is Ed Laura, and I'm a Senior Solutions Architect on the storage product team for Storage Gateway, Data Sync, and AWS Transfer Family. Today we're going to talk about a simple way to access your data via a web browser—data that's stored in S3 without code. We have a simple web application that allows non-technical users to access data you've already stored in S3, and we have a new feature to highlight today as well.

Here's our quick agenda. We'll do a short overview of AWS Transfer Family web apps and its key features. Then we'll do a short demo showing you the end user experience. We'll cover the new feature we've just launched, and we'll provide you with additional resources if you'd like to get started and build this on your own.

The core problem is that many customers across many verticals have data in S3, and they need a simple way for human users—non-technical users in many cases—to access that data. Using things like the S3 console is often not an option. We want a simple way for those users to log in via a web browser and just browse the data, do things like download certain files, browse directories, and share that data.

We know that there are stringent security needs, so we need a secure solution. Alternative solutions can be quite costly, and some customers go off and build custom solutions. We're trying to take some of that legwork off the customer and build it ourselves, making it simple for you to deploy and take advantage of.

AWS Transfer Family web apps is part of the AWS Transfer family, and it's modular with multiple different options. Our core service is file transfer servers using the SFTP protocol. We host an SFTP server for you that's highly available and highly performant, allowing SFTP clients to connect to an SFTP endpoint within the region. This can store data in S3, and it can also store data in EFS as well. Today we're going to focus on data stored in S3. Many customers build event-driven data workflows using this service, so data can come in from a third party or partner and land in your bucket where an event gets triggered, and we can trigger some sort of processing or additional pipeline down the road.

The other way we have is file transfer connectors. In this case, we act as the SFTP client on your behalf. It's hosted in the region and allows us to push or pull files from a remote SFTP server. In the first case, we are the server and clients connect in. In the second case, we are the SFTP client and we can push and pull to external sources. Many event-driven workflows can be built off of this push and pull dynamic.

The third option that we included to round out our managed file transfer capabilities is the web UI. Many times customers generate data, push it into S3, do some processing against that data, and maybe there's a report or results that get provided and go back into that same S3 bucket. Now we just want somebody to go and review that document or image or report. We built a web UI for that purpose.

Once all your data is in S3, the possibilities are endless. We can leverage things like artificial intelligence, analytics, and database services. We can do all sorts of event-driven architectures built off of this type of workflow, receiving data from third parties and being able to access it from non-technical users.

We have flexible identity integration, which we'll cover a few of today. We can automate file processing, and we integrate with all of those AWS services in region. The whole goal is to be simple to use and easy to configure. It's customizable, so you can essentially white label it—you can bring in your company logo, you can have a custom URL, and you have ways to customize it so it looks like your company brand. We meet all of the compliance requirements like HIPAA, FedRAMP, and others.

Demonstrating the User Experience and Architecture Setup

We have a very simple browser-based experience, and we're going to demo that today as well. So let me do a short demo here. All right, so you can see we're logging in.

Make sure it's going. We have a username and password. We actually tie back to an identity provider, so you can provide an identity provider. It could be your Active Directory credentials, and your users use those same usernames and passwords that they're used to using. We have the notion of groups that you can create, so you can actually have read-write access, and you can also customize that logo. In this case, we're talking about a read-write user, so they can not only browse the directory but they can also create folders and upload files right through a native browser.

Browsing should be pretty straightforward. It's just a directory structure. We can drag and drop files from our local workstation and upload those into that S3 bucket, where you may have events that trigger off of notifications to go and process that new data that you just uploaded. Or you can use this to share files across your organization. We have all sorts of sort functions and options to overwrite existing files.

If we go back to the root, we can also search, and this is very helpful if we don't know where those documents are. These are potentially non-technical end users who just need to find the data that they're looking for. In this case, we searched for Q4. If you go back to the root again, you can also create new folders. These are very simple operations meant to be very simple for those end users.

When we do this, those new folders and files are now available in that S3 bucket. So if you have external applications that are also accessing the same data, they can now read that data as well. We can move files as well. Here, we'll move a file to that new folder that we just created. It's a simple copy operation. We're going to sign out. That was our read-write user.

We also have the ability to have a read-only user. In this case, we call this the financial analyst. As we log in, we can actually narrow the scope of what that user or group has access to, so they only see the data that they have access to, and we can grant that access. We'll show that in a little bit. But you can see the options are now limited. We can't upload any files, we can't create new folders. However, we can download files because we can read them.

So what are the main use cases that I mentioned? Being able to share files within your organization, so your workforce users have internal access to this data that's in S3. You can also leverage it for third-party partner sharing. Perhaps you have some partners that you need to share data with, and you want a secure way to do that where they don't have to install a client, they don't have to download anything. They can just go straight to a web browser, and we can control their identities and access through Identity Center.

So how do we set this up? It's meant to be simple. We're going to leverage AWS Identity Center. You may already have that set up. We can tie into an existing Identity Center instance, or you can create a new one. We also then define user access through S3 access grants. That's how we can control which user groups have access to which data, so that you don't give too much access. Then simply you go to the Transfer Family console, and you can design that web app within Transfer Family. There's no code needed. You simply create the app. It provides an endpoint, which is a URL, and that's going to be a public endpoint, so it's available over the internet. That's where we're going to talk about a new feature that we launched as well.

Here's the general architecture. Those end users can be sitting anywhere from home or from another location.

They're going to connect over the internet. We're going to tie Identity Center to your corporate identity provider, which could be Active Directory, Okta, Ping Identity, or others. You can enable multi-factor authentication to ensure that data is only accessed by the right people. In the back end, the Transfer Family web app runs in region and talks to S3, with access controlled through S3 access grants. All that data is stored in Amazon S3.

New VPC Endpoint Feature and Getting Started Resources

What we launched just last week was the ability to have a VPC endpoint for web apps. This further tightens the security. Let's say we have only our internal users that we want to have access, meaning they are connected to the VPN and on our internal network. I don't want this exposed publicly to the internet where people can try to log in. We now have two options: we can deploy this publicly over the internet where it is secure and we can control access, or we can lock it down even further for these internal workforce users.

If you look at the architecture, we now have those two options. Your authenticated users can still be from home, but they may need to be logged in over VPN or connected from another site over Direct Connect, where you access a VPC endpoint. You have the URL and can customize your URL, and then that goes to the Transfer Family web app. You get that same end user experience that we just demonstrated.

This is a high-level 200-level talk. We do have a lot more detailed information available. We have a workshop that you can go to and create and set up your access grants, which is published through the Workshop Studio catalog. You also have getting started videos that we've been making an effort to put on YouTube so you can go back and watch those to see how to configure them and get up and running with your web app in short order.

It's always a good idea to go to our main page where we have customer references, documentation, blogs, and everything that you would need to get started and move forward. Another interesting one was the integration with Okta. We have a specific video out there that shows how to integrate with Okta, which we know is a popular identity provider. With that, we can then enable multi-factor authentication as well.

That's the presentation. Hopefully, this gives you simple, easy access to your data in S3. My name is Ed Laura, and you can find me on LinkedIn. Feel free to reach out and connect, and hopefully this was helpful for you. If you don't mind, please fill out the survey and leave feedback.
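The talk scopes the read-write group and the read-only "financial analyst" group with S3 Access Grants but does not show how a grant's scope is matched. The following is an added example (not the speaker's or AWS's code): a simplified model of grant evaluation that assumes a trailing `*` in a grant scope is a plain prefix wildcard, with constructed group ids, bucket names and keys, so that a least-privilege plan can be sanity-checked before the grants are created in the S3 console.

```python
"""Added example: simplified model of S3 Access Grants evaluation (assumption:
a scope ending in '*' is a plain prefix match, anything else is an exact key)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantee_type: str   # "DIRECTORY_GROUP" or "DIRECTORY_USER" (Identity Center)
    grantee_id: str     # constructed group/user id, not a real Identity Center id
    scope: str          # e.g. "s3://bucket/prefix/*" or "s3://bucket/key"
    permission: str     # "READ", "WRITE" or "READWRITE"


def scope_covers(scope: str, s3_uri: str) -> bool:
    """Trailing '*' means prefix match; otherwise the URI must match exactly."""
    if scope.endswith("*"):
        return s3_uri.startswith(scope[:-1])
    return s3_uri == scope


def effective_permissions(grants, user_id, group_ids, s3_uri) -> frozenset:
    """Union of READ/WRITE from every grant whose grantee is this user or one of
    their groups and whose scope covers the object. No grant means no access."""
    perms = set()
    for g in grants:
        is_grantee = (g.grantee_type == "DIRECTORY_USER" and g.grantee_id == user_id) or \
                     (g.grantee_type == "DIRECTORY_GROUP" and g.grantee_id in group_ids)
        if is_grantee and scope_covers(g.scope, s3_uri):
            if g.permission in ("READ", "READWRITE"):
                perms.add("READ")
            if g.permission in ("WRITE", "READWRITE"):
                perms.add("WRITE")
    return frozenset(perms)


def overbroad_scopes(grants) -> list:
    """Flag wildcard scopes not anchored at a folder boundary: 'finance*' also
    covers 'finance-archive/...', which is rarely what a read-only group should see."""
    return [g.scope for g in grants if g.scope.endswith("*") and not g.scope.endswith("/*")]


# Constructed grants mirroring the talk's two groups (ids and bucket are made up).
GRANTS = [
    Grant("DIRECTORY_GROUP", "grp-data-ops", "s3://corp-data/*", "READWRITE"),
    Grant("DIRECTORY_GROUP", "grp-financial-analysts", "s3://corp-data/finance/*", "READ"),
]

if __name__ == "__main__":
    for uri in ("s3://corp-data/finance/Q4-report.pdf", "s3://corp-data/hr/salaries.csv"):
        print(uri, sorted(effective_permissions(GRANTS, "u-analyst", {"grp-financial-analysts"}, uri)))
    print("overbroad:", overbroad_scopes(GRANTS))
```

The analyst group resolves to READ under `finance/` only and to nothing elsewhere, while the data-ops group gets READ and WRITE on the whole bucket; run `overbroad_scopes` over a planned grant list before applying it.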


This article is entirely auto-generated using Amazon Bedrock.
