Connecting to the Amazon S3 protocol is now natively supported as of WinSCP version 5.13, WinSCP uses the REST interface to interact with S3.

This guide creates an S3 bucket, an IAM user, an IAM access policy with least priviledge, then generating access and secret keys for API access to allow WinSCP to seamlessy migrate files over.

Create an S3 Bucket

Login to AWS management console, navigate to S3 and create a new bucket in the region you require.

In this example the bucket name is called infra-engineer-winscp-bucket and this bucket has been created with default settings

Create an IAM user/policy and attach to bucket

The next step is to create an IAM so you need to navigate to IAM and create new user with the access type set as Programmatic access only and click Next

The username in this example is called infra-engineer-winscp-user

On the permission page, select "Attach existing policies directly" and select Create policy

Select the JSON tab and paste the following replacing your bucketname in place of infra-engineer-winscp-bucket;

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::infra-engineer-winscp-bucket"
            "Effect": "Allow",
            "Action": [
            "Resource": [

Give the policy a Name (i.e. infra-engineer-winscp-policy) with a descriptive comment and Create policy

Once this policy is created, select it and click "Next: Review" the create user

Download or copy the access key ID and secret access key which will be used to connect from WinSCP

Install WinSCP and connect to the bucket

Install WinSCP 5.13 or greater from the WinSCP download page, anything less than version 5.13 does not support S3

Once installed, select new site and change the file protocol to Amazon S3, this will prepopulate the host name to

Enter the access key ID and secret access key created earlier,

Go to Advanced > Environment > Directories and set the remote directory to the bucket name with forward slashes, i.e.


Click OK, save and Login

Accept any certificate warnings

You should now be logged in and can use WinSCP as required to upload/download your files.

Further Reading on WinSCP: WinSCP documentation on client configuration