AWS Transfer Family

Returns a list of the profiles for your system. If you want to limit the results to a certain number, supply a value for the MaxResults parameter. If you ran the command previously and received a value for NextToken , you can supply that value to continue listing profiles from where you left off.

See also: AWS API Documentation

Request Syntax

client.list_profiles(
    MaxResults=123,
    NextToken='string',
    ProfileType='LOCAL'|'PARTNER'
)

type MaxResults

integer

param MaxResults

The maximum number of profiles to return.

type NextToken

string

param NextToken

When there are additional results that were not returned, a NextToken parameter is returned. You can use that value for a subsequent call to ListProfiles to continue listing results.

type ProfileType

string

param ProfileType

Indicates whether to list only LOCAL type profiles or only PARTNER type profiles. If not supplied in the request, the command lists all types of profiles.

rtype

dict

returns

Response Syntax

{
    'NextToken': 'string',
    'Profiles': [
        {
            'Arn': 'string',
            'ProfileId': 'string',
            'As2Id': 'string',
            'ProfileType': 'LOCAL'|'PARTNER'
        },
    ]
}

Response Structure

• (dict) --

  • NextToken (string) --

    Returns a token that you can use to call ListProfiles again and receive additional results, if there are any.

  • Profiles (list) --

    Returns an array, where each item contains the details of a profile.

    • (dict) --

      Returns the properties of the profile that was specified.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the specified profile.

      • ProfileId (string) --

        A unique identifier for the local or partner AS2 profile.

      • As2Id (string) --

        The unique identifier for the AS2 process.

      • ProfileType (string) --

        Indicates whether to list only LOCAL type profiles or only PARTNER type profiles. If not supplied in the request, the command lists all types of profiles.

Deletes the certificate that's specified in the CertificateId parameter.

See also: AWS API Documentation

Request Syntax

client.delete_certificate(
    CertificateId='string'
)

type CertificateId

string

param CertificateId

[REQUIRED]

The ID of the certificate object that you are deleting.

returns

None

Creates an agreement. An agreement is a bilateral trading partner agreement, or partnership, between an Transfer Family server and an AS2 process. The agreement defines the file and message transfer relationship between the server and the AS2 process. To define an agreement, Transfer Family combines a server, local profile, partner profile, certificate, and other attributes.

The partner is identified with the PartnerProfileId , and the AS2 process is identified with the LocalProfileId .

See also: AWS API Documentation

Request Syntax

client.create_agreement(
    Description='string',
    ServerId='string',
    LocalProfileId='string',
    PartnerProfileId='string',
    BaseDirectory='string',
    AccessRole='string',
    Status='ACTIVE'|'INACTIVE',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

type Description

string

param Description

A name or short description to identify the agreement.

type ServerId

string

param ServerId

[REQUIRED]

A system-assigned unique identifier for a server instance. This is the specific server that the agreement uses.

type LocalProfileId

string

param LocalProfileId

[REQUIRED]

A unique identifier for the AS2 local profile.

type PartnerProfileId

string

param PartnerProfileId

[REQUIRED]

A unique identifier for the partner profile used in the agreement.

type BaseDirectory

string

param BaseDirectory

[REQUIRED]

The landing directory (folder) for files transferred by using the AS2 protocol.

A BaseDirectory example is /DOC-EXAMPLE-BUCKET/home/mydirectory .

type AccessRole

string

param AccessRole

[REQUIRED]

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that grants access to at least the HomeDirectory of your users' Amazon S3 buckets.

type Status

string

param Status

The status of the agreement. The agreement can be either ACTIVE or INACTIVE .

type Tags

list

param Tags

Key-value pairs that can be used to group and search for agreements.

• (dict) --

  Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

  • Key (string) -- [REQUIRED]

    The name assigned to the tag that you create.

  • Value (string) -- [REQUIRED]

    Contains one or more values that you assigned to the key name you create.

rtype

dict

returns

Response Syntax

{
    'AgreementId': 'string'
}

Response Structure

• (dict) --

  • AgreementId (string) --

    The unique identifier for the agreement. Use this ID for deleting, or updating an agreement, as well as in any other API calls that require that you specify the agreement ID.

Creates the profile for the AS2 process. The agreement is between the partner and the AS2 process.

See also: AWS API Documentation

Request Syntax

client.create_profile(
    As2Id='string',
    ProfileType='LOCAL'|'PARTNER',
    CertificateIds=[
        'string',
    ],
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

type As2Id

string

param As2Id

[REQUIRED]

The As2Id is the AS2-name , as defined in the defined in the RFC 4130. For inbound transfers, this is the AS2-From header for the AS2 messages sent from the partner. For outbound connectors, this is the AS2-To header for the AS2 messages sent to the partner using the StartFileTransfer API operation. This ID cannot include spaces.

type ProfileType

string

param ProfileType

[REQUIRED]

Indicates whether to list only LOCAL type profiles or only PARTNER type profiles. If not supplied in the request, the command lists all types of profiles.

type CertificateIds

list

param CertificateIds

An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

• (string) --

type Tags

list

param Tags

Key-value pairs that can be used to group and search for AS2 profiles.

• (dict) --

  Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

  • Key (string) -- [REQUIRED]

    The name assigned to the tag that you create.

  • Value (string) -- [REQUIRED]

    Contains one or more values that you assigned to the key name you create.

rtype

dict

returns

Response Syntax

{
    'ProfileId': 'string'
}

Response Structure

• (dict) --

  • ProfileId (string) --

    The unique identifier for the AS2 profile, returned after the API call succeeds.

Delete the agreement that's specified in the provided AgreementId .

See also: AWS API Documentation

Request Syntax

client.delete_agreement(
    AgreementId='string',
    ServerId='string'
)

type AgreementId

string

param AgreementId

[REQUIRED]

A unique identifier for the agreement. This identifier is returned when you create an agreement.

type ServerId

string

param ServerId

[REQUIRED]

The server ID associated with the agreement that you are deleting.

returns

None

Imports the signing and encryption certificates that you need to create local (AS2) profiles and partner profiles.

See also: AWS API Documentation

Request Syntax

client.import_certificate(
    Usage='SIGNING'|'ENCRYPTION',
    Certificate='string',
    CertificateChain='string',
    PrivateKey='string',
    ActiveDate=datetime(2015, 1, 1),
    InactiveDate=datetime(2015, 1, 1),
    Description='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

type Usage

string

param Usage

[REQUIRED]

Specifies whether this certificate is used for signing or encryption.

type Certificate

string

param Certificate

[REQUIRED]

The file that contains the certificate to import.

type CertificateChain

string

param CertificateChain

An optional list of certificates that make up the chain for the certificate that's being imported.

type PrivateKey

string

param PrivateKey

The file that contains the private key for the certificate that's being imported.

type ActiveDate

datetime

param ActiveDate

An optional date that specifies when the certificate becomes active.

type InactiveDate

datetime

param InactiveDate

An optional date that specifies when the certificate becomes inactive.

type Description

string

param Description

A short description that helps identify the certificate.

type Tags

list

param Tags

Key-value pairs that can be used to group and search for certificates.

• (dict) --

  Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

  • Key (string) -- [REQUIRED]

    The name assigned to the tag that you create.

  • Value (string) -- [REQUIRED]

    Contains one or more values that you assigned to the key name you create.

rtype

dict

returns

Response Syntax

{
    'CertificateId': 'string'
}

Response Structure

• (dict) --

  • CertificateId (string) --

    An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

Updates some of the parameters for an existing connector. Provide the ConnectorId for the connector that you want to update, along with the new values for the parameters to update.

See also: AWS API Documentation

Request Syntax

client.update_connector(
    ConnectorId='string',
    Url='string',
    As2Config={
        'LocalProfileId': 'string',
        'PartnerProfileId': 'string',
        'MessageSubject': 'string',
        'Compression': 'ZLIB'|'DISABLED',
        'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC',
        'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
        'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
        'MdnResponse': 'SYNC'|'NONE'
    },
    AccessRole='string',
    LoggingRole='string'
)

type ConnectorId

string

param ConnectorId

[REQUIRED]

The unique identifier for the connector.

type Url

string

param Url

The URL of the partner's AS2 endpoint.

type As2Config

dict

param As2Config

A structure that contains the parameters for a connector object.

• LocalProfileId (string) --

  A unique identifier for the AS2 process.

• PartnerProfileId (string) --

  A unique identifier for the partner for the connector.

• MessageSubject (string) --

  A short description to help identify the connector.

• Compression (string) --

  Specifies whether the AS2 file is compressed.

• EncryptionAlgorithm (string) --

  The algorithm that is used to encrypt the file.

• SigningAlgorithm (string) --

  The algorithm that is used to sign the AS2 transfers for this partner profile.

• MdnSigningAlgorithm (string) --

  The signing algorithm for the MDN response.

• MdnResponse (string) --

  Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:

  • SYNC : The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).

  • NONE : Specifies that no MDN response is required.

type AccessRole

string

param AccessRole

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths . We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt , parent directory is /bucket/dir/ ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer .

type LoggingRole

string

param LoggingRole

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

rtype

dict

returns

Response Syntax

{
    'ConnectorId': 'string'
}

Response Structure

• (dict) --

  • ConnectorId (string) --

    Returns the identifier of the connector object that you are updating.

Updates some of the parameters for an existing agreement. Provide the AgreementId and the ServerId for the agreement that you want to update, along with the new values for the parameters to update.

See also: AWS API Documentation

Request Syntax

client.update_agreement(
    AgreementId='string',
    ServerId='string',
    Description='string',
    Status='ACTIVE'|'INACTIVE',
    LocalProfileId='string',
    PartnerProfileId='string',
    BaseDirectory='string',
    AccessRole='string'
)

type AgreementId

string

param AgreementId

[REQUIRED]

A unique identifier for the agreement. This identifier is returned when you create an agreement.

type ServerId

string

param ServerId

[REQUIRED]

A system-assigned unique identifier for a server instance. This is the specific server that the agreement uses.

type Description

string

param Description

To replace the existing description, provide a short description for the agreement.

type Status

string

param Status

You can update the status for the agreement, either activating an inactive agreement or the reverse.

type LocalProfileId

string

param LocalProfileId

To change the local profile identifier, provide a new value here.

type PartnerProfileId

string

param PartnerProfileId

To change the partner profile identifier, provide a new value here.

type BaseDirectory

string

param BaseDirectory

To change the landing directory (folder) for files that are transferred, provide the bucket folder that you want to use; for example, /DOC-EXAMPLE-BUCKET/home/mydirectory .

type AccessRole

string

param AccessRole

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that grants access to at least the HomeDirectory of your users' Amazon S3 buckets.

rtype

dict

returns

Response Syntax

{
    'AgreementId': 'string'
}

Response Structure

• (dict) --

  • AgreementId (string) --

    A unique identifier for the agreement. This identifier is returned when you create an agreement.

Returns a list of the current certificates that have been imported into Transfer Family. If you want to limit the results to a certain number, supply a value for the MaxResults parameter. If you ran the command previously and received a value for the NextToken parameter, you can supply that value to continue listing certificates from where you left off.

See also: AWS API Documentation

Request Syntax

client.list_certificates(
    MaxResults=123,
    NextToken='string'
)

type MaxResults

integer

param MaxResults

The maximum number of certificates to return.

type NextToken

string

param NextToken

When you can get additional results from the ListCertificates call, a NextToken parameter is returned in the output. You can then pass in a subsequent command to the NextToken parameter to continue listing additional certificates.

rtype

dict

returns

Response Syntax

{
    'NextToken': 'string',
    'Certificates': [
        {
            'Arn': 'string',
            'CertificateId': 'string',
            'Usage': 'SIGNING'|'ENCRYPTION',
            'Status': 'ACTIVE'|'PENDING_ROTATION'|'INACTIVE',
            'ActiveDate': datetime(2015, 1, 1),
            'InactiveDate': datetime(2015, 1, 1),
            'Type': 'CERTIFICATE'|'CERTIFICATE_WITH_PRIVATE_KEY',
            'Description': 'string'
        },
    ]
}

Response Structure

• (dict) --

  • NextToken (string) --

    Returns the next token, which you can use to list the next certificate.

  • Certificates (list) --

    Returns an array of the certificates that are specified in the ListCertificates call.

    • (dict) --

      Describes the properties of a certificate.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the specified certificate.

      • CertificateId (string) --

        An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

      • Usage (string) --

        Specifies whether this certificate is used for signing or encryption.

      • Status (string) --

        The certificate can be either ACTIVE , PENDING_ROTATION , or INACTIVE . PENDING_ROTATION means that this certificate will replace the current certificate when it expires.

      • ActiveDate (datetime) --

        An optional date that specifies when the certificate becomes active.

      • InactiveDate (datetime) --

        An optional date that specifies when the certificate becomes inactive.

      • Type (string) --

        The type for the certificate. If a private key has been specified for the certificate, its type is CERTIFICATE_WITH_PRIVATE_KEY . If there is no private key, the type is CERTIFICATE .

      • Description (string) --

        The name or short description that's used to identify the certificate.

Deletes the profile that's specified in the ProfileId parameter.

See also: AWS API Documentation

Request Syntax

client.delete_profile(
    ProfileId='string'
)

type ProfileId

string

param ProfileId

[REQUIRED]

The ID of the profile that you are deleting.

returns

None

Describes the agreement that's identified by the AgreementId .

See also: AWS API Documentation

Request Syntax

client.describe_agreement(
    AgreementId='string',
    ServerId='string'
)

type AgreementId

string

param AgreementId

[REQUIRED]

A unique identifier for the agreement. This identifier is returned when you create an agreement.

type ServerId

string

param ServerId

[REQUIRED]

The server ID that's associated with the agreement.

rtype

dict

returns

Response Syntax

{
    'Agreement': {
        'Arn': 'string',
        'AgreementId': 'string',
        'Description': 'string',
        'Status': 'ACTIVE'|'INACTIVE',
        'ServerId': 'string',
        'LocalProfileId': 'string',
        'PartnerProfileId': 'string',
        'BaseDirectory': 'string',
        'AccessRole': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

• (dict) --

  • Agreement (dict) --

    The details for the specified agreement, returned as a DescribedAgreement object.

    • Arn (string) --

      The unique Amazon Resource Name (ARN) for the agreement.

    • AgreementId (string) --

      A unique identifier for the agreement. This identifier is returned when you create an agreement.

    • Description (string) --

      The name or short description that's used to identify the agreement.

    • Status (string) --

      The current status of the agreement, either ACTIVE or INACTIVE .

    • ServerId (string) --

      A system-assigned unique identifier for a server instance. This identifier indicates the specific server that the agreement uses.

    • LocalProfileId (string) --

      A unique identifier for the AS2 process.

    • PartnerProfileId (string) --

      A unique identifier for the partner in the agreement.

    • BaseDirectory (string) --

      The landing directory (folder) for files that are transferred by using the AS2 protocol.

    • AccessRole (string) --

      The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that grants access to at least the HomeDirectory of your users' Amazon S3 buckets.

    • Tags (list) --

      Key-value pairs that can be used to group and search for agreements.

      • (dict) --

        Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

        • Key (string) --

          The name assigned to the tag that you create.

        • Value (string) --

          Contains one or more values that you assigned to the key name you create.

Returns the details of the profile that's specified by the ProfileId .

See also: AWS API Documentation

Request Syntax

client.describe_profile(
    ProfileId='string'
)

type ProfileId

string

param ProfileId

[REQUIRED]

The identifier of the profile that you want described.

rtype

dict

returns

Response Syntax

{
    'Profile': {
        'Arn': 'string',
        'ProfileId': 'string',
        'ProfileType': 'LOCAL'|'PARTNER',
        'As2Id': 'string',
        'CertificateIds': [
            'string',
        ],
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

• (dict) --

  • Profile (dict) --

    The details of the specified profile, returned as an object.

    • Arn (string) --

      The unique Amazon Resource Name (ARN) for the profile.

    • ProfileId (string) --

      A unique identifier for the local or partner AS2 profile.

    • ProfileType (string) --

      Indicates whether to list only LOCAL type profiles or only PARTNER type profiles. If not supplied in the request, the command lists all types of profiles.

    • As2Id (string) --

      The unique identifier for the AS2 process.

    • CertificateIds (list) --

      An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

      • (string) --

    • Tags (list) --

      Key-value pairs that can be used to group and search for profiles.

      • (dict) --

        Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

        • Key (string) --

          The name assigned to the tag that you create.

        • Value (string) --

          Contains one or more values that you assigned to the key name you create.

Deletes the agreement that's specified in the provided ConnectorId .

See also: AWS API Documentation

Request Syntax

client.delete_connector(
    ConnectorId='string'
)

type ConnectorId

string

param ConnectorId

[REQUIRED]

The unique identifier for the connector.

returns

None

Returns a list of the agreements for the server that's identified by the ServerId that you supply. If you want to limit the results to a certain number, supply a value for the MaxResults parameter. If you ran the command previously and received a value for NextToken , you can supply that value to continue listing agreements from where you left off.

See also: AWS API Documentation

Request Syntax

client.list_agreements(
    MaxResults=123,
    NextToken='string',
    ServerId='string'
)

type MaxResults

integer

param MaxResults

The maximum number of agreements to return.

type NextToken

string

param NextToken

When you can get additional results from the ListAgreements call, a NextToken parameter is returned in the output. You can then pass in a subsequent command to the NextToken parameter to continue listing additional agreements.

type ServerId

string

param ServerId

[REQUIRED]

The identifier of the server for which you want a list of agreements.

rtype

dict

returns

Response Syntax

{
    'NextToken': 'string',
    'Agreements': [
        {
            'Arn': 'string',
            'AgreementId': 'string',
            'Description': 'string',
            'Status': 'ACTIVE'|'INACTIVE',
            'ServerId': 'string',
            'LocalProfileId': 'string',
            'PartnerProfileId': 'string'
        },
    ]
}

Response Structure

• (dict) --

  • NextToken (string) --

    Returns a token that you can use to call ListAgreements again and receive additional results, if there are any.

  • Agreements (list) --

    Returns an array, where each item contains the details of an agreement.

    • (dict) --

      Describes the properties of an agreement.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the specified agreement.

      • AgreementId (string) --

        A unique identifier for the agreement. This identifier is returned when you create an agreement.

      • Description (string) --

        The current description for the agreement. You can change it by calling the UpdateAgreement operation and providing a new description.

      • Status (string) --

        The agreement can be either ACTIVE or INACTIVE .

      • ServerId (string) --

        The unique identifier for the agreement.

      • LocalProfileId (string) --

        A unique identifier for the AS2 process.

      • PartnerProfileId (string) --

        A unique identifier for the partner process.

Creates the connector, which captures the parameters for an outbound connection for the AS2 protocol. The connector is required for sending files from a customer's non Amazon Web Services server.

See also: AWS API Documentation

Request Syntax

client.create_connector(
    Url='string',
    As2Config={
        'LocalProfileId': 'string',
        'PartnerProfileId': 'string',
        'MessageSubject': 'string',
        'Compression': 'ZLIB'|'DISABLED',
        'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC',
        'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
        'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
        'MdnResponse': 'SYNC'|'NONE'
    },
    AccessRole='string',
    LoggingRole='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

type Url

string

param Url

[REQUIRED]

The URL of the partner's AS2 endpoint.

type As2Config

dict

param As2Config

[REQUIRED]

A structure that contains the parameters for a connector object.

• LocalProfileId (string) --

  A unique identifier for the AS2 process.

• PartnerProfileId (string) --

  A unique identifier for the partner for the connector.

• MessageSubject (string) --

  A short description to help identify the connector.

• Compression (string) --

  Specifies whether the AS2 file is compressed.

• EncryptionAlgorithm (string) --

  The algorithm that is used to encrypt the file.

• SigningAlgorithm (string) --

  The algorithm that is used to sign the AS2 transfers for this partner profile.

• MdnSigningAlgorithm (string) --

  The signing algorithm for the MDN response.

• MdnResponse (string) --

  Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:

  • SYNC : The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).

  • NONE : Specifies that no MDN response is required.

type AccessRole

string

param AccessRole

[REQUIRED]

With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths . We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt , parent directory is /bucket/dir/ ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer .

type LoggingRole

string

param LoggingRole

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

type Tags

list

param Tags

Key-value pairs that can be used to group and search for connectors. Tags are metadata attached to connectors for any purpose.

• (dict) --

  Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

  • Key (string) -- [REQUIRED]

    The name assigned to the tag that you create.

  • Value (string) -- [REQUIRED]

    Contains one or more values that you assigned to the key name you create.

rtype

dict

returns

Response Syntax

{
    'ConnectorId': 'string'
}

Response Structure

• (dict) --

  • ConnectorId (string) --

    The unique identifier for the connector, returned after the API call succeeds.

Updates the active and inactive dates for a certificate.

See also: AWS API Documentation

Request Syntax

client.update_certificate(
    CertificateId='string',
    ActiveDate=datetime(2015, 1, 1),
    InactiveDate=datetime(2015, 1, 1),
    Description='string'
)

type CertificateId

string

param CertificateId

[REQUIRED]

The identifier of the certificate object that you are updating.

type ActiveDate

datetime

param ActiveDate

An optional date that specifies when the certificate becomes active.

type InactiveDate

datetime

param InactiveDate

An optional date that specifies when the certificate becomes inactive.

type Description

string

param Description

A short description to help identify the certificate.

rtype

dict

returns

Response Syntax

{
    'CertificateId': 'string'
}

Response Structure

• (dict) --

  • CertificateId (string) --

    Returns the identifier of the certificate object that you are updating.

Describes the connector that's identified by the ConnectorId.

See also: AWS API Documentation

Request Syntax

client.describe_connector(
    ConnectorId='string'
)

type ConnectorId

string

param ConnectorId

[REQUIRED]

The unique identifier for the connector.

rtype

dict

returns

Response Syntax

{
    'Connector': {
        'Arn': 'string',
        'ConnectorId': 'string',
        'Url': 'string',
        'As2Config': {
            'LocalProfileId': 'string',
            'PartnerProfileId': 'string',
            'MessageSubject': 'string',
            'Compression': 'ZLIB'|'DISABLED',
            'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC',
            'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
            'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
            'MdnResponse': 'SYNC'|'NONE'
        },
        'AccessRole': 'string',
        'LoggingRole': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

• (dict) --

  • Connector (dict) --

    The structure that contains the details of the connector.

    • Arn (string) --

      The unique Amazon Resource Name (ARN) for the connector.

    • ConnectorId (string) --

      The unique identifier for the connector.

    • Url (string) --

      The URL of the partner's AS2 endpoint.

    • As2Config (dict) --

      A structure that contains the parameters for a connector object.

      • LocalProfileId (string) --

        A unique identifier for the AS2 process.

      • PartnerProfileId (string) --

        A unique identifier for the partner for the connector.

      • MessageSubject (string) --

        A short description to help identify the connector.

      • Compression (string) --

        Specifies whether the AS2 file is compressed.

      • EncryptionAlgorithm (string) --

        The algorithm that is used to encrypt the file.

      • SigningAlgorithm (string) --

        The algorithm that is used to sign the AS2 transfers for this partner profile.

      • MdnSigningAlgorithm (string) --

        The signing algorithm for the MDN response.

      • MdnResponse (string) --

        Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:

        • SYNC : The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).

        • NONE : Specifies that no MDN response is required.

    • AccessRole (string) --

      With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths . We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt , parent directory is /bucket/dir/ ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer .

    • LoggingRole (string) --

      The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.

    • Tags (list) --

      Key-value pairs that can be used to group and search for connectors.

      • (dict) --

        Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

        • Key (string) --

          The name assigned to the tag that you create.

        • Value (string) --

          Contains one or more values that you assigned to the key name you create.

Begins an outbound file transfer. You specify the ConnectorId and the file paths for where to send the files.

See also: AWS API Documentation

Request Syntax

client.start_file_transfer(
    ConnectorId='string',
    SendFilePaths=[
        'string',
    ]
)

type ConnectorId

string

param ConnectorId

[REQUIRED]

The unique identifier for the connector.

type SendFilePaths

list

param SendFilePaths

[REQUIRED]

An array of strings. Each string represents the absolute path for one outbound file transfer. For example, DOC-EXAMPLE-BUCKET/myfile.txt .

• (string) --

rtype

dict

returns

Response Syntax

{
    'TransferId': 'string'
}

Response Structure

• (dict) --

  • TransferId (string) --

    Returns the unique identifier for this file transfer.

Updates some of the parameters for an existing profile. Provide the ProfileId for the profile that you want to update, along with the new values for the parameters to update.

See also: AWS API Documentation

Request Syntax

client.update_profile(
    ProfileId='string',
    CertificateIds=[
        'string',
    ]
)

type ProfileId

string

param ProfileId

[REQUIRED]

The identifier of the profile object that you are updating.

type CertificateIds

list

param CertificateIds

An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

• (string) --

rtype

dict

returns

Response Syntax

{
    'ProfileId': 'string'
}

Response Structure

• (dict) --

  • ProfileId (string) --

    Returns the identifier for the profile that's being updated.

Describes the certificate that's identified by the CertificateId .

See also: AWS API Documentation

Request Syntax

client.describe_certificate(
    CertificateId='string'
)

type CertificateId

string

param CertificateId

[REQUIRED]

An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

rtype

dict

returns

Response Syntax

{
    'Certificate': {
        'Arn': 'string',
        'CertificateId': 'string',
        'Usage': 'SIGNING'|'ENCRYPTION',
        'Status': 'ACTIVE'|'PENDING_ROTATION'|'INACTIVE',
        'Certificate': 'string',
        'CertificateChain': 'string',
        'ActiveDate': datetime(2015, 1, 1),
        'InactiveDate': datetime(2015, 1, 1),
        'Serial': 'string',
        'NotBeforeDate': datetime(2015, 1, 1),
        'NotAfterDate': datetime(2015, 1, 1),
        'Type': 'CERTIFICATE'|'CERTIFICATE_WITH_PRIVATE_KEY',
        'Description': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

• (dict) --

  • Certificate (dict) --

    The details for the specified certificate, returned as an object.

    • Arn (string) --

      The unique Amazon Resource Name (ARN) for the certificate.

    • CertificateId (string) --

      An array of identifiers for the imported certificates. You use this identifier for working with profiles and partner profiles.

    • Usage (string) --

      Specifies whether this certificate is used for signing or encryption.

    • Status (string) --

      The certificate can be either ACTIVE , PENDING_ROTATION , or INACTIVE . PENDING_ROTATION means that this certificate will replace the current certificate when it expires.

    • Certificate (string) --

      The file name for the certificate.

    • CertificateChain (string) --

      The list of certificates that make up the chain for the certificate.

    • ActiveDate (datetime) --

      An optional date that specifies when the certificate becomes active.

    • InactiveDate (datetime) --

      An optional date that specifies when the certificate becomes inactive.

    • Serial (string) --

      The serial number for the certificate.

    • NotBeforeDate (datetime) --

      The earliest date that the certificate is valid.

    • NotAfterDate (datetime) --

      The final date that the certificate is valid.

    • Type (string) --

      If a private key has been specified for the certificate, its type is CERTIFICATE_WITH_PRIVATE_KEY . If there is no private key, the type is CERTIFICATE .

    • Description (string) --

      The name or description that's used to identity the certificate.

    • Tags (list) --

      Key-value pairs that can be used to group and search for certificates.

      • (dict) --

        Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

        • Key (string) --

          The name assigned to the tag that you create.

        • Value (string) --

          Contains one or more values that you assigned to the key name you create.

Lists the connectors for the specified Region.

See also: AWS API Documentation

Request Syntax

client.list_connectors(
    MaxResults=123,
    NextToken='string'
)

type MaxResults

integer

param MaxResults

The maximum number of connectors to return.

type NextToken

string

param NextToken

When you can get additional results from the ListConnectors call, a NextToken parameter is returned in the output. You can then pass in a subsequent command to the NextToken parameter to continue listing additional connectors.

rtype

dict

returns

Response Syntax

{
    'NextToken': 'string',
    'Connectors': [
        {
            'Arn': 'string',
            'ConnectorId': 'string',
            'Url': 'string'
        },
    ]
}

Response Structure

• (dict) --

  • NextToken (string) --

    Returns a token that you can use to call ListConnectors again and receive additional results, if there are any.

  • Connectors (list) --

    Returns an array, where each item contains the details of a connector.

    • (dict) --

      Returns details of the connector that is specified.

      • Arn (string) --

        The Amazon Resource Name (ARN) of the specified connector.

      • ConnectorId (string) --

        The unique identifier for the connector.

      • Url (string) --

        The URL of the partner's AS2 endpoint.

{'ProtocolDetails': {'As2Transports': ['HTTP']}, 'Protocols': {'AS2'}}

Instantiates an auto-scaling virtual server based on the selected file transfer protocol in Amazon Web Services. When you make updates to your file transfer protocol-enabled server or when you work with users, use the service-generated ServerId property that is assigned to the newly created server.

See also: AWS API Documentation

Request Syntax

client.create_server(
    Certificate='string',
    Domain='S3'|'EFS',
    EndpointDetails={
        'AddressAllocationIds': [
            'string',
        ],
        'SubnetIds': [
            'string',
        ],
        'VpcEndpointId': 'string',
        'VpcId': 'string',
        'SecurityGroupIds': [
            'string',
        ]
    },
    EndpointType='PUBLIC'|'VPC'|'VPC_ENDPOINT',
    HostKey='string',
    IdentityProviderDetails={
        'Url': 'string',
        'InvocationRole': 'string',
        'DirectoryId': 'string',
        'Function': 'string'
    },
    IdentityProviderType='SERVICE_MANAGED'|'API_GATEWAY'|'AWS_DIRECTORY_SERVICE'|'AWS_LAMBDA',
    LoggingRole='string',
    PostAuthenticationLoginBanner='string',
    PreAuthenticationLoginBanner='string',
    Protocols=[
        'SFTP'|'FTP'|'FTPS'|'AS2',
    ],
    ProtocolDetails={
        'PassiveIp': 'string',
        'TlsSessionResumptionMode': 'DISABLED'|'ENABLED'|'ENFORCED',
        'SetStatOption': 'DEFAULT'|'ENABLE_NO_OP',
        'As2Transports': [
            'HTTP',
        ]
    },
    SecurityPolicyName='string',
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    WorkflowDetails={
        'OnUpload': [
            {
                'WorkflowId': 'string',
                'ExecutionRole': 'string'
            },
        ]
    }
)

type Certificate

string

param Certificate

The Amazon Resource Name (ARN) of the Certificate Manager (ACM) certificate. Required when Protocols is set to FTPS .

To request a new public certificate, see Request a public certificate in the Certificate Manager User Guide .

To import an existing certificate into ACM, see Importing certificates into ACM in the Certificate Manager User Guide .

To request a private certificate to use FTPS through private IP addresses, see Request a private certificate in the Certificate Manager User Guide .

Certificates with the following cryptographic algorithms and key sizes are supported:

• 2048-bit RSA (RSA_2048)

• 4096-bit RSA (RSA_4096)

• Elliptic Prime Curve 256 bit (EC_prime256v1)

• Elliptic Prime Curve 384 bit (EC_secp384r1)

• Elliptic Prime Curve 521 bit (EC_secp521r1)

Note

The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

type Domain

string

param Domain

The domain of the storage system that is used for file transfers. There are two domains available: Amazon Simple Storage Service (Amazon S3) and Amazon Elastic File System (Amazon EFS). The default value is S3.

Note

After the server is created, the domain cannot be changed.

type EndpointDetails

dict

param EndpointDetails

The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make your endpoint accessible only to resources within your VPC, or you can attach Elastic IP addresses and make your endpoint accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

• AddressAllocationIds (list) --

  A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint.

  Note

  This property can only be set when EndpointType is set to VPC and it is only valid in the UpdateServer API.

  • (string) --

• SubnetIds (list) --

  A list of subnet IDs that are required to host your server endpoint in your VPC.

  Note

  This property can only be set when EndpointType is set to VPC .

  • (string) --

• VpcEndpointId (string) --

  The ID of the VPC endpoint.

  Note

  This property can only be set when EndpointType is set to VPC_ENDPOINT .

  For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.

• VpcId (string) --

  The VPC ID of the VPC in which a server's endpoint will be hosted.

  Note

  This property can only be set when EndpointType is set to VPC .

• SecurityGroupIds (list) --

  A list of security groups IDs that are available to attach to your server's endpoint.

  Note

  This property can only be set when EndpointType is set to VPC .

  You can edit the SecurityGroupIds property in the UpdateServer API only if you are changing the EndpointType from PUBLIC or VPC_ENDPOINT to VPC . To change security groups associated with your server's VPC endpoint after creation, use the Amazon EC2 ModifyVpcEndpoint API.

  • (string) --

type EndpointType

string

param EndpointType

The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.

Note

After May 19, 2021, you won't be able to create a server using EndpointType=VPC_ENDPOINT in your Amazon Web Services account if your account hasn't already done so before May 19, 2021. If you have already created servers with EndpointType=VPC_ENDPOINT in your Amazon Web Services account on or before May 19, 2021, you will not be affected. After this date, use EndpointType = VPC .

For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.

It is recommended that you use VPC as the EndpointType . With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType set to VPC_ENDPOINT .

type HostKey

string

param HostKey

The RSA, ECDSA, or ED25519 private key to use for your server.

Use the following command to generate an RSA 2048 bit key with no passphrase:

ssh-keygen -t rsa -b 2048 -N "" -m PEM -f my-new-server-key .

Use a minimum value of 2048 for the -b option. You can create a stronger key by using 3072 or 4096.

Use the following command to generate an ECDSA 256 bit key with no passphrase:

ssh-keygen -t ecdsa -b 256 -N "" -m PEM -f my-new-server-key .

Valid values for the -b option for ECDSA are 256, 384, and 521.

Use the following command to generate an ED25519 key with no passphrase:

ssh-keygen -t ed25519 -N "" -f my-new-server-key .

For all of these commands, you can replace my-new-server-key with a string of your choice.

Warning

If you aren't planning to migrate existing users from an existing SFTP-enabled server to a new server, don't update the host key. Accidentally changing a server's host key can be disruptive.

For more information, see Change the host key for your SFTP-enabled server in the Transfer Family User Guide .

type IdentityProviderDetails

dict

param IdentityProviderDetails

Required when IdentityProviderType is set to AWS_DIRECTORY_SERVICE or API_GATEWAY . Accepts an array containing all of the information required to use a directory in AWS_DIRECTORY_SERVICE or invoke a customer-supplied authentication API, including the API Gateway URL. Not required when IdentityProviderType is set to SERVICE_MANAGED .

• Url (string) --

  Provides the location of the service endpoint used to authenticate users.

• InvocationRole (string) --

  Provides the type of InvocationRole used to authenticate the user account.

• DirectoryId (string) --

  The identifier of the Directory Service directory that you want to stop sharing.

• Function (string) --

  The ARN for a lambda function to use for the Identity provider.

type IdentityProviderType

string

param IdentityProviderType

The mode of authentication for a server. The default value is SERVICE_MANAGED , which allows you to store and access user credentials within the Transfer Family service.

Use AWS_DIRECTORY_SERVICE to provide access to Active Directory groups in Directory Service for Microsoft Active Directory or Microsoft Active Directory in your on-premises environment or in Amazon Web Services using AD Connector. This option also requires you to provide a Directory ID by using the IdentityProviderDetails parameter.

Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an Amazon API Gateway endpoint URL to call for authentication by using the IdentityProviderDetails parameter.

Use the AWS_LAMBDA value to directly use an Lambda function as your identity provider. If you choose this value, you must specify the ARN for the Lambda function in the Function parameter or the IdentityProviderDetails data type.

type LoggingRole

string

param LoggingRole

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFSevents. When set, you can view user activity in your CloudWatch logs.

type PostAuthenticationLoginBanner

string

param PostAuthenticationLoginBanner

Specifies a string to display when users connect to a server. This string is displayed after the user authenticates.

Note

The SFTP protocol does not support post-authentication display banners.

type PreAuthenticationLoginBanner

string

param PreAuthenticationLoginBanner

Specifies a string to display when users connect to a server. This string is displayed before the user authenticates. For example, the following banner displays details about using the system:

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

type Protocols

list

param Protocols

Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. The available protocols are:

• SFTP (Secure Shell (SSH) File Transfer Protocol): File transfer over SSH

• FTPS (File Transfer Protocol Secure): File transfer with TLS encryption

• FTP (File Transfer Protocol): Unencrypted file transfer

• AS2 (Applicability Statement 2): used for transporting structured business-to-business data

Note

• If you select FTPS , you must choose a certificate stored in Certificate Manager (ACM) which is used to identify your server when clients connect to it over FTPS.

• If Protocol includes either FTP or FTPS , then the EndpointType must be VPC and the IdentityProviderType must be AWS_DIRECTORY_SERVICE or API_GATEWAY .

• If Protocol includes FTP , then AddressAllocationIds cannot be associated.

• If Protocol is set only to SFTP , the EndpointType can be set to PUBLIC and the IdentityProviderType can be set to SERVICE_MANAGED .

• If Protocol includes AS2 , then the EndpointType must be VPC , and domain must be Amazon S3.

• (string) --

type ProtocolDetails

dict

param ProtocolDetails

The protocol settings that are configured for your server.

• To indicate passive mode (for FTP and FTPS protocols), use the PassiveIp parameter. Enter a single dotted-quad IPv4 address, such as the external IP address of a firewall, router, or load balancer.

• To ignore the error that is generated when the client attempts to use the SETSTAT command on a file that you are uploading to an Amazon S3 bucket, use the SetStatOption parameter. To have the Transfer Family server ignore the SETSTAT command and upload files without needing to make any changes to your SFTP client, set the value to ENABLE_NO_OP . If you set the SetStatOption parameter to ENABLE_NO_OP , Transfer Family generates a log entry to Amazon CloudWatch Logs, so that you can determine when the client is making a SETSTAT call.

• To determine whether your Transfer Family server resumes recent, negotiated sessions through a unique session ID, use the TlsSessionResumptionMode parameter.

• As2Transports indicates the transport method for the AS2 messages. Currently, only HTTP is supported.

• PassiveIp (string) --

  Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For example:

  aws transfer update-server --protocol-details PassiveIp=0.0.0.0

  Replace 0.0.0.0 in the example above with the actual IP address you want to use.

  Note

  If you change the PassiveIp value, you must stop and then restart your Transfer Family server for the change to take effect. For details on using passive mode (PASV) in a NAT environment, see Configuring your FTPS server behind a firewall or NAT with Transfer Family.

• TlsSessionResumptionMode (string) --

  A property used with Transfer Family servers that use the FTPS protocol. TLS Session Resumption provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. TlsSessionResumptionMode determines whether or not the server resumes recent, negotiated sessions through a unique session ID. This property is available during CreateServer and UpdateServer calls. If a TlsSessionResumptionMode value is not specified during CreateServer , it is set to ENFORCED by default.

  • DISABLED : the server does not process TLS session resumption client requests and creates a new TLS session for each request.

  • ENABLED : the server processes and accepts clients that are performing TLS session resumption. The server doesn't reject client data connections that do not perform the TLS session resumption client processing.

  • ENFORCED : the server processes and accepts clients that are performing TLS session resumption. The server rejects client data connections that do not perform the TLS session resumption client processing. Before you set the value to ENFORCED , test your clients.

  Note

  Not all FTPS clients perform TLS session resumption. So, if you choose to enforce TLS session resumption, you prevent any connections from FTPS clients that don't perform the protocol negotiation. To determine whether or not you can use the ENFORCED value, you need to test your clients.

• SetStatOption (string) --

  Use the SetStatOption to ignore the error that is generated when the client attempts to use SETSTAT on a file you are uploading to an S3 bucket.

  Some SFTP file transfer clients can attempt to change the attributes of remote files, including timestamp and permissions, using commands, such as SETSTAT when uploading the file. However, these commands are not compatible with object storage systems, such as Amazon S3. Due to this incompatibility, file uploads from these clients can result in errors even when the file is otherwise successfully uploaded.

  Set the value to ENABLE_NO_OP to have the Transfer Family server ignore the SETSTAT command, and upload files without needing to make any changes to your SFTP client. While the SetStatOption ENABLE_NO_OP setting ignores the error, it does generate a log entry in Amazon CloudWatch Logs, so you can determine when the client is making a SETSTAT call.

  Note

  If you want to preserve the original timestamp for your file, and modify other file attributes using SETSTAT , you can use Amazon EFS as backend storage with Transfer Family.

• As2Transports (list) --

  Indicates the transport method for the AS2 messages. Currently, only HTTP is supported.

  • (string) --

type SecurityPolicyName

string

param SecurityPolicyName

Specifies the name of the security policy that is attached to the server.

type Tags

list

param Tags

Key-value pairs that can be used to group and search for servers.

• (dict) --

  Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

  • Key (string) -- [REQUIRED]

    The name assigned to the tag that you create.

  • Value (string) -- [REQUIRED]

    Contains one or more values that you assigned to the key name you create.

type WorkflowDetails

dict

param WorkflowDetails

Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.

• OnUpload (list) -- [REQUIRED]

  A trigger that starts a workflow: the workflow begins to execute after a file is uploaded.

  To remove an associated workflow from a server, you can provide an empty OnUpload object, as in the following example.

  aws transfer update-server --server-id s-01234567890abcdef --workflow-details '{"OnUpload":[]}'

  • (dict) --

    Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.

    • WorkflowId (string) -- [REQUIRED]

      A unique identifier for the workflow.

    • ExecutionRole (string) -- [REQUIRED]

      Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources

rtype

dict

returns

Response Syntax

{
    'ServerId': 'string'
}

Response Structure

• (dict) --

  • ServerId (string) --

    The service-assigned ID of the server that is created.

{'Server': {'ProtocolDetails': {'As2Transports': ['HTTP']},
            'Protocols': {'AS2'}}}

Describes a file transfer protocol-enabled server that you specify by passing the ServerId parameter.

The response contains a description of a server's properties. When you set EndpointType to VPC, the response will contain the EndpointDetails .

See also: AWS API Documentation

Request Syntax

client.describe_server(
    ServerId='string'
)

type ServerId

string

param ServerId

[REQUIRED]

A system-assigned unique identifier for a server.

rtype

dict

returns

Response Syntax

{
    'Server': {
        'Arn': 'string',
        'Certificate': 'string',
        'ProtocolDetails': {
            'PassiveIp': 'string',
            'TlsSessionResumptionMode': 'DISABLED'|'ENABLED'|'ENFORCED',
            'SetStatOption': 'DEFAULT'|'ENABLE_NO_OP',
            'As2Transports': [
                'HTTP',
            ]
        },
        'Domain': 'S3'|'EFS',
        'EndpointDetails': {
            'AddressAllocationIds': [
                'string',
            ],
            'SubnetIds': [
                'string',
            ],
            'VpcEndpointId': 'string',
            'VpcId': 'string',
            'SecurityGroupIds': [
                'string',
            ]
        },
        'EndpointType': 'PUBLIC'|'VPC'|'VPC_ENDPOINT',
        'HostKeyFingerprint': 'string',
        'IdentityProviderDetails': {
            'Url': 'string',
            'InvocationRole': 'string',
            'DirectoryId': 'string',
            'Function': 'string'
        },
        'IdentityProviderType': 'SERVICE_MANAGED'|'API_GATEWAY'|'AWS_DIRECTORY_SERVICE'|'AWS_LAMBDA',
        'LoggingRole': 'string',
        'PostAuthenticationLoginBanner': 'string',
        'PreAuthenticationLoginBanner': 'string',
        'Protocols': [
            'SFTP'|'FTP'|'FTPS'|'AS2',
        ],
        'SecurityPolicyName': 'string',
        'ServerId': 'string',
        'State': 'OFFLINE'|'ONLINE'|'STARTING'|'STOPPING'|'START_FAILED'|'STOP_FAILED',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'UserCount': 123,
        'WorkflowDetails': {
            'OnUpload': [
                {
                    'WorkflowId': 'string',
                    'ExecutionRole': 'string'
                },
            ]
        }
    }
}

Response Structure

• (dict) --

  • Server (dict) --

    An array containing the properties of a server with the ServerID you specified.

    • Arn (string) --

      Specifies the unique Amazon Resource Name (ARN) of the server.

    • Certificate (string) --

      Specifies the ARN of the Amazon Web ServicesCertificate Manager (ACM) certificate. Required when Protocols is set to FTPS .

    • ProtocolDetails (dict) --

      The protocol settings that are configured for your server.

      Use the PassiveIp parameter to indicate passive mode. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer.

      • PassiveIp (string) --

        Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For example:

        aws transfer update-server --protocol-details PassiveIp=0.0.0.0

        Replace 0.0.0.0 in the example above with the actual IP address you want to use.

        Note

        If you change the PassiveIp value, you must stop and then restart your Transfer Family server for the change to take effect. For details on using passive mode (PASV) in a NAT environment, see Configuring your FTPS server behind a firewall or NAT with Transfer Family.

      • TlsSessionResumptionMode (string) --

        A property used with Transfer Family servers that use the FTPS protocol. TLS Session Resumption provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. TlsSessionResumptionMode determines whether or not the server resumes recent, negotiated sessions through a unique session ID. This property is available during CreateServer and UpdateServer calls. If a TlsSessionResumptionMode value is not specified during CreateServer , it is set to ENFORCED by default.

        • DISABLED : the server does not process TLS session resumption client requests and creates a new TLS session for each request.

        • ENABLED : the server processes and accepts clients that are performing TLS session resumption. The server doesn't reject client data connections that do not perform the TLS session resumption client processing.

        • ENFORCED : the server processes and accepts clients that are performing TLS session resumption. The server rejects client data connections that do not perform the TLS session resumption client processing. Before you set the value to ENFORCED , test your clients.

        Note

        Not all FTPS clients perform TLS session resumption. So, if you choose to enforce TLS session resumption, you prevent any connections from FTPS clients that don't perform the protocol negotiation. To determine whether or not you can use the ENFORCED value, you need to test your clients.

      • SetStatOption (string) --

        Use the SetStatOption to ignore the error that is generated when the client attempts to use SETSTAT on a file you are uploading to an S3 bucket.

        Some SFTP file transfer clients can attempt to change the attributes of remote files, including timestamp and permissions, using commands, such as SETSTAT when uploading the file. However, these commands are not compatible with object storage systems, such as Amazon S3. Due to this incompatibility, file uploads from these clients can result in errors even when the file is otherwise successfully uploaded.

        Set the value to ENABLE_NO_OP to have the Transfer Family server ignore the SETSTAT command, and upload files without needing to make any changes to your SFTP client. While the SetStatOption ENABLE_NO_OP setting ignores the error, it does generate a log entry in Amazon CloudWatch Logs, so you can determine when the client is making a SETSTAT call.

        Note

        If you want to preserve the original timestamp for your file, and modify other file attributes using SETSTAT , you can use Amazon EFS as backend storage with Transfer Family.

      • As2Transports (list) --

        Indicates the transport method for the AS2 messages. Currently, only HTTP is supported.

        • (string) --

    • Domain (string) --

      Specifies the domain of the storage system that is used for file transfers.

    • EndpointDetails (dict) --

      The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make your endpoint accessible only to resources within your VPC, or you can attach Elastic IP addresses and make your endpoint accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

      • AddressAllocationIds (list) --

        A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint.

        Note

        This property can only be set when EndpointType is set to VPC and it is only valid in the UpdateServer API.

        • (string) --

      • SubnetIds (list) --

        A list of subnet IDs that are required to host your server endpoint in your VPC.

        Note

        This property can only be set when EndpointType is set to VPC .

        • (string) --

      • VpcEndpointId (string) --

        The ID of the VPC endpoint.

        Note

        This property can only be set when EndpointType is set to VPC_ENDPOINT .

        For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.

      • VpcId (string) --

        The VPC ID of the VPC in which a server's endpoint will be hosted.

        Note

        This property can only be set when EndpointType is set to VPC .

      • SecurityGroupIds (list) --

        A list of security groups IDs that are available to attach to your server's endpoint.

        Note

        This property can only be set when EndpointType is set to VPC .

        You can edit the SecurityGroupIds property in the UpdateServer API only if you are changing the EndpointType from PUBLIC or VPC_ENDPOINT to VPC . To change security groups associated with your server's VPC endpoint after creation, use the Amazon EC2 ModifyVpcEndpoint API.

        • (string) --

    • EndpointType (string) --

      Defines the type of endpoint that your server is connected to. If your server is connected to a VPC endpoint, your server isn't accessible over the public internet.

    • HostKeyFingerprint (string) --

      Specifies the Base64-encoded SHA256 fingerprint of the server's host key. This value is equivalent to the output of the ssh-keygen -l -f my-new-server-key command.

    • IdentityProviderDetails (dict) --

      Specifies information to call a customer-supplied authentication API. This field is not populated when the IdentityProviderType of a server is AWS_DIRECTORY_SERVICE or SERVICE_MANAGED .

      • Url (string) --

        Provides the location of the service endpoint used to authenticate users.

      • InvocationRole (string) --

        Provides the type of InvocationRole used to authenticate the user account.

      • DirectoryId (string) --

        The identifier of the Directory Service directory that you want to stop sharing.

      • Function (string) --

        The ARN for a lambda function to use for the Identity provider.

    • IdentityProviderType (string) --

      The mode of authentication for a server. The default value is SERVICE_MANAGED , which allows you to store and access user credentials within the Transfer Family service.

      Use AWS_DIRECTORY_SERVICE to provide access to Active Directory groups in Directory Service for Microsoft Active Directory or Microsoft Active Directory in your on-premises environment or in Amazon Web Services using AD Connector. This option also requires you to provide a Directory ID by using the IdentityProviderDetails parameter.

      Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an Amazon API Gateway endpoint URL to call for authentication by using the IdentityProviderDetails parameter.

      Use the AWS_LAMBDA value to directly use an Lambda function as your identity provider. If you choose this value, you must specify the ARN for the Lambda function in the Function parameter or the IdentityProviderDetails data type.

    • LoggingRole (string) --

      The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFSevents. When set, you can view user activity in your CloudWatch logs.

    • PostAuthenticationLoginBanner (string) --

      Specifies a string to display when users connect to a server. This string is displayed after the user authenticates.

      Note

      The SFTP protocol does not support post-authentication display banners.

    • PreAuthenticationLoginBanner (string) --

      Specifies a string to display when users connect to a server. This string is displayed before the user authenticates. For example, the following banner displays details about using the system:

      This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

    • Protocols (list) --

      Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. The available protocols are:

      • SFTP (Secure Shell (SSH) File Transfer Protocol): File transfer over SSH

      • FTPS (File Transfer Protocol Secure): File transfer with TLS encryption

      • FTP (File Transfer Protocol): Unencrypted file transfer

      • (string) --

    • SecurityPolicyName (string) --

      Specifies the name of the security policy that is attached to the server.

    • ServerId (string) --

      Specifies the unique system-assigned identifier for a server that you instantiate.

    • State (string) --

      The condition of the server that was described. A value of ONLINE indicates that the server can accept jobs and transfer files. A State value of OFFLINE means that the server cannot perform file transfer operations.

      The states of STARTING and STOPPING indicate that the server is in an intermediate state, either not fully able to respond, or not fully offline. The values of START_FAILED or STOP_FAILED can indicate an error condition.

    • Tags (list) --

      Specifies the key-value pairs that you can use to search for and group servers that were assigned to the server that was described.

      • (dict) --

        Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.

        • Key (string) --

          The name assigned to the tag that you create.

        • Value (string) --

          Contains one or more values that you assigned to the key name you create.

    • UserCount (integer) --

      Specifies the number of users that are assigned to a server you specified with the ServerId .

    • WorkflowDetails (dict) --

      Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.

      • OnUpload (list) --

        A trigger that starts a workflow: the workflow begins to execute after a file is uploaded.

        To remove an associated workflow from a server, you can provide an empty OnUpload object, as in the following example.

        aws transfer update-server --server-id s-01234567890abcdef --workflow-details '{"OnUpload":[]}'

        • (dict) --

          Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.

          • WorkflowId (string) --

            A unique identifier for the workflow.

          • ExecutionRole (string) --

            Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources

{'ServerProtocol': {'AS2'}}

If the IdentityProviderType of a file transfer protocol-enabled server is AWS_DIRECTORY_SERVICE or API_Gateway , tests whether your identity provider is set up successfully. We highly recommend that you call this operation to test your authentication method as soon as you create your server. By doing so, you can troubleshoot issues with the identity provider integration to ensure that your users can successfully use the service.

The ServerId and UserName parameters are required. The ServerProtocol , SourceIp , and UserPassword are all optional.

• If you provide any incorrect values for any parameters, the Response field is empty.

• If you provide a server ID for a server that uses service-managed users, you get an error: An error occurred (InvalidRequestException) when calling the TestIdentityProvider operation: s-server-IDnot configured for external auth

• If you enter a Server ID for the --server-id parameter that does not identify an actual Transfer server, you receive the following error: An error occurred (ResourceNotFoundException) when calling the TestIdentityProvider operation: Unknown server

See also: AWS API Documentation

Request Syntax

client.test_identity_provider(
    ServerId='string',
    ServerProtocol='SFTP'|'FTP'|'FTPS'|'AS2',
    SourceIp='string',
    UserName='string',
    UserPassword='string'
)

type ServerId

string

param ServerId

[REQUIRED]

A system-assigned identifier for a specific server. That server's user authentication method is tested with a user name and password.

type ServerProtocol

string

param ServerProtocol

The type of file transfer protocol to be tested.

The available protocols are:

• Secure Shell (SSH) File Transfer Protocol (SFTP)

• File Transfer Protocol Secure (FTPS)

• File Transfer Protocol (FTP)

type SourceIp

string

param SourceIp

The source IP address of the user account to be tested.

type UserName

string

param UserName

[REQUIRED]

The name of the user account to be tested.

type UserPassword

string

param UserPassword

The password of the user account to be tested.

rtype

dict

returns

Response Syntax

{
    'Response': 'string',
    'StatusCode': 123,
    'Message': 'string',
    'Url': 'string'
}

Response Structure

• (dict) --

  • Response (string) --

    The response that is returned from your API Gateway.

  • StatusCode (integer) --

    The HTTP status code that is the response from your API Gateway.

  • Message (string) --

    A message that indicates whether the test was successful or not.

    Note

    If an empty string is returned, the most likely cause is that the authentication failed due to an incorrect username or password.

  • Url (string) --

    The endpoint of the service used to authenticate a user.

{'ProtocolDetails': {'As2Transports': ['HTTP']}, 'Protocols': {'AS2'}}

Updates the file transfer protocol-enabled server's properties after that server has been created.

The UpdateServer call returns the ServerId of the server you updated.

See also: AWS API Documentation

Request Syntax

client.update_server(
    Certificate='string',
    ProtocolDetails={
        'PassiveIp': 'string',
        'TlsSessionResumptionMode': 'DISABLED'|'ENABLED'|'ENFORCED',
        'SetStatOption': 'DEFAULT'|'ENABLE_NO_OP',
        'As2Transports': [
            'HTTP',
        ]
    },
    EndpointDetails={
        'AddressAllocationIds': [
            'string',
        ],
        'SubnetIds': [
            'string',
        ],
        'VpcEndpointId': 'string',
        'VpcId': 'string',
        'SecurityGroupIds': [
            'string',
        ]
    },
    EndpointType='PUBLIC'|'VPC'|'VPC_ENDPOINT',
    HostKey='string',
    IdentityProviderDetails={
        'Url': 'string',
        'InvocationRole': 'string',
        'DirectoryId': 'string',
        'Function': 'string'
    },
    LoggingRole='string',
    PostAuthenticationLoginBanner='string',
    PreAuthenticationLoginBanner='string',
    Protocols=[
        'SFTP'|'FTP'|'FTPS'|'AS2',
    ],
    SecurityPolicyName='string',
    ServerId='string',
    WorkflowDetails={
        'OnUpload': [
            {
                'WorkflowId': 'string',
                'ExecutionRole': 'string'
            },
        ]
    }
)

type Certificate

string

param Certificate

The Amazon Resource Name (ARN) of the Amazon Web ServicesCertificate Manager (ACM) certificate. Required when Protocols is set to FTPS .

To request a new public certificate, see Request a public certificate in the Amazon Web ServicesCertificate Manager User Guide .

To import an existing certificate into ACM, see Importing certificates into ACM in the Amazon Web ServicesCertificate Manager User Guide .

To request a private certificate to use FTPS through private IP addresses, see Request a private certificate in the Amazon Web ServicesCertificate Manager User Guide .

Certificates with the following cryptographic algorithms and key sizes are supported:

• 2048-bit RSA (RSA_2048)

• 4096-bit RSA (RSA_4096)

• Elliptic Prime Curve 256 bit (EC_prime256v1)

• Elliptic Prime Curve 384 bit (EC_secp384r1)

• Elliptic Prime Curve 521 bit (EC_secp521r1)

Note

The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

type ProtocolDetails

dict

param ProtocolDetails

The protocol settings that are configured for your server.

• To indicate passive mode (for FTP and FTPS protocols), use the PassiveIp parameter. Enter a single dotted-quad IPv4 address, such as the external IP address of a firewall, router, or load balancer.

• To ignore the error that is generated when the client attempts to use the SETSTAT command on a file that you are uploading to an Amazon S3 bucket, use the SetStatOption parameter. To have the Transfer Family server ignore the SETSTAT command and upload files without needing to make any changes to your SFTP client, set the value to ENABLE_NO_OP . If you set the SetStatOption parameter to ENABLE_NO_OP , Transfer Family generates a log entry to Amazon CloudWatch Logs, so that you can determine when the client is making a SETSTAT call.

• To determine whether your Transfer Family server resumes recent, negotiated sessions through a unique session ID, use the TlsSessionResumptionMode parameter.

• As2Transports indicates the transport method for the AS2 messages. Currently, only HTTP is supported.

• PassiveIp (string) --

  Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For example:

  aws transfer update-server --protocol-details PassiveIp=0.0.0.0

  Replace 0.0.0.0 in the example above with the actual IP address you want to use.

  Note

  If you change the PassiveIp value, you must stop and then restart your Transfer Family server for the change to take effect. For details on using passive mode (PASV) in a NAT environment, see Configuring your FTPS server behind a firewall or NAT with Transfer Family.

• TlsSessionResumptionMode (string) --

  A property used with Transfer Family servers that use the FTPS protocol. TLS Session Resumption provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. TlsSessionResumptionMode determines whether or not the server resumes recent, negotiated sessions through a unique session ID. This property is available during CreateServer and UpdateServer calls. If a TlsSessionResumptionMode value is not specified during CreateServer , it is set to ENFORCED by default.

  • DISABLED : the server does not process TLS session resumption client requests and creates a new TLS session for each request.

  • ENABLED : the server processes and accepts clients that are performing TLS session resumption. The server doesn't reject client data connections that do not perform the TLS session resumption client processing.

  • ENFORCED : the server processes and accepts clients that are performing TLS session resumption. The server rejects client data connections that do not perform the TLS session resumption client processing. Before you set the value to ENFORCED , test your clients.

  Note

  Not all FTPS clients perform TLS session resumption. So, if you choose to enforce TLS session resumption, you prevent any connections from FTPS clients that don't perform the protocol negotiation. To determine whether or not you can use the ENFORCED value, you need to test your clients.

• SetStatOption (string) --

  Use the SetStatOption to ignore the error that is generated when the client attempts to use SETSTAT on a file you are uploading to an S3 bucket.

  Some SFTP file transfer clients can attempt to change the attributes of remote files, including timestamp and permissions, using commands, such as SETSTAT when uploading the file. However, these commands are not compatible with object storage systems, such as Amazon S3. Due to this incompatibility, file uploads from these clients can result in errors even when the file is otherwise successfully uploaded.

  Set the value to ENABLE_NO_OP to have the Transfer Family server ignore the SETSTAT command, and upload files without needing to make any changes to your SFTP client. While the SetStatOption ENABLE_NO_OP setting ignores the error, it does generate a log entry in Amazon CloudWatch Logs, so you can determine when the client is making a SETSTAT call.

  Note

  If you want to preserve the original timestamp for your file, and modify other file attributes using SETSTAT , you can use Amazon EFS as backend storage with Transfer Family.

• As2Transports (list) --

  Indicates the transport method for the AS2 messages. Currently, only HTTP is supported.

  • (string) --

type EndpointDetails

dict

param EndpointDetails

The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make your endpoint accessible only to resources within your VPC, or you can attach Elastic IP addresses and make your endpoint accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

• AddressAllocationIds (list) --

  A list of address allocation IDs that are required to attach an Elastic IP address to your server's endpoint.

  Note

  This property can only be set when EndpointType is set to VPC and it is only valid in the UpdateServer API.

  • (string) --

• SubnetIds (list) --

  A list of subnet IDs that are required to host your server endpoint in your VPC.

  Note

  This property can only be set when EndpointType is set to VPC .

  • (string) --

• VpcEndpointId (string) --

  The ID of the VPC endpoint.

  Note

  This property can only be set when EndpointType is set to VPC_ENDPOINT .

  For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.

• VpcId (string) --

  The VPC ID of the VPC in which a server's endpoint will be hosted.

  Note

  This property can only be set when EndpointType is set to VPC .

• SecurityGroupIds (list) --

  A list of security groups IDs that are available to attach to your server's endpoint.

  Note

  This property can only be set when EndpointType is set to VPC .

  You can edit the SecurityGroupIds property in the UpdateServer API only if you are changing the EndpointType from PUBLIC or VPC_ENDPOINT to VPC . To change security groups associated with your server's VPC endpoint after creation, use the Amazon EC2 ModifyVpcEndpoint API.

  • (string) --

type EndpointType

string

param EndpointType

The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.

Note

After May 19, 2021, you won't be able to create a server using EndpointType=VPC_ENDPOINT in your Amazon Web Servicesaccount if your account hasn't already done so before May 19, 2021. If you have already created servers with EndpointType=VPC_ENDPOINT in your Amazon Web Servicesaccount on or before May 19, 2021, you will not be affected. After this date, use EndpointType = VPC .

For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.

It is recommended that you use VPC as the EndpointType . With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType set to VPC_ENDPOINT .

type HostKey

string

param HostKey

The RSA, ECDSA, or ED25519 private key to use for your server.

Use the following command to generate an RSA 2048 bit key with no passphrase:

ssh-keygen -t rsa -b 2048 -N "" -m PEM -f my-new-server-key .

Use a minimum value of 2048 for the -b option. You can create a stronger key by using 3072 or 4096.

Use the following command to generate an ECDSA 256 bit key with no passphrase:

ssh-keygen -t ecdsa -b 256 -N "" -m PEM -f my-new-server-key .

Valid values for the -b option for ECDSA are 256, 384, and 521.

Use the following command to generate an ED25519 key with no passphrase:

ssh-keygen -t ed25519 -N "" -f my-new-server-key .

For all of these commands, you can replace my-new-server-key with a string of your choice.

Warning

If you aren't planning to migrate existing users from an existing SFTP-enabled server to a new server, don't update the host key. Accidentally changing a server's host key can be disruptive.

For more information, see Change the host key for your SFTP-enabled server in the Transfer Family User Guide .

type IdentityProviderDetails

dict

param IdentityProviderDetails

An array containing all of the information required to call a customer's authentication API method.

• Url (string) --

  Provides the location of the service endpoint used to authenticate users.

• InvocationRole (string) --

  Provides the type of InvocationRole used to authenticate the user account.

• DirectoryId (string) --

  The identifier of the Directory Service directory that you want to stop sharing.

• Function (string) --

  The ARN for a lambda function to use for the Identity provider.

type LoggingRole

string

param LoggingRole

The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFSevents. When set, you can view user activity in your CloudWatch logs.

type PostAuthenticationLoginBanner

string

param PostAuthenticationLoginBanner

Specifies a string to display when users connect to a server. This string is displayed after the user authenticates.

Note

The SFTP protocol does not support post-authentication display banners.

type PreAuthenticationLoginBanner

string

param PreAuthenticationLoginBanner

Specifies a string to display when users connect to a server. This string is displayed before the user authenticates. For example, the following banner displays details about using the system:

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

type Protocols

list

param Protocols

Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. The available protocols are:

• Secure Shell (SSH) File Transfer Protocol (SFTP): File transfer over SSH

• File Transfer Protocol Secure (FTPS): File transfer with TLS encryption

• File Transfer Protocol (FTP): Unencrypted file transfer

Note

If you select FTPS , you must choose a certificate stored in Amazon Web ServicesCertificate Manager (ACM) which will be used to identify your server when clients connect to it over FTPS.

If Protocol includes either FTP or FTPS , then the EndpointType must be VPC and the IdentityProviderType must be AWS_DIRECTORY_SERVICE or API_GATEWAY .

If Protocol includes FTP , then AddressAllocationIds cannot be associated.

If Protocol is set only to SFTP , the EndpointType can be set to PUBLIC and the IdentityProviderType can be set to SERVICE_MANAGED .

• (string) --

type SecurityPolicyName

string

param SecurityPolicyName

Specifies the name of the security policy that is attached to the server.

type ServerId

string

param ServerId

[REQUIRED]

A system-assigned unique identifier for a server instance that the user account is assigned to.

type WorkflowDetails

dict

param WorkflowDetails

Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.

To remove an associated workflow from a server, you can provide an empty OnUpload object, as in the following example.

aws transfer update-server --server-id s-01234567890abcdef --workflow-details '{"OnUpload":[]}'

• OnUpload (list) -- [REQUIRED]

  A trigger that starts a workflow: the workflow begins to execute after a file is uploaded.

  To remove an associated workflow from a server, you can provide an empty OnUpload object, as in the following example.

  aws transfer update-server --server-id s-01234567890abcdef --workflow-details '{"OnUpload":[]}'

  • (dict) --

    Specifies the workflow ID for the workflow to assign and the execution role that's used for executing the workflow.

    • WorkflowId (string) -- [REQUIRED]

      A unique identifier for the workflow.

    • ExecutionRole (string) -- [REQUIRED]

      Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources

rtype

dict

returns

Response Syntax

{
    'ServerId': 'string'
}

Response Structure

• (dict) --

  • ServerId (string) --

    A system-assigned unique identifier for a server that the user account is assigned to.