2024/04/03 - AWS Transfer Family - 4 updated api methods
Changes Add ability to specify Security Policies for SFTP Connectors
{'SecurityPolicyName': 'string'}
Creates the connector, which captures the parameters for a connection for the AS2 or SFTP protocol. For AS2, the connector is required for sending files to an externally hosted AS2 server. For SFTP, the connector is required when sending files to an SFTP server or receiving files from an SFTP server. For more details about connectors, see Configure AS2 connectors and Create SFTP connectors.
Note
You must specify exactly one configuration object: either for AS2 ( As2Config ) or SFTP ( SftpConfig ).
See also: AWS API Documentation
Request Syntax
client.create_connector(
Url='string',
As2Config={
'LocalProfileId': 'string',
'PartnerProfileId': 'string',
'MessageSubject': 'string',
'Compression': 'ZLIB'|'DISABLED',
'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC'|'DES_EDE3_CBC'|'NONE',
'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
'MdnResponse': 'SYNC'|'NONE',
'BasicAuthSecretId': 'string'
},
AccessRole='string',
LoggingRole='string',
Tags=[
{
'Key': 'string',
'Value': 'string'
},
],
SftpConfig={
'UserSecretId': 'string',
'TrustedHostKeys': [
'string',
]
},
SecurityPolicyName='string'
)
string
[REQUIRED]
The URL of the partner's AS2 or SFTP endpoint.
dict
A structure that contains the parameters for an AS2 connector object.
LocalProfileId (string) --
A unique identifier for the AS2 local profile.
PartnerProfileId (string) --
A unique identifier for the partner profile for the connector.
MessageSubject (string) --
Used as the Subject HTTP header attribute in AS2 messages that are being sent with the connector.
Compression (string) --
Specifies whether the AS2 file is compressed.
EncryptionAlgorithm (string) --
The algorithm that is used to encrypt the file.
Note the following:
Do not use the DES_EDE3_CBC algorithm unless you must support a legacy client that requires it, as it is a weak encryption algorithm.
You can only specify NONE if the URL for your connector uses HTTPS. Using HTTPS ensures that no traffic is sent in clear text.
SigningAlgorithm (string) --
The algorithm that is used to sign the AS2 messages sent with the connector.
MdnSigningAlgorithm (string) --
The signing algorithm for the MDN response.
Note
If set to DEFAULT (or not set at all), the value for SigningAlgorithm is used.
MdnResponse (string) --
Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:
SYNC : The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).
NONE : Specifies that no MDN response is required.
BasicAuthSecretId (string) --
Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in Secrets Manager.
The default value for this parameter is null , which indicates that Basic authentication is not enabled for the connector.
If the connector should use Basic authentication, the secret needs to be in the following format:
{ "Username": "user-name", "Password": "user-password" }
Replace user-name and user-password with the credentials for the actual user that is being authenticated.
Note the following:
You are storing these credentials in Secrets Manager, not passing them directly into this API.
If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the Amazon Web Services management console, you can have the system create the secret for you.
If you have previously enabled Basic authentication for a connector, you can disable it by using the UpdateConnector API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:
update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'
string
[REQUIRED]
Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the Identity and Access Management role to use.
For AS2 connectors
With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths . We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt , parent directory is /bucket/dir/ ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer .
If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.
For SFTP connectors
Make sure that the access role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request. Additionally, make sure that the role provides secretsmanager:GetSecretValue permission to Secrets Manager.
string
The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.
list
Key-value pairs that can be used to group and search for connectors. Tags are metadata attached to connectors for any purpose.
(dict) --
Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.
Key (string) -- [REQUIRED]
The name assigned to the tag that you create.
Value (string) -- [REQUIRED]
Contains one or more values that you assigned to the key name you create.
dict
A structure that contains the parameters for an SFTP connector object.
UserSecretId (string) --
The identifier for the secret (in Amazon Web Services Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret.
TrustedHostKeys (list) --
The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key.
The three standard SSH public key format elements are <key type> , <body base64> , and an optional <comment> , with spaces between each element. Specify only the <key type> and <body base64> : do not enter the <comment> portion of the key.
For the trusted host key, Transfer Family accepts RSA and ECDSA keys.
For RSA keys, the <key type> string is ssh-rsa .
For ECDSA keys, the <key type> string is either ecdsa-sha2-nistp256 , ecdsa-sha2-nistp384 , or ecdsa-sha2-nistp521 , depending on the size of the key you generated.
Run this command to retrieve the SFTP server host key, where your SFTP server name is ftp.host.com .
ssh-keyscan ftp.host.com
This prints the public host key to standard output.
ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key
Copy and paste this string into the TrustedHostKeys field for the create-connector command or into the Trusted host keys field in the console.
(string) --
string
Specifies the name of the security policy for the connector.
dict
Response Syntax
{
'ConnectorId': 'string'
}
Response Structure
(dict) --
ConnectorId (string) --
The unique identifier for the connector, returned after the API call succeeds.
{'Connector': {'SecurityPolicyName': 'string'}}
Describes the connector that's identified by the ConnectorId.
See also: AWS API Documentation
Request Syntax
client.describe_connector(
ConnectorId='string'
)
string
[REQUIRED]
The unique identifier for the connector.
dict
Response Syntax
{
'Connector': {
'Arn': 'string',
'ConnectorId': 'string',
'Url': 'string',
'As2Config': {
'LocalProfileId': 'string',
'PartnerProfileId': 'string',
'MessageSubject': 'string',
'Compression': 'ZLIB'|'DISABLED',
'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC'|'DES_EDE3_CBC'|'NONE',
'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
'MdnResponse': 'SYNC'|'NONE',
'BasicAuthSecretId': 'string'
},
'AccessRole': 'string',
'LoggingRole': 'string',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'SftpConfig': {
'UserSecretId': 'string',
'TrustedHostKeys': [
'string',
]
},
'ServiceManagedEgressIpAddresses': [
'string',
],
'SecurityPolicyName': 'string'
}
}
Response Structure
(dict) --
Connector (dict) --
The structure that contains the details of the connector.
Arn (string) --
The unique Amazon Resource Name (ARN) for the connector.
ConnectorId (string) --
The unique identifier for the connector.
Url (string) --
The URL of the partner's AS2 or SFTP endpoint.
As2Config (dict) --
A structure that contains the parameters for an AS2 connector object.
LocalProfileId (string) --
A unique identifier for the AS2 local profile.
PartnerProfileId (string) --
A unique identifier for the partner profile for the connector.
MessageSubject (string) --
Used as the Subject HTTP header attribute in AS2 messages that are being sent with the connector.
Compression (string) --
Specifies whether the AS2 file is compressed.
EncryptionAlgorithm (string) --
The algorithm that is used to encrypt the file.
Note the following:
Do not use the DES_EDE3_CBC algorithm unless you must support a legacy client that requires it, as it is a weak encryption algorithm.
You can only specify NONE if the URL for your connector uses HTTPS. Using HTTPS ensures that no traffic is sent in clear text.
SigningAlgorithm (string) --
The algorithm that is used to sign the AS2 messages sent with the connector.
MdnSigningAlgorithm (string) --
The signing algorithm for the MDN response.
Note
If set to DEFAULT (or not set at all), the value for SigningAlgorithm is used.
MdnResponse (string) --
Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:
SYNC : The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).
NONE : Specifies that no MDN response is required.
BasicAuthSecretId (string) --
Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in Secrets Manager.
The default value for this parameter is null , which indicates that Basic authentication is not enabled for the connector.
If the connector should use Basic authentication, the secret needs to be in the following format:
{ "Username": "user-name", "Password": "user-password" }
Replace user-name and user-password with the credentials for the actual user that is being authenticated.
Note the following:
You are storing these credentials in Secrets Manager, not passing them directly into this API.
If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the Amazon Web Services management console, you can have the system create the secret for you.
If you have previously enabled Basic authentication for a connector, you can disable it by using the UpdateConnector API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:
update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'
AccessRole (string) --
Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the Identity and Access Management role to use.
For AS2 connectors
With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths . We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt , parent directory is /bucket/dir/ ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer .
If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.
For SFTP connectors
Make sure that the access role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request. Additionally, make sure that the role provides secretsmanager:GetSecretValue permission to Secrets Manager.
LoggingRole (string) --
The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.
Tags (list) --
Key-value pairs that can be used to group and search for connectors.
(dict) --
Creates a key-value pair for a specific resource. Tags are metadata that you can use to search for and group a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can take more than one value. For example, to group servers for accounting purposes, you might create a tag called Group and assign the values Research and Accounting to that group.
Key (string) --
The name assigned to the tag that you create.
Value (string) --
Contains one or more values that you assigned to the key name you create.
SftpConfig (dict) --
A structure that contains the parameters for an SFTP connector object.
UserSecretId (string) --
The identifier for the secret (in Amazon Web Services Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret.
TrustedHostKeys (list) --
The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key.
The three standard SSH public key format elements are <key type> , <body base64> , and an optional <comment> , with spaces between each element. Specify only the <key type> and <body base64> : do not enter the <comment> portion of the key.
For the trusted host key, Transfer Family accepts RSA and ECDSA keys.
For RSA keys, the <key type> string is ssh-rsa .
For ECDSA keys, the <key type> string is either ecdsa-sha2-nistp256 , ecdsa-sha2-nistp384 , or ecdsa-sha2-nistp521 , depending on the size of the key you generated.
Run this command to retrieve the SFTP server host key, where your SFTP server name is ftp.host.com .
ssh-keyscan ftp.host.com
This prints the public host key to standard output.
ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key
Copy and paste this string into the TrustedHostKeys field for the create-connector command or into the Trusted host keys field in the console.
(string) --
ServiceManagedEgressIpAddresses (list) --
The list of egress IP addresses of this connector. These IP addresses are assigned automatically when you create the connector.
(string) --
SecurityPolicyName (string) --
The text name of the security policy for the specified connector.
{'SecurityPolicy': {'Protocols': ['SFTP | FTPS'],
'SshHostKeyAlgorithms': ['string'],
'Type': 'SERVER | CONNECTOR'}}
Describes the security policy that is attached to your server or SFTP connector. The response contains a description of the security policy's properties. For more information about security policies, see Working with security policies for servers or Working with security policies for SFTP connectors.
See also: AWS API Documentation
Request Syntax
client.describe_security_policy(
SecurityPolicyName='string'
)
string
[REQUIRED]
Specify the text name of the security policy for which you want the details.
dict
Response Syntax
{
'SecurityPolicy': {
'Fips': True|False,
'SecurityPolicyName': 'string',
'SshCiphers': [
'string',
],
'SshKexs': [
'string',
],
'SshMacs': [
'string',
],
'TlsCiphers': [
'string',
],
'SshHostKeyAlgorithms': [
'string',
],
'Type': 'SERVER'|'CONNECTOR',
'Protocols': [
'SFTP'|'FTPS',
]
}
}
Response Structure
(dict) --
SecurityPolicy (dict) --
An array containing the properties of the security policy.
Fips (boolean) --
Specifies whether this policy enables Federal Information Processing Standards (FIPS). This parameter applies to both server and connector security policies.
SecurityPolicyName (string) --
The text name of the specified security policy.
SshCiphers (list) --
Lists the enabled Secure Shell (SSH) cipher encryption algorithms in the security policy that is attached to the server or connector. This parameter applies to both server and connector security policies.
(string) --
SshKexs (list) --
Lists the enabled SSH key exchange (KEX) encryption algorithms in the security policy that is attached to the server or connector. This parameter applies to both server and connector security policies.
(string) --
SshMacs (list) --
Lists the enabled SSH message authentication code (MAC) encryption algorithms in the security policy that is attached to the server or connector. This parameter applies to both server and connector security policies.
(string) --
TlsCiphers (list) --
Lists the enabled Transport Layer Security (TLS) cipher encryption algorithms in the security policy that is attached to the server.
Note
This parameter only applies to security policies for servers.
(string) --
SshHostKeyAlgorithms (list) --
Lists the host key algorithms for the security policy.
Note
This parameter only applies to security policies for connectors.
(string) --
Type (string) --
The resource type to which the security policy applies, either server or connector.
Protocols (list) --
Lists the file transfer protocols that the security policy applies to.
(string) --
{'SecurityPolicyName': 'string'}
Updates some of the parameters for an existing connector. Provide the ConnectorId for the connector that you want to update, along with the new values for the parameters to update.
See also: AWS API Documentation
Request Syntax
client.update_connector(
ConnectorId='string',
Url='string',
As2Config={
'LocalProfileId': 'string',
'PartnerProfileId': 'string',
'MessageSubject': 'string',
'Compression': 'ZLIB'|'DISABLED',
'EncryptionAlgorithm': 'AES128_CBC'|'AES192_CBC'|'AES256_CBC'|'DES_EDE3_CBC'|'NONE',
'SigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE',
'MdnSigningAlgorithm': 'SHA256'|'SHA384'|'SHA512'|'SHA1'|'NONE'|'DEFAULT',
'MdnResponse': 'SYNC'|'NONE',
'BasicAuthSecretId': 'string'
},
AccessRole='string',
LoggingRole='string',
SftpConfig={
'UserSecretId': 'string',
'TrustedHostKeys': [
'string',
]
},
SecurityPolicyName='string'
)
string
[REQUIRED]
The unique identifier for the connector.
string
The URL of the partner's AS2 or SFTP endpoint.
dict
A structure that contains the parameters for an AS2 connector object.
LocalProfileId (string) --
A unique identifier for the AS2 local profile.
PartnerProfileId (string) --
A unique identifier for the partner profile for the connector.
MessageSubject (string) --
Used as the Subject HTTP header attribute in AS2 messages that are being sent with the connector.
Compression (string) --
Specifies whether the AS2 file is compressed.
EncryptionAlgorithm (string) --
The algorithm that is used to encrypt the file.
Note the following:
Do not use the DES_EDE3_CBC algorithm unless you must support a legacy client that requires it, as it is a weak encryption algorithm.
You can only specify NONE if the URL for your connector uses HTTPS. Using HTTPS ensures that no traffic is sent in clear text.
SigningAlgorithm (string) --
The algorithm that is used to sign the AS2 messages sent with the connector.
MdnSigningAlgorithm (string) --
The signing algorithm for the MDN response.
Note
If set to DEFAULT (or not set at all), the value for SigningAlgorithm is used.
MdnResponse (string) --
Used for outbound requests (from an Transfer Family server to a partner AS2 server) to determine whether the partner response for transfers is synchronous or asynchronous. Specify either of the following values:
SYNC : The system expects a synchronous MDN response, confirming that the file was transferred successfully (or not).
NONE : Specifies that no MDN response is required.
BasicAuthSecretId (string) --
Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in Secrets Manager.
The default value for this parameter is null , which indicates that Basic authentication is not enabled for the connector.
If the connector should use Basic authentication, the secret needs to be in the following format:
{ "Username": "user-name", "Password": "user-password" }
Replace user-name and user-password with the credentials for the actual user that is being authenticated.
Note the following:
You are storing these credentials in Secrets Manager, not passing them directly into this API.
If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the Amazon Web Services management console, you can have the system create the secret for you.
If you have previously enabled Basic authentication for a connector, you can disable it by using the UpdateConnector API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:
update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'
string
Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the Identity and Access Management role to use.
For AS2 connectors
With AS2, you can send files by calling StartFileTransfer and specifying the file paths in the request parameter, SendFilePaths . We use the file’s parent directory (for example, for --send-file-paths /bucket/dir/file.txt , parent directory is /bucket/dir/ ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the AccessRole needs to provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with StartFileTransfer .
If you are using Basic authentication for your AS2 connector, the access role requires the secretsmanager:GetSecretValue permission for the secret. If the secret is encrypted using a customer-managed key instead of the Amazon Web Services managed key in Secrets Manager, then the role also needs the kms:Decrypt permission for that key.
For SFTP connectors
Make sure that the access role provides read and write access to the parent directory of the file location that's used in the StartFileTransfer request. Additionally, make sure that the role provides secretsmanager:GetSecretValue permission to Secrets Manager.
string
The Amazon Resource Name (ARN) of the Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.
dict
A structure that contains the parameters for an SFTP connector object.
UserSecretId (string) --
The identifier for the secret (in Amazon Web Services Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier must be the Amazon Resource Name (ARN) of the secret.
TrustedHostKeys (list) --
The public portion of the host key, or keys, that are used to identify the external server to which you are connecting. You can use the ssh-keyscan command against the SFTP server to retrieve the necessary key.
The three standard SSH public key format elements are <key type> , <body base64> , and an optional <comment> , with spaces between each element. Specify only the <key type> and <body base64> : do not enter the <comment> portion of the key.
For the trusted host key, Transfer Family accepts RSA and ECDSA keys.
For RSA keys, the <key type> string is ssh-rsa .
For ECDSA keys, the <key type> string is either ecdsa-sha2-nistp256 , ecdsa-sha2-nistp384 , or ecdsa-sha2-nistp521 , depending on the size of the key you generated.
Run this command to retrieve the SFTP server host key, where your SFTP server name is ftp.host.com .
ssh-keyscan ftp.host.com
This prints the public host key to standard output.
ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key
Copy and paste this string into the TrustedHostKeys field for the create-connector command or into the Trusted host keys field in the console.
(string) --
string
Specifies the name of the security policy for the connector.
dict
Response Syntax
{
'ConnectorId': 'string'
}
Response Structure
(dict) --
ConnectorId (string) --
Returns the identifier of the connector object that you are updating.