AWS::DataSync::Agent - AWS CloudFormation


The AWS::DataSync::Agent resource specifies an AWS DataSync agent to be deployed and activated on your host. The activation process associates your agent with your account. In the activation process, you specify information such as the AWS Region that you want to activate the agent in. You activate the agent in the AWS Region where your target locations (in Amazon S3, Amazon EFS, or Amazon FSx for Windows File Server) reside. Your tasks are created in this AWS Region.

You can activate the agent in a virtual private cloud (VPC) or provide the agent access to a VPC endpoint so that you can run tasks without sending them over the public internet.

You can specify an agent to be used for more than one location. If a task uses multiple agents, all of them must have a status of AVAILABLE for the task to run. If you use multiple agents for a source location, the status of all the agents must be AVAILABLE for the task to run.

For more information, see Activating an Agent in the AWS DataSync User Guide.

Agents are automatically updated by AWS on a regular basis, using a mechanism that ensures minimal interruption to your tasks.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{ "Type" : "AWS::DataSync::Agent", "Properties" : { "ActivationKey" : String, "AgentName" : String, "SecurityGroupArns" : [ String, ... ], "SubnetArns" : [ String, ... ], "Tags" : [ Tag, ... ], "VpcEndpointId" : String } }


Type: AWS::DataSync::Agent Properties: ActivationKey: String AgentName: String SecurityGroupArns: - String SubnetArns: - String Tags: - Tag VpcEndpointId: String



Your agent activation key. You can get the activation key either by sending an HTTP GET request with redirects that enable you to get the agent IP address (port 80). Alternatively, you can get it from the DataSync console.

The redirect URL returned in the response provides you the activation key for your agent in the query string parameter activationKey. It might also include other activation-related parameters; however, these are merely defaults. The arguments you pass to this API call determine the actual configuration of your agent.

For more information, see Creating and activating an agent in the AWS DataSync User Guide.

Required: No

Type: String

Maximum: 29

Pattern: [A-Z0-9]{5}(-[A-Z0-9]{5}){4}

Update requires: Replacement


The name you configured for your agent. This value is a text reference that is used to identify the agent in the console.

Required: No

Type: String

Minimum: 1

Maximum: 256

Pattern: ^[a-zA-Z0-9\s+=._:@/-]+$

Update requires: No interruption


The Amazon Resource Names (ARNs) of the security groups used to protect your data transfer task subnets. See SecurityGroupArns.

Pattern: ^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):ec2:[a-z\-0-9]*:[0-9]{12}:security-group/.*$

Required: No

Type: List of String

Maximum: 1

Update requires: Replacement


The Amazon Resource Names (ARNs) of the subnets in which DataSync will create elastic network interfaces for each data transfer task. The agent that runs a task must be private. When you start a task that is associated with an agent created in a VPC, or one that has access to an IP address in a VPC, then the task is also private. In this case, DataSync creates four network interfaces for each task in your subnet. For a data transfer to work, the agent must be able to route to all these four network interfaces.

Required: No

Type: List of String

Maximum: 1

Update requires: Replacement


The key-value pair that represents the tag that you want to associate with the agent. The value can be an empty string. This value helps you manage, filter, and search for your agents.


Valid characters for key and value are letters, spaces, and numbers representable in UTF-8 format, and the following special characters: + - = . _ : / @.

Required: No

Type: List of Tag

Maximum: 50

Update requires: No interruption


The ID of the virtual private cloud (VPC) endpoint that the agent has access to. This is the client-side VPC endpoint, powered by AWS PrivateLink. If you don't have an AWS PrivateLink VPC endpoint, see AWS PrivateLink and VPC endpoints in the Amazon VPC User Guide.

For more information about activating your agent in a private network based on a VPC, see Using AWS DataSync in a Virtual Private Cloud in the AWS DataSync User Guide.

A VPC endpoint ID looks like this: vpce-01234d5aff67890e1.

Required: No

Type: String

Pattern: ^vpce-[0-9a-f]{17}$

Update requires: Replacement

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the agent Amazon Resource Name (ARN). For example:


For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


The Amazon Resource Name (ARN) of the agent. Use the ListAgents operation to return a list of agents for your account and AWS Region.


The type of endpoint that your agent is connected to. If the endpoint is a VPC endpoint, the agent is not accessible over the public internet.


DataSync Agent

The following example specifies a DataSync agent named MyAgent. The agent activation key is included in the template.


{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Specifies a DataSync agent", "Resources": { "Agent": { "Type": "AWS::DataSync::Agent", "Properties": { "ActivationKey": "AAAAA-7AAAA-GG7MC-3I9R3-27COD", "AgentName": "MyAgent" } } } }


AWSTemplateFormatVersion: 2010-09-09 Description: Specifies a DataSync agent Resources: Agent: Type: AWS::DataSync::Agent Properties: ActivationKey: AAAAA-7AAAA-GG7MC-3I9R3-27COD AgentName: MyAgent