Syntax Properties Return values Examples See also

AWS::Transfer::Server

The AWS::Transfer::Server resource instantiates an autoscaling virtual server based on a file transfer protocol in AWS. When you make updates to your server or when you work with users, use the service-generated ServerId property that is assigned to the newly created server.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "Type" : "AWS::Transfer::Server",
  "Properties" : {
      "Certificate" : String,
      "Domain" : String,
      "EndpointDetails" : EndpointDetails,
      "EndpointType" : String,
      "IdentityProviderDetails" : IdentityProviderDetails,
      "IdentityProviderType" : String,
      "LoggingRole" : String,
      "ProtocolDetails" : ProtocolDetails,
      "Protocols" : [ Protocol, ... ],
      "SecurityPolicyName" : String,
      "Tags" : [ Tag, ... ],
      "WorkflowDetails" : WorkflowDetails
    }
}

YAML


Type: AWS::Transfer::Server
Properties: 
  Certificate: String
  Domain: String
  EndpointDetails: 
    EndpointDetails
  EndpointType: String
  IdentityProviderDetails: 
    IdentityProviderDetails
  IdentityProviderType: String
  LoggingRole: String
  ProtocolDetails: 
    ProtocolDetails
  Protocols: 
    - Protocol
  SecurityPolicyName: String
  Tags: 
    - Tag
  WorkflowDetails: 
    WorkflowDetails

Properties

Certificate

The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. Required when Protocols is set to FTPS.

To request a new public certificate, see Request a public certificate in the AWS Certificate Manager User Guide.

To import an existing certificate into ACM, see Importing certificates into ACM in the AWS Certificate Manager User Guide.

To request a private certificate to use FTPS through private IP addresses, see Creating and managing a Private CA in the AWS Certificate Manager User Guide.

Certificates with the following cryptographic algorithms and key sizes are supported:

2048-bit RSA (RSA_2048)
4096-bit RSA (RSA_4096)
Elliptic Prime Curve 256 bit (EC_prime256v1)
Elliptic Prime Curve 384 bit (EC_secp384r1)
Elliptic Prime Curve 521 bit (EC_secp521r1)

Note

The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

Required: No

Type: String

Maximum: 1600

Update requires: No interruption

Domain

Specifies the domain of the storage system that is used for file transfers.

Required: No

Type: String

Allowed values: EFS | S3

Update requires: Replacement

EndpointDetails

The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make it accessible only to resources within your VPC, or you can attach Elastic IPs and make it accessible to clients over the internet. You VPC's default security groups are automatically assigned to your endpoint.

Required: No

Type: EndpointDetails

Update requires: No interruption

EndpointType

The type of VPC endpoint that you want your server to connect to. You can choose to connect to the public internet or a virtual private cloud (VPC) endpoint. With a VPC endpoint, you can restrict access to your server and resources only within your VPC.

Note

It is recommended that you use VPC as the EndpointType. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType set to VPC_ENDPOINT.

Required: Conditional

Type: String

Allowed values: PUBLIC | VPC | VPC_ENDPOINT

Update requires: No interruption

IdentityProviderDetails

Required when IdentityProviderType is set to AWS_DIRECTORY_SERVICE or API_GATEWAY. Accepts an array containing all of the information required to use a directory in AWS_DIRECTORY_SERVICE or invoke a customer-supplied authentication API, including the API Gateway URL. Not required when IdentityProviderType is set to SERVICE_MANAGED.

Required: No

Type: IdentityProviderDetails

Update requires: No interruption

IdentityProviderType

Specifies the mode of authentication for a server. The default value is SERVICE_MANAGED, which allows you to store and access user credentials within the AWS Transfer Family service.

Use AWS_DIRECTORY_SERVICE to provide access to Active Directory groups in AWS Managed Active Directory or Microsoft Active Directory in your on-premises environment or in AWS using AD Connectors. This option also requires you to provide a Directory ID using the IdentityProviderDetails parameter.

Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an API Gateway endpoint URL to call for authentication using the IdentityProviderDetails parameter.

Required: No

Type: String

Allowed values: API_GATEWAY | AWS_DIRECTORY_SERVICE | SERVICE_MANAGED

Update requires: Replacement

LoggingRole

Specifies the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFS events. When set, user activity can be viewed in your CloudWatch logs.

Required: No

Type: String

Minimum: 20

Maximum: 2048

Pattern: arn:.*role/.*

Update requires: No interruption

ProtocolDetails

Protocol settings that are configured for your server.

Note

Only valid in the UpdateServer API.

Required: No

Type: ProtocolDetails

Update requires: No interruption

Protocols

Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint.

Required: No

Type: List of Protocol

Maximum: 3

Update requires: No interruption

SecurityPolicyName

Specifies the name of the security policy that is attached to the server.

Required: No

Type: String

Maximum: 100

Pattern: TransferSecurityPolicy-.+

Update requires: No interruption

Tags

Key-value pairs that can be used to group and search for servers.

Required: No

Type: List of Tag

Maximum: 50

Update requires: No interruption

WorkflowDetails

Specifies the workflow ID for the workflow to assign and the execution role used for executing the workflow.

Required: No

Type: WorkflowDetails

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the server ARN, such as arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Arn

The Amazon Resource Name associated with the server, in the form arn:aws:transfer:region:account-id:server/server-id/.

An example of a server ARN is: arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef.

ServerId

The service-assigned ID of the server that is created.

An example ServerId is s-01234567890abcdef.

Examples

Create a server with VPC hosted endpoint type

The following example creates a Secure Shell (SSH) File Transfer Protocol (SFTP)-enabled server using a VPC hosted endpoint type with a custom identity provider, a CloudWatch logging role, security policy, and tags.

JSON


{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "creates SFTP Server",
    "Resources": {
        "MyTransferServer": {
            "Type": "AWS::Transfer::Server",
            "Properties": {
                "EndpointDetails": {
                    "AddressAllocationIds": [
                        "AddressAllocationId-1",
                        "AddressAllocationId-2"
                    ],
                    "SubnetIds": [
                        "SubnetId-1",
                        "SubnetId-2"
                    ],
                    "VpcId": "VpcId"
                },
                "EndpointType": "VPC",
                "LoggingRole": "Logging-Role-ARN",
                "Protocols": [
                    "SFTP"
                ],
                "SecurityPolicyName": "Security-Policy-Name",
                "IdentityProviderDetails": {
                    "InvocationRole": "Invocation-Role-ARN",
                    "Url": "API_GATEWAY-Invocation-URL"
                },
                "IdentityProviderType": "API_GATEWAY",
                "Tags": [
                    {
                        "Key": "KeyName",
                        "Value": "ValueName"
                    }
                ]
            }
        }
    }
}

YAML


AWSTemplateFormatVersion: '2010-09-09'
Description: creates SFTP Server
Resources:
    MyTransferServer:
      Type : AWS::Transfer::Server
      Properties :
        EndpointDetails:
          AddressAllocationIds:
            - AddressAllocationId-1
            - AddressAllocationId-2
          SubnetIds:
            - SubnetId-1
            - SubnetId-2
          VpcId: VpcId
        EndpointType: VPC
        LoggingRole: Logging-Role-ARN
        Protocols: 
            - SFTP
        SecurityPolicyName: Security-Policy-Name
        IdentityProviderDetails: 
            InvocationRole: Invocation-Role-ARN
            Url: API_GATEWAY-Invocation-URL
        IdentityProviderType: API_GATEWAY
        Tags: 
          - Key: KeyName
            Value: ValueName