AWS::Transfer::Server
The AWS::Transfer::Server
resource instantiates an autoscaling virtual
server based on a file transfer protocol in AWS. When you make updates to your server
or
when you work with users, use the service-generated ServerId
property that is
assigned to the newly created server.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Transfer::Server", "Properties" : { "Certificate" :
String
, "Domain" :String
, "EndpointDetails" :EndpointDetails
, "EndpointType" :String
, "IdentityProviderDetails" :IdentityProviderDetails
, "IdentityProviderType" :String
, "LoggingRole" :String
, "Protocols" :[ Protocol, ... ]
, "SecurityPolicyName" :String
, "Tags" :[ Tag, ... ]
} }
YAML
Type: AWS::Transfer::Server Properties: Certificate:
String
Domain:String
EndpointDetails:EndpointDetails
EndpointType:String
IdentityProviderDetails:IdentityProviderDetails
IdentityProviderType:String
LoggingRole:String
Protocols:- Protocol
SecurityPolicyName:String
Tags:- Tag
Properties
Certificate
-
The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. Required when
Protocols
is set toFTPS
.To request a new public certificate, see Request a public certificate in the AWS Certificate Manager User Guide.
To import an existing certificate into ACM, see Importing certificates into ACM in the AWS Certificate Manager User Guide.
To request a private certificate to use FTPS through private IP addresses, see Creating and managing a Private CA in the AWS Certificate Manager User Guide.
Certificates with the following cryptographic algorithms and key sizes are supported:
-
2048-bit RSA (RSA_2048)
-
4096-bit RSA (RSA_4096)
-
Elliptic Prime Curve 256 bit (EC_prime256v1)
-
Elliptic Prime Curve 384 bit (EC_secp384r1)
-
Elliptic Prime Curve 521 bit (EC_secp521r1)
Note The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.
Required: No
Type: String
Maximum:
1600
Update requires: No interruption
-
Domain
-
Specifies the domain of the storage system that is used for file transfers.
Required: No
Type: String
Allowed values:
EFS | S3
Update requires: Replacement
EndpointDetails
-
The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make it accessible only to resources within your VPC, or you can attach Elastic IPs and make it accessible to clients over the internet. You VPC's default security groups are automatically assigned to your endpoint.
Required: No
Type: EndpointDetails
Update requires: No interruption
EndpointType
-
The type of VPC endpoint that you want your server to connect to. You can choose to connect to the public internet or a virtual private cloud (VPC) endpoint. With a VPC endpoint, you can restrict access to your server and resources only within your VPC.
Note It is recommended that you use
VPC
as theEndpointType
. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible withEndpointType
set toVPC_ENDPOINT
.Required: Conditional
Type: String
Allowed values:
PUBLIC | VPC | VPC_ENDPOINT
Update requires: No interruption
IdentityProviderDetails
-
Required when
IdentityProviderType
is set toAPI_GATEWAY
. Accepts an array containing all of the information required to call a customer-supplied authentication API, including the API Gateway URL. Not required whenIdentityProviderType
is set toSERVICE_MANAGED
.Required: No
Type: IdentityProviderDetails
Update requires: No interruption
IdentityProviderType
-
Specifies the mode of authentication for a server. The default value is
SERVICE_MANAGED
, which allows you to store and access user credentials within the AWS Transfer Family service. Use theAPI_GATEWAY
value to integrate with an identity provider of your choosing. TheAPI_GATEWAY
setting requires you to provide an API Gateway endpoint URL to call for authentication using theIdentityProviderDetails
parameter.Required: No
Type: String
Allowed values:
API_GATEWAY | SERVICE_MANAGED
Update requires: Replacement
LoggingRole
-
Allows the service to write your users' activity to your Amazon CloudWatch logs for monitoring and auditing purposes.
Required: No
Type: String
Minimum:
20
Maximum:
2048
Pattern:
arn:.*role/.*
Update requires: No interruption
Protocols
-
Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint.
Required: No
Type: List of Protocol
Maximum:
3
Update requires: No interruption
SecurityPolicyName
-
Specifies the name of the security policy that is attached to the server.
Required: No
Type: String
Maximum:
100
Pattern:
TransferSecurityPolicy-.+
Update requires: No interruption
Tags
-
Key-value pairs that can be used to group and search for servers.
Required: No
Type: List of Tag
Maximum:
50
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref
function, Ref
returns the ServerId, such as s-01234567890abcdef
, and
the server ARN, such as
arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef
.
For more information about using the Ref
function, see Ref.
Fn::GetAtt
The Fn::GetAtt
intrinsic function returns a value for a specified attribute of this type. The following
are the available attributes and sample return values.
For more information about using the Fn::GetAtt
intrinsic function, see Fn::GetAtt.
Arn
-
The Amazon Resource Name associated with the server, in the form
arn:aws:transfer:region:account-id:server/server-id/
.An example of a server ARN is:
arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef
. ServerId
-
The service-assigned ID of the server that is created.
An example
ServerId
iss-01234567890abcdef
.
Examples
Create a server with VPC hosted endpoint type
The following example creates a Secure Shell (SSH) File Transfer Protocol (SFTP)-enabled server using a VPC hosted endpoint type with a custom identity provider, a CloudWatch logging role, security policy, and tags.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "creates SFTP Server", "Resources": { "MyTransferServer": { "Type": "AWS::Transfer::Server", "Properties": { "EndpointDetails": { "AddressAllocationIds": [ "AddressAllocationId-1", "AddressAllocationId-2" ], "SubnetIds": [ "SubnetId-1", "SubnetId-2" ], "VpcId": "VpcId" }, "EndpointType": "VPC", "LoggingRole": "Logging-Role-ARN", "Protocols": [ "SFTP" ], "SecurityPolicyName": "Security-Policy-Name", "IdentityProviderDetails": { "InvocationRole": "Invocation-Role-ARN", "Url": "API_GATEWAY-Invocation-URL" }, "IdentityProviderType": "API_GATEWAY", "Tags": [ { "Key": "KeyName", "Value": "ValueName" } ] } } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Description: creates SFTP Server Resources: MyTransferServer: Type : AWS::Transfer::Server Properties : EndpointDetails: AddressAllocationIds: - AddressAllocationId-1 - AddressAllocationId-2 SubnetIds: - SubnetId-1 - SubnetId-2 VpcId: VpcId EndpointType: VPC LoggingRole: Logging-Role-ARN Protocols: - SFTP SecurityPolicyName: Security-Policy-Name IdentityProviderDetails: InvocationRole: Invocation-Role-ARN Url: API_GATEWAY-Invocation-URL IdentityProviderType: API_GATEWAY Tags: - Key: KeyName Value: ValueName
See also
CreateServer in the AWS Transfer Family User Guide.