AWS::Transfer::Server - AWS CloudFormation


The AWS::Transfer::Server resource instantiates an autoscaling virtual server based on a file transfer protocol in AWS. When you make updates to your server or when you work with users, use the service-generated ServerId property that is assigned to the newly created server.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{
  "Type" : "AWS::Transfer::Server",
  "Properties" : {
      "Certificate" : String,
      "Domain" : String,
      "EndpointDetails" : EndpointDetails,
      "EndpointType" : String,
      "IdentityProviderDetails" : IdentityProviderDetails,
      "IdentityProviderType" : String,
      "LoggingRole" : String,
      "ProtocolDetails" : ProtocolDetails,
      "Protocols" : [ Protocol, ... ],
      "SecurityPolicyName" : String,
      "Tags" : [ Tag, ... ],
      "WorkflowDetails" : WorkflowDetails
    }
}



The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. Required when Protocols is set to FTPS.

To request a new public certificate, see Request a public certificate in the AWS Certificate Manager User Guide.

To import an existing certificate into ACM, see Importing certificates into ACM in the AWS Certificate Manager User Guide.

To request a private certificate to use FTPS through private IP addresses, see Creating and managing a Private CA in the AWS Certificate Manager User Guide.

Certificates with the following cryptographic algorithms and key sizes are supported:

  • 2048-bit RSA (RSA_2048)

  • 4096-bit RSA (RSA_4096)

  • Elliptic Prime Curve 256 bit (EC_prime256v1)

  • Elliptic Prime Curve 384 bit (EC_secp384r1)

  • Elliptic Prime Curve 521 bit (EC_secp521r1)


The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

Required: No

Type: String

Maximum: 1600

Update requires: No interruption


Specifies the domain of the storage system that is used for file transfers.

Required: No

Type: String

Allowed values: EFS | S3

Update requires: Replacement


The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make it accessible only to resources within your VPC, or you can attach Elastic IPs and make it accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

Required: No

Type: EndpointDetails

Update requires: No interruption


The type of VPC endpoint that you want your server to connect to. You can choose to connect to the public internet or a virtual private cloud (VPC) endpoint. With a VPC endpoint, you can restrict access to your server and resources only within your VPC.


It is recommended that you use VPC as the EndpointType. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType set to VPC_ENDPOINT.

Required: Conditional

Type: String

Allowed values: PUBLIC | VPC | VPC_ENDPOINT

Update requires: No interruption


Required when IdentityProviderType is set to AWS_DIRECTORY_SERVICE or API_GATEWAY. Accepts an array containing all of the information required to use a directory in AWS_DIRECTORY_SERVICE or invoke a customer-supplied authentication API, including the API Gateway URL. Not required when IdentityProviderType is set to SERVICE_MANAGED.

Required: No

Type: IdentityProviderDetails

Update requires: No interruption


Specifies the mode of authentication for a server. The default value is SERVICE_MANAGED, which allows you to store and access user credentials within the AWS Transfer Family service.

Use AWS_DIRECTORY_SERVICE to provide access to Active Directory groups in AWS Managed Active Directory or Microsoft Active Directory in your on-premises environment or in AWS using AD Connectors. This option also requires you to provide a Directory ID using the IdentityProviderDetails parameter.

Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an API Gateway endpoint URL to call for authentication using the IdentityProviderDetails parameter.

Required: No

Type: String


Update requires: Replacement


Specifies the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a server to turn on Amazon CloudWatch logging for Amazon S3 or Amazon EFS events. When set, user activity can be viewed in your CloudWatch logs.

Required: No

Type: String

Minimum: 20

Maximum: 2048

Pattern: arn:.*role/.*

Update requires: No interruption


Protocol settings that are configured for your server.


Only valid in the UpdateServer API.

Required: No

Type: ProtocolDetails

Update requires: No interruption


Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint.

Required: No

Type: List of Protocol

Maximum: 3

Update requires: No interruption


Specifies the name of the security policy that is attached to the server.

Required: No

Type: String

Maximum: 100

Pattern: TransferSecurityPolicy-.+

Update requires: No interruption


Key-value pairs that can be used to group and search for servers.

Required: No

Type: List of Tag

Maximum: 50

Update requires: No interruption


Specifies the workflow ID for the workflow to assign and the execution role used for executing the workflow.

Required: No

Type: WorkflowDetails

Update requires: No interruption

Return values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the server ARN, such as arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef.

For more information about using the Ref function, see Ref.


The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


The Amazon Resource Name associated with the server, in the form arn:aws:transfer:region:account-id:server/server-id/.

An example of a server ARN is: arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef.


The service-assigned ID of the server that is created.

An example ServerId is s-01234567890abcdef.


Create a server with VPC hosted endpoint type

The following example creates a Secure Shell (SSH) File Transfer Protocol (SFTP)-enabled server using a VPC hosted endpoint type with a custom identity provider, a CloudWatch logging role, security policy, and tags.


{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "creates SFTP Server",
  "Resources": {
    "MyTransferServer": {
      "Type": "AWS::Transfer::Server",
      "Properties": {
        "EndpointDetails": {
          "AddressAllocationIds": [
            "AddressAllocationId-1",
            "AddressAllocationId-2"
          ],
          "SubnetIds": [
            "SubnetId-1",
            "SubnetId-2"
          ],
          "VpcId": "VpcId"
        },
        "EndpointType": "VPC",
        "LoggingRole": "Logging-Role-ARN",
        "Protocols": [
          "SFTP"
        ],
        "SecurityPolicyName": "Security-Policy-Name",
        "IdentityProviderDetails": {
          "InvocationRole": "Invocation-Role-ARN",
          "Url": "API_GATEWAY-Invocation-URL"
        },
        "IdentityProviderType": "API_GATEWAY",
        "Tags": [
          {
            "Key": "KeyName",
            "Value": "ValueName"
          }
        ]
      }
    }
  }
}


AWSTemplateFormatVersion: '2010-09-09'
Description: creates SFTP Server
Resources:
  MyTransferServer:
    Type: AWS::Transfer::Server
    Properties:
      EndpointDetails:
        AddressAllocationIds:
          - AddressAllocationId-1
          - AddressAllocationId-2
        SubnetIds:
          - SubnetId-1
          - SubnetId-2
        VpcId: VpcId
      EndpointType: VPC
      LoggingRole: Logging-Role-ARN
      Protocols:
        - SFTP
      SecurityPolicyName: Security-Policy-Name
      IdentityProviderDetails:
        InvocationRole: Invocation-Role-ARN
        Url: API_GATEWAY-Invocation-URL
      IdentityProviderType: API_GATEWAY
      Tags:
        - Key: KeyName
          Value: ValueName
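
The property constraints listed on this page can be checked before deployment. The following Python sketch is an added example, not part of the AWS documentation or tooling: the function names lint_transfer_server and lint_template are hypothetical, the sample template is constructed, and only literal property values (not intrinsic functions) are assumed.

```python
import re

# Every constraint checked here is one stated in the property reference above.
ENDPOINT_TYPES = ("PUBLIC", "VPC", "VPC_ENDPOINT")
EXTERNAL_IDPS = ("AWS_DIRECTORY_SERVICE", "API_GATEWAY")

def lint_transfer_server(props):
    """Return findings for one AWS::Transfer::Server Properties dict.
    Pattern checks apply to literal strings; intrinsic functions are skipped."""
    out = []
    protocols = props.get("Protocols", [])
    if len(protocols) > 3:
        out.append("Protocols: more than 3 entries")
    if "FTPS" in protocols and not props.get("Certificate"):
        out.append("Certificate: required when Protocols includes FTPS")
    endpoint = props.get("EndpointType")
    if endpoint is not None and endpoint not in ENDPOINT_TYPES:
        out.append(f"EndpointType: {endpoint!r} is not an allowed value")
    elif endpoint != "VPC":
        out.append("EndpointType: not VPC, the recommended type")
    idp = props.get("IdentityProviderType", "SERVICE_MANAGED")  # documented default
    if idp in EXTERNAL_IDPS and not props.get("IdentityProviderDetails"):
        out.append(f"IdentityProviderDetails: required for {idp}")
    role = props.get("LoggingRole")
    if role is None:
        out.append("LoggingRole: not set (needed to view user activity in CloudWatch)")
    elif isinstance(role, str) and not (
            20 <= len(role) <= 2048 and re.fullmatch(r"arn:.*role/.*", role)):
        out.append("LoggingRole: must be 20-2048 chars matching arn:.*role/.*")
    policy = props.get("SecurityPolicyName")
    if isinstance(policy, str) and not (
            len(policy) <= 100 and re.fullmatch(r"TransferSecurityPolicy-.+", policy)):
        out.append("SecurityPolicyName: must match TransferSecurityPolicy-.+ (max 100)")
    if len(props.get("Tags", [])) > 50:
        out.append("Tags: more than 50 entries")
    return out

def lint_template(template):
    """Lint every AWS::Transfer::Server resource in a parsed template dict."""
    return {name: lint_transfer_server(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::Transfer::Server"}

# Constructed sample template (not from the page): one weak server, one clean one.
SAMPLE = {"Resources": {
    "FtpsServer": {"Type": "AWS::Transfer::Server", "Properties": {
        "Protocols": ["SFTP", "FTPS"], "EndpointType": "PUBLIC",
        "IdentityProviderType": "API_GATEWAY",
        "SecurityPolicyName": "Security-Policy-Name"}},
    "GoodServer": {"Type": "AWS::Transfer::Server", "Properties": {
        "Protocols": ["SFTP"], "EndpointType": "VPC",
        "LoggingRole": "arn:aws:iam::123456789012:role/transfer-logging",
        "SecurityPolicyName": "TransferSecurityPolicy-EXAMPLE"}}}}
```

Placeholder strings such as Security-Policy-Name and Logging-Role-ARN in the example templates above fail these pattern checks until they are replaced with real values.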

See also

CreateServer in the AWS Transfer Family User Guide.