AWS::Transfer::Server
The AWS::Transfer::Server resource instantiates an autoscaling virtual
server based on a file transfer protocol in AWS. When you make updates to your server
or
when you work with users, use the service-generated ServerId property that is
assigned to the newly created server.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Transfer::Server", "Properties" : { "Certificate" :String, "Domain" :String, "EndpointDetails" :EndpointDetails, "EndpointType" :String, "IdentityProviderDetails" :IdentityProviderDetails, "IdentityProviderType" :String, "LoggingRole" :String, "Protocols" :[ Protocol, ... ], "SecurityPolicyName" :String, "Tags" :[ Tag, ... ]} }
YAML
Type: AWS::Transfer::Server Properties: Certificate:StringDomain:StringEndpointDetails:EndpointDetailsEndpointType:StringIdentityProviderDetails:IdentityProviderDetailsIdentityProviderType:StringLoggingRole:StringProtocols:- ProtocolSecurityPolicyName:StringTags:- Tag
Properties
Certificate-
The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. Required when
Protocolsis set toFTPS.To request a new public certificate, see Request a public certificate in the AWS Certificate Manager User Guide.
To import an existing certificate into ACM, see Importing certificates into ACM in the AWS Certificate Manager User Guide.
To request a private certificate to use FTPS through private IP addresses, see Creating and managing a Private CA in the AWS Certificate Manager User Guide.
Certificates with the following cryptographic algorithms and key sizes are supported:
-
2048-bit RSA (RSA_2048)
-
4096-bit RSA (RSA_4096)
-
Elliptic Prime Curve 256 bit (EC_prime256v1)
-
Elliptic Prime Curve 384 bit (EC_secp384r1)
-
Elliptic Prime Curve 521 bit (EC_secp521r1)
Note The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.
Required: No
Type: String
Maximum:
1600Update requires: No interruption
-
Domain-
Specifies the domain of the storage system that is used for file transfers.
Required: No
Type: String
Allowed values:
EFS | S3Update requires: Replacement
EndpointDetails-
The virtual private cloud (VPC) endpoint settings that are configured for your server. When you host your endpoint within your VPC, you can make it accessible only to resources within your VPC, or you can attach Elastic IPs and make it accessible to clients over the internet. You VPC's default security groups are automatically assigned to your endpoint.
Required: No
Type: EndpointDetails
Update requires: No interruption
EndpointType-
The type of VPC endpoint that you want your server to connect to. You can choose to connect to the public internet or a virtual private cloud (VPC) endpoint. With a VPC endpoint, you can restrict access to your server and resources only within your VPC.
Note It is recommended that you use
VPCas theEndpointType. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible withEndpointTypeset toVPC_ENDPOINT.Required: Conditional
Type: String
Allowed values:
PUBLIC | VPC | VPC_ENDPOINTUpdate requires: No interruption
IdentityProviderDetails-
Required when
IdentityProviderTypeis set toAPI_GATEWAY. Accepts an array containing all of the information required to call a customer-supplied authentication API, including the API Gateway URL. Not required whenIdentityProviderTypeis set toSERVICE_MANAGED.Required: No
Type: IdentityProviderDetails
Update requires: No interruption
IdentityProviderType-
Specifies the mode of authentication for a server. The default value is
SERVICE_MANAGED, which allows you to store and access user credentials within the AWS Transfer Family service. Use theAPI_GATEWAYvalue to integrate with an identity provider of your choosing. TheAPI_GATEWAYsetting requires you to provide an API Gateway endpoint URL to call for authentication using theIdentityProviderDetailsparameter.Required: No
Type: String
Allowed values:
API_GATEWAY | SERVICE_MANAGEDUpdate requires: Replacement
LoggingRole-
Allows the service to write your users' activity to your Amazon CloudWatch logs for monitoring and auditing purposes.
Required: No
Type: String
Minimum:
20Maximum:
2048Pattern:
arn:.*role/.*Update requires: No interruption
Protocols-
Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint.
Required: No
Type: List of Protocol
Maximum:
3Update requires: No interruption
SecurityPolicyName-
Specifies the name of the security policy that is attached to the server.
Required: No
Type: String
Maximum:
100Pattern:
TransferSecurityPolicy-.+Update requires: No interruption
Tags-
Key-value pairs that can be used to group and search for servers.
Required: No
Type: List of Tag
Maximum:
50Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ServerId, such as s-01234567890abcdef, and
the server ARN, such as
arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following
are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn-
The Amazon Resource Name associated with the server, in the form
arn:aws:transfer:region:account-id:server/server-id/.An example of a server ARN is:
arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef. ServerId-
The service-assigned ID of the server that is created.
An example
ServerIdiss-01234567890abcdef.
Examples
Create a server with VPC hosted endpoint type
The following example creates a Secure Shell (SSH) File Transfer Protocol (SFTP)-enabled server using a VPC hosted endpoint type with a custom identity provider, a CloudWatch logging role, security policy, and tags.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "creates SFTP Server", "Resources": { "MyTransferServer": { "Type": "AWS::Transfer::Server", "Properties": { "EndpointDetails": { "AddressAllocationIds": [ "AddressAllocationId-1", "AddressAllocationId-2" ], "SubnetIds": [ "SubnetId-1", "SubnetId-2" ], "VpcId": "VpcId" }, "EndpointType": "VPC", "LoggingRole": "Logging-Role-ARN", "Protocols": [ "SFTP" ], "SecurityPolicyName": "Security-Policy-Name", "IdentityProviderDetails": { "InvocationRole": "Invocation-Role-ARN", "Url": "API_GATEWAY-Invocation-URL" }, "IdentityProviderType": "API_GATEWAY", "Tags": [ { "Key": "KeyName", "Value": "ValueName" } ] } } } }
YAML
AWSTemplateFormatVersion: '2010-09-09' Description: creates SFTP Server Resources: MyTransferServer: Type : AWS::Transfer::Server Properties : EndpointDetails: AddressAllocationIds: - AddressAllocationId-1 - AddressAllocationId-2 SubnetIds: - SubnetId-1 - SubnetId-2 VpcId: VpcId EndpointType: VPC LoggingRole: Logging-Role-ARN Protocols: - SFTP SecurityPolicyName: Security-Policy-Name IdentityProviderDetails: InvocationRole: Invocation-Role-ARN Url: API_GATEWAY-Invocation-URL IdentityProviderType: API_GATEWAY Tags: - Key: KeyName Value: ValueName
See also
CreateServer in the AWS Transfer Family User Guide.
