AWS CloudFormation
User Guide (Version )



Instantiates an autoscaling virtual server based on Secure File Transfer Protocol (SFTP) in AWS. When you make updates to your server or when you work with users, use the service-generated ServerId property that is assigned to the newly created server.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{
  "Type" : "AWS::Transfer::Server",
  "Properties" : {
      "EndpointDetails" : EndpointDetails,
      "EndpointType" : String,
      "IdentityProviderDetails" : IdentityProviderDetails,
      "IdentityProviderType" : String,
      "LoggingRole" : String,
      "Tags" : [ Tag, ... ]
    }
}



EndpointDetails

The virtual private cloud (VPC) endpoint settings that you want to configure for your SFTP server. This parameter is required when you specify a value for the EndpointType parameter.

Required: No

Type: EndpointDetails

Update requires: No interruption


EndpointType

The type of VPC endpoint that you want your SFTP server to connect to. If you connect to a VPC endpoint, your SFTP server isn't accessible over the public internet.

Required: Conditional

Type: String


Update requires: No interruption


IdentityProviderDetails

This parameter is required when the IdentityProviderType is set to API_GATEWAY. Accepts an array containing all of the information required to call a customer-supplied authentication API, including the API Gateway URL. This property is not required when the IdentityProviderType is set to SERVICE_MANAGED.

Required: No

Type: IdentityProviderDetails

Update requires: No interruption


IdentityProviderType

Specifies the mode of authentication for the SFTP server. The default value is SERVICE_MANAGED, which allows you to store and access SFTP user credentials within the AWS Transfer for SFTP service. Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an API Gateway endpoint URL to call for authentication using the IdentityProviderDetails parameter.

Required: No

Type: String


Update requires: Replacement


LoggingRole

A value that allows the service to write your SFTP users' activity to your Amazon CloudWatch logs for monitoring and auditing purposes.

Required: No

Type: String

Pattern: arn:.*role/.*

Update requires: No interruption


Tags

Key-value pairs that can be used to group and search for servers.

Required: No

Type: List of Tag

Maximum: 50

Update requires: No interruption
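The property rules above can be checked before deployment. The following is an added example, not part of the AWS documentation or tooling: a small Python check over a JSON template that flags AWS::Transfer::Server resources with no LoggingRole, a LoggingRole string that does not match the documented pattern, a publicly reachable endpoint, or API_GATEWAY authentication without IdentityProviderDetails. It assumes the VPC_ENDPOINT value for EndpointType and a public endpoint when EndpointType is omitted (both from the service API, not stated on this page); the function name, logical IDs and sample values are constructed.

```python
import json
import re

ROLE_ARN = re.compile(r"arn:.*role/.*")  # pattern documented for LoggingRole

def lint_transfer_servers(template):
    """Return (logical_id, finding) pairs; intrinsic (dict) values are not pattern-checked."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Transfer::Server":
            continue
        props = res.get("Properties", {})
        role = props.get("LoggingRole")
        if role is None:
            findings.append((name, "LoggingRole unset: no CloudWatch audit trail"))
        elif isinstance(role, str) and not ROLE_ARN.fullmatch(role):
            findings.append((name, "LoggingRole is not a role ARN"))
        if props.get("EndpointType") != "VPC_ENDPOINT":  # assumed enum value, see lead-in
            findings.append((name, "endpoint reachable from the public internet"))
        elif "EndpointDetails" not in props:
            findings.append((name, "EndpointType set without EndpointDetails"))
        idp = props.get("IdentityProviderType", "SERVICE_MANAGED")
        if idp == "API_GATEWAY" and "IdentityProviderDetails" not in props:
            findings.append((name, "API_GATEWAY without IdentityProviderDetails"))
        if len(props.get("Tags", [])) > 50:
            findings.append((name, "more than 50 tags"))
    return findings

# Constructed sample template: logical IDs, role name and VPC endpoint ID are made up.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "OpenServer": {
      "Type": "AWS::Transfer::Server",
      "Properties": {"IdentityProviderType": "API_GATEWAY", "LoggingRole": "TransferLogs"}
    },
    "PrivateServer": {
      "Type": "AWS::Transfer::Server",
      "Properties": {"EndpointType": "VPC_ENDPOINT",
                     "EndpointDetails": {"VpcEndpointId": "vpce-0123456789abcdef0"},
                     "LoggingRole": {"Fn::GetAtt": ["LogRole", "Arn"]}}
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")

if __name__ == "__main__":
    print(*lint_transfer_servers(SAMPLE_TEMPLATE), sep="\n")
```

A LoggingRole given as an intrinsic function such as Fn::GetAtt resolves only at deploy time, so the check accepts it without testing the pattern.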

Return Values


Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ServerId, such as s-01234567890abcdef, and the server ARN, such as arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef.


Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.


Arn

The Amazon Resource Name associated with the AWS Transfer SFTP server, in the form arn:aws:transfer:region:account-id:server/server-id/.

An example of a server ARN is: arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef.


ServerId

The service-assigned ID of the SFTP server that is created.

An example ServerId is s-01234567890abcdef.