Setting up Amazon AppFlow - Amazon AppFlow

Setting up Amazon AppFlow


This section provides a list of the prerequisites for getting started with Amazon AppFlow.

  • AWS account setup — If you don't have an AWS account, you must create one. For more information, see How to create and activate a new AWS account.

  • SaaS application setup — You must verify that you have the required information about the source and destination applications, and that they meet the relevant configuration requirements. For application-specific requirements and setup instructions, see Supported source and destination applications.

  • AWS CloudFormation OAuth — If you want to use AWS CloudFormation to create a connector profile for connectors that implement OAuth (such as Salesforce, Slack, Zendesk, and Google Analytics), you must fetch the access and refresh tokens. You can do this by implementing your own UI for OAuth, or by retrieving them from elsewhere. Alternatively, you can use the Amazon AppFlow console to create the connector profile, and then use that connector profile in the flow creation AWS CloudFormation template.

  • Data encryption — Amazon AppFlow encrypts your data and connection details during transit and at rest. For more information, see Data protection in Amazon AppFlow. When you configure a flow, you specify an AWS Key Management Service CMK to use for encryption. You can choose the AWS managed customer master key (CMK) that Amazon AppFlow creates by default, named AWSDefaultEncryptionKey, or you can choose a customer managed CMK that you create. To create a CMK, see Creating symmetric CMKs in the AWS Key Management Service Developer Guide. For examples of how to set IAM permissions for KMS access, see Amazon AppFlow policy examples.

  • Identity and access management — If you access AWS as an IAM user, your administrator must grant you the permissions required to create and run flows. For more information, see Identity and access management for Amazon AppFlow.

General information for all applications

This section provides a list of general information that applies to all supported source and destination applications.

Source and destination API limits

The API calls that Amazon AppFlow makes to data sources and destinations count against any API limits for that application. For example, if you set up an hourly flow that pulls 5 pages of data from Salesforce, Amazon AppFlow will make a total of 120 daily API calls (24x5=120). This will count against your 24-hour Salesforce API limit. Exact API limits can vary depending on your licensing with the SaaS application.

IP address ranges

Amazon AppFlow operates from the AWS IP address ranges shown in the Amazon Web Services General Reference Guide. Configuring a flow connection with an incorrect URL, URI, or IP address range can return a bad gateway error. If you encounter this error, we recommend deleting your connection and creating a new one with the correct URL, URI, or IP address range. For instructions on how to create a new connection for your SaaS application, see Supported source and destination applications.


You can't use IP allow listing in your S3 bucket policy to deny access to any other IP addresses besides Amazon AppFlow IP addresses. This is because Amazon AppFlow uses a VPC endpoint when placing data in your Amazon S3 buckets. For more information about Amazon AppFlow Regions and endpoints, see Amazon AppFlow Regions and Endpoints in the AWS General Reference.

Schema changes

Amazon AppFlow only supports the automatic import of newly created Salesforce fields into Amazon S3 without requiring the user to update their flow configurations. For other source applications, Amazon AppFlow does not currently support schema changes, but you can edit your flow to reload the fields and update your mapping. For more information on how to edit a flow, see Edit an Amazon AppFlow flow.


If the source or destination fields in a flow's configuration are deleted from the source or destination application (including Salesforce), then the flow run will fail. To prevent failed flows, we recommend that you edit your flows to remove deleted fields from the mapping.