Create an FTP-enabled server - AWS Transfer Family

Create an FTP-enabled server

File Transfer Protocol (FTP) is a network protocol used for the transfer of data. FTP uses separate channels for control and data: the control channel stays open until the session is terminated or the inactivity timeout expires, and a data channel is opened for the duration of each transfer. FTP uses clear text and does not encrypt traffic, so user credentials and file contents cross the network unprotected. For that reason, Transfer Family only offers FTP on a VPC hosted endpoint, and you should restrict the endpoint to clients on your private network.

To create an FTP-enabled server

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/ and select Servers from the navigation pane, then choose Create server.

  2. In Choose protocols, select FTP, and then choose Next.

  3. In Choose an identity provider, choose the identity provider that you want to use to manage user access. You have the following options:

    • Choose AWS Directory Service for Microsoft Active Directory to authenticate users with the credentials stored in your Active Directory. You provide the AWS Directory Service directory that the server uses to authenticate users.

      Note

      Cross-Account and Shared directories are not supported for AWS Managed Microsoft AD.

      1. For Identity provider type, choose AWS Directory Service. To learn more about working with AWS Managed Microsoft AD identity providers, see Working with AWS Directory Service for Microsoft Active Directory.

        
        Console screenshot: Choose identity provider dialog box with AWS Directory Service selected.
      2. The Directory list contains all the managed directories that you have configured. Choose a directory from the list.

      3. Choose Next.

    • Choose Custom to authenticate users through an Amazon API Gateway endpoint that you provide, together with an AWS Identity and Access Management (IAM) role that Transfer Family assumes to invoke that endpoint. This lets you integrate your own directory or credential store to authenticate and authorize your users.

      1. For Identity provider type, choose Custom. For more information about custom identity providers, see Working with custom identity providers.

      2. For Custom provider, enter an Amazon API Gateway URL.

        Note

        Only the API Gateway identity provider type is supported.

      3. For Invocation role, choose the IAM role that Transfer Family assumes to invoke the endpoint.

      4. Choose Next.

  4. In Choose an endpoint, do the following:

    Note

    FTP servers for Transfer Family use TCP port 21 for the control channel and TCP ports 8192-8200 for the passive data channel. The security groups attached to the VPC endpoint must allow inbound traffic on these ports, and should allow it only from the networks your FTP clients connect from.

    1. For Endpoint type, choose VPC hosted to host your server's endpoint. For information about setting up your VPC hosted endpoint, see Create a server in a virtual private cloud.

      Note

      Publicly accessible endpoints are not supported.

    2. For FIPS Enabled, keep the FIPS Enabled endpoint check box cleared.

      Note

      A FIPS-enabled endpoint is not supported.

    3. Choose Next.

    
        Console screenshot: Choose endpoint section with VPC hosted selected.
  5. On the Choose domain page, choose the AWS storage service that you want to use to store and access your data over the selected protocol.

    • Choose Amazon S3 to store and access your files as objects over the selected protocol.

    • Choose Amazon EFS to store and access your files in your Amazon EFS file system over the selected protocol.

    Choose Next.

  6. In Configure additional details, do the following:

    1. For CloudWatch logging, choose one of the following to enable Amazon CloudWatch logging of your user activity:

      • Choose Create a new role to have Transfer Family create the IAM role for you, provided that you have permission to create roles. The role that is created is named AWSTransferLoggingAccess.

      • Choose an existing role to choose an existing IAM role from your account. Under Logging role, choose the role. This IAM role should include a trust policy with Service set to transfer.amazonaws.com.

        For more information about CloudWatch logging, see Log activity with CloudWatch.

      Note
      • You can't view end-user activity in CloudWatch if you don't specify a logging role.

      • If you don't want to set up a CloudWatch logging role, choose Choose an existing role, but don't select a logging role.

      
        Console screenshot: CloudWatch logging section with Create new role selected.
    2. For Cryptographic algorithm options, choose a security policy that contains the cryptographic algorithms enabled for use by your server. Because FTP traffic is not encrypted, the security policy has no effect on FTP sessions; it governs the SSH and TLS algorithms used by SFTP and FTPS on servers that also enable those protocols.

      Note

      By default, the TransferSecurityPolicy-2020-06 security policy is attached to your server.

      For more information about security policies, see Working with security policies.

      
        Console screenshot: Cryptographic algorithm options section with a security policy selected.
    3. (Optional) For Server Host Key, keep it blank.

      Note

      This section is only for migrating users from an existing SFTP-enabled server.

      
        Console screenshot: Server host key section.
    4. (Optional) For Tags, for Key and Value, enter one or more tags as key-value pairs, and then choose Add tag.

    5. Choose Next.

      
        Console screenshot: Tags section.
    6. (Optional) For Post-upload file-processing WorkflowId, enter a workflow ID and the corresponding IAM role that Transfer Family assumes when it runs the workflow.

      
  7. In Review and create, review your choices.

    • If you want to edit any of them, choose Edit next to the step.

      Note

      You will need to review each step after the step you chose to edit.

    • If you have no changes, choose Create server to create your server. You are taken to the Servers page, shown following, where your new server is listed.

It can take a couple of minutes before the status for your new server changes to Online. At that point, your server can perform file operations for your users.


        Console screenshot: Servers section with the new server ID and a status of Starting.
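The procedure above can also be driven from the API. The following is an added example, not code from the AWS documentation: it assembles the CreateServer request for an FTP-only server, checks it against the constraints this page states (VPC endpoint only, no service-managed users, a logging role, restricted ports), and builds the security group ingress rules the endpoint needs for ports 21 and 8192-8200. The VPC, subnet, security group IDs, role ARNs and API Gateway URL are placeholders, and the parameter names follow the boto3 Transfer CreateServer API.

```python
"""Added example, not code from the AWS documentation: assemble the CreateServer
request for an FTP-only Transfer Family server and check it against the
constraints this page states, plus the security group ingress rules the VPC
endpoint needs. Resource IDs, ARNs and the API Gateway URL are placeholders."""
import ipaddress

FTP_CONTROL_PORT = 21                 # control channel
FTP_DATA_PORT_RANGE = (8192, 8200)    # passive data channel range
DEFAULT_SECURITY_POLICY = "TransferSecurityPolicy-2020-06"
FTP_IDENTITY_PROVIDER_TYPES = {"AWS_DIRECTORY_SERVICE", "API_GATEWAY"}
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ftp_ingress_rules(allowed_cidr: str) -> list:
    """EC2 IpPermissions entries for the endpoint's security group.

    FTP carries credentials and data in clear text, so the source is pinned to
    an RFC 1918 range; anything wider (for example 0.0.0.0/0) is rejected.
    """
    net = ipaddress.ip_network(allowed_cidr, strict=True)
    if net.version != 4 or not any(net.subnet_of(private) for private in RFC1918):
        raise ValueError(f"{allowed_cidr} is not a private IPv4 range; FTP traffic is unencrypted")

    def rule(from_port, to_port, description):
        return {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port,
                "IpRanges": [{"CidrIp": str(net), "Description": description}]}

    return [rule(FTP_CONTROL_PORT, FTP_CONTROL_PORT, "FTP control channel"),
            rule(FTP_DATA_PORT_RANGE[0], FTP_DATA_PORT_RANGE[1], "FTP passive data channel")]


def build_ftp_server_request(*, vpc_id, subnet_ids, security_group_ids, idp_url,
                             invocation_role, logging_role, domain="S3",
                             security_policy=DEFAULT_SECURITY_POLICY, tags=None) -> dict:
    """Keyword arguments for boto3's transfer.create_server(**request)."""
    request = {
        "Protocols": ["FTP"],
        "EndpointType": "VPC",                   # FTP requires a VPC hosted endpoint
        "EndpointDetails": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids),
                            "SecurityGroupIds": list(security_group_ids)},
        "IdentityProviderType": "API_GATEWAY",   # the "Custom" option in the console
        "IdentityProviderDetails": {"Url": idp_url, "InvocationRole": invocation_role},
        "LoggingRole": logging_role,
        "SecurityPolicyName": security_policy,
        "Domain": domain,
    }
    if tags:
        request["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return request


def check_ftp_request(request: dict) -> list:
    """Return the constraints from this page that the request violates (empty list = OK)."""
    problems = []
    if "FTP" in request.get("Protocols", []):
        if request.get("EndpointType") != "VPC":
            problems.append("FTP needs EndpointType VPC; publicly accessible endpoints are not supported")
        if request.get("IdentityProviderType") not in FTP_IDENTITY_PROVIDER_TYPES:
            problems.append("FTP needs AWS Directory Service or an API Gateway custom identity provider")
        if not request.get("EndpointDetails", {}).get("SecurityGroupIds"):
            problems.append("no security group on the endpoint; ports 21 and 8192-8200 must be restricted")
    if not request.get("LoggingRole"):
        problems.append("no LoggingRole; end-user activity will not appear in CloudWatch")
    return problems


if __name__ == "__main__":
    req = build_ftp_server_request(
        vpc_id="vpc-0123456789abcdef0", subnet_ids=["subnet-0123456789abcdef0"],
        security_group_ids=["sg-0123456789abcdef0"],
        idp_url="https://abcd1234.execute-api.us-east-1.amazonaws.com/prod",
        invocation_role="arn:aws:iam::123456789012:role/TransferIdpInvoke",
        logging_role="arn:aws:iam::123456789012:role/AWSTransferLoggingAccess")
    print(check_ftp_request(req))          # [] when the request satisfies the page's constraints
    print(ftp_ingress_rules("10.0.0.0/16"))
    # To create the server: boto3.client("transfer").create_server(**req)
```

Run check_ftp_request before submitting the request; the ingress rules go into ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=rules) for the security group you attach to the endpoint.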

Next steps – For the next step, continue on to Working with custom identity providers to set up users.
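For the Custom identity provider option chosen in step 3, the API Gateway endpoint is typically backed by a Lambda function. The following is an added example of such a handler, not code from AWS or from the documentation: it accepts password logins only over FTP and only from a trusted private network (since the password crosses the wire in clear text), verifies the password against a salted PBKDF2 hash with a constant-time comparison, and returns the role, a scoped-down session policy, and a logical home directory that confines the user to their own prefix. It assumes the event fields username, password, protocol, sourceIp and serverId as populated by the API Gateway mapping template, and an empty response body as the deny signal; the user table, bucket name, role ARN and trusted CIDR are constructed placeholders (a real deployment would read the user record from Secrets Manager or DynamoDB).

```python
"""Added example, not AWS code: Lambda handler behind the API Gateway custom
identity provider of an FTP-only Transfer Family server. Event field names are
assumed from the API Gateway mapping template; users, bucket, role ARN and the
trusted network are constructed placeholders for this example."""
import hashlib
import hmac
import ipaddress
import json

USER_ROLE_ARN = "arn:aws:iam::123456789012:role/TransferFtpUserRole"   # hypothetical
BUCKET = "example-ftp-bucket"                                           # hypothetical
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # FTP is clear text: internal clients only
PBKDF2_ROUNDS = 100_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user record: salt plus PBKDF2 hash, never the plaintext password.
_SALT = bytes.fromhex("a1b2c3d4e5f60718")
USERS = {
    "alice": {"salt": _SALT, "hash": _pbkdf2("correct horse battery staple", _SALT), "prefix": "alice"},
}


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    # Always run the hash, so an unknown username takes as long as a wrong password.
    candidate = _pbkdf2(password, record["salt"] if record else _SALT)
    return record is not None and hmac.compare_digest(candidate, record["hash"])


def session_policy(prefix: str) -> str:
    """Scoped-down policy (returned as a JSON string) limiting the session to one prefix."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*", prefix]}}},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{BUCKET}/{prefix}/*"},
        ],
    })


def lambda_handler(event: dict, context=None) -> dict:
    """Return the Transfer Family identity response, or {} to deny the login."""
    username = event.get("username", "")
    password = event.get("password", "")
    protocol = event.get("protocol", "")
    source_ip = event.get("sourceIp", "")

    # Password authentication is only accepted for FTP sessions from trusted networks.
    if protocol != "FTP" or not password:
        return {}
    try:
        client = ipaddress.ip_address(source_ip)
    except ValueError:
        return {}
    if not any(client in net for net in TRUSTED_NETWORKS):
        return {}
    if not verify_password(username, password):
        return {}

    prefix = USERS[username]["prefix"]
    return {
        "Role": USER_ROLE_ARN,
        "Policy": session_policy(prefix),
        "HomeDirectoryType": "LOGICAL",
        # HomeDirectoryDetails is a JSON string: the user sees "/" mapped onto their prefix.
        "HomeDirectoryDetails": json.dumps([{"Entry": "/", "Target": f"/{BUCKET}/{prefix}"}]),
    }


if __name__ == "__main__":
    # Constructed event in the shape the API Gateway integration passes to the function.
    print(lambda_handler({"username": "alice", "password": "correct horse battery staple",
                          "protocol": "FTP", "sourceIp": "10.1.2.3", "serverId": "s-0123456789abcdef0"}))
```

The invocation role chosen in step 3 only needs execute-api:Invoke on this API; the IAM role returned in Role is what the session actually uses, and the Policy field narrows it further per user, so a mistake in one user's home prefix cannot expose another user's objects.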