Create an FTPS-enabled server - AWS Transfer Family

Create an FTPS-enabled server

File Transfer Protocol over SSL (FTPS) is an extension to FTP. It uses Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols to encrypt traffic. FTPS allows encryption of both the control and data channel connections either concurrently or independently.

To create an FTPS-enabled server

  1. Open the AWS Transfer Family console and choose Create server.

  2. In Choose protocols, select FTPS.

    For Server certificate, choose a certificate stored in AWS Certificate Manager (ACM) to identify your server when clients connect to it over FTPS, and then choose Next.

    To request a new public certificate, see Request a public certificate in the AWS Certificate Manager User Guide.

    To import an existing certificate into ACM, see Importing certificates into ACM in the AWS Certificate Manager User Guide.

    To request a private certificate to use FTPS through private IP addresses, see Creating and managing a Private CA in the AWS Certificate Manager User Guide.

    Certificates with the following cryptographic algorithms and key sizes are supported:

    • 2048-bit RSA (RSA_2048)

    • 4096-bit RSA (RSA_4096)

    • Elliptic Prime Curve 256 bit (EC_prime256v1)

    • Elliptic Prime Curve 384 bit (EC_secp384r1)

    • Elliptic Prime Curve 521 bit (EC_secp521r1)


    The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

  3. In Choose an identity provider, do the following:

    1. For Identity provider type, choose Custom. For more information about custom identity providers, see Working with custom identity providers.

    2. For Custom provider, enter an Amazon API Gateway URL.


      Only identity provider type API Gateway is supported.

    3. For Invocation role, choose an AWS Identity and Access Management (IAM) role to access the endpoint.

    4. Choose Next.

  4. In Choose an endpoint, do the following:

    1. For Endpoint type, choose the VPC hosted endpoint type to host your server's endpoint. For information about setting up your VPC hosted endpoint, see Creating a server in a virtual private cloud.


      Publicly accessible endpoints are not supported.

    2. (Optional) For FIPS Enabled, select the FIPS Enabled endpoint check box to ensure the endpoint complies with Federal Information Processing Standards (FIPS).


      FIPS-enabled endpoints are only available in North American AWS Regions. For available regions, see AWS Transfer Family endpoints and quotas in the AWS General Reference. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.

    3. Choose Next.

  5. In Configure additional details, do the following:

    1. For CloudWatch logging, choose one of the following to enable Amazon CloudWatch logging of your user activity:

      • Create a new role to allow Transfer Family to automatically create the IAM role, as long as you have the right permissions to create a new role. The IAM role that is created is called AWSTransferLoggingAccess.

      • Choose an existing role to choose an existing IAM role from your account. Under Logging role, choose the role. This IAM role should include a trust policy with Service set to

        For more information about CloudWatch logging, see Log activity with CloudWatch.

      • You can't view end-user activity in CloudWatch if you don't specify a logging role.

      • If you don't want to set up a CloudWatch logging role, choose Choose an existing role, but don't select a logging role.

    2. For Cryptographic algorithm options, choose a security policy that contains the cryptographic algorithms enabled for use by your server.


      By default:

      • If FIPS Enabled endpoint is not selected, the TransferSecurityPolicy-2020-06 security policy is attached to your server.

      • If FIPS Enabled endpoint is selected, the TransferSecurityPolicy-FIPS-2020-06 security policy is attached to your server.

      For more information about security policies, see Working with security policies.

    3. (Optional) For Server Host Key, keep it blank.


      This section is only for migrating users from an existing SFTP-enabled server.

    4. (Optional) For Tags, for Key and Value, enter one or more tags as key-value pairs, and then choose Add tag.

    5. Choose Next.

  6. In Review and create, review your choices. If you:

    • Want to edit any of them, choose Edit next to the step.


      You will need to review each step after the step you chose to edit.

    • Have no changes, choose Create server to create your server. You are taken to the Servers page, where your new server is listed.

It can take a couple of minutes before the status for your new server changes to Online. At that point, your server can perform file operations for your users.
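The console choices in steps 2 through 5 can also be expressed as parameters of the Transfer Family CreateServer API, with this page's FTPS restrictions checked before anything is sent. This is an added example, not AWS's own code: the parameter names come from the CreateServer API rather than from this page, and the function name, the HTTPS check on the provider URL, and every ARN, URL and ID in the sample call are assumptions or constructed placeholders.

```python
# Default security policies named on this page.
POLICY = "TransferSecurityPolicy-2020-06"
FIPS_POLICY = "TransferSecurityPolicy-FIPS-2020-06"

def build_ftps_request(cert_arn, idp_url, invocation_role, vpc_id, subnet_ids,
                       endpoint_type="VPC", idp_type="API_GATEWAY", fips=False,
                       logging_role=None, security_policy=None, tags=None):
    """Return (CreateServer kwargs, warnings); raise ValueError on a setting
    this page says FTPS does not support."""
    errors, warnings = [], []
    arn = str(cert_arn).split(":")
    if len(arn) < 6 or arn[0] != "arn" or arn[2] != "acm":
        errors.append("Server certificate must be a certificate stored in ACM")
    if idp_type != "API_GATEWAY":
        errors.append("only the API Gateway identity provider type is supported")
    if not str(idp_url).startswith("https://"):  # assumption: the URL is HTTPS
        errors.append("Custom provider must be an API Gateway URL")
    if not invocation_role:
        errors.append("an invocation role is required to access the endpoint")
    if endpoint_type != "VPC":
        errors.append("choose a VPC hosted endpoint; public endpoints are not supported")
    if errors:
        raise ValueError("; ".join(errors))
    if not logging_role:
        warnings.append("no logging role: end-user activity will not appear in CloudWatch")
    request = {
        "Protocols": ["FTPS"],
        "Certificate": cert_arn,
        "IdentityProviderType": idp_type,
        "IdentityProviderDetails": {"Url": idp_url, "InvocationRole": invocation_role},
        "EndpointType": endpoint_type,
        "EndpointDetails": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids)},
        "SecurityPolicyName": security_policy or (FIPS_POLICY if fips else POLICY),
    }  # HostKey is left out on purpose (step 5.3: keep it blank)
    if logging_role:
        request["LoggingRole"] = logging_role
    if tags:
        request["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return request, warnings


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real resources.
    req, warns = build_ftps_request(
        "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
        "https://example.execute-api.us-east-1.amazonaws.com/prod",
        "arn:aws:iam::111122223333:role/ExampleInvocationRole",
        "vpc-EXAMPLE", ["subnet-EXAMPLE"], fips=True)
    print(req, warns)  # then: boto3.client("transfer").create_server(**req)
```

Treating the missing logging role as a warning rather than an error mirrors the console, which lets you create the server without one.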

Next step

Add a user