Edit server details - AWS Transfer Family

After you create an AWS Transfer Family server, you can edit the server configuration.

To edit a server's configuration

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. Navigate to the Servers page.

  3. Choose the identifier in the Server ID column to open the Server details page.

    You can change the server's properties on this page by choosing Edit next to the section that you want to change.

Edit the file transfer protocols

On the AWS Transfer Family console, you can edit the file transfer protocols. The protocols determine how clients connect to your server's endpoint, and each enabled protocol is billed separately.

To edit the protocols

  1. On the Server details page, choose Edit next to Protocols.

  2. On the Edit protocols page, select or clear the protocol check boxes to add or remove file transfer protocols (SFTP, FTPS, and FTP):

    Note

    If you have an existing server enabled only for SFTP and you want to add FTPS or FTP, first confirm that the server's identity provider and endpoint type are compatible with those protocols. FTPS and FTP require a custom identity provider rather than service-managed users, and FTP is only offered on a VPC-hosted endpoint, not on a publicly accessible one, because FTP sends credentials and data in clear text.

    If you select FTPS, you must choose a certificate stored in AWS Certificate Manager (ACM). The server presents this certificate to clients to prove its identity when they connect over FTPS.

    To request a new public certificate, see Request a public certificate in the AWS Certificate Manager User Guide.

    To import an existing certificate into ACM, see Importing certificates into ACM in the AWS Certificate Manager User Guide.

    To request a private certificate to use FTPS through private IP addresses, see Creating and managing a Private CA in the AWS Certificate Manager User Guide.

    Certificates with the following cryptographic algorithms and key sizes are supported:

    • 2048-bit RSA (RSA_2048)

    • 4096-bit RSA (RSA_4096)

    • Elliptic Prime Curve 256 bit (EC_prime256v1)

    • Elliptic Prime Curve 384 bit (EC_secp384r1)

    • Elliptic Prime Curve 521 bit (EC_secp521r1)

    Note

    The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

  3. Choose Save. You are returned to the Server details page.

Edit the server identity provider

On the AWS Transfer Family console, you can edit the details of your identity provider such as the API Gateway URL and invocation role. The identity provider manages user access for authentication and authorization.

Note

You can't change a server's identity provider type after you create the server. To change the identity provider, delete the server and create a new one with the identity provider that you want.

To edit the server identity provider

  1. On the Server details page, choose Edit next to Identity provider.

  2. On the Edit identity provider page, update the settings for the server's identity provider type. The type itself is shown but can't be changed:

    • Service managed – AWS Transfer Family creates, manages, and stores user identities and keys. There are no provider settings to edit here; manage users and their SSH public keys from the server's Users section.

    • Custom – update the Amazon API Gateway URL and the AWS Identity and Access Management (IAM) role that the service assumes to invoke your API Gateway endpoint. To learn more about working with custom identity providers, see Working with custom identity providers.

  3. Choose Save. You are returned to the Server details page.

Edit the server endpoint

On the AWS Transfer Family console, you can modify the server endpoint type and custom hostname.

To edit the server endpoint details

  1. On the Server details page, choose Edit next to Endpoint details.

  2. On the Edit endpoint configuration page, for Endpoint type, choose Publicly accessible or VPC hosted.

  3. For Custom hostname, choose one of the following:

    • None – if you don't want to use a custom domain.

      You get a server hostname provided by AWS Transfer Family. The server hostname takes the form serverId.server.transfer.regionId.amazonaws.com.

    • Amazon Route 53 DNS alias – to use a DNS alias automatically created for you in Route 53.

    • Other DNS – to use a hostname that you already own in an external DNS service.

    Choosing Amazon Route 53 DNS alias or Other DNS specifies the name resolution method to associate with your server's endpoint.

    For example, your custom domain might be sftp.inbox.example.com. A custom hostname uses a DNS name that you provide and that a DNS service can resolve. You can use Route 53 as your DNS resolver, or use your own DNS service provider. To learn how AWS Transfer Family uses Route 53 to route traffic from your custom domain to the server endpoint, see Working with custom hostnames.

  4. Choose Save. You are returned to the Server details page.

Edit Amazon CloudWatch logging

On the AWS Transfer Family console, you can enable logging of your server's end-user file transfer activity (Amazon S3 events) to Amazon CloudWatch.

Note

If Transfer Family created a CloudWatch logging IAM role for you when you created a server, the IAM role is called AWSTransferLoggingAccess. You can use it for all your servers.

To edit the CloudWatch logging IAM role

  1. On the Server details page, choose Edit next to Additional details.

  2. On the CloudWatch logging page, do one of the following:

    • If Transfer Family created a CloudWatch logging IAM role for you when you created a server, the IAM role is called AWSTransferLoggingAccess. Choose it from the Logging role list.

    • If you chose an existing CloudWatch logging IAM role or you didn't choose a CloudWatch logging IAM role at all when you created this server, choose or modify the CloudWatch logging IAM role from the Logging role list.

    For more information about CloudWatch logging, see Log activity with CloudWatch.

    Note

    You can't view end-user activity in CloudWatch if you don't specify a logging role.

  3. Choose Save. You are returned to the Server details page.

Edit the security policy

On the AWS Transfer Family console, you can modify the security policy attached to your server.

To edit the security policy

  1. On the Server details page, choose Edit next to Additional details.

  2. On the Cryptographic algorithm options page, choose a security policy that contains the cryptographic algorithms enabled for use by your server.

    Note

    If your endpoint is FIPS-enabled, you can't change the FIPS security policy.

    For more information about security policies, see Working with security policies.

  3. Choose Save. You are returned to the Server details page.

Change the host key for your SFTP-enabled server

Important

If you aren't planning to migrate existing users from an existing AWS SFTP-enabled server to a new AWS SFTP-enabled server, skip this section. Accidentally changing a server's host key is disruptive: every client that has pinned the old key in its known_hosts file will warn about a possible man-in-the-middle attack or refuse to connect.

By default, AWS Transfer Family provides a host key for your AWS SFTP-enabled server. You can replace the default host key with the host key from another server. Do so only if you plan to move existing users from an existing AWS SFTP-enabled server to your new AWS SFTP-enabled server.

To prevent your users from being prompted to verify the authenticity of your AWS SFTP-enabled server again, import the host key of your on-premises server into the AWS SFTP-enabled server. Because clients then see the same host key they already trust, they don't get a warning about a potential man-in-the-middle attack.

On the AWS Transfer Family console, you can change the server host key.

To change the server host key

  1. On the Server details page, choose Edit next to Additional details.

  2. On the Server Host Key page, paste the RSA private key that the server presents to clients as its host key when they connect over SFTP. The private key is a secret: anyone who holds it can impersonate your server to your users.

  3. Choose Save. You are returned to the Server details page.

To change the host key from the command line, call the UpdateServer API operation with the new host key. When you create a new AWS SFTP-enabled server, you supply the host key as the HostKey parameter of the CreateServer API operation instead.

The following AWS CLI example updates the host key for the specified AWS SFTP-enabled server, reading the private key from a local file. Because the file contains the server's private key, treat it as a secret and remove it from the workstation after the update.

    aws transfer update-server --server-id "your-server-id" --host-key file://my-host-key

On success, the command returns the identifier of the updated server:

    {
        "ServerId": "your-server-id"
    }
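Before importing a host key, check that the key you are about to import is the one your users have already pinned; otherwise the migration produces exactly the host-key warning this section is trying to avoid. The following Python script is an added example, not code from the AWS documentation or the Transfer Family service. It assumes you have a copy of a client's known_hosts file and the public half of the key to import (obtain it from the private key with ssh-keygen -y -f my-host-key), computes OpenSSH-style SHA256 fingerprints, and handles both plain and hashed (|1|salt|hash) known_hosts entries. The keys and known_hosts lines embedded in it are constructed test data, not real keys.

```python
"""Pre-cutover host key check for an SFTP server migration.

Added example; not code from the AWS Transfer Family documentation.
The keys and known_hosts entries below are constructed test data.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then payload."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (two's complement, big-endian)."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # leading zero keeps the number positive
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build the ssh-rsa public key blob (the base64 field of a known_hosts line)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def key_type(blob: bytes) -> str:
    """Return the key type string at the front of a public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_known_host(hostname: str, salt: bytes) -> str:
    """Produce a hashed known_hosts host field: |1|salt|HMAC-SHA1(salt, hostname)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, hostname: str) -> bool:
    """Match a known_hosts host field against hostname (comma list or hashed entry)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in pattern.split(",")


def pinned_fingerprints(known_hosts: str, hostname: str) -> set:
    """Fingerprints of every key that a client with this known_hosts trusts for hostname."""
    pinned = set()
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # @revoked / @cert-authority lines are not trusted host keys
            continue
        hosts, _ktype, b64 = parts[0], parts[1], parts[2]
        if host_matches(hosts, hostname):
            pinned.add(fingerprint(base64.b64decode(b64)))
    return pinned


def cutover_is_silent(known_hosts: str, hostname: str, imported_blob: bytes) -> bool:
    """True if the key being imported into the new server is already trusted for hostname."""
    return fingerprint(imported_blob) in pinned_fingerprints(known_hosts, hostname)


# Constructed data: not real RSA keys, only well-formed blobs for fingerprinting.
HOST = "sftp.inbox.example.com"
OLD_BLOB = rsa_public_blob(65537, int.from_bytes(bytes(range(1, 256)), "big"))
NEW_BLOB = rsa_public_blob(65537, int.from_bytes(bytes(range(255, -1, -1)), "big"))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed client known_hosts: the old on-premises server key is pinned twice",
    "%s,203.0.113.10 ssh-rsa %s" % (HOST, base64.b64encode(OLD_BLOB).decode()),
    "%s ssh-rsa %s" % (hash_known_host(HOST, b"\x01" * 20), base64.b64encode(OLD_BLOB).decode()),
    "other.example.com ssh-rsa %s" % base64.b64encode(NEW_BLOB).decode(),
])

if __name__ == "__main__":
    for label, blob in (("old key", OLD_BLOB), ("fresh key", NEW_BLOB)):
        print(label, fingerprint(blob), "silent cutover:", cutover_is_silent(SAMPLE_KNOWN_HOSTS, HOST, blob))
```

Run it against a real known_hosts file by replacing SAMPLE_KNOWN_HOSTS with the file's contents and OLD_BLOB with the base64 field from the output of ssh-keygen -y -f my-host-key. After the update, confirm the live endpoint presents the expected key with ssh-keyscan -t rsa your-endpoint | ssh-keygen -lf - and compare the printed fingerprint with the one the script reports for the imported key.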

Put your server online or offline

On the AWS Transfer Family console, you can bring your server online or take it offline.

To bring your server online

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. In the navigation pane, choose Servers.

  3. Select the check box of the server that is offline.

  4. For Actions, choose Start.

It can take a couple of minutes for a server to switch from offline to online.

Note

When you stop a server to take it offline, currently you are still accruing service charges for that server. To eliminate additional server-based charges, delete that server.

To take your server offline

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. In the navigation pane, choose Servers.

  3. Select the check box of the server that is online.

  4. For Actions, choose Stop.

While a server is starting up or shutting down, it isn't available for file operations. The console doesn't show the starting and stopping states.

If you find the error condition START_FAILED or STOP_FAILED, contact AWS Support to help resolve your issues.

Delete a server

On the AWS Transfer Family console, you can delete your server.

Important

You are billed for each of the protocols enabled to access your endpoint, until you delete the server.

Warning

Deleting a server will result in all its users being deleted. Data in the bucket that was accessed using the server will not be deleted and remains accessible to AWS users that have privileges to those S3 buckets.

To delete a server

  1. Open the AWS Transfer Family console at https://console.aws.amazon.com/transfer/.

  2. In the navigation pane, choose Servers.

  3. Select the check box of the server that you want to delete.

  4. For Actions, choose Delete.

  5. In the confirmation dialog box that appears, enter the word delete, and then choose Delete to confirm that you want to delete the server.

The server is deleted from the Servers page and you are no longer billed for it.