Key management - AWS Transfer Family

Key management

In this section, you can find information about SSH keys, how to generate them and how to rotate them.

Generate SSH keys

You can set up your server to authenticate users using the service-managed authentication method, where user names and SSH keys are stored within the service. The user’s public SSH key is uploaded to the server as a user's property. This key is used by the server as part of a standard key based authentication process. Each user can have multiple public SSH keys on file with an individual server. For limits on number of keys that can be stored per user, see the AWS service quotas in the AWS General Reference.

A server can only authenticate users using a single method, and that method cannot be changed after the server is created. As an alternative to using SSH keys, you can authenticate users using a custom identity provider. This allows you to plug in an existing identity provider using an API Gateway endpoint. For more information, see Authenticate using custom identity providers.

There are many ways to create an SSH key pair. On the macOS, Linux, or UNIX operating systems, you can use the ssh-keygen command at the command line interface for that purpose. The following is an example of the ssh-keygen output for the command listed below.

ssh-keygen -P "" -f key_name

When you run the ssh-keygen command as shown preceding, it creates the public and private keys as files in the current directory.

Create SSH keys on Windows

Windows uses a slightly different SSH key pair format. The public key must be in the PUB format, and the private key must be in the PPK format. On Windows, you can use PuTTYgen to create an SSH key pair in the appropriate formats. You can also use PuTTYgen to convert a private key generated using ssh-keygen to a PPK file. If you present WinSCP with a private key file not in PPK format, that client offers to convert the key into PPK format for you.

To view a tutorial on creating SSH keys using PuTTYgen on Windows, see the website.

Rotate SSH keys

For security, we recommend the best practice of rotating your SSH keys. Usually, this rotation is specified as a part of a security policy and is implemented in some automated fashion. Depending upon the level of security, for a highly sensitive communication, an SSH key pair might be used only once. Doing this eliminates any risk due to stored keys. However, it is much more common to store SSH credentials for a period of time and set an interval that doesn't place undue burden on users. A time interval of three months is common.

There are two methods used to perform SSH key rotation:

  • For a single user, the SSH public key can be deleted in the console and a new SSH public key can be uploaded.

  • For multiple users, you can update existing users using the UpdateUsers API command and a JSON data file.

To perform a key rotation for a single existing user

  1. Open the AWS Transfer Family console at

  2. Navigate to the Servers page.

  3. Choose the identifier in the Server ID column to see the Server details page.

  4. Under Users, choose the user whose SSH public key that you want to replace.

  5. Choose the SSH public key (fingerprint) that you want to rotate, and then choose Delete.

  6. Confirm the deletion operation by entering the word delete for Confirm Deletion, and then choose Delete.

  7. Choose Add SSH public key to see the Add key screen.

    You return to the User details page, and the new SSH public key that you just uploaded appears in the SSH public keys section.

To perform SSH public key rotation for multiple users, prepare the appropriate JSON data file and issue the UpdateUser API command.