Welcome to the AWS Transfer Family API
AWS Transfer Family offers fully managed support for the transfer of files over SFTP, AS2, FTPS, FTP, and web browser-based transfers directly into and out of AWS storage services.
File transfer protocols are used in data exchange workflows across different industries such as financial services, healthcare, advertising, and retail, among others. AWS Transfer Family simplifies the migration of file transfer workflows to AWS.
To use the AWS Transfer Family service, you instantiate a server in the AWS Region of your choice. You can create the server, list available servers, and update and delete servers. The server is the entity that requests file operations from AWS Transfer Family. Servers have a number of important properties. The server is a named instance identified by a system-assigned ServerId identifier. You can optionally assign a hostname, or even a custom hostname, to a server. The service bills for any instantiated servers (even ones that are OFFLINE), and for the amount of data transferred.
Users must be known to the server that requests file operations. A user, identified by their username, is assigned to a server. Usernames are used to authenticate requests. A server can have only one authentication method: AWS_DIRECTORY_SERVICE, SERVICE_MANAGED, AWS_LAMBDA, or API_GATEWAY.
This API interface reference for AWS Transfer Family contains documentation for a programming interface that you can use to manage AWS Transfer Family. The reference structure is as follows:
- For the alphabetical list of API actions, see Actions.
- For the alphabetical list of data types, see Data Types.
- For a list of common query parameters, see Common Parameters.
- For descriptions of the error codes, see Common Errors.
Tip
Rather than actually running a command, you can use the --generate-cli-skeleton parameter with any API call to generate and display a parameter template. You can then customize the generated template and use it as input on a later command. For details, see Generate and use a parameter skeleton file.
Identity Providers
AWS Transfer Family supports multiple identity provider types to authenticate and manage users. Each server can use only one authentication method, which must be selected when the server is created.
- Service Managed: With the SERVICE_MANAGED authentication method, user credentials are stored and managed within AWS Transfer Family. Users are authenticated using SSH public keys that are associated with their username on the server. Each user can have one or more SSH public keys stored in the service. When a client requests a file operation, it provides the username and SSH private key, which is authenticated against the stored public key.
- AWS Directory Service: The AWS_DIRECTORY_SERVICE authentication method allows you to integrate with AWS Directory Service for Microsoft Active Directory. This option enables you to manage user authentication and access through your existing Active Directory groups. Users can authenticate using their Active Directory credentials. There is a default limit of 100 Active Directory groups per server, which can be increased to a maximum of 150 groups through a service limit increase.
- Lambda: The AWS_LAMBDA authentication method allows you to connect to a custom identity provider using AWS Lambda. This option provides flexibility to integrate with your existing identity management systems. The Lambda function is responsible for authenticating users and returning the appropriate access policies.
- Custom (API Gateway): The API_GATEWAY authentication method (displayed as Custom in the console) allows you to use a custom authentication method that provides both user authentication and access control. This method relies on Amazon API Gateway to invoke your identity provider's API to validate user requests. You might use this custom method to authenticate users against a directory service, a database name/password pair, or some other mechanism.
For all authentication methods, users are assigned policies that define their access to Amazon S3 buckets or Amazon Elastic File System file systems. The server inherits the trust relationship from the user through an IAM role with an AssumeRole action, allowing it to perform file operations on behalf of the user.
Naming Conventions
AWS Transfer Family uses standardized formats for resource identifiers and Amazon Resource Names (ARNs). Understanding these conventions is important when working with the AWS Transfer Family API.
ID Formats
The following conventions are observed in AWS Transfer Family ID formats:
- Server IDs: ServerId values take the form s-01234567890abcdef.
- SSH Public Key IDs: SshPublicKeyId values take the form key-01234567890abcdef.
- Connector IDs: ConnectorId values take the form c-01234567890abcdef.
- Workflow IDs: WorkflowId values take the form w-01234567890abcdef.
- Profile IDs: ProfileId values take the form p-01234567890abcdef.
ARN Formats
Amazon Resource Name (ARN) formats take the following form:
- Server ARNs: For servers, ARNs take the form arn:aws:transfer:region:account-id:server/server-id. Example: arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef
- User ARNs: For users, ARNs take the form arn:aws:transfer:region:account-id:user/server-id/username. Example: arn:aws:transfer:us-east-1:123456789012:user/s-01234567890abcdef/user1
- Connector ARNs: For connectors, ARNs take the form arn:aws:transfer:region:account-id:connector/connector-id. Example: arn:aws:transfer:us-east-1:123456789012:connector/c-01234567890abcdef
- Workflow ARNs: For workflows, ARNs take the form arn:aws:transfer:region:account-id:workflow/workflow-id. Example: arn:aws:transfer:us-east-1:123456789012:workflow/w-01234567890abcdef
You can assign tags, which are key-value pairs, to entities with an ARN. Tags are metadata that can be used to group or search for these entities. One example where tags are useful is for accounting purposes.
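Added example (not AWS code): a small Python validator for the ID and ARN shapes described above, of the kind you would run over resource references before writing them into an IAM policy resource element or matching them in CloudTrail events. The 17-character hex ID body and the pinned aws partition are assumptions taken from the documented examples.

```python
import re

# ID prefixes documented for AWS Transfer Family: s- (ServerId), key- (SshPublicKeyId),
# c- (ConnectorId), w- (WorkflowId), p- (ProfileId). The documented examples carry a
# 17-character lowercase hex body; requiring that length is an assumption of this example.
ID_RE = re.compile(r"^(?P<prefix>s|key|c|w|p)-[0-9a-f]{17}$")
ID_KIND = {"s": "server", "key": "sshkey", "c": "connector", "w": "workflow", "p": "profile"}

# arn:aws:transfer:region:account-id:<type>/<resource>, as documented. Partition is pinned
# to "aws" and region to the us-east-1 style shape, matching the page's examples.
ARN_RE = re.compile(
    r"^arn:aws:transfer:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+):(?P<account>\d{12}):"
    r"(?P<rtype>server|user|connector|workflow)/(?P<rest>\S+)$"
)

# The ID prefix each ARN resource type must carry (user ARNs embed a server ID).
EXPECTED_PREFIX = {"server": "s", "user": "s", "connector": "c", "workflow": "w"}


def parse_resource_id(value):
    """Return (kind, value) for a well-formed Transfer Family ID, else None."""
    m = ID_RE.match(value)
    return (ID_KIND[m.group("prefix")], value) if m else None


def parse_transfer_arn(arn):
    """Split a Transfer Family ARN into its parts, or return None if malformed.

    User ARNs are arn:...:user/<server-id>/<username>; every other type ends in its
    resource ID. The embedded ID must carry the prefix for that type, so an ARN such
    as ...:server/c-... (a connector ID under the server type) is rejected.
    """
    m = ARN_RE.match(arn)
    if not m:
        return None
    rtype, parts = m.group("rtype"), m.group("rest").split("/")
    if rtype == "user":
        if len(parts) != 2 or not parts[1]:
            return None
        resource_id, extra = parts[0], {"username": parts[1]}
    else:
        if len(parts) != 1:
            return None
        resource_id, extra = parts[0], {}
    if parse_resource_id(resource_id) is None or not resource_id.startswith(EXPECTED_PREFIX[rtype] + "-"):
        return None
    return {"region": m.group("region"), "account": m.group("account"),
            "type": rtype, "id": resource_id, **extra}
```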
DNS and Endpoints
AWS Transfer Family uses standardized DNS naming conventions for both API endpoints and server endpoints. Understanding these endpoints is essential for configuring clients and making API calls.
API Endpoints
API endpoints are used for making API calls to manage AWS Transfer Family resources. These endpoints take the following forms:
- Standard API Endpoints: Standard API endpoints take the form transfer.region.amazonaws.com. Example: transfer.us-east-1.amazonaws.com
- Dual-Stack API Endpoints: AWS Transfer Family offers dual-stack API endpoints that can be accessed using either IPv4 or IPv6 requests:
  - https://transfer.region-code.api.aws
  - https://transfer-fips.region-code.api.aws
Server Endpoints
Server endpoints are used by file transfer clients to connect to AWS Transfer Family servers. These endpoints take the following forms:
- Standard Server Endpoints: Standard server endpoints take the form server.transfer.region.amazonaws.com. Example: server.transfer.us-east-1.amazonaws.com
- Custom Hostnames: You can also configure custom hostnames for your AWS Transfer Family servers. Custom hostnames can be used to provide a more user-friendly or branded experience for your users. To use a custom hostname, you must:
  - Own the domain name
  - Provide a valid certificate
  - Configure DNS records to point to your AWS Transfer Family server
For a complete list of AWS Transfer Family endpoints by AWS Region, see the AWS Transfer Family endpoints and quotas in the AWS General Reference.