

# Creating SFTP connectors


This topic describes how to create SFTP connectors. Each connector provides the ability to connect with one remote SFTP server. You perform the following high-level tasks to configure an SFTP connector.

**Note**  
For VPC-based connectors that route traffic through your Virtual Private Cloud, see [Create an SFTP connector with VPC-based egress](create-vpc-sftp-connector-procedure.md).

1. Store the authentication credentials for the connector in AWS Secrets Manager.

1. Create the connector by specifying the secret ARN, the remote server's URL or Resource Configuration ARN, the security policy containing the algorithms that the connector will support, and other configuration settings.

1. After you create the connector, you can test it to ensure that it can establish connections with the remote SFTP server.

## Choosing SFTP connector egress type


When you create an SFTP connector, you choose the Egress Type between "Service managed" and "VPC Lattice".
+ **Service managed** (default): The connector uses NAT gateways and IP addresses owned by AWS Transfer Family to route connections over the public internet. The service provides 3 static IP addresses for your connectors that need to be allowlisted on the remote servers to establish connections.
+ **VPC Lattice**: The connector routes traffic through your VPC environment using Amazon VPC Lattice. Use VPC connectivity for SFTP connectors in these scenarios:
  + **Private SFTP servers**: Connect to SFTP servers that are only accessible from your VPC
  + **On-premises connectivity**: Connect to on-premises SFTP servers through AWS Direct Connect or AWS Virtual Private Network connections
  + **Custom IP addresses**: Present your own NAT gateways and Elastic IP addresses to the remote server
  + **Centralized security controls**: Route file transfers through your organization's central ingress/egress controls

The following matrix helps you choose the right connector type for your use-cases.


**SFTP Connector Egress Type matrix**  

| Capability | Egress Type = Service managed | Egress Type = VPC Lattice | 
| --- | --- | --- | 
| Connectivity to Publicly hosted (internet-accessible) SFTP servers | Supported | Supported¹ | 
| Connectivity to Privately hosted (on-premises) SFTP servers | Not supported | Supported² | 
| Connectivity to Privately hosted (in-VPC) SFTP servers | Not supported | Supported | 
| Static IP addresses presented to remote SFTP server | Supported via service supplied static IP addresses | Supported via customer owned static IP addresses | 
| Bandwidth available | 50 MBPS per account | Higher bandwidth, as available from customer owned Resource Gateway and NAT Gateway | 
| Traffic routing to internet over customer-owned NAT Gateways and Network Firewalls | Not supported. NAT Gateways are owned and managed by Transfer Family service. | Supported | 

¹ *With Egress Type = VPC Lattice, connectivity to publicly hosted servers is supported using the egress infrastructure (NAT Gateways) set up in your egress VPCs.*

² *With Egress Type = VPC Lattice, connectivity to privately hosted servers is supported using existing networks in your VPC, such as AWS Direct Connect or VPN.*

## Choosing IP addressing mode


When you create an SFTP connector with service-managed egress, you can choose between two IP addressing modes:
+ **IPv4 only** (default): The connector uses IPv4 addresses exclusively to connect to the remote SFTP server. This is the default mode when creating connectors through the console, AWS CLI, or API.
+ **Dual-stack**: The connector supports both IPv6 and IPv4 addresses. In dual-stack mode, the connector prefers IPv6 when DNS resolution returns IPv6 results, and uses IPv4 when only IPv4 DNS results are returned.

**Note**  
IP addressing mode applies only to connectors with service-managed egress type. Connectors that use VPC Lattice egress do not support this setting.

**Topics**
+ [Choosing SFTP connector egress type](#choosing-egress-type)
+ [Choosing IP addressing mode](#choosing-ip-address-type)
+ [Store authentication credentials for SFTP connectors in Secrets Manager](sftp-connector-secret-procedure.md)
+ [Create an SFTP connector with service-managed egress](create-sftp-connector-procedure.md)
+ [Create an SFTP connector with VPC-based egress](create-vpc-sftp-connector-procedure.md)
+ [Test an SFTP connector](test-sftp-connector.md)

# Store authentication credentials for SFTP connectors in Secrets Manager

You can use Secrets Manager to store user credentials for your SFTP connectors. When you create your secret, you must provide a username. Additionally, you can provide either a password, a private key, or both. For details, see [Quotas for SFTP connectors](scale-and-limits-sftp-connector.md#limits-sftp-connector).

**Note**  
When you store secrets in Secrets Manager, your AWS account incurs charges. For information about pricing, see [AWS Secrets Manager Pricing](https://aws.amazon.com/secrets-manager/pricing).

**To store user credentials in Secrets Manager for an SFTP connector**

1. Sign in to the AWS Management Console and open the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

1. In the left navigation pane, choose **Secrets**. 

1. On the **Secrets** page, choose **Store a new secret**.

1. On the **Choose secret type** page, for **Secret type**, choose **Other type of secret**.

1. Provide the key/value information for your secret: you need to provide the username and a password, a private key, or both.

   1. In the **Key/value pairs** section, choose the **Key/value** tab.
      + **Key** – Enter **Username**.
      + **Value** – Enter the name of the user that is authorized to connect to the partner's server.

   1. If you want to provide a key pair, choose **Add row**, and in the **Key/value pairs** section, choose the **Key/value** tab.
      + **Key** – Enter **PrivateKey**.
      + **Value** – Paste in your private key.

      **Tip**: The private key data that you enter must correspond to the public key that is stored for this user on the remote SFTP server.

      **Note**  
      It is not possible to use a passphrase-protected private key for authentication with an AWS Transfer Family SFTP connector.

      For details on how to generate a public/private key pair, see [Creating SSH keys on macOS, Linux, or Unix](macOS-linux-unix-ssh.md).

   1. If you want to provide a password, choose **Add row**, and in the **Key/value pairs** section, choose the **Key/value** tab.
      + **Key** – Enter **Password**.
      + **Value** – Enter the password for the user.

1. Choose **Next**.

1. On the **Configure secret** page, enter a name and description for your secret. We recommend that you use a prefix of **aws/transfer/** for the name. For example, you could name your secret **aws/transfer/connector-1**.

1. Choose **Next**, and then accept the defaults on the **Configure rotation** page. Then choose **Next**.

1. On the **Review** page, choose **Store** to create and store the secret.
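The following added example (not AWS's own code) assembles the secret string described above and checks the one thing the console cannot check for you: that a pasted private key is not passphrase-protected. The function names, the sample key material and the openssh-key-v1 container header are constructed for this example.

```python
import base64
import json
import struct
from typing import Optional


def _read_ssh_string(buf: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def private_key_is_encrypted(key_text: str) -> bool:
    """Return True when the pasted private key is passphrase-protected.

    Covers the formats a user is likely to paste: legacy PEM with a
    'Proc-Type: 4,ENCRYPTED' header, PKCS#8 'ENCRYPTED PRIVATE KEY', and the
    OpenSSH 'openssh-key-v1' container, whose cipher and KDF names are both
    'none' only when the key is unprotected.
    """
    text = key_text.strip()
    if "ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text:
        return True
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(ln for ln in text.splitlines() if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("malformed OpenSSH private key")
        cipher, off = _read_ssh_string(blob, len(magic))
        kdf, _ = _read_ssh_string(blob, off)
        return not (cipher == b"none" and kdf == b"none")
    return False  # plain PEM (e.g. 'BEGIN RSA PRIVATE KEY' with no encryption headers)


def build_connector_secret(username: str, password: Optional[str] = None,
                           private_key: Optional[str] = None) -> str:
    """Return the JSON secret string for a secret such as aws/transfer/connector-1.

    The secret needs a Username plus a Password, a PrivateKey, or both.
    """
    if not username:
        raise ValueError("Username is required")
    if password is None and private_key is None:
        raise ValueError("provide a Password, a PrivateKey, or both")
    secret = {"Username": username}
    if password is not None:
        secret["Password"] = password
    if private_key is not None:
        if private_key_is_encrypted(private_key):
            raise ValueError("passphrase-protected private keys cannot be used by SFTP connectors")
        secret["PrivateKey"] = private_key
    return json.dumps(secret)


def constructed_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed sample: a minimal openssh-key-v1 container header, NOT a usable key.

    Only the magic, cipher name and KDF name are populated, which is all the
    check above inspects.
    """
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = (b"openssh-key-v1\x00" + s(cipher.encode()) + s(kdf.encode())
            + s(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    # The printed string is what you would pass as --secret-string to
    # `aws secretsmanager create-secret --name aws/transfer/connector-1`.
    print(build_connector_secret("partner-user",
                                 private_key=constructed_openssh_key("none", "none")))
```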

# Create an SFTP connector with service-managed egress


This procedure explains how to create SFTP connectors by using the AWS Transfer Family console or AWS CLI.

------
#### [ Console ]<a name="create-sftp-connector"></a>

**To create an SFTP connector**

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. In the left navigation pane, choose **SFTP Connectors**, then choose **Create SFTP connector**.

1. In the **Connector configuration** section, for **Egress type**, choose **Service managed**. This option uses AWS Transfer Family managed egress infrastructure. The Transfer Family service provides and manages static IP addresses for each SFTP connector.

1. In the **Connector configuration** section, provide the following information:  
![\[The Transfer Family SFTP connector console, showing the Connector configuration settings.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/create-connector-example-config.png)
   + For the **URL**, enter the URL for a remote SFTP server. This URL must be formatted as `sftp://partner-SFTP-server-url`, for example `sftp://AnyCompany.com`.
**Note**  
Optionally, you can provide a port number in your URL. The format is `sftp://partner-SFTP-server-url:port-number`. The default port number (when no port is specified) is port 22.
   + For the **Access role**, choose the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to use.
     + **Make sure that this role provides read and write access** to the parent directory of the file location that's used in the `StartFileTransfer` request.
     + **Make sure that this role provides permission** for `secretsmanager:GetSecretValue` to access the secret.
**Note**  
In the policy, you must specify the ARN for the secret. The ARN contains the secret name, followed by a hyphen and six random alphanumeric characters that Secrets Manager appends. An ARN for a secret has the following format.  

       ```
       arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters
       ```
     + **Make sure this role contains a trust relationship** that allows the connector to access your resources when servicing your users' transfer requests. For details on establishing a trust relationship, see [To establish a trust relationship](requirements-roles.md#establish-trust-transfer).  

     ```
     {
       "Version": "2012-10-17",
       "Statement": [
         {
             "Sid": "AllowListingOfUserFolder",
             "Action": [
                 "s3:ListBucket",
                 "s3:GetBucketLocation"
             ],
             "Effect": "Allow",
             "Resource": [
                 "arn:aws:s3:::amzn-s3-demo-bucket"
             ]
         },
         {
             "Sid": "HomeDirObjectAccess",
             "Effect": "Allow",
             "Action": [
                 "s3:PutObject",
                 "s3:GetObject",
                 "s3:DeleteObject",
                 "s3:DeleteObjectVersion",
                 "s3:GetObjectVersion",
                 "s3:GetObjectACL",
                 "s3:PutObjectACL"
             ],
             "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
         },
         {
             "Sid": "GetConnectorSecretValue",
             "Effect": "Allow",
             "Action": [
                 "secretsmanager:GetSecretValue"
             ],
             "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:aws/transfer/SecretName-6RandomCharacters"
         }
       ]
     }
     ```
**Note**  
For the access role, the example grants access to a single secret. However, you can use a wildcard character, which can save work if you want to reuse the same IAM role for multiple users and secrets. For example, the following resource statement grants permissions for all secrets that have names beginning with `aws/transfer`.  

     ```
     "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/*"
     ```
You can also store secrets containing your SFTP credentials in another AWS account. For details on enabling cross-account secret access, see [Permissions to AWS Secrets Manager secrets for users in a different account](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html).

1. Complete the connector configuration:
   + (Optional) For the **Logging role**, choose the IAM role for the connector to use to push events to your CloudWatch logs. The following example policy lists the necessary permissions to log events for SFTP connectors.  

     ```
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "VisualEditor0",
                 "Effect": "Allow",
                 "Action": [
                     "logs:CreateLogStream",
                     "logs:DescribeLogStreams",
                     "logs:CreateLogGroup",
                     "logs:PutLogEvents"
                 ],
                 "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*"
             }
         ]
     }
     ```

1. In the **SFTP Configuration** section, provide the following information:  
![\[The Transfer Family SFTP connector console, showing the SFTP configuration settings.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/create-connector-example-sftp-config.png)
   + For **Connector credentials**, from the dropdown list, choose the name of a secret in AWS Secrets Manager that contains the SFTP user's private key or password. You must create a secret and store it in a specific manner. For details, see [Store authentication credentials for SFTP connectors in Secrets Manager](sftp-connector-secret-procedure.md).
   + (Optional) You can create your connector with the `TrustedHostKeys` parameter empty, but the connector cannot transfer files with the remote server until you add this parameter to its configuration. You can enter the trusted host key(s) when you create the connector, or update the connector later with the host key information that the `TestConnection` console action or API command returns. That is, for the **Trusted host keys** text box, you can do either of the following:
     + **Provide the Trusted Host Key(s) at the time of creating your connector.** Paste in the public portion of the host key that is used to identify the external server. You can add more than one key by choosing **Add trusted host key** to add an additional key. You can use the `ssh-keyscan` command against the SFTP server to retrieve the necessary key. For details about the format and type of trusted host keys that Transfer Family supports, see [https://docs.aws.amazon.com//transfer/latest/APIReference/API_SftpConnectorConfig.html](https://docs.aws.amazon.com//transfer/latest/APIReference/API_SftpConnectorConfig.html).
     + **Leave the Trusted Host Key(s) text box empty when creating your connector and update your connector later with this information.** If you do not have the host key information when you create the connector, leave this parameter empty for now and proceed with creating the connector. After the connector is created, use the new connector's ID to run the `TestConnection` command, either in the AWS CLI or from the connector's detail page. If successful, `TestConnection` returns the necessary host key information. You can then edit your connector in the console (or by running the `UpdateConnector` AWS CLI command) and add the host key information that `TestConnection` returned.
**Important**  
If you retrieve the remote server's host key by running `TestConnection`, make sure that you perform out-of-band validation on the key that is returned.  
You must accept the new key as trusted, or verify the presented fingerprint with a previously known fingerprint that you have received from the owner of the remote SFTP server you are connecting to.
   + (Optional) For **Maximum concurrent connections**, from the dropdown list, choose the number of concurrent connections that your connector creates to the remote server. The default selection on the console is **5**.

     This setting specifies the number of active connections that your connector can establish with the remote server at the same time. Creating concurrent connections can enhance connector performance by enabling parallel operations.

1. In the **Cryptographic algorithm options** section, choose a **Security policy** from the dropdown list in the **Security Policy** field. The security policy enables you to select the cryptographic algorithms that your connector supports. For details on the available security policies and algorithms, see [Security policies for AWS Transfer Family SFTP connectors](security-policies-connectors.md).

1. (Optional) In the **Tags** section, for **Key** and **Value**, enter one or more tags as key-value pairs.

1. After you have confirmed all of your settings, choose **Create SFTP connector** to create the SFTP connector. If the connector is created successfully, a screen appears with a list of the assigned static IP addresses and a **Test connection** button. Use the button to test the configuration for your new connector.  
![\[The connector creation screen that appears when an SFTP connector has been successfully created. It contains a button for testing the connection and a list of the service-managed static IP addresses of this connector.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/connector-success-ip.png)

The **Connectors** page appears, with the ID of your new SFTP connector added to the list. To view the details for your connectors, see [View SFTP connector details](manage-sftp-connectors.md#sftp-connectors-view-info).
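The host-key pinning step above, as an added example that is not part of this guide: it parses an `ssh-keyscan` line (or the key returned by `TestConnection`), verifies the declared key type against the type embedded in the key blob, computes the OpenSSH-style SHA256 fingerprint so you can compare it with the one the server owner gave you out of band, and only then emits the `TrustedHostKeys` entry, keeping the host name for a service-managed connector or dropping it for a VPC Lattice connector. The `sftp.example.com` key is constructed, not a real server key.

```python
import base64
import hashlib
import struct
from typing import Optional, Tuple


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob).

    This is the form `ssh-keygen -lf` prints, so the server owner can read it
    off their own host key for the out-of-band comparison.
    """
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_host_key_line(line: str) -> Tuple[Optional[str], str, bytes]:
    """Parse 'host type base64' (ssh-keyscan output) or 'type base64' (bare key).

    Returns (host name or None, declared key type, decoded key blob). The key
    type embedded in the blob must equal the declared type; a mismatch means
    the line was mangled in transit or edited.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        raise ValueError("not a host key line (blank or ssh-keyscan comment)")
    parts = stripped.split()
    if len(parts) >= 3:
        host, ktype, data = parts[0], parts[1], parts[2]
    elif len(parts) == 2:
        host, ktype, data = None, parts[0], parts[1]
    else:
        raise ValueError("expected '[host] key-type base64-data'")
    blob = base64.b64decode(data, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode()
    if embedded != ktype:
        raise ValueError(f"declared type {ktype} but blob contains {embedded}")
    return host, ktype, blob


def trusted_host_key_entry(line: str, expected_fingerprint: str,
                           vpc_lattice: bool = False) -> str:
    """Return the TrustedHostKeys value, but only if the key's fingerprint
    equals the one obtained out of band from the server owner.

    For a VPC Lattice connector the host name is dropped; otherwise the
    ssh-keyscan form 'host type data' is kept.
    """
    host, ktype, blob = parse_host_key_line(line)
    actual = fingerprint(blob)
    if actual != expected_fingerprint:
        raise ValueError(f"fingerprint {actual} != expected {expected_fingerprint}; "
                         "refusing to trust this key")
    entry = f"{ktype} {base64.b64encode(blob).decode()}"
    if vpc_lattice or host is None:
        return entry
    return f"{host} {entry}"


def constructed_keyscan_line() -> str:
    """Constructed sample ssh-keyscan line with a structurally valid ssh-ed25519
    blob (32 bytes of counter data, NOT a real server key)."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-ed25519") + s(bytes(range(32)))
    return "sftp.example.com ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    line = constructed_keyscan_line()
    _, _, blob = parse_host_key_line(line)
    print("fingerprint to confirm with the server owner:", fingerprint(blob))
```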

------
#### [ CLI ]

You use the [CreateConnector](https://docs.aws.amazon.com/transfer/latest/APIReference/API_CreateConnector.html) command to create a connector. To use this command to create an SFTP connector, you must provide the following information.
+ The URL for a remote SFTP server. This URL must be formatted as `sftp://partner-SFTP-server-url`, for example `sftp://AnyCompany.com`.
+ The access role. Choose the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to use.
  + **Make sure that this role provides read and write access** to the parent directory of the file location that's used in the `StartFileTransfer` request.
  + **Make sure that this role provides permission** for `secretsmanager:GetSecretValue` to access the secret.
**Note**  
In the policy, you must specify the ARN for the secret. The ARN contains the secret name, followed by a hyphen and six random alphanumeric characters that Secrets Manager appends. An ARN for a secret has the following format.  

    ```
    arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters
    ```
  + **Make sure this role contains a trust relationship** that allows the connector to access your resources when servicing your users' transfer requests. For details on establishing a trust relationship, see [To establish a trust relationship](requirements-roles.md#establish-trust-transfer).  

  ```
  {
    "Version": "2012-10-17",
    "Statement": [
      {
          "Sid": "AllowListingOfUserFolder",
          "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation"
          ],
          "Effect": "Allow",
          "Resource": [
              "arn:aws:s3:::amzn-s3-demo-bucket"
          ]
      },
      {
          "Sid": "HomeDirObjectAccess",
          "Effect": "Allow",
          "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:DeleteObject",
              "s3:DeleteObjectVersion",
              "s3:GetObjectVersion",
              "s3:GetObjectACL",
              "s3:PutObjectACL"
          ],
          "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
      },
      {
          "Sid": "GetConnectorSecretValue",
          "Effect": "Allow",
          "Action": [
              "secretsmanager:GetSecretValue"
          ],
          "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:aws/transfer/SecretName-6RandomCharacters"
      }
    ]
  }
  ```
**Note**  
For the access role, the example grants access to a single secret. However, you can use a wildcard character, which can save work if you want to reuse the same IAM role for multiple users and secrets. For example, the following resource statement grants permissions for all secrets that have names beginning with `aws/transfer`.  

  ```
  "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/*"
  ```
You can also store secrets containing your SFTP credentials in another AWS account. For details on enabling cross-account secret access, see [Permissions to AWS Secrets Manager secrets for users in a different account](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html).
+ (Optional) Choose the IAM role for the connector to use to push events to your CloudWatch logs. The following example policy lists the necessary permissions to log events for SFTP connectors.  

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": [
                  "logs:CreateLogStream",
                  "logs:DescribeLogStreams",
                  "logs:CreateLogGroup",
                  "logs:PutLogEvents"
              ],
              "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*"
          }
      ]
  }
  ```
+ Provide the following SFTP configuration information.
  + The ARN of a secret in AWS Secrets Manager that contains the SFTP user's private key or password.
  + The public portion of the host key that is used to identify the external server. You can provide multiple trusted host keys if you like.

  The easiest way to provide the SFTP information is to save it to a file. For example, copy the following example text to a file named `testSFTPConfig.json`.

  ```
  {
     "UserSecretId": "arn:aws:secretsmanager:us-east-2:123456789012:secret:aws/transfer/example-username-key",
     "TrustedHostKeys": [
        "sftp.example.com ssh-rsa AAAAbbbb...EEEE="
     ]
  }
  ```
+ Specify a security policy for your connector, entering the security policy name.

**Note**  
The `UserSecretId` can be either the entire ARN or the name of the secret (*example-username-key* in the previous listing).

Then run the following command to create the connector:

```
aws transfer create-connector --url "sftp://partner-SFTP-server-url" \
--access-role your-IAM-role-for-bucket-access \
--logging-role arn:aws:iam::your-account-id:role/service-role/AWSTransferLoggingAccess \
--sftp-config file:///path/to/testSFTPConfig.json \
--security-policy-name security-policy-name \
--maximum-concurrent-connections integer-from-1-to-5
```
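The access-role checklist above, as an added policy linter that is not AWS tooling: it evaluates the Allow statements of the policy for the checklist items (list the bucket, read and write objects under the parent directory used by `StartFileTransfer`, and `secretsmanager:GetSecretValue` on the connector secret) and flags secret grants wider than the `aws/transfer/` prefix. IAM wildcard matching is approximated with `fnmatch`, and Deny statements and conditions are not evaluated (assumptions of this example).

```python
import json
from fnmatch import fnmatchcase
from typing import Any, List


def _as_list(value: Any) -> list:
    """IAM allows a string or a list for Action and Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """Approximate IAM wildcard matching ('*' and '?') with fnmatch."""
    return fnmatchcase(value.lower(), pattern.lower())


def _allows(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers the action on the resource.
    Deny statements and Condition blocks are ignored in this simplified check."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if (any(_matches(a, action) for a in _as_list(st.get("Action", [])))
                and any(_matches(r, resource) for r in _as_list(st.get("Resource", [])))):
            return True
    return False


def lint_access_role_policy(policy_json: str, bucket: str, parent_prefix: str,
                            secret_arn: str) -> List[str]:
    """Return a list of findings; an empty list means the checklist is satisfied."""
    policy = json.loads(policy_json)
    findings: List[str] = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefix = parent_prefix.strip("/")
    # A representative object key under the parent directory of the transfer.
    sample_object = f"{bucket_arn}/{prefix + '/' if prefix else ''}sample-file"

    if not _allows(policy, "s3:ListBucket", bucket_arn):
        findings.append(f"missing s3:ListBucket on {bucket_arn}")
    for action in ("s3:GetObject", "s3:PutObject"):
        if not _allows(policy, action, sample_object):
            findings.append(f"missing {action} on objects under {parent_prefix}")
    if not _allows(policy, "secretsmanager:GetSecretValue", secret_arn):
        findings.append(f"missing secretsmanager:GetSecretValue on {secret_arn}")

    # Least privilege: secret access should stay within the aws/transfer/ prefix.
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if not any(_matches(a, "secretsmanager:GetSecretValue")
                   for a in _as_list(st.get("Action", []))):
            continue
        for res in _as_list(st.get("Resource", [])):
            name = res.split(":secret:", 1)[1] if ":secret:" in res else ""
            if not name.startswith("aws/transfer/"):
                findings.append(f"secret access {res!r} is broader than the aws/transfer/ prefix")
    return findings


# The access role policy shown on this page, with its bucket and secret ARNs.
PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"]},
    {"Sid": "HomeDirObjectAccess", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
                "s3:GetObjectVersion", "s3:GetObjectACL", "s3:PutObjectACL"],
     "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"},
    {"Sid": "GetConnectorSecretValue", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue"],
     "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:aws/transfer/SecretName-6RandomCharacters"}
  ]
}"""

PAGE_SECRET_ARN = "arn:aws:secretsmanager:us-west-2:111122223333:secret:aws/transfer/SecretName-6RandomCharacters"

if __name__ == "__main__":
    print(lint_access_role_policy(PAGE_POLICY, "amzn-s3-demo-bucket", "/", PAGE_SECRET_ARN))
```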

When you describe a connector with the VPC Lattice egress type, the response includes the egress-related fields:

```
{
   "Connector": { 
      "AccessRole": "arn:aws:iam::123456789012:role/connector-role",
      "Arn": "arn:aws:transfer:us-east-1:123456789012:connector/c-1234567890abcdef0",
      "ConnectorId": "c-1234567890abcdef0",
      "Status": "ACTIVE",
      "EgressConfig": {
        "VpcLattice": {
          "ResourceConfigurationArn": "arn:aws:vpc-lattice:us-east-1:123456789012:resourceconfiguration/rcfg-12345678",
          "PortNumber": 22
        }
      },
      "EgressType": "VPC",
      "ServiceManagedEgressIpAddresses": null,
      "SftpConfig": { 
         "TrustedHostKeys": [ "ssh-rsa AAAAB3NzaC..." ],
         "UserSecretId": "aws/transfer/connector-secret"
      },
      "Url": "sftp://my.sftp.server.com:22"
   }
}
```

Note that `ServiceManagedEgressIpAddresses` is null for VPC egress type connectors since traffic routes through your VPC instead of AWS managed infrastructure.

------

# Create an SFTP connector with VPC-based egress


This topic provides step-by-step instructions for creating SFTP connectors with VPC connectivity. VPC Lattice-enabled connectors use Amazon VPC Lattice to route traffic through your Virtual Private Cloud, enabling secure connections to private endpoints or using your own NAT gateways for internet access.

**When to use VPC connectivity**

Use VPC connectivity for SFTP connectors in these scenarios:
+ **Private SFTP servers**: Connect to SFTP servers that are only accessible from your VPC.
+ **On-premises connectivity**: Connect to on-premises SFTP servers through AWS Direct Connect or AWS Site-to-Site VPN connections.
+ **Custom IP addresses**: Use your own NAT gateways and Elastic IP addresses, including BYOIP scenarios.
+ **Centralized security controls**: Route file transfers through your organization's central ingress/egress controls.

![\[Architecture diagram showing VPC-based egress for SFTP connectors, illustrating how Cross-VPC Resource Access enables secure connections through your Virtual Private Cloud.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/vpc-egress-diagram.png)


## Prerequisites for VPC Lattice-enabled SFTP connectors


Before creating a VPC Lattice-enabled SFTP connector, you must complete the following prerequisites:

**How VPC-based connectivity works**

VPC Lattice enables you to securely share VPC resources with other AWS services. AWS Transfer Family uses a service network to simplify the resource sharing process. The key components are:
+ **Resource Gateway**: Serves as the point of access into your VPC. You create this in your VPC with a minimum of two Availability Zones.
+ **Resource Configuration**: Contains the private IP address or public DNS name of the SFTP server you want to connect to.

When you create a VPC Lattice-enabled connector, AWS Transfer Family uses Forward Access Session (FAS) to temporarily obtain your credentials and associate your Resource Configuration with our service network.

**Required setup steps**

1. **VPC infrastructure**: Ensure you have a properly configured VPC with the necessary subnets, route tables, and security groups for your SFTP server connectivity requirements.

1. **Resource Gateway**: Create a Resource Gateway in your VPC using the VPC Lattice `create-resource-gateway` command. The Resource Gateway must be associated with subnets in at least two Availability Zones. For more information, see [Resource gateways](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-gateway.html) in the *Amazon VPC Lattice User Guide*.

1. **Resource Configuration**: Create a Resource Configuration that represents the target SFTP server using the VPC Lattice `create-resource-configuration` command. You can specify either:
   + A private IP address for private endpoints
   + A public DNS name for public endpoints (IP addresses are not supported for public endpoints)

1. **Authentication credentials**: Store the SFTP user credentials in AWS Secrets Manager as described in [Store authentication credentials for SFTP connectors in Secrets Manager](sftp-connector-secret-procedure.md).

**Important**  
The Resource Gateway and Resource Configuration must be created in the same AWS account. When creating a Resource Configuration, you must first have a Resource Gateway in place.

For more information on VPC resource configurations, see [Resource configurations](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-configuration.html) in the *Amazon VPC Lattice User Guide*.

**Note**  
VPC connectivity for SFTP connectors is available in AWS Regions where Amazon VPC Lattice resources are available. For more information, see [VPC Lattice FAQs](https://aws.amazon.com/vpc/lattice/faqs/#topic-0). Availability Zone support varies by region, and Resource Gateways require a minimum of two Availability Zones.

## Create a VPC Lattice-enabled SFTP connector


After completing the prerequisites, you can create an SFTP connector with VPC connectivity using the AWS CLI, AWS Management Console, or AWS SDKs.

------
#### [ Console ]<a name="create-vpc-sftp-connector"></a>

**To create a VPC Lattice-enabled SFTP connector**

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. In the left navigation pane, choose **SFTP Connectors**, then choose **Create SFTP connector**.

1. In the **Connector configuration** section, for **Egress type**, choose **VPC Lattice**.

   This option routes traffic through your VPC using Amazon VPC Lattice for cross-VPC resource access. You can use this option to connect to privately hosted server endpoints, route traffic through your VPC's security controls, or use your own NAT gateways and Elastic IP addresses. The address of the remote SFTP server is represented as a Resource Configuration in your VPC. For more information about Resource Configurations, see [Resource configurations for VPC resources](https://docs.aws.amazon.com/vpc-lattice/latest/ug/resource-configuration.html) in the Amazon VPC Lattice User Guide.

1. Complete the connector configuration:
   + For the **Access role**, choose the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to use.
     + **Make sure that this role provides read and write access** to the parent directory of the file location that's used in the `StartFileTransfer` request.
     + **Make sure that this role provides permission** for `secretsmanager:GetSecretValue` to access the secret.
**Note**  
In the policy, you must specify the ARN for the secret. The ARN contains the secret name, followed by a hyphen and six random alphanumeric characters that Secrets Manager appends. An ARN for a secret has the following format.  

       ```
       arn:aws:secretsmanager:region:account-id:secret:aws/transfer/SecretName-6RandomCharacters
       ```
     + **Make sure this role contains a trust relationship** that allows the connector to access your resources when servicing your users' transfer requests. For details on establishing a trust relationship, see [To establish a trust relationship](requirements-roles.md#establish-trust-transfer).  

     ```
     {
       "Version": "2012-10-17",
       "Statement": [
         {
             "Sid": "AllowListingOfUserFolder",
             "Action": [
                 "s3:ListBucket",
                 "s3:GetBucketLocation"
             ],
             "Effect": "Allow",
             "Resource": [
                 "arn:aws:s3:::amzn-s3-demo-bucket"
             ]
         },
         {
             "Sid": "HomeDirObjectAccess",
             "Effect": "Allow",
             "Action": [
                 "s3:PutObject",
                 "s3:GetObject",
                 "s3:DeleteObject",
                 "s3:DeleteObjectVersion",
                 "s3:GetObjectVersion",
                 "s3:GetObjectACL",
                 "s3:PutObjectACL"
             ],
             "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
         },
         {
             "Sid": "GetConnectorSecretValue",
             "Effect": "Allow",
             "Action": [
                 "secretsmanager:GetSecretValue"
             ],
             "Resource": "arn:aws:secretsmanager:us-west-2:111122223333:secret:aws/transfer/SecretName-6RandomCharacters"
         }
       ]
     }
     ```
**Note**  
For the access role, the example grants access to a single secret. However, you can use a wildcard character, which can save work if you want to reuse the same IAM role for multiple users and secrets. For example, the following resource statement grants permissions for all secrets that have names beginning with `aws/transfer`.  

     ```
     "Resource": "arn:aws:secretsmanager:region:account-id:secret:aws/transfer/*"
     ```
You can also store secrets containing your SFTP credentials in another AWS account. For details on enabling cross-account secret access, see [Permissions to AWS Secrets Manager secrets for users in a different account](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples_cross.html).
   + For **Resource Configuration ARN**, enter the ARN of the VPC Lattice Resource Configuration that points to your SFTP server:

     ```
     arn:aws:vpc-lattice:region:account-id:resourceconfiguration/rcfg-12345678
     ```
   + (Optional) For the **Logging role**, choose the IAM role for the connector to use to push events to your CloudWatch logs.  

     ```
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "VisualEditor0",
                 "Effect": "Allow",
                 "Action": [
                     "logs:CreateLogStream",
                     "logs:DescribeLogStreams",
                     "logs:CreateLogGroup",
                     "logs:PutLogEvents"
                 ],
                 "Resource": "arn:aws:logs:*:*:log-group:/aws/transfer/*"
             }
         ]
     }
     ```

1. In the **SFTP Configuration** section, provide the following information:
   + For **Connector credentials**, choose the name of a secret in AWS Secrets Manager that contains the SFTP user's private key or password.
   + For **Trusted host keys**, paste in the public portion of the host key that is used to identify the external server, or leave empty to configure later using the `TestConnection` command.

     Since this host key is for a VPC Lattice connector, remove the host name from the key and keep only the key type and key material.
   + (Optional) For **Maximum concurrent connections**, choose the number of concurrent connections that your connector creates to the remote server (default is 5).

1. In the **Cryptographic algorithm options** section, choose a **Security policy** from the dropdown list.

1. (Optional) In the **Tags** section, add tags as key-value pairs.

1. Choose **Create SFTP connector** to create the VPC Lattice-enabled SFTP connector.

The connector will be created with a status of `PENDING` while the resource association is being provisioned, which typically takes several minutes. Once the status changes to `ACTIVE`, the connector is ready for use.
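The host-key step above says to drop the host name before pasting the key. The following added example (not part of the AWS documentation) normalizes a line copied from `ssh-keyscan` output or a `known_hosts` file into the bare `<key-type> <base64>` form, and refuses garbled or unexpected input instead of pinning it; the sample lines are constructed, not real keys.

```shell
#!/bin/sh
# Normalize a known_hosts / ssh-keyscan line into "<key-type> <base64>", the
# form the Trusted host keys field expects when the host name is removed.
# Handles plain hosts, "[host]:port" entries, hashed "|1|salt|hash=" entries,
# leading "@cert-authority"/"@revoked" markers, and trailing comments.

# OpenSSH public key types this helper accepts (constructed list for the example;
# the security policy you pick decides which algorithms the connector negotiates).
KNOWN_KEY_TYPES="ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521"

trusted_host_key() {
    # $1: one host-key line. Prints "<type> <base64>" on success, returns 1 otherwise.
    line=$1
    case $line in
        ''|'#'*) return 1 ;;            # empty line or comment: nothing to pin
        '@'*) line=${line#* } ;;        # strip a leading @marker field
    esac
    set -f                              # no globbing: "[10.0.1.100]:2222" is not a pattern
    set -- $line                        # split on whitespace
    set +f
    [ $# -ge 3 ] || return 1            # need host, key type, key material
    shift                               # drop the host-name field
    ktype=$1; key=$2                    # anything after $2 is a comment and is dropped
    case " $KNOWN_KEY_TYPES " in
        *" $ktype "*) ;;
        *) return 1 ;;                  # unknown key type: refuse rather than guess
    esac
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;  # not base64: a garbled paste
    esac
    printf '%s %s\n' "$ktype" "$key"
}

# Constructed sample lines (the key material is not a real key).
SAMPLE_SCAN='sftp.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKey0000000000000000 sftp host'
SAMPLE_PORT='[10.0.1.100]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleConstructedKey00000000000'

trusted_host_key "$SAMPLE_SCAN"
trusted_host_key "$SAMPLE_PORT"
```

The printed value is what goes into **Trusted host keys** (or `TrustedHostKeys` in the CLI); pinning it means the connector rejects a server presenting any other key.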

------
#### [ CLI ]

Use the following command to create a VPC Lattice-enabled SFTP connector:

```
aws transfer create-connector \
    --url "sftp://my.sftp.server.com:22" \
    --access-role arn:aws:iam::123456789012:role/TransferConnectorRole \
    --sftp-config UserSecretId=my-secret-id,TrustedHostKeys="ssh-rsa AAAAB3NzaC..." \
    --egress-config VpcLattice={ResourceConfigurationArn=arn:aws:vpc-lattice:us-east-1:123456789012:resourceconfiguration/rcfg-1234567890abcdef0} \
    --security-policy-name TransferSecurityPolicy-2024-01
```

The key parameter for VPC connectivity is `--egress-config`, which specifies the Resource Configuration ARN that defines your SFTP server target.

------

## Monitoring VPC connector status


VPC Lattice-enabled connectors have an asynchronous setup process. After creation, monitor the connector status:
+ **PENDING**: The connector is being provisioned. Service network provisioning is in progress, which typically takes several minutes.
+ **ACTIVE**: The connector is ready for use and can transfer files.
+ **ERRORED**: The connector failed to provision. Check the error details for troubleshooting information.

Check the connector status using the `describe-connector` command:

```
aws transfer describe-connector --connector-id c-1234567890abcdef0
```

During the PENDING state, the `test-connection` API will return "Connector not available" until provisioning is complete.
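The status check above, wrapped in a polling loop that waits for provisioning to finish before anything calls `test-connection`. This is an added example, not part of the AWS documentation; it assumes that `describe-connector` reports the state under the JMESPath `Connector.Status`, so adjust the query if your CLI output differs.

```shell
#!/bin/sh
# Poll a connector until it leaves PENDING, mapping the states documented above
# to exit codes a deployment script can branch on.

# Fetch the current status of one connector via the AWS CLI.
# Assumption: the status field is exposed as Connector.Status in the response.
aws_connector_status() {
    aws transfer describe-connector --connector-id "$1" \
        --query 'Connector.Status' --output text
}

# wait_for_connector <connector-id> [status-fn] [interval-seconds] [max-polls]
# Exit codes: 0 ACTIVE, 1 ERRORED, 2 still PENDING after max-polls,
#             3 status lookup failed or returned an unexpected value.
wait_for_connector() {
    cid=$1; fetch=${2:-aws_connector_status}
    interval=${3:-30}; max=${4:-20}      # default 20 x 30 s = 10 min
    n=0
    while [ "$n" -lt "$max" ]; do
        status=$("$fetch" "$cid") || return 3
        case $status in
            ACTIVE)  return 0 ;;
            ERRORED) echo "connector $cid is ERRORED; inspect describe-connector output" >&2
                     return 1 ;;
            PENDING) n=$((n + 1)); sleep "$interval" ;;
            *)       echo "unexpected status '$status' for connector $cid" >&2
                     return 3 ;;
        esac
    done
    echo "connector $cid still PENDING after $max polls" >&2
    return 2
}

# Usage with the real CLI (connector id is a placeholder from the docs):
# wait_for_connector c-1234567890abcdef0 && aws transfer test-connection --connector-id c-1234567890abcdef0
```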

## Limitations and considerations

+ **Public endpoints**: When connecting to public endpoints through VPC, you must provide a DNS name in the Resource Configuration. Public IP addresses are not supported.
+ **Regional availability**: VPC connectivity is available in select AWS Regions. Cross-region resource sharing is not supported.
+ **Availability Zone requirements**: Resource Gateways must be associated with subnets in at least two Availability Zones. Not all Availability Zones support VPC Lattice in every region.
+ **Connection limits**: Maximum of 350 connections per resource with a 350-second idle timeout for TCP connections.

## Cost considerations


There are no additional charges from AWS Transfer Family beyond regular service charges. However, you may incur additional charges from Amazon VPC Lattice for sharing your Amazon Virtual Private Cloud resources, and NAT gateway charges if you use your own NAT gateways for egress to the internet.

For complete AWS Transfer Family pricing information, see the [AWS Transfer Family pricing page](https://aws.amazon.com/aws-transfer-family/pricing/).

## VPC connectivity examples for SFTP connectors

This section provides examples of creating SFTP connectors with VPC connectivity for various scenarios. Before using these examples, ensure you have completed the VPC infrastructure setup as described in the VPC connectivity documentation.

### Example: Private endpoint connection


This example shows how to create an SFTP connector that connects to a private SFTP server accessible only from your VPC.

**Prerequisites**

1. Create a Resource Gateway in your VPC:

   ```
   aws vpc-lattice create-resource-gateway \
       --name my-private-server-gateway \
       --vpc-identifier vpc-1234567890abcdef0 \
       --subnet-ids subnet-1234567890abcdef0 subnet-0987654321fedcba0
   ```

1. Create a Resource Configuration for your private SFTP server:

   ```
   aws vpc-lattice create-resource-configuration \
       --name my-private-server-config \
       --resource-gateway-identifier rgw-1234567890abcdef0 \
       --resource-configuration-definition ipResource={ipAddress="10.0.1.100"} \
       --port-ranges 22
   ```

**Create the VPC Lattice-enabled connector**

1. Create the SFTP connector with VPC connectivity:

   ```
   aws transfer create-connector \
       --access-role arn:aws:iam::123456789012:role/TransferConnectorRole \
       --sftp-config UserSecretId=my-private-server-credentials,TrustedHostKeys="ssh-rsa AAAAB3NzaC..." \
       --egress-config 'VpcLattice={ResourceConfigurationArn=arn:aws:vpc-lattice:us-east-1:123456789012:resourceconfiguration/rcfg-1234567890abcdef0,PortNumber=22}'
   ```

1. Monitor the connector status until it becomes `ACTIVE`:

   ```
   aws transfer describe-connector --connector-id c-1234567890abcdef0
   ```

The remote SFTP server will see connections coming from the Resource Gateway's IP address within your VPC CIDR range.

### Example: Public endpoint via VPC


This example shows how to route connections to a public SFTP server through your VPC to leverage centralized security controls and use your own NAT Gateway IP addresses.

**Prerequisites**

1. Create a Resource Gateway in your VPC (same as private endpoint example).

1. Create a Resource Configuration for the public SFTP server using its DNS name:

   ```
   aws vpc-lattice create-resource-configuration \
       --name my-public-server-config \
       --resource-gateway-identifier rgw-1234567890abcdef0 \
       --resource-configuration-definition dnsResource={domainName="sftp.example.com"} \
       --port-ranges 22
   ```
**Note**  
For public endpoints, you must use a DNS name, not an IP address.

**Create the connector**
+ Create the SFTP connector:

  ```
  aws transfer create-connector \
      --access-role arn:aws:iam::123456789012:role/TransferConnectorRole \
      --sftp-config UserSecretId=my-public-server-credentials,TrustedHostKeys="ssh-rsa AAAAB3NzaC..." \
      --egress-config 'VpcLattice={ResourceConfigurationArn=arn:aws:vpc-lattice:us-east-1:123456789012:resourceconfiguration/rcfg-0987654321fedcba0,PortNumber=22}'
  ```

Traffic will flow from the connector to your Resource Gateway, then through your NAT Gateway to reach the public SFTP server. The remote server will see your NAT Gateway's Elastic IP address as the source.

### Example: Cross-account private endpoint


This example shows how to connect to a private SFTP server in a different AWS account by using resource sharing.

**Note**  
If you already have cross-VPC resource sharing enabled through other mechanisms, such as AWS Transit Gateway, you don't need to configure the resource sharing described here. The existing routing mechanisms, such as Transit Gateway route tables, are automatically used by SFTP connectors. You only need to create a Resource Configuration in the same account where you're creating the SFTP connector.

**Account A (Resource Provider) - Share the Resource Configuration**

1. Create Resource Gateway and Resource Configuration in Account A (same as previous examples).

1. Share the Resource Configuration with Account B using AWS Resource Access Manager:

   ```
   aws ram create-resource-share \
       --name cross-account-sftp-share \
       --resource-arns arn:aws:vpc-lattice:us-east-1:111111111111:resourceconfiguration/rcfg-1234567890abcdef0 \
       --principals 222222222222
   ```

**Account B (Resource Consumer) - Accept and Use the Share**

1. Accept the resource share invitation:

   ```
   aws ram accept-resource-share-invitation \
       --resource-share-invitation-arn arn:aws:ram:us-east-1:111111111111:resource-share-invitation/invitation-id
   ```

1. Create the SFTP connector in Account B:

   ```
   aws transfer create-connector \
       --access-role arn:aws:iam::222222222222:role/TransferConnectorRole \
       --sftp-config UserSecretId=cross-account-server-credentials,TrustedHostKeys="ssh-rsa AAAAB3NzaC..." \
       --egress-config 'VpcLattice={ResourceConfigurationArn=arn:aws:vpc-lattice:us-east-1:111111111111:resourceconfiguration/rcfg-1234567890abcdef0,PortNumber=22}'
   ```

The connector in Account B can now access the private SFTP server in Account A through the shared Resource Configuration.

### Common troubleshooting scenarios


Here are solutions for common issues when creating VPC Lattice-enabled connectors:
+ **Connector stuck in PENDING status**: Check that your Resource Gateway is ACTIVE and has subnets in supported Availability Zones. If the connector is still stuck with a status of PENDING, call `UpdateConnector` using the same configuration parameters that you used initially. This triggers a new status event that might resolve the problem.
+ **Connection timeouts**: Verify security group rules allow traffic on port 22 and that your VPC routing is correct.
+ **DNS resolution issues**: For public endpoints, ensure your VPC has internet connectivity through a NAT Gateway or Internet Gateway.
+ **Cross-account access denied**: Verify that the resource share has been accepted and that the Resource Configuration ARN is correct. The permission policy that the origin account attaches to the Resource Configuration when it creates the resource share must grant these permissions: `vpc-lattice:AssociateViaAWSService`, `vpc-lattice:AssociateViaAWSService-EventsAndStates`, `vpc-lattice:CreateServiceNetworkResourceAssociation`, `vpc-lattice:GetResourceConfiguration`.

# Test an SFTP connector


After you create an SFTP connector, we recommend that you test it before you attempt to transfer any files using your new connector.

**To test an SFTP connector**

1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. In the left navigation pane, choose **SFTP Connectors**, and select a connector.

1. From the **Actions** menu, choose **Test connection**.  
![\[The Transfer Family console, showing an SFTP connector selected, and the Test connection action highlighted.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/connector-test-choose.png)

The system returns a message, indicating whether the test passes or fails. If the test fails, the system provides an error message based on the reason the test failed.

![\[The SFTP connector test connection panel, showing a successful test.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/connector-test-success.png)


![\[The SFTP connector test connection panel, showing a failed test: the error message indicates that the access role for the connector is incorrect.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/connector-test-fail-role.png)


**Note**  
To use the API to test your connector, see the [https://docs.aws.amazon.com/transfer/latest/APIReference/API_TestConnection](https://docs.aws.amazon.com/transfer/latest/APIReference/API_TestConnection) API documentation.