From ff5b71b48b49469c148ea260b9d8e7e4945fc042 Mon Sep 17 00:00:00 2001 From: AWS <> Date: Wed, 9 Jun 2021 18:16:50 +0000 Subject: [PATCH] AWS Transfer Family Update: Documentation updates for the AWS Transfer Family service. --- .../feature-AWSTransferFamily-4be4e07.json | 6 ++ .../codegen-resources/service-2.json | 78 +++++++++---------- 2 files changed, 45 insertions(+), 39 deletions(-) create mode 100644 .changes/next-release/feature-AWSTransferFamily-4be4e07.json diff --git a/.changes/next-release/feature-AWSTransferFamily-4be4e07.json b/.changes/next-release/feature-AWSTransferFamily-4be4e07.json new file mode 100644 index 000000000000..be8a70139155 --- /dev/null +++ b/.changes/next-release/feature-AWSTransferFamily-4be4e07.json @@ -0,0 +1,6 @@ +{ + "type": "feature", + "category": "AWS Transfer Family", + "contributor": "", + "description": "Documentation updates for the AWS Transfer Family service." +} diff --git a/services/transfer/src/main/resources/codegen-resources/service-2.json b/services/transfer/src/main/resources/codegen-resources/service-2.json index a065d1dcb4d8..5e6cd984eb7b 100644 --- a/services/transfer/src/main/resources/codegen-resources/service-2.json +++ b/services/transfer/src/main/resources/codegen-resources/service-2.json @@ -469,24 +469,24 @@ "members":{ "HomeDirectory":{ "shape":"HomeDirectory", - "documentation":"
The landing directory (folder) for a user when they log in to the server using the client.
A HomeDirectory
example is /directory_name/home/mydirectory
.
The landing directory (folder) for a user when they log in to the server using the client.
A HomeDirectory
example is /bucket_name/home/mydirectory
.
The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket paths as is in their file transfer protocol clients. If you set it LOGICAL
, you must provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 paths visible to your users.
The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL
, you will need to provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 or EFS paths visible to your users.
Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry
and Target
pair, where Entry
shows how the path is made visible and Target
is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it will be displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in Target
. This value can only be set when HomeDirectoryType
is set to LOGICAL.
The following is an Entry
and Target
pair example.
[ { \"Entry\": \"your-personal-report.pdf\", \"Target\": \"/bucket3/customized-reports/${transfer:UserName}.pdf\" } ]
In most cases, you can use this value instead of the scope-down policy to lock down your user to the designated home directory (\"chroot
\"). To do this, you can set Entry
to /
and set Target
to the HomeDirectory
parameter value.
The following is an Entry
and Target
pair example for chroot
.
[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]
If the target of a logical directory entry does not exist in Amazon S3 or Amazon EFS, the entry will be ignored. As a workaround, you can use the Amazon S3 API or EFS API to create 0-byte objects as place holders for your directory. If using the AWS CLI, use the s3api
or efsapi
call instead of s3
or efs
so you can use the put-object
operation. For example, you can use the following.
aws s3api put-object --bucket bucketname --key path/to/folder/
The end of the key name must end in a /
for it to be considered a folder.
Required: No
" + "documentation":"Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry
and Target
pair, where Entry
shows how the path is made visible and Target
is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it will be displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in Target
. This value can only be set when HomeDirectoryType
is set to LOGICAL.
The following is an Entry
and Target
pair example.
[ { \"Entry\": \"your-personal-report.pdf\", \"Target\": \"/bucket3/customized-reports/${transfer:UserName}.pdf\" } ]
In most cases, you can use this value instead of the scope-down policy to lock down your user to the designated home directory (\"chroot
\"). To do this, you can set Entry
to /
and set Target
to the HomeDirectory
parameter value.
The following is an Entry
and Target
pair example for chroot
.
[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]
If the target of a logical directory entry does not exist in Amazon S3 or Amazon EFS, the entry will be ignored. As a workaround, you can use the Amazon S3 API or EFS API to create 0-byte objects as place holders for your directory. If using the AWS CLI, use the s3api
or efsapi
call instead of s3
or efs
so you can use the put-object
operation. For example, you can use the following.
aws s3api put-object --bucket bucketname --key path/to/folder/
The end of the key name must end in a /
for it to be considered a folder.
A scope-down policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
This only applies when domain of ServerId
is S3. Amazon EFS does not use scope down policy.
For scope-down policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy
argument.
For an example of a scope-down policy, see Example scope-down policy.
For more information, see AssumeRole in the AWS Security Token Service API Reference.
A scope-down policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
This only applies when domain of ServerId
is S3. Amazon EFS does not use scope-down policies.
For scope-down policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy
argument.
For an example of a scope-down policy, see Example scope-down policy.
For more information, see AssumeRole in the AWS Security Token Service API Reference.
Specifies the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" + "documentation":"Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" }, "ServerId":{ "shape":"ServerId", @@ -494,7 +494,7 @@ }, "ExternalId":{ "shape":"ExternalId", - "documentation":"A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using AWS Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.
Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamaccountName,ObjectSid
In that command, replace YourGroupName with the name of your Active Directory group.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" + "documentation":"A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using AWS Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.
Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid
In that command, replace YourGroupName with the name of your Active Directory group.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" } } }, @@ -532,7 +532,7 @@ }, "EndpointType":{ "shape":"EndpointType", - "documentation":"The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.
After March 31, 2021, you won't be able to create a server using EndpointType=VPC_ENDPOINT
in your AWS account if your account hasn't already done so before March 31, 2021. If you have already created servers with EndpointType=VPC_ENDPOINT
in your AWS account on or before March 31, 2021, you will not be affected. After this date, use EndpointType
=VPC
.
For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.
It is recommended that you use VPC
as the EndpointType
. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType
set to VPC_ENDPOINT
.
The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.
After May 19, 2021, you won't be able to create a server using EndpointType=VPC_ENDPOINT
in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with EndpointType=VPC_ENDPOINT
in your AWS account on or before May 19, 2021, you will not be affected. After this date, use EndpointType
=VPC
.
For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.
It is recommended that you use VPC
as the EndpointType
. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType
set to VPC_ENDPOINT
.
The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket paths as is in their file transfer protocol clients. If you set it LOGICAL
, you will need to provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 paths visible to your users.
The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL
, you will need to provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 or EFS paths visible to your users.
A scope-down policy for your user so you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
This only applies when domain of ServerId is S3. EFS does not use scope down policy.
For scope-down policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy
argument.
For an example of a scope-down policy, see Example scope-down policy.
For more information, see AssumeRole in the AWS Security Token Service API Reference.
A scope-down policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
This only applies when domain of ServerId is S3. EFS does not use scope down policy.
For scope-down policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy
argument.
For an example of a scope-down policy, see Example scope-down policy.
For more information, see AssumeRole in the AWS Security Token Service API Reference.
Specifies the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role will determine the level of access you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" + "documentation":"Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" }, "ServerId":{ "shape":"ServerId", @@ -655,7 +655,7 @@ }, "ExternalId":{ "shape":"ExternalId", - "documentation":"A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using AWS Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.
Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamaccountName,ObjectSid
In that command, replace YourGroupName with the name of your Active Directory group.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" + "documentation":"A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using AWS Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.
Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid
In that command, replace YourGroupName with the name of your Active Directory group.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" } } }, @@ -721,7 +721,7 @@ }, "ExternalId":{ "shape":"ExternalId", - "documentation":"A unique identifier that is required to identify specific groups within your directory. The users of the group you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using AWS Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.
Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamaccountName,ObjectSid
In that command, replace YourGroupName with the name of your Active Directory group.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" + "documentation":"A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using AWS Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.
Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid
In that command, replace YourGroupName with the name of your Active Directory group.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" } } }, @@ -821,7 +821,7 @@ "members":{ "HomeDirectory":{ "shape":"HomeDirectory", - "documentation":"Specifies the landing directory (or folder), which is the location that files are written to or read from in an Amazon S3 bucket, for the described access.
" + "documentation":"The landing directory (folder) for a user when they log in to the server using the client.
A HomeDirectory
example is /bucket_name/home/mydirectory
.
The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket paths as is in their file transfer protocol clients. If you set it to LOGICAL
, you must provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 paths visible to your users.
The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL
, you will need to provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 or EFS paths visible to your users.
A scope-down policy for your user so that you can use the same AWS Identity and Access Management (IAM) role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
A scope-down policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
The IAM role that controls access to your Amazon S3 bucket from the specified associated access. The policies attached to this role will determine the level of access that you want to provide the associated access when transferring files into and out of your Amazon S3 bucket or buckets. The IAM role should also contain a trust relationship that allows a server to access your resources when servicing transfer requests for the associated access.
" + "documentation":"Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" }, "ExternalId":{ "shape":"ExternalId", - "documentation":"A unique identifier that might be required when you assume a role in another account. Think of the ExternalID
as a group membership mechanism that uses a unique identifier (often a SID, but could be a group name or something else) as a basis. If the administrator of the account to which the role belongs provided you with an external ID, then provide that value in the ExternalId
parameter. A cross-account role is usually set up to trust everyone in an account. Therefore, the administrator of the trusting account might send an external ID to the administrator of the trusted account. That way, only someone with the ID can assume the role, rather than everyone in the account.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" + "documentation":"A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using AWS Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.
Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid
In that command, replace YourGroupName with the name of your Active Directory group.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" } }, "documentation":"Describes the properties of the access that was specified.
" @@ -955,7 +955,7 @@ }, "HomeDirectory":{ "shape":"HomeDirectory", - "documentation":"Specifies the landing directory (or folder), which is the location that files are written to or read from in an Amazon S3 bucket, for the described user. An example is your-Amazon-S3-bucket-name>/home/username
.
The landing directory (folder) for a user when they log in to the server using the client.
A HomeDirectory
example is /bucket_name/home/mydirectory
.
Specifies the type of landing directory (folder) you mapped for your users to see when they log into the file transfer protocol-enabled server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL
, you will need to provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 or EFS paths visible to your users.
The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL
, you will need to provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 or EFS paths visible to your users.
Specifies the name of the policy in use for the described user.
" + "documentation":"A scope-down policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
The IAM role that controls your users' access to your Amazon S3 bucket. The policies attached to this role will determine the level of access you want to provide your users when transferring files into and out of your Amazon S3 bucket or buckets. The IAM role should also contain a trust relationship that allows a server to access your resources when servicing your users' transfer requests.
" + "documentation":"Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" }, "SshPublicKeys":{ "shape":"SshPublicKeys", @@ -1029,7 +1029,7 @@ "documentation":"A list of security groups IDs that are available to attach to your server's endpoint.
This property can only be set when EndpointType
is set to VPC
.
You can edit the SecurityGroupIds
property in the UpdateServer API only if you are changing the EndpointType
from PUBLIC
or VPC_ENDPOINT
to VPC
. To change security groups associated with your server's VPC endpoint after creation, use the Amazon EC2 ModifyVpcEndpoint API.
The virtual private cloud (VPC) endpoint settings that are configured for your file transfer protocol-enabled server. With a VPC endpoint, you can restrict access to your server and resources only within your VPC. To control incoming internet traffic, invoke the UpdateServer
API and attach an Elastic IP address to your server's endpoint.
After March 31, 2021, you won't be able to create a server using EndpointType=VPC_ENDPOINT
in your AWS account if your account hasn't already done so before March 31, 2021. If you have already created servers with EndpointType=VPC_ENDPOINT
in your AWS account on or before March 31, 2021, you will not be affected. After this date, use EndpointType
=VPC
.
For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.
The virtual private cloud (VPC) endpoint settings that are configured for your file transfer protocol-enabled server. With a VPC endpoint, you can restrict access to your server and resources only within your VPC. To control incoming internet traffic, invoke the UpdateServer
API and attach an Elastic IP address to your server's endpoint.
After May 19, 2021, you won't be able to create a server using EndpointType=VPC_ENDPOINT
in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with EndpointType=VPC_ENDPOINT
in your AWS account on or before May 19, 2021, you will not be affected. After this date, use EndpointType
=VPC
.
For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.
Specifies the landing directory (or folder), which is the location that files are written to or read from in an Amazon S3 bucket, for the described access.
" + "documentation":"The landing directory (folder) for a user when they log in to the server using the client.
A HomeDirectory
example is /bucket_name/home/mydirectory
.
The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket paths as is in their file transfer protocol clients. If you set it to LOGICAL
, you must provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 paths visible to your users.
The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL
, you will need to provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 or EFS paths visible to your users.
The AWS Identity and Access Management (IAM) role that controls access to your Amazon S3 bucket from the specified associated access. The policies attached to this role will determine the level of access that you want to provide the associated access when transferring files into and out of your Amazon S3 bucket or buckets. The IAM role should also contain a trust relationship that allows a server to access your resources when servicing transfer requests for the associated access.
" + "documentation":"Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" }, "ExternalId":{ "shape":"ExternalId", - "documentation":"A unique identifier that might be required when you assume a role in another account. Think of the ExternalID
as a group membership mechanism that uses a unique identifier (often a SID, but could be a group name or something else) as a basis. If the administrator of the account to which the role belongs provided you with an external ID, then provide that value in the ExternalId
parameter. A cross-account role is usually set up to trust everyone in an account. Therefore, the administrator of the trusting account might send an external ID to the administrator of the trusted account. That way, only someone with the ID can assume the role, rather than everyone in the account.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" + "documentation":"A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using AWS Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.
Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid
In that command, replace YourGroupName with the name of your Active Directory group.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" } }, "documentation":"Lists the properties for one or more specified associated accesses.
" @@ -1434,15 +1434,15 @@ }, "HomeDirectory":{ "shape":"HomeDirectory", - "documentation":"Specifies the location that files are written to or read from an Amazon S3 bucket for the user you specify by their ARN.
" + "documentation":"The landing directory (folder) for a user when they log in to the server using the client.
A HomeDirectory
example is /bucket_name/home/mydirectory
.
Specifies the type of landing directory (folder) you mapped for your users' home directory. If you set it to PATH
, the user will see the absolute Amazon S3 bucket paths as is in their file transfer protocol clients. If you set it LOGICAL
, you will need to provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 paths visible to your users.
The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL
, you will need to provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 or EFS paths visible to your users.
Specifies the role that is in use by this user. A role is an AWS Identity and Access Management (IAM) entity that, in this case, allows a file transfer protocol-enabled server to act on a user's behalf. It allows the server to inherit the trust relationship that enables that user to perform file operations to their Amazon S3 bucket.
The IAM role that controls your users' access to your Amazon S3 bucket for servers with Domain=S3
, or your EFS file system for servers with Domain=EFS
.
The policies attached to this role determine the level of access you want to provide your users when transferring files into and out of your S3 buckets or EFS file systems.
Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
The IAM role that controls your users' access to your Amazon S3 bucket for servers with Domain=S3
, or your EFS file system for servers with Domain=EFS
.
The policies attached to this role determine the level of access you want to provide your users when transferring files into and out of your S3 buckets or EFS file systems.
The landing directory (folder) for a user when they log in to the server using the client.
A HomeDirectory
example is /directory_name/home/mydirectory
.
The landing directory (folder) for a user when they log in to the server using the client.
A HomeDirectory
example is /bucket_name/home/mydirectory
.
The type of landing directory (folder) that you want your users' home directory to be when they log in to the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket paths as is in their file transfer protocol clients. If you set it LOGICAL
, you must provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 paths visible to your users.
The type of landing directory (folder) you want your users' home directory to be when they log into the server. If you set it to PATH
, the user will see the absolute Amazon S3 bucket or EFS paths as is in their file transfer protocol clients. If you set it LOGICAL
, you will need to provide mappings in the HomeDirectoryMappings
for how you want to make Amazon S3 or EFS paths visible to your users.
Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry
and Target
pair, where Entry
shows how the path is made visible and Target
is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it will be displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in Target
. This value can only be set when HomeDirectoryType
is set to LOGICAL.
The following is an Entry
and Target
pair example.
[ { \"Entry\": \"your-personal-report.pdf\", \"Target\": \"/bucket3/customized-reports/${transfer:UserName}.pdf\" } ]
In most cases, you can use this value instead of the scope-down policy to lock down your user to the designated home directory (\"chroot
\"). To do this, you can set Entry
to /
and set Target
to the HomeDirectory
parameter value.
The following is an Entry
and Target
pair example for chroot
.
[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]
If the target of a logical directory entry does not exist in Amazon S3 or Amazon EFS, the entry will be ignored. As a workaround, you can use the Amazon S3 API or EFS API to create 0-byte objects as place holders for your directory. If using the AWS CLI, use the s3api
or efsapi
call instead of s3
or efs
so you can use the put-object
operation. For example, you can use the following.
aws s3api put-object --bucket bucketname --key path/to/folder/
The end of the key name must end in a /
for it to be considered a folder.
Required: No
" + "documentation":"Logical directory mappings that specify what Amazon S3 or Amazon EFS paths and keys should be visible to your user and how you want to make them visible. You must specify the Entry
and Target
pair, where Entry
shows how the path is made visible and Target
is the actual Amazon S3 or Amazon EFS path. If you only specify a target, it will be displayed as is. You also must ensure that your AWS Identity and Access Management (IAM) role provides access to paths in Target
. This value can only be set when HomeDirectoryType
is set to LOGICAL.
The following is an Entry
and Target
pair example.
[ { \"Entry\": \"your-personal-report.pdf\", \"Target\": \"/bucket3/customized-reports/${transfer:UserName}.pdf\" } ]
In most cases, you can use this value instead of the scope-down policy to lock down your user to the designated home directory (\"chroot
\"). To do this, you can set Entry
to /
and set Target
to the HomeDirectory
parameter value.
The following is an Entry
and Target
pair example for chroot
.
[ { \"Entry\": \"/\", \"Target\": \"/bucket_name/home/mydirectory\" } ]
If the target of a logical directory entry does not exist in Amazon S3 or Amazon EFS, the entry will be ignored. As a workaround, you can use the Amazon S3 API or EFS API to create 0-byte objects as place holders for your directory. If using the AWS CLI, use the s3api
or efsapi
call instead of s3
or efs
so you can use the put-object
operation. For example, you can use the following.
aws s3api put-object --bucket bucketname --key path/to/folder/
The end of the key name must end in a /
for it to be considered a folder.
A scope-down policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
This only applies when domain of ServerId
is S3. Amazon EFS does not use scope down policy.
For scope-down policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy
argument.
For an example of a scope-down policy, see Example scope-down policy.
For more information, see AssumeRole in the AWS Security Token Service API Reference.
A scope-down policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
This only applies when domain of ServerId
is S3. Amazon EFS does not use scope down policy.
For scope-down policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy
argument.
For an example of a scope-down policy, see Example scope-down policy.
For more information, see AssumeRole in the AWS Security Token Service API Reference.
Specifies the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" + "documentation":"Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" }, "ServerId":{ "shape":"ServerId", @@ -1871,7 +1871,7 @@ }, "ExternalId":{ "shape":"ExternalId", - "documentation":"A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using AWS Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.
Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamaccountName,ObjectSid
In that command, replace YourGroupName with the name of your Active Directory group.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" + "documentation":"A unique identifier that is required to identify specific groups within your directory. The users of the group that you associate have access to your Amazon S3 or Amazon EFS resources over the enabled protocols using AWS Transfer Family. If you know the group name, you can view the SID values by running the following command using Windows PowerShell.
Get-ADGroup -Filter {samAccountName -like \"YourGroupName*\"} -Properties * | Select SamAccountName,ObjectSid
In that command, replace YourGroupName with the name of your Active Directory group.
The regex used to validate this parameter is a string of characters consisting of uppercase and lowercase alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" } } }, @@ -1906,7 +1906,7 @@ }, "EndpointType":{ "shape":"EndpointType", - "documentation":"The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.
After March 31, 2021, you won't be able to create a server using EndpointType=VPC_ENDPOINT
in your AWS account if your account hasn't already done so before March 31, 2021. If you have already created servers with EndpointType=VPC_ENDPOINT
in your AWS account on or before March 31, 2021, you will not be affected. After this date, use EndpointType
=VPC
.
For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.
It is recommended that you use VPC
as the EndpointType
. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType
set to VPC_ENDPOINT
.
The type of endpoint that you want your server to use. You can choose to make your server's endpoint publicly accessible (PUBLIC) or host it inside your VPC. With an endpoint that is hosted in a VPC, you can restrict access to your server and resources only within your VPC or choose to make it internet facing by attaching Elastic IP addresses directly to it.
After May 19, 2021, you won't be able to create a server using EndpointType=VPC_ENDPOINT
in your AWS account if your account hasn't already done so before May 19, 2021. If you have already created servers with EndpointType=VPC_ENDPOINT
in your AWS account on or before May 19, 2021, you will not be affected. After this date, use EndpointType
=VPC
.
For more information, see https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html#deprecate-vpc-endpoint.
It is recommended that you use VPC
as the EndpointType
. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType
set to VPC_ENDPOINT
.
Specifies the landing directory (folder) for a user when they log in to the server using their file transfer protocol client.
An example is your-Amazon-S3-bucket-name>/home/username
.
The landing directory (folder) for a user when they log in to the server using the client.
A HomeDirectory
example is /bucket_name/home/mydirectory
.
Allows you to supply a scope-down policy for your user so you can use the same IAM role across multiple users. The policy scopes down user access to portions of your Amazon S3 bucket. Variables you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
For scope-down policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy
argument.
For an example of a scope-down policy, see Creating a scope-down policy.
For more information, see AssumeRole in the AWS Security Token Service API Reference.
A scope-down policy for your user so that you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}
, ${Transfer:HomeDirectory}
, and ${Transfer:HomeBucket}
.
This only applies when domain of ServerId
is S3. Amazon EFS does not use scope-down policies.
For scope-down policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy
argument.
For an example of a scope-down policy, see Creating a scope-down policy.
For more information, see AssumeRole in the AWS Security Token Service API Reference.
The IAM role that controls your users' access to your Amazon S3 bucket. The policies attached to this role determine the level of access you want to provide your users when transferring files into and out of your S3 bucket or buckets. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" + "documentation":"Specifies the Amazon Resource Name (ARN) of the IAM role that controls your users' access to your Amazon S3 bucket or EFS file system. The policies attached to this role determine the level of access that you want to provide your users when transferring files into and out of your Amazon S3 bucket or EFS file system. The IAM role should also contain a trust relationship that allows the server to access your resources when servicing your users' transfer requests.
" }, "ServerId":{ "shape":"ServerId",