AWS Transfer for SFTP - User Guide · 2020-06-05


AWS Transfer for SFTP: User Guide

Copyright © 2020 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

• What Is AWS Transfer for SFTP? (p. 1)
• How AWS Transfer for SFTP Works (p. 2)
• Setting Up (p. 3)
  • Signing Up for AWS (p. 3)
  • Amazon S3 Requirements (p. 3)
  • IAM Policies and Roles (p. 3)
• Getting Started (p. 7)
  • Signing In (p. 7)
  • Creating an SFTP Server (p. 7)
  • Adding a User (p. 10)
  • Transferring Files Using AWS SFTP (p. 12)
    • Using OpenSSH (p. 13)
    • Using WinSCP (p. 13)
    • Using Cyberduck (p. 15)
    • Using FileZilla (p. 16)
• Editing Servers (p. 17)
  • Finding Server Information (p. 17)
  • Taking a Server Online or Offline (p. 18)
  • Custom Hostnames (p. 19)
    • Using Route 53 (p. 19)
    • Using an Alternative DNS Provider (p. 19)
  • Configuring Your Server (p. 20)
• Editing Users (p. 21)
  • Creating IAM Policies (p. 22)
    • Creating an S3 Bucket Access Policy (p. 23)
    • Creating a Scope-Down Policy (p. 23)
• Working with Identity Providers (p. 25)
  • Custom Identity Providers (p. 25)
• Monitoring Usage (p. 28)
  • Enabling CloudTrail Logging (p. 28)
  • Logging Activity (p. 28)
• Managing Security (p. 30)
  • Generating SSH Keys (p. 30)
    • Creating SSH Keys on Windows (p. 31)
  • Rotating SSH Keys (p. 31)
  • Encrypting Your Data (p. 32)
  • Logging API Calls with AWS CloudTrail (p. 33)
    • AWS Transfer for SFTP Information in CloudTrail (p. 33)
    • Understanding AWS Transfer for SFTP Log File Entries (p. 34)
• API Reference (p. 35)
  • Welcome (p. 35)
  • Actions (p. 36)
    • CreateServer (p. 38)
    • CreateUser (p. 44)
    • DeleteServer (p. 50)
    • DeleteSshPublicKey (p. 52)
    • DeleteUser (p. 55)
    • DescribeSecurityPolicy (p. 57)
    • DescribeServer (p. 59)
    • DescribeUser (p. 62)
    • ImportSshPublicKey (p. 66)
    • ListSecurityPolicies (p. 70)
    • ListServers (p. 72)
    • ListTagsForResource (p. 75)
    • ListUsers (p. 78)
    • StartServer (p. 82)
    • StopServer (p. 84)
    • TagResource (p. 86)
    • TestIdentityProvider (p. 89)
    • UntagResource (p. 93)
    • UpdateServer (p. 95)
    • UpdateUser (p. 100)
  • Data Types (p. 104)
    • DescribedSecurityPolicy (p. 105)
    • DescribedServer (p. 107)
    • DescribedUser (p. 110)
    • EndpointDetails (p. 113)
    • HomeDirectoryMapEntry (p. 115)
    • IdentityProviderDetails (p. 116)
    • ListedServer (p. 117)
    • ListedUser (p. 119)
    • SshPublicKey (p. 121)
    • Tag (p. 122)
  • Common Parameters (p. 122)
  • Common Errors (p. 124)
• Document History (p. 126)
• AWS glossary (p. 127)


What Is AWS Transfer for SFTP?

AWS Transfer for SFTP (AWS SFTP) is a fully managed AWS service that enables you to transfer files into and out of Amazon Simple Storage Service (Amazon S3) storage over the Secure File Transfer Protocol (SFTP), also known as the Secure Shell (SSH) File Transfer Protocol. SFTP is used in data exchange workflows across industries such as financial services, healthcare, advertising, and retail.

Common use cases for AWS SFTP include:

• A data lake in AWS for uploads from third parties such as vendors and partners.
• Subscription-based distribution of data to your customers.
• Internal transfers within your organization.

With AWS SFTP, you get access to an SFTP server in AWS without the need to run any server infrastructure. You can use this service to migrate your SFTP-based workflows to AWS while keeping your end users' clients and configurations as they are. You first associate your hostname with the SFTP server endpoint, then add your users and provision them with the right level of access. After you do this, your users' transfer requests are serviced directly by your AWS SFTP server endpoint.

AWS SFTP has the following benefits:

• A fully managed service that scales in real time to meet your needs.
• You don't need to modify your applications or run any SFTP infrastructure.
• Your data is stored in durable Amazon S3 storage, so you can use native AWS services for processing, analytics, reporting, auditing, and archiving.
• No upfront costs; you pay only for the use of the service.

In the following pages, you can find descriptions of the different AWS SFTP features, detailed instructions on how to set up and use an SFTP server, how to use the different types of identity provider modes, troubleshooting tips, and the API reference for the service.

To get started with AWS SFTP, see the following:

• How AWS Transfer for SFTP Works (p. 2)
• Setting Up (p. 3)
• Getting Started (p. 7)


How AWS Transfer for SFTP Works

AWS Transfer for SFTP (AWS SFTP) is a fully managed AWS service that enables you to transfer files into and out of an Amazon S3 bucket over the Secure File Transfer Protocol (SFTP), also known as the Secure Shell (SSH) File Transfer Protocol.

You get started with AWS SFTP by creating an SFTP server and then assigning users to use the server. To service your SFTP users' transfer requests, you create an IAM role to access your S3 bucket.

To use AWS SFTP, you take the following high-level steps:

1. Create an Amazon S3 bucket, as described in Amazon S3 Requirements (p. 3).

2. Create an IAM role that contains two IAM policies:

   • One IAM policy that contains the permissions that let AWS SFTP access your S3 bucket. This IAM policy determines the level of access that you provide to your SFTP users.

   • Another IAM policy that establishes a trust relationship with AWS SFTP.

   For more information about creating IAM policies, see Creating IAM Policies for AWS SFTP (p. 22).

3. (Optional) If you have your own registered domain, associate it with your SFTP server.

   You can route SFTP traffic from a domain (for example, example.com) or a subdomain (for example, sftp.accounting.example.com) to your SFTP server endpoint. For more information, see Working with Custom Hostnames (p. 19).

4. Create an SFTP server and specify the type of identity provider that the service uses to authenticate your users.

   For more information about identity provider types, see Working with Identity Providers (p. 25).

5. If you are using an SFTP server with the service-managed identity provider rather than a custom identity provider, add one or more users.

6. Open an SFTP client and configure the connection to use the SFTP endpoint hostname of the SFTP server that you want to use. You can get this hostname from the AWS SFTP management console.

AWS SFTP supports any standard SFTP client. Some commonly used SFTP clients are:

• OpenSSH – A command-line utility for Macintosh and Linux.
• WinSCP – A Windows-only graphical client.
• Cyberduck – A graphical client for Linux, Macintosh, and Microsoft Windows.
• FileZilla – A graphical client for Linux, Macintosh, and Windows.


Setting Up

The following sections describe the prerequisites for using the AWS SFTP service. At a minimum, you need to create an Amazon S3 bucket and provide access to that bucket through a resource-based policy. Your role also needs to establish a trust relationship. This trust relationship allows AWS SFTP to assume the AWS Identity and Access Management (IAM) role to access your S3 bucket, so that it can service your SFTP users' file transfer requests.

Signing Up for AWS

To use AWS Transfer for SFTP, you need an AWS account, which gives you access to all AWS resources, forums, support, and usage reports. You are not charged for services that you don't use. If you already have an AWS account, you can skip this step.

To sign up for an AWS account

1. Open https://aws.amazon.com, and then choose Create an AWS Account.

   Note
   If you previously signed in to the AWS Management Console using AWS account root user credentials, choose Sign in to a different account. If you previously signed in to the console using IAM credentials, choose Sign-in using root account credentials. Then choose Create a new AWS account.

   Part of the sign-up procedure involves receiving a phone call and entering a verification code using the phone keypad.

2. Follow the online instructions.

For pricing information, see AWS Transfer for SFTP Pricing.

For information about AWS Region availability, see the AWS Transfer for SFTP table in AWS Regions and Endpoints in the AWS General Reference.

Amazon S3 Requirements

AWS Transfer for SFTP accesses your Amazon S3 bucket to service your users' transfer requests, so you need to provide a bucket when you set up your SFTP server. You can use an existing bucket or create a new one. When you set up your users, you assign each of them an IAM role. This role determines the level of access that they have to your S3 bucket.

For information about creating a new bucket, see How Do I Create an S3 Bucket? in the Amazon Simple Storage Service Console User Guide.

IAM Policy and Role Requirements

When you create an SFTP user, you make several decisions about user access. These include which Amazon S3 buckets the user can access, which portions of each S3 bucket are accessible, and what permissions the user has (for example, PUT or GET).

To set up access, you create a resource-based IAM policy and an IAM role that provide that access information.

As part of this, you give your SFTP users access to the Amazon S3 bucket that is the target or source of their file operations. To do so, follow these high-level steps, which are described in detail later:

1. Create an IAM role, and as part of this step establish a trust relationship with the AWS Transfer for SFTP service.


2. In your new IAM role, create a new IAM policy. Later in this topic, you can find an example policy that enables access to an S3 bucket for use with SFTP.

3. Attach the new IAM policy to the IAM role.

4. (Optional) Create a scope-down policy to further restrict user access. Later in this topic, you can find an example scope-down policy that restricts user access to the home directory.

You can find details on how to do this in the following.

Creating IAM Policies for AWS Transfer for SFTP

1. Open the IAM console at https://console.aws.amazon.com/iam/.

2. In the navigation pane, choose Roles, and then choose Create role.

   On the Create role page, make sure that AWS service is selected.

3. Choose Transfer, and then choose Next: Permissions.

4. In the Attach permissions policies section, choose Create Policy.

5. On the Create Policy page, choose the JSON tab.

6. In the editor that appears, replace the contents of the editor with the IAM policy that you want to attach to the IAM role.

   Following are two example IAM policies that you can use. Copy and paste one of the policies into the editor, and then save the policy for use in the later steps.

   The following example bucket policy grants read/write access to the objects in your S3 bucket.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "AllowListingOfUserFolder",
         "Action": [
           "s3:ListBucket",
           "s3:GetBucketLocation"
         ],
         "Effect": "Allow",
         "Resource": [
           "arn:aws:s3:::bucket_name"
         ]
       },
       {
         "Sid": "HomeDirObjectAccess",
         "Effect": "Allow",
         "Action": [
           "s3:PutObject",
           "s3:GetObject",
           "s3:DeleteObjectVersion",
           "s3:DeleteObject",
           "s3:GetObjectVersion"
         ],
         "Resource": "arn:aws:s3:::bucket_name/*"
       }
     ]
   }

   The following example policy is a scope-down policy that restricts the user's access to their home directory only.

   Note
   For a scope-down policy to lock SFTP users into their home directories, make sure that the path you assign as their home directory includes the username. For example, if the username is "bob", the home directory must include "bob".


   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "AllowListingOfUserFolder",
         "Action": [
           "s3:ListBucket"
         ],
         "Effect": "Allow",
         "Resource": [
           "arn:aws:s3:::${transfer:HomeBucket}"
         ],
         "Condition": {
           "StringLike": {
             "s3:prefix": [
               "Optional_path/${transfer:UserName}/*",
               "Optional_path/${transfer:UserName}"
             ]
           }
         }
       },
       {
         "Sid": "HomeDirObjectAccess",
         "Effect": "Allow",
         "Action": [
           "s3:PutObject",
           "s3:GetObject",
           "s3:DeleteObjectVersion",
           "s3:DeleteObject",
           "s3:GetObjectVersion"
         ],
         "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
       }
     ]
   }

7. Choose Review policy, provide a name and description for your policy, and then choose Create policy.

Next, you create an IAM role and attach the new IAM policy to it.

To create an IAM role

1. In the navigation pane, choose Roles, and then choose Create role.

   On the Create role page, make sure that AWS service is selected.

2. Choose Transfer from the list of services, and then choose Next: Permissions.

3. In the Attach permissions policies section, find and choose the policy that you just created, and then choose Next: Tags.

4. (Optional) Enter a key and value for a tag, and then choose Next: Review.

5. On the Review page, enter a name and description for your new role, and then choose Create role.

You have now created an IAM role that allows SFTP to call AWS services on your behalf. You attached the IAM policy that you created to the role, which provides access for your SFTP users. In the Getting Started (p. 7) section, this role and policy are assigned to your SFTP users.

You can optionally create a scope-down policy to restrict users' access to their home directories only, as described earlier in this topic. For more information about scope-down policies, see Creating a Scope-Down Policy (p. 23).
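The scope-down policy above is a template: AWS SFTP fills in ${transfer:HomeBucket}, ${transfer:HomeDirectory} and ${transfer:UserName} at session time, so whether it really isolates users depends on the values each user was provisioned with. The following added example (not code from the guide or from AWS) renders the template for one user and runs a deliberately small IAM-style evaluator over it, so you can see which requests the rendered policy allows before assigning it. It assumes a constructed bucket named my-bucket, home directories of the form my-bucket/home/<username> (so the template's Optional_path is "home"), and it only models what the template uses: Allow statements, IAM wildcards (* and ?) and the s3:prefix StringLike condition.

```python
"""Added example, not from the AWS guide: render the scope-down policy
template for one user and check what the rendered policy permits.

Constructed assumptions: bucket 'my-bucket', home directory layout
'my-bucket/home/<username>', and a toy evaluator that handles only the
Allow statements, IAM wildcards and s3:prefix condition the template uses."""
import fnmatch
import json

# The guide's scope-down template, with Optional_path set to "home".
SCOPE_DOWN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": ["s3:ListBucket"],
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
            "Condition": {"StringLike": {"s3:prefix": [
                "home/${transfer:UserName}/*",
                "home/${transfer:UserName}",
            ]}},
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion",
                       "s3:DeleteObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*",
        },
    ],
}


def render_policy(policy, *, home_bucket, home_directory, username):
    """Substitute the three transfer:* variables the way the service does at
    session start. home_directory is 'bucket/path' with no leading slash."""
    text = json.dumps(policy)
    text = (text.replace("${transfer:HomeBucket}", home_bucket)
                .replace("${transfer:HomeDirectory}", home_directory)
                .replace("${transfer:UserName}", username))
    return json.loads(text)


def _iam_match(pattern, value):
    """IAM wildcards: * matches any run, ? one character. fnmatch would also
    treat [...] as a class, so escape '[' to keep IAM semantics exact."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def is_allowed(policy, action, resource_arn, prefix=None):
    """True if some Allow statement covers the request. Deny statements are
    ignored because the template doesn't use any."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_iam_match(a, action) for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_iam_match(r, resource_arn) for r in resources):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if cond is not None:
            # ListBucket carries the requested prefix; a request with no
            # prefix would list the whole bucket, which the condition rejects.
            if prefix is None or not any(_iam_match(p, prefix) for p in cond):
                continue
        return True
    return False


def bob_policy():
    """The template rendered for the constructed user 'bob'."""
    return render_policy(SCOPE_DOWN_POLICY, home_bucket="my-bucket",
                         home_directory="my-bucket/home/bob", username="bob")


def check_user_isolation(policy):
    """Summarise what a session under the rendered policy may do."""
    b = "arn:aws:s3:::my-bucket"
    return {
        "list_own_home": is_allowed(policy, "s3:ListBucket", b, prefix="home/bob/"),
        "list_other_home": is_allowed(policy, "s3:ListBucket", b, prefix="home/alice/"),
        "list_bucket_root": is_allowed(policy, "s3:ListBucket", b),
        "get_own_object": is_allowed(policy, "s3:GetObject", b + "/home/bob/report.csv"),
        "get_other_object": is_allowed(policy, "s3:GetObject", b + "/home/alice/report.csv"),
        "get_bucket_location": is_allowed(policy, "s3:GetBucketLocation", b),
        # HomeDirectory* has no separator after the home path, so a sibling
        # directory whose name merely starts with 'bob' is also matched.
        "get_sibling_prefix_object": is_allowed(policy, "s3:GetObject", b + "/home/bobby/x.csv"),
    }


if __name__ == "__main__":
    for request, allowed in check_user_isolation(bob_policy()).items():
        print(f"{request:28s} {'ALLOW' if allowed else 'deny'}")
```

The last check is the point of running such a model before rollout: the object statement's resource ends in ${transfer:HomeDirectory}* with no trailing slash, so object access for bob also covers keys under home/bobby/. The listing condition does not share that weakness because its patterns end in the username or username/*. Whether this matters depends on your naming convention, which is exactly what the guide's Note about including the username in the home directory path is asking you to decide deliberately.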


For general information about IAM roles, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide. To learn more about resource-based policies for S3 resources, see Managing Access Permissions to Your Amazon S3 Resources in the Amazon Simple Storage Service Developer Guide.


Getting Started

In this getting-started exercise, you do the following:

• Sign in to the AWS Transfer for SFTP console.
• Create your first SFTP server.
• Add a user.
• Perform a file transfer using an SFTP client.

Before you begin, complete the requirements in Setting Up (p. 3). In that step, you create an Amazon S3 bucket and an AWS Identity and Access Management (IAM) user role.

When you create an SFTP server, you decide how the server authenticates users and provides access to Amazon S3 storage. This getting-started exercise uses service-managed authentication, which is authentication managed by AWS SFTP. Service-managed authentication uses Secure Shell (SSH) key pairs.

You can also integrate your own custom authentication method for use with AWS SFTP. This method supports both password-based and key-based authentication. For more information about custom authentication, see Working with Custom Identity Providers (p. 25).

Signing In to the AWS SFTP Console for the First Time

Before you sign in to the AWS SFTP console, create an Amazon S3 bucket and an IAM user role that can access the service. For instructions, see Setting Up (p. 3).

After you have done so, use the following procedure to sign in to the AWS Transfer for SFTP service for the first time.

To sign in to the AWS SFTP console for the first time

1. Navigate to the AWS Transfer for SFTP console using one of the following methods:

   • Enter https://console.aws.amazon.com/transfer/ in your browser's address bar.
   • Go to the AWS Management Console, sign in, and then enter AWS Transfer in the search box.

2. For Account ID or alias, enter your account ID or alias.

3. For IAM user name, enter the name of the user role that you created for SFTP.

4. For Password, enter your AWS account password.

5. Choose Sign In.

Next Step

Creating an SFTP Server (p. 7)

Creating an SFTP Server

In the following, you can find information about how to create an SFTP server. When you create a server, you assign it an identity provider type: either service-managed SSH keys or a custom method. The custom method uses Amazon API Gateway and lets you integrate your own directory service to authenticate and authorize your SFTP users. The service automatically assigns an identifier that uniquely identifies your server.


Optionally, you can define a custom hostname. You can do so using the Amazon Route 53 service or a Domain Name System (DNS) service of your choice.

You create an SFTP server in a specific AWS Region to perform the file operation requests of the SFTP users assigned to that server. You can assign a hostname to the server, or use a custom hostname based on DNS redirection.

You can also assign metadata to the server in the form of key/value pair tags. A server's hostname must be unique within the AWS Region in which the server is created. Instantiated SFTP servers and data transfer incur costs.

In this procedure, you create a server using the service-managed (SSH key) method and leave the hostname blank.

To create your first SFTP server using AWS SFTP

1. Open the AWS SFTP console at https://console.aws.amazon.com/transfer/.

2. In the New SFTP server section, choose Create Server, as shown following.

3. Do one of the following:

   • If you don't want to use a custom domain, choose None for the SFTP server's DNS configuration.

     In this case, AWS SFTP provides the SFTP server hostname for you. The server hostname takes the form serverId.server.transfer.regionId.amazonaws.com.

   • If you want to use a registered custom hostname, choose Amazon Route 53 DNS alias or Other DNS.

     Doing so specifies the name resolution method to associate with your SFTP server endpoint.

     For example, your custom domain might be sftp.inbox.example.com. A custom hostname uses a DNS name that you provide and that a DNS service can resolve. The DNS resolver can be Route 53 or your own DNS service provider. To learn how AWS SFTP uses Route 53 to route traffic from your custom domain to the SFTP endpoint, see Working with Custom Hostnames (p. 19).

4. In the Identity provider section, choose Service managed to store user identities and keys within AWS SFTP.

   This exercise uses the service-managed option. If you choose Custom, you provide an API Gateway endpoint and an IAM role to access that endpoint. This lets you integrate your directory service to authenticate and authorize your SFTP users. To learn more about working with custom identity providers, see Working with Identity Providers (p. 25).


5. (Optional) For Logging role, choose the IAM role that enables Amazon CloudWatch logging of your SFTP users' activity.

   For more information about setting up a CloudWatch logging role, see Monitoring Usage (p. 28).

6. (Optional) For Key and Value, enter one or more tags as key/value pairs.

   Choose Add tag to add more tags to your server.

7. Choose Create to create your server. You are taken to the Servers page, shown following, which lists your new server.

It takes a few minutes for the status of your new SFTP server to change to Online. At that point, your server can perform file operations for your users.


Next Step

Adding a User (p. 10)

Adding a User

If you are using the service-managed identity type, you add users to your SFTP server. When you do so, each username must be unique on your server.

You also store each user's Secure Shell (SSH) public key in that user's properties. This is required for service-managed authentication, which is what this getting-started exercise uses. When a user sends an authentication request to your SFTP server using an SFTP client, the client provides the user's SSH private key. It also provides the username that the SFTP client uses.

In addition, you specify the user's home directory, or landing directory, and assign an IAM role to the user. Optionally, you can provide a scope-down policy to limit the user's access to the home directory in your S3 bucket.

To add a user to an SFTP server

1. On the Servers page, select the check box next to the SFTP server that you want to add a user to.

2. Choose Add user to open the Add user screen.

3. For Username, enter the username. This username must be a minimum of 3 and a maximum of 32 characters long. You can use the following characters in the username: a-z, A-Z, 0-9, underscore, and hyphen. The username can't start with a hyphen.


4. For Roles, choose the IAM role that you created earlier that can access your Amazon S3 bucket.

   You created this IAM role using the procedure in IAM Policy and Role Requirements (p. 3). That IAM role includes the IAM policy that can access your Amazon S3 bucket. It also includes the trust relationship with the AWS SFTP service, which is defined in another IAM policy.

5. (Optional) Add a scope-down policy as described in IAM Policy and Role Requirements (p. 3). To learn more about scope-down policies, see Creating a Scope-Down Policy (p. 23).

6. For Home Directory, choose the S3 bucket to store the data transferred using AWS SFTP. Enter the path to the home directory where the user lands when they log in using their SFTP client.

   If you leave this parameter blank, the root directory of your Amazon S3 bucket is used. In this case, make sure that your IAM role provides access to this root directory.

   Note
   We recommend that you choose a directory path that contains the user's username, which lets you use a scope-down policy effectively. A scope-down policy limits the user's access to that user's home directory in the S3 bucket.

7. For SSH public key, enter the public key portion of the SSH key pair.


   The key must be validated by the service before you can add the new user. The format of the SSH key is ssh-rsa <string>. For instructions on how to generate an SSH key pair, see Generating SSH Keys (p. 30).

8. (Optional) For Key and Value, enter one or more tags as key/value pairs.

9. Choose Add to add the new user to the server that you chose.

The new user appears in the Users section of the Servers page, as shown following.
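The Add user screen takes two free-text inputs that the procedure above constrains: the username (3 to 32 characters, a-z, A-Z, 0-9, underscore and hyphen, no leading hyphen) and the SSH public key in ssh-rsa <string> form. The following added example (not code from the guide or from AWS) is the pre-flight check a provisioning script can run before calling the console or API with those values. The username check applies the rules as stated. The key check goes further than a prefix comparison: it decodes the base64 blob, reads the RFC 4251 wire format and confirms that the key type embedded in the blob matches the ssh-rsa prefix, which catches keys pasted from the wrong file (a private key, or a .ppk export) before they reach the service. The sample key below is constructed with a made-up modulus, not a real key pair.

```python
"""Added example, not from the AWS guide: validate the Add user inputs
(username and OpenSSH-format ssh-rsa public key) before provisioning."""
import base64
import re
import struct

# First character may not be a hyphen; total length 3-32 (guide's rules).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]{2,31}$")


def validate_username(name):
    """Apply the username rules from the guide. Returns (ok, reason)."""
    if not 3 <= len(name) <= 32:
        return False, "username must be 3 to 32 characters"
    if name.startswith("-"):
        return False, "username can't start with a hyphen"
    if not USERNAME_RE.match(name):
        return False, "username may contain only a-z, A-Z, 0-9, _ and -"
    return True, "ok"


def _ssh_string(b):
    """Encode one length-prefixed string in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(blob, offset):
    """Decode one length-prefixed string; raise on a truncated blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def validate_ssh_public_key(text):
    """Check an OpenSSH public-key line. Returns (ok, reason, modulus_bits)."""
    line = text.strip()
    if "PRIVATE KEY" in line:
        return False, "this is a private key; paste the .pub file instead", 0
    parts = line.split()
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'", 0
    key_type, b64 = parts[0], parts[1]
    if key_type != "ssh-rsa":
        return False, "the guide specifies the ssh-rsa <string> format", 0
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "key blob is not valid base64", 0
    try:
        embedded, off = _read_ssh_string(blob, 0)   # key type
        _exponent, off = _read_ssh_string(blob, off)  # e as mpint
        modulus, off = _read_ssh_string(blob, off)    # n as mpint
    except ValueError as exc:
        return False, str(exc), 0
    if embedded != key_type.encode():
        return False, "key type inside the blob doesn't match the prefix", 0
    if off != len(blob):
        return False, "trailing bytes after the RSA key", 0
    # mpint adds a leading zero byte when the top bit is set; drop it
    # before measuring the modulus size.
    mod = modulus.lstrip(b"\x00")
    bits = (len(mod) - 1) * 8 + mod[0].bit_length() if mod else 0
    return True, "ok", bits


def build_rsa_public_key_line(modulus, exponent=65537, comment="constructed"):
    """Encode an RSA public key in OpenSSH one-line format. Used here only to
    construct sample input; a real key comes from ssh-keygen."""
    def mpint(n):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return b"\x00" + raw if raw and raw[0] & 0x80 else raw
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(mpint(exponent))
            + _ssh_string(mpint(modulus)))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    # Constructed inputs: a made-up 2048-bit modulus, not a real key.
    sample_key = build_rsa_public_key_line((1 << 2047) | 1)
    for name in ("bob", "-bob", "ab", "bob.smith"):
        print(name, validate_username(name))
    print(validate_ssh_public_key(sample_key))
    print(validate_ssh_public_key("-----BEGIN OPENSSH PRIVATE KEY-----"))
```

Rejecting a pasted private key locally is worth the few lines: the service would refuse it too, but a script that logs its rejected inputs would otherwise write the private key into its own logs.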

Next Step

Transferring Files Using AWS SFTP (p. 12)

Transferring Files Using AWS SFTP

You transfer files over the AWS SFTP service by specifying the transfer operation in an SFTP client. AWS SFTP supports the following SFTP clients:

• OpenSSH (Macintosh and Linux)
• WinSCP (Microsoft Windows only)
• Cyberduck (Windows, Macintosh, and Linux)
• FileZilla (Windows, Macintosh, and Linux)

In the following, you can find how to use each client to transfer files.

Topics

• Using OpenSSH (p. 13)
• Using WinSCP (p. 13)
• Using Cyberduck (p. 15)
• Using FileZilla (p. 16)

Using OpenSSH

Use the following instructions to transfer files from the command line using OpenSSH.

To transfer files over AWS SFTP using the OpenSSH command-line utility

1. On Linux or Macintosh, open a command terminal.

2. At the prompt, enter the following command:

   % sftp -i transfer-key sftp_user@service_endpoint

   In the preceding command, sftp_user is the username and transfer-key is the SSH private key. Here, service_endpoint is the SFTP server's endpoint as shown in the AWS SFTP console for the selected SFTP server.

   An sftp prompt should appear.

3. At the sftp prompt, enter the following command:

   sftp> pwd

4. On the next line, enter the following text:

   /mybucket/home/sftp_user

   In this getting-started exercise, this Amazon S3 bucket is the target of the file transfer.

5. On the next line, enter the following command:

   sftp> put filename.txt

   The put command transfers the file to the Amazon S3 bucket.

   A message like the following appears, indicating that the file transfer is in progress, or complete.

   Uploading filename.txt to /my-bucket/home/sftp_user/filename.txt

   some-file.txt 100% 127 0.1KB/s 00:00

Note
It takes a few minutes after the server is created before the DNS service in your environment can resolve your server endpoint hostname. For testing purposes, use the regional endpoint and log in as user_name.serverid@service_endpoint. For a list of AWS Regions and endpoints for AWS SFTP, see AWS Transfer for SFTP in AWS Regions and Endpoints in the AWS General Reference.
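When the session above is scripted rather than typed, two details matter: the login name and host should be passed as an argv element (never through a shell string), so that a username or path from an external source cannot be parsed as an sftp option, and the transfer should abort on the first failing command rather than continue. The following added example (not code from the guide or from AWS) builds the OpenSSH sftp invocation for an AWS SFTP endpoint and the batch script it reads on stdin, mirroring the pwd/put session above. It parses the serverId and regionId out of the serverId.server.transfer.regionId.amazonaws.com hostname and, when you pass the regional endpoint hostname from the table the Note points to, switches to the user_name.serverid login form. The server ID and endpoint in the demo are constructed values; the regional endpoint hostname is a parameter because this example does not know it.

```python
"""Added example, not from the AWS guide: build the sftp argv and batch
script for an AWS SFTP transfer without going through a shell.

Constructed values: the server ID and hostnames used in __main__."""
import re
import shlex
import subprocess

# serverId.server.transfer.regionId.amazonaws.com, the form the guide shows
ENDPOINT_RE = re.compile(
    r"^(?P<server_id>[A-Za-z0-9-]+)\.server\.transfer\."
    r"(?P<region>[a-z0-9-]+)\.amazonaws\.com$")


def parse_endpoint(hostname):
    """Split a server endpoint hostname into (server_id, region)."""
    m = ENDPOINT_RE.match(hostname)
    if not m:
        raise ValueError(f"not an AWS SFTP server endpoint: {hostname}")
    return m.group("server_id"), m.group("region")


def sftp_argv(username, key_path, hostname, regional_endpoint=None):
    """argv for `sftp -i key -b - login@host`.

    With regional_endpoint set (taken from the AWS General Reference table the
    guide's Note points to), the login becomes username.serverId and the host
    becomes that regional endpoint, the form the Note recommends while DNS
    for the server hostname is still propagating."""
    server_id, _region = parse_endpoint(hostname)
    if regional_endpoint:
        login, host = f"{username}.{server_id}", regional_endpoint
    else:
        login, host = username, hostname
    if login.startswith("-") or host.startswith("-"):
        # Would be read as an option by sftp even when passed as argv.
        raise ValueError("login or host would be parsed as an option")
    # -b - reads the batch script from stdin and makes sftp non-interactive:
    # it stops at the first failing command and exits non-zero.
    return ["sftp", "-i", key_path, "-b", "-", f"{login}@{host}"]


def upload_batch(remote_dir, local_file):
    """Batch commands: enter the home directory, upload, list, quit.
    Paths are quoted for sftp's own tokenizer; newlines are refused because
    they would split the script into extra commands."""
    if any(c in local_file + remote_dir for c in "\r\n"):
        raise ValueError("newlines are not allowed in batch paths")
    return "\n".join([
        f"cd {shlex.quote(remote_dir)}",
        f"put {shlex.quote(local_file)}",
        "ls -l",
        "bye",
    ]) + "\n"


def run_upload(argv, batch):
    """Execute sftp with the batch script on stdin; returns the exit code."""
    return subprocess.run(argv, input=batch, text=True).returncode


if __name__ == "__main__":
    # Constructed endpoint and server ID, not a real server.
    endpoint = "s-1234567890abcdef0.server.transfer.us-east-1.amazonaws.com"
    argv = sftp_argv("bob", "/home/me/.ssh/transfer-key", endpoint)
    batch = upload_batch("/my-bucket/home/bob", "report 2020.csv")
    print(argv)
    print(batch, end="")
    # run_upload(argv, batch) would perform the transfer against a real server.
```

Because -b makes sftp non-interactive, the private key must be usable without a prompt (an agent or a passphrase-less key on a locked-down host), and the exit code from run_upload is the signal a job scheduler should act on: with -b, a partial upload does not continue silently.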

Using WinSCP

Use the following instructions to transfer files from the command line using WinSCP.

To transfer files over AWS SFTP using WinSCP

1. Open the WinSCP client and choose New Session.

2. For File protocol, make sure that SFTP is selected in the Login dialog box.

3. Choose New Site from the folder list on the left, as shown following.

4. For Host name, enter your server endpoint.

5. For Username, enter the username that you created in Adding a User (p. 10).

6. Choose Advanced to open the Advanced dialog box, as shown following, and then choose Authentication in the SSH section of the left pane.

7. Browse your file system and choose your SSH private key.

8. If WinSCP can convert your SSH private key to PPK format, as shown following, choose OK.

9. Choose OK to return to the Login dialog box, and then choose Save.

10. In the Save session as site dialog box, shown following, choose OK to complete your connection setup.

11. Perform your SFTP file transfer.


You can use drag-and-drop to copy files between the target and source windows. You can use the toolbar icons in WinSCP to upload, download, delete, edit, or modify the properties of files.

Note
Because Amazon S3 manages object timestamps, be sure to disable WinSCP's timestamp settings before you perform AWS SFTP file transfers. To do so, in the WinSCP Transfer settings dialog box, disable the Set permissions upload option and the Preserve timestamp common option.

Using Cyberduck

Use the following instructions to transfer files from the command line using Cyberduck.

To transfer files over AWS SFTP using Cyberduck

1. Launch Cyberduck and choose Open Connection to open the Connection dialog box.

2. For Protocol, choose SFTP (SSH File Transfer Protocol).

3. On the AWS SFTP Servers page, select the check box next to the name of the SFTP server that you want to use.

4. For Server, enter the service endpoint, as shown following.

5. For Username, enter the username that you created in Adding a User (p. 10).

6. For SSH Private Key, choose your SSH private key.

7. (Optional) For Path, choose More Options, and then enter the target or source Amazon S3 directory.

8. Choose Connect.

   The Amazon S3 directory opens in one of the SFTP client's panes.

9. Depending on where the file is located, do one of the following:

   • In the local directory (the source), choose the files that you want to transfer, and then drag and drop them into the Amazon S3 directory (the target).
   • In the Amazon S3 directory (the source), choose the files that you want to transfer, and then drag and drop them into the local directory (the target).

Cyberduck transfers the files.


Using FileZilla

Use the following instructions to transfer files from the command line using FileZilla.

To set up FileZilla for an SFTP file transfer

1. Choose Connect to open the Connection dialog box.

2. In the list at the top, choose SFTP as the protocol.

3. For Port, enter 22.

4. For Server, enter the hostname.service_endpoint of the SFTP server listed for selection in the AWS SFTP console.

5. For Username, enter the username that you created in Adding a User (p. 10). Use the username.serverId format. The serverId is listed in the AWS SFTP console.

6. Choose Browse and upload your SSH private key for this FileZilla connection.

7. Choose Connect.

Note
If you interrupt a file transfer that is in progress, AWS SFTP might write a partial object in your S3 bucket. If you interrupt an upload, check that the file size in the S3 bucket matches the file size of the source object before continuing.


Editing Servers

You can use the AWS Management Console to find information about an AWS Transfer for SFTP server and configure it, and to take it online or offline.

Topics

• Finding Information About Your Server (p. 17)
• Taking an SFTP Server Online or Offline (p. 18)
• Working with Custom Hostnames (p. 19)
• Configuring Your Server (p. 20)

Finding Information About Your Server

On the AWS Transfer for SFTP console, you can find a list of all the SFTP servers located in the AWS Region that you have selected.

You can also find a list of the details and properties of an individual SFTP server. Server properties include: status, service endpoint, custom hostname, logging role, users, and tags.

To find the list of SFTP servers in an AWS Region

• Sign in to the AWS Management Console and open the AWS SFTP console at https://console.aws.amazon.com/transfer/.

  If you have one or more AWS SFTP servers in the current AWS Region, the console opens and displays the list of your servers. If you don't see a list of servers, make sure that you are in the correct AWS Region. You can also choose Servers from the navigation pane.

  You can see an example Servers list following.

To find details about an SFTP server

1. Open the AWS SFTP console and navigate to the Servers page.

2. On the Servers page, select the SFTP server whose properties you are interested in by selecting the check box next to its name.

3. Choose the identifier in the Server ID column to see the Server Configuration page, as shown following.


Taking an SFTP Server Online or Offline

When an SFTP server is online, you can use it for SFTP file operations. You can use the AWS SFTP console to take your server online or offline.

To take an SFTP server online

1. Open the AWS SFTP console, and then choose Servers in the navigation pane.

2. Select an offline SFTP server by selecting the check box next to its name.

3. For Actions, choose Start.

It can take a couple of minutes for an SFTP server to switch from offline to online.

Note
When you stop an SFTP server to take it offline, you are still charged for the service for that server. To avoid additional SFTP server-type charges, delete the server.

To take an SFTP server offline

1. Open the AWS SFTP console, and then choose Servers in the navigation pane.

2. Select an online SFTP server by selecting the check box next to its name.

3. For Actions, choose Stop.

While an SFTP server is starting up or shutting down, it is unavailable for file operations. The console doesn't display the intermediate starting and stopping states.

If you encounter the error conditions START_FAILED or STOP_FAILED, contact AWS Support to help resolve the issue.


Working with Custom Hostnames

Your server hostname is the hostname that your users enter in their SFTP clients when they connect to your AWS SFTP server. You can use a custom domain that you have registered as your server hostname when you use AWS SFTP. For example, you might use a custom hostname such as mysftpserver.mysubdomain.domain.com.

To redirect traffic from your registered custom domain to your server endpoint, you can use Amazon Route 53 or any DNS provider. Route 53 is the DNS service that AWS SFTP supports natively.

On the console, you can choose one of the following options to set up a custom hostname:

• Amazon Route 53 DNS alias – if the hostname that you want to use is registered with Route 53. You can then enter the hostname.
• Other – if the hostname that you want to use is registered with another DNS provider. You can then enter the hostname.
• None – to use the SFTP server's endpoint rather than a custom hostname.

You set this option when you create a new SFTP server or edit the configuration of an existing one. For more information about creating a new SFTP server, see Creating an SFTP Server (p. 7). For more information about editing the configuration of an existing SFTP server, see Configuring Your Server (p. 20).

For more information about using your own domain as the server hostname, and about how AWS SFTP uses Route 53, see the following sections.

Using Amazon Route 53 for Custom Hostnames

When you use AWS SFTP, you can use Amazon Route 53 as your DNS provider. Before you can use a domain with Route 53, you register the domain. For more information about how to do this, see How Domain Registration Works in the Amazon Route 53 Developer Guide.

When you use Route 53 to provide DNS routing to your SFTP server, AWS SFTP uses the custom hostname that you enter to fetch its hosted zone. When SFTP fetches the hosted zone, one of three things happens:

1. If you are using Route 53 for the first time and therefore have no hosted zone, AWS SFTP adds a new hosted zone and a CNAME record. The value of this CNAME record is the endpoint hostname of your SFTP server. A CNAME is an alternate domain name.

2. If you have a hosted zone in Route 53 without any CNAME records, AWS SFTP adds a CNAME record to that hosted zone.

3. If the service detects that a CNAME record already exists in the hosted zone, you see an error indicating that the CNAME record already exists. In this case, change the value of the CNAME record to the hostname of your AWS SFTP server. For more information, see Using Custom URLs for Files by Adding Alternate Domain Names (CNAMEs) in the Amazon CloudFront Developer Guide.

Note
If this step is part of the server creation flow, your server has still been created successfully, with the custom hostname set to None.

For more information about hosted zones in Route 53, see Hosted Zones in the Amazon Route 53 Developer Guide.

Using Alternative DNS Providers for Custom Hostnames

When you use AWS SFTP, you can also use a DNS provider other than Amazon Route 53. If you use an alternative DNS provider, you need to make sure that traffic from your domain is directed to your AWS SFTP server endpoint.

To do so, point your domain at the endpoint hostname of the SFTP server. In the console, the endpoint hostname looks like the following: serverid.server.transfer.region.amazonaws.com.


Configuring Your Server

When you create a new SFTP server, you can optionally assign a custom hostname and enable Amazon S3 event logging using Amazon CloudWatch. You can also change the DNS or logging configuration of an SFTP server later from the console.

Note
After you create a server, you can't change its identity provider type. To change the identity provider, delete the server and create a new one with the identity provider that you want.

To edit the configuration of an SFTP server

1. Open the AWS SFTP console (https://console.aws.amazon.com/transfer/), and then choose Servers in the navigation pane.

2. On the Servers page, select the SFTP server whose configuration you want to edit by selecting the check box next to its name.

3. Choose Edit to open the Edit Configuration page, as shown following.

4. (Optional) For Custom hostname, choose one of None, Amazon Route 53 alias, or Other DNS provider.

   If you want to use a custom hostname that you have registered, choose Amazon Route 53 alias or Other DNS provider. Doing so specifies the name resolution method associated with your SFTP server endpoint. An example of a custom domain is sftp.inbox.example.com.

   A custom hostname uses a DNS name that you provide and that a DNS service can resolve. The DNS resolver can be Route 53 or your own DNS service provider. To learn how AWS SFTP uses Route 53 to route traffic from your custom domain to the SFTP endpoint, see Working with Custom Hostnames (p. 19). Amazon Route 53 is the DNS service that AWS SFTP supports natively. For more information, see What Is Amazon Route 53? in the Amazon Route 53 Developer Guide.

5. (Optional) For Logging role, choose the AWS Identity and Access Management (IAM) role that enables CloudWatch logging of your SFTP users' activity.

   For more information about setting up a logging role, see Monitoring Usage (p. 28).

6. Choose Save to save your configuration.


Editing users

You can edit a user's properties in the AWS SFTP management console. On the Server Configuration page in the console, you can edit the user's role, policy, and home directory. You can also add and delete Secure Shell (SSH) public keys and tags.

To edit a user's properties, see the following procedure. To learn about creating IAM policies for AWS SFTP, see Creating IAM policies for AWS SFTP (p. 22).

Note

You can't edit a user name after you add the user. To change a user's user name, create a new user with the new user name, and then delete the user that you no longer need.

To edit a user's properties

1. Sign in to the AWS Management Console and open the AWS SFTP console at https://console.aws.amazon.com/transfer/.

2. In the navigation pane, choose Servers.

3. On the Server Configuration page, in the Users section, choose the user name to view the User Configuration page, shown following.

4. Choose Add SSH public key to add a new SSH public key to the user. Alternatively, select an assigned SSH public key in the list and choose Delete to remove that key from the user definition.

SSH keys are used only for SFTP servers that use the Amazon API Gateway authentication method, also known as the custom authentication method. For information about how to generate an SSH key pair, see Generating SSH keys (p. 30).

5. Choose Manage tags to add, remove, or modify the existing tags associated with this user.

6. Choose Edit to view the Edit Configuration page, shown following.


7. (Optional) For Access Info, choose an IAM role to modify the AWS Identity and Access Management (IAM) role currently assigned to the user.

For information about how to create the required IAM role for AWS SFTP, see IAM policy and role requirements (p. 3). The IAM role for AWS SFTP contains an IAM policy that provides access to your Amazon S3 bucket. It also contains another IAM policy that establishes a trust relationship with AWS SFTP (as defined in the permissions policy).

8. (Optional) Choose a new policy option to modify the Policy Info.

Note

If you changed the scope-down policy in the IAM console, re-add the modified policy under Policy Info to propagate the change. For more information, see Creating a scope-down policy (p. 23).

9. (Optional) To modify the Home Directory, choose the new Amazon S3 bucket where you want to store the data transferred by AWS SFTP. Enter the path to the directory that your user lands in when they sign in with an SFTP client.

Note

We recommend that you choose a directory path that includes the user name.

If you leave this parameter blank, the root directory of your Amazon S3 bucket is used. Make sure that your role provides access to the bucket root.

10. Choose Save to save your changes.

Creating IAM policies for AWS SFTP

An AWS Identity and Access Management (IAM) policy is a statement, usually in JSON format, that allows a specific level of access to a resource.

You can use IAM policies to define the file operations that you want to allow your SFTP users to perform and those you don't. You can also use IAM policies to define the Amazon S3 buckets that you want your users to have access to. To specify these policies for users, create an IAM role for AWS SFTP and associate the IAM policies and a trust relationship with it.

Each SFTP user is assigned an IAM role. When a user logs in to the SFTP server, AWS SFTP assumes the IAM role mapped to that user. To learn about creating an IAM role that gives a user access to an Amazon S3 bucket, see the following. For information about how to create a role and delegate permissions, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

The type of IAM role that AWS SFTP uses is called a service role.

Topics


• Creating an access policy for an Amazon S3 bucket (p. 23)
• Creating a scope-down policy (p. 23)

Creating an access policy for an Amazon S3 bucket

Following, you can see how to create an IAM policy that allows read and write access to a specific Amazon S3 bucket. Assigning an IAM role that has this IAM policy to your SFTP user gives that user read/write access to the specified S3 bucket.

The following policy provides programmatic read and write access to an Amazon S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": ["arn:aws:s3:::bucketname"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::bucketname/*"]
        }
    ]
}

The ListBucket action requires permission on the bucket itself. The PUT, GET, and DELETE actions require object permissions. Because these are different entities, they are specified with different Amazon Resource Names (ARNs).

If your bucket is enabled for AWS Key Management Service (AWS KMS) encryption, you need to enable additional actions in the policy. For more information about AWS KMS, see What is AWS Key Management Service?

To further scope down your user's access to only the home directory in the specified S3 bucket, see Creating a scope-down policy (p. 23).

Creating a scope-down policy

A scope-down policy is an AWS Identity and Access Management (IAM) policy that restricts AWS SFTP users to a specific portion of an S3 bucket. It does this by evaluating access in real time.

You can use a scope-down policy when you need to give a group of users the same access to a specific portion of an S3 bucket. For example, a group of users might need access only to their home directories. That group of users shares the same IAM role.

To create a scope-down policy, use the following policy variables in your IAM policy:

• ${transfer:HomeBucket}

• ${transfer:HomeDirectory}

• ${transfer:HomeFolder}

• ${transfer:UserName}


Note

You can't use the variables listed preceding as policy variables in an IAM role definition. You create these variables in an IAM policy and then provide them directly when you set up your user. Also, you can't use the ${aws:Username} variable in this scope-down policy. This variable refers to an IAM user name, not the user name required by AWS SFTP.

An example scope-down policy is shown in the following code example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${transfer:HomeBucket}"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${transfer:HomeFolder}/*",
                        "${transfer:HomeFolder}"
                    ]
                }
            }
        },
        {
            "Sid": "AWSTransferRequirements",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"
        }
    ]
}

With the preceding policy in place, when users log in, they can access only the objects in their home directory. At connection time, AWS SFTP replaces these variables with the appropriate values for that user. Doing this makes it easier to apply the same policy document to multiple users. This approach reduces the overhead of IAM role and policy management for managing your users' access to Amazon S3 buckets.

You can also use a scope-down policy to customize access for each of your users based on your business requirements. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.
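Both the bucket access policy and the scope-down policy above can be exercised offline before you attach them. The following is an added example, not code from the guide: it substitutes the ${transfer:*} variables the way the text says AWS SFTP does at connection time, then runs a minimal IAM-style evaluator over the rendered statements so you can see which S3 requests a given user's role would allow. The user and bucket names (alice, example-bucket) are constructed samples; the variable expansions (HomeBucket is the bucket, HomeFolder the key prefix inside it, HomeDirectory the two joined without a leading slash) are assumptions about how the service fills them; and the evaluator models only what these two policies use (Allow statements, * wildcards, the StringLike s3:prefix condition), not full IAM semantics.

```python
"""Render the ${transfer:*} variables and evaluate the resulting S3 permissions.

Added example, not code from the guide. Covers only what the bucket access
policy and the scope-down policy above need: Allow statements, "*" wildcards
and the StringLike s3:prefix condition. Deny, NotAction and other condition
keys are not modelled.
"""
import fnmatch
import json

# Bucket access policy from the guide (bucket name is the guide's placeholder).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::bucketname"]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::bucketname/*"]},
    ],
}

# Scope-down policy from the guide, still containing the policy variables.
SCOPE_DOWN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListingOfUserFolder",
         "Action": ["s3:ListBucket"],
         "Effect": "Allow",
         "Resource": ["arn:aws:s3:::${transfer:HomeBucket}"],
         "Condition": {"StringLike": {"s3:prefix": [
             "${transfer:HomeFolder}/*", "${transfer:HomeFolder}"]}}},
        {"Sid": "AWSTransferRequirements",
         "Effect": "Allow",
         "Action": ["s3:ListAllMyBu ckets".replace(" ", ""), "s3:GetBucketLocation"],
         "Resource": "*"},
        {"Sid": "HomeDirObjectAccess",
         "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObjectVersion",
                    "s3:DeleteObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::${transfer:HomeDirectory}*"},
    ],
}

# Constructed sample user. The expansions are assumptions about how the
# service fills the variables: HomeBucket is the bucket, HomeFolder the key
# prefix inside it, HomeDirectory the two joined (no leading slash).
ALICE = {
    "UserName": "alice",
    "HomeBucket": "example-bucket",
    "HomeFolder": "home/alice",
    "HomeDirectory": "example-bucket/home/alice",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def render(policy: dict, user: dict) -> dict:
    """Substitute ${transfer:Name} with the user's values (what AWS SFTP does at login)."""
    text = json.dumps(policy)
    for name, value in user.items():
        text = text.replace("${transfer:%s}" % name, value)
    return json.loads(text)


def is_allowed(policy: dict, action: str, resource: str, prefix=None) -> bool:
    """True if some Allow statement matches action, resource and (if present) s3:prefix."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if patterns is not None:
            # A StringLike condition on s3:prefix fails when the request carries no prefix.
            if prefix is None or not any(fnmatch.fnmatchcase(prefix, p) for p in _as_list(patterns)):
                continue
        return True
    return False


if __name__ == "__main__":
    rendered = render(SCOPE_DOWN_POLICY, ALICE)
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/home/alice/report.csv", None),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/home/bob/report.csv", None),
        ("s3:ListBucket", "arn:aws:s3:::example-bucket", "home/alice/"),
        ("s3:ListBucket", "arn:aws:s3:::example-bucket", "home/bob/"),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/home/alice2/x", None),
    ]
    for action, resource, prefix in checks:
        print(action, resource, prefix or "", "->", is_allowed(rendered, action, resource, prefix))
```

The last check is worth running against your own home-directory layout: because the object statement uses ${transfer:HomeDirectory}* with no separating slash, a user whose home directory is home/alice also matches keys under home/alice2/. Giving each user a distinct parent prefix, or adding the slash before the wildcard, removes that overlap.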


Working with identity providers

You can integrate your existing identity provider with AWS SFTP by providing an Amazon API Gateway method through a RESTful interface. AWS SFTP calls this method to authenticate your SFTP users.

The RESTful interface must contain a single method that authenticates users and authorizes them to access Amazon S3 buckets. After you set up the API method, connect it to your SFTP server when you create a new server using the console or the AWS SFTP API operations.

Topics
• Using a custom identity provider (p. 25)

Using a custom identity provider

API Gateway lets you create and provide APIs in a secure way. The HTTPS endpoint that API Gateway provides transports all incoming API calls securely. The authentication method that API Gateway provides is named AWS_IAM, and it provides the same IAM authentication used internally by AWS. If AWS_IAM is enabled, only callers with explicit permission to invoke the customer's API can connect to its API Gateway method. To use AWS SFTP, the caller must have AWS Identity and Access Management (IAM) enabled and provide an IAM role and permissions that allow AWS SFTP to invoke its API method. For more information about the API Gateway service, see the API Gateway Developer Guide.

To use API Gateway for custom authentication

1. Download the AWS CloudFormation template from the AWS website.

This AWS SFTP AWS CloudFormation template creates a fully functional implementation backed by a prototype AWS Lambda function. Deploying this template is the easiest way to integrate a custom identity provider.

2. Set up the API Gateway authentication method for your SFTP server.

After you load the template and create the method, go to the API Gateway console to implement your method body.

The following figure shows a template for this method. In this example, the method is backed by a Lambda function, but it could be any of many other integration types.

3. Test your method to confirm that it successfully authenticates valid users (and does not authenticate invalid users).

The following screenshot shows a successful test of a custom authentication method in API Gateway.


4. Create your server, choosing Custom as the Identity provider type, as shown following.

5. Enter the URL of the API Gateway endpoint that you just created, along with the IAM role that you created earlier to give the service access to invoke this API Gateway.

Your API Gateway must implement a single method using the /servers/serverId/users/username/config resource path. serverId and username come from the RESTful resource path.

If AWS SFTP attempts password authentication on behalf of your user, the service provides a Password: header field. If there is no Password: header, the service assumes that AWS SFTP is attempting public key authentication on behalf of your user to authenticate them.

This method should always return HTTP status 200. Any other HTTP status code indicates an API access error.

The response body should be a JSON document of the following form.


{
    "Role": "IAM role with configured S3 permissions",
    "PublicKeys": [
        "ssh-rsa public-key1",
        "ssh-rsa public-key2"
    ],
    "Policy": "STS Assume role scope down policy",
    "HomeDirectory": "User's home directory"
}

The Role field indicates that authentication succeeded. When performing password authentication (that is, when the Password: header is provided), you can omit the SSH public keys. In addition, the Policy and HomeDirectory fields are optional. If no home directory is provided, AWS SFTP defaults the value to root access to the Amazon S3 bucket. The role that you specify must have access to the HomeDirectory path. If the user doesn't exist or isn't authorized to access this server, the HTTP response body should be empty.
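The contract described above (path parameters, optional Password: header, always HTTP 200, the JSON document on success, an empty body on refusal) can be implemented in a few dozen lines. The following is an added example, not the Lambda prototype that the CloudFormation template deploys: the users, role ARN, bucket name and the placeholder public-key strings are constructed, and the event field names that handler() reads (pathParameters, headers) are an assumption about the API Gateway integration, which the guide does not specify. Passwords are stored as salted PBKDF2 hashes and compared in constant time, and an unknown user costs the same hash computation as a known one so the response time does not reveal which user names exist.

```python
"""Reference handler for the /servers/{serverId}/users/{username}/config method.

Added example, not the Lambda prototype from the guide's CloudFormation
template. Users, roles, bucket names and keys are constructed samples; the
event layout read by handler() is an assumption about the API Gateway
integration.
"""
import hashlib
import hmac
import json
import secrets

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(servers, role, home_directory, password=None, public_keys=(), policy=None):
    """Build a user record; the clear-text password is hashed and discarded."""
    salt = secrets.token_bytes(16)
    return {
        "servers": set(servers),
        "role": role,
        "home_directory": home_directory,
        "salt": salt,
        "password_hash": _hash_password(password, salt) if password else None,
        "public_keys": list(public_keys),
        "policy": policy,
    }


SERVER = "s-0123456789abcdef0"  # constructed ServerId in the documented s-<17 hex> form

# Constructed user store. The public key strings are placeholders, not real keys.
USERS = {
    "alice": make_user(
        servers=[SERVER],
        role="arn:aws:iam::123456789012:role/sftp-example-role",
        home_directory="/example-bucket/home/alice",
        password="correct horse battery staple",
        public_keys=["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-placeholder-not-a-real-key alice@example"],
    ),
    # Key-only user: no password hash, so a Password header can never succeed for her.
    "carol": make_user(
        servers=[SERVER],
        role="arn:aws:iam::123456789012:role/sftp-example-role",
        home_directory="/example-bucket/home/carol",
        public_keys=["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-placeholder-not-a-real-key carol@example"],
    ),
}

# Hashing a throwaway value for refused password attempts keeps the response
# time about the same whether or not the user name exists.
_DUMMY_SALT = secrets.token_bytes(16)


def authenticate(server_id: str, username: str, password=None) -> dict:
    """Return the response document, or {} when the user must be refused."""
    user = USERS.get(username)
    if user is None or server_id not in user["servers"]:
        if password is not None:
            _hash_password(password, _DUMMY_SALT)
        return {}
    response = {"Role": user["role"], "HomeDirectory": user["home_directory"]}
    if user["policy"]:
        response["Policy"] = user["policy"]
    if password is not None:
        # Password authentication: the service supplied a Password header.
        if user["password_hash"] is None:
            _hash_password(password, _DUMMY_SALT)
            return {}
        if not hmac.compare_digest(_hash_password(password, user["salt"]), user["password_hash"]):
            return {}
        return response  # PublicKeys may be omitted for password authentication
    # No Password header: public-key authentication. Return the keys; the
    # service performs the SSH key check against the client's signature.
    if not user["public_keys"]:
        return {}
    response["PublicKeys"] = user["public_keys"]
    return response


def handler(event: dict) -> dict:
    """Lambda-style entry point; 'pathParameters' and 'headers' are assumed field names."""
    params = event.get("pathParameters") or {}
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    body = authenticate(params.get("serverId", ""), params.get("username", ""), headers.get("password"))
    # Always 200: any other status is read by AWS SFTP as an API access error.
    return {"statusCode": 200, "body": json.dumps(body) if body else ""}
```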


Monitoring usage

You can monitor activity in your SFTP server using Amazon CloudWatch and AWS CloudTrail. For further analysis, you can also log SFTP server activity as readable, near real-time metrics.

Enabling AWS CloudTrail logging

You can monitor AWS SFTP API calls using AWS CloudTrail. By monitoring API calls, you can get useful security and operational information. For more information about how to use CloudTrail with AWS SFTP, see Logging AWS Transfer for SFTP API calls with AWS CloudTrail (p. 33).

Logging activity with CloudWatch

To enable Amazon CloudWatch logging, you start by providing an IAM role. You can do this when you create an SFTP server (p. 7) or edit an existing SFTP server (p. 20). For more information about CloudWatch, see What is Amazon CloudWatch? and What is Amazon CloudWatch Logs? in the Amazon CloudWatch User Guide.

To enable CloudWatch logging for your SFTP server

1. Create an IAM policy that allows CloudWatch logging (shown following).

2. Create an IAM role and attach the policy. The SFTP server assumes this role and uses it to call AWS services on your behalf.

3. Create a trust relationship between AWS SFTP and AWS.

Note

AWS Transfer for SFTP isn't listed among the services, so choose Storage Gateway as a workaround to create the role. Edit the trust relationship and replace storagegateway with transfer as the service principal.

Use the following to create your own IAM policy that allows CloudWatch logging.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

The policy also needs a trust relationship.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "transfer.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

To view the logs, choose View logs on the Server configuration page.

Choosing View logs takes you to the CloudWatch page for your server. On that page, you can see records of user authentication (success and failure), data uploads (PUT operations), and data downloads (GET operations).
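Because the procedure above creates the role through the Storage Gateway workaround and then has you edit the trust policy by hand, it is worth checking the two documents you end up with before attaching the role to a server. The following is an added example, not code from the guide: it takes the permissions policy and the trust policy as dicts and reports any of the four logs: actions from the policy above that are not granted, any principal other than transfer.amazonaws.com that may assume the role (including the storagegateway.amazonaws.com principal left over from the workaround), and the absence of the service principal. The two policy documents are the ones printed above; the "workaround" trust policy is a constructed copy with the principal still set to storagegateway.amazonaws.com, and fix_trust_policy() performs the replacement the guide instructs.

```python
"""Audit the CloudWatch logging role described above before attaching it.

Added example, not code from the guide. LOGGING_POLICY and TRUST_POLICY are
the documents printed above; WORKAROUND_TRUST_POLICY is a constructed copy
of what the console produces before the principal is edited.
"""
import copy
import fnmatch

REQUIRED_LOG_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream",
                        "logs:DescribeLogStreams", "logs:PutLogEvents")
SERVICE_PRINCIPAL = "transfer.amazonaws.com"
WORKAROUND_PRINCIPAL = "storagegateway.amazonaws.com"

LOGGING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams",
                              "logs:CreateLogGroup", "logs:PutLogEvents"],
                   "Resource": "*"}],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "transfer.amazonaws.com"},
                   "Action": "sts:AssumeRole", "Condition": {}}],
}
WORKAROUND_TRUST_POLICY = {  # constructed: before the storagegateway -> transfer edit
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "storagegateway.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_permissions_policy(policy: dict) -> list:
    """Report required logs: actions that no Allow statement grants (wildcards honoured)."""
    granted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.extend(_as_list(stmt.get("Action")))
    return ["missing action " + a for a in REQUIRED_LOG_ACTIONS
            if not any(fnmatch.fnmatchcase(a, g) for g in granted)]


def check_trust_policy(trust: dict) -> list:
    """Report principals that should not be there, and the service principal if it is absent."""
    findings, service_can_assume = [], False
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy is open to any principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        for svc in services:
            if svc == SERVICE_PRINCIPAL:
                service_can_assume = True
            elif svc == WORKAROUND_PRINCIPAL:
                findings.append("principal still set to %s; replace it with %s"
                                % (WORKAROUND_PRINCIPAL, SERVICE_PRINCIPAL))
            else:
                findings.append("unexpected service principal %s may assume the logging role" % svc)
    if not service_can_assume:
        findings.append("no Allow statement lets %s call sts:AssumeRole" % SERVICE_PRINCIPAL)
    return findings


def fix_trust_policy(trust: dict) -> dict:
    """Return a copy with the workaround principal replaced, as the guide instructs."""
    fixed = copy.deepcopy(trust)
    for stmt in fixed.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Service" not in principal:
            continue
        services = [SERVICE_PRINCIPAL if s == WORKAROUND_PRINCIPAL else s
                    for s in _as_list(principal["Service"])]
        principal["Service"] = services[0] if len(services) == 1 else services
    return fixed


if __name__ == "__main__":
    print("permissions:", check_permissions_policy(LOGGING_POLICY) or "ok")
    print("trust:", check_trust_policy(TRUST_POLICY) or "ok")
    print("workaround trust:", check_trust_policy(WORKAROUND_TRUST_POLICY))
    print("after fix:", check_trust_policy(fix_trust_policy(WORKAROUND_TRUST_POLICY)) or "ok")
```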


Managing security

Following, you can find topics that discuss using SSH keys and storing data securely in Amazon S3 buckets. Here you can find information about how to generate SSH keys, how to perform SSH key rotation, and how to encrypt your Amazon S3 data at rest.

Topics
• Generating SSH keys (p. 30)
• Rotating SSH keys (p. 31)
• Encrypting your data (p. 32)
• Logging AWS Transfer for SFTP API calls with AWS CloudTrail (p. 33)

Generating SSH keys

You can set up your SFTP server to authenticate users using the service-managed authentication method, where user names and SSH keys are stored within the service. The user's public SSH key is uploaded to the SFTP server as a property of the user. When the user requests a file transfer operation, the user's name and private key are transmitted by the SFTP client so that the SFTP server can authenticate them. After authentication, the SFTP file operation is performed. Each user can have multiple public SSH keys on file on an individual server. For limits on the number of keys that can be stored per user, see AWS Transfer for SFTP limits in the AWS General Reference.

An SFTP server can authenticate users using only a single method, and that method can't be changed once the server is created. As an alternative to using SSH keys, you can authenticate users with a custom identity provider, which lets you plug in an existing identity provider using an API Gateway endpoint. For more information about this topic, see Working with identity providers (p. 25).

There are many ways to create an SSH key pair. On macOS, Linux, or UNIX operating systems, you can do this with the ssh-keygen command at the command line interface. The following is example ssh-keygen output for the command listed below.

ssh-keygen -P "" -f key_name

When you run the ssh-keygen command as shown above, it creates the public and private keys as files in the current directory.


Creating SSH keys on Windows

Windows uses a slightly different SSH key pair format. The public key must be in PUB format, and the private key must be in PPK format. On Windows, you can use PuTTYgen to create an SSH key pair in the appropriate format. You can also use PuTTYgen to convert a private key generated with ssh-keygen into a PPK file. If you provide WinSCP with a private key file that is not in PPK format, that SFTP client converts the key to PPK format for you.

For a tutorial on creating SSH keys using PuTTYgen on Windows, see the SSH.com website.

Rotating SSH keys

We recommend that you rotate your SSH keys in keeping with security best practices. Usually, this rotation is specified as part of a security policy and implemented in some automated fashion. Depending on the level of security, for highly sensitive communication an SSH key pair might be used only once. Doing so eliminates any risk that comes from storing keys. However, it is much more common to store SSH credentials for a period of time and to set an interval that doesn't place an undue burden on SFTP users. A common interval is three months.

There are two ways to perform SSH key rotation:

• For a single user, you can delete the SSH public key in the console and upload a new SSH public key.
• For multiple users, you can use the UpdateUser API command and a JSON data file to update the existing users.

To perform key rotation for a single existing user

1. On the Servers page, choose the server that has the user whose SSH public key you want to replace.

The page for that user opens, as shown following.

2. Select the SSH public key (fingerprint) that you want to rotate, and then choose Delete.

3. For Confirm Deletion, enter the text delete to confirm the delete operation, and then choose Delete, as shown following.


4. Choose Add SSH public key to see the Add key screen, as shown following.

You return to the User configuration screen, and the new SSH public key that you just uploaded appears in the SSH public keys section.

To perform SSH public key rotation for multiple users, prepare an appropriate JSON data file and issue the UpdateUser API command.
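Two checks help with both of the procedures above, generating keys and rotating them: confirming that a .pub line is in the form the service accepts before you upload it, and computing the fingerprint that the console shows next to each key so that you delete the right one. The following is an added example, not code from the guide. It enforces the SshPublicKeyBody pattern given in this guide's CreateUser reference, decodes the base64 blob to confirm the embedded key type matches the ssh-rsa label and to read the modulus size, and prints the SHA256 fingerprint in the same form as ssh-keygen -l. The sample key is built by the script from a made-up modulus so that it runs offline; it is not a usable key.

```python
"""Check an ssh-rsa public key before uploading it and fingerprint it for rotation.

Added example, not code from the guide. SAMPLE_KEY is constructed from a
made-up modulus and cannot be used as a real key.
"""
import base64
import hashlib
import re
import struct

# Pattern given for SshPublicKeyBody in the CreateUser reference of this guide.
PUBKEY_RE = re.compile(r"^ssh-rsa\s+[A-Za-z0-9+/]+[=]{0,3}(\s+.+)?\s*$")


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # RFC 4251 mpint: big-endian, with a leading zero byte if the top bit is set
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_rsa_public_key(e: int, n: int, comment: str = "") -> str:
    """Produce an OpenSSH authorized_keys-style line for the given RSA parameters."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + " " + comment if comment else line


def _read_string(blob: bytes, offset: int):
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_public_key(line: str) -> dict:
    """Validate the line and decode it; raises ValueError for anything the service would reject."""
    if not PUBKEY_RE.match(line):
        raise ValueError("not an ssh-rsa public key line")
    parts = line.split()
    blob = base64.b64decode(parts[1], validate=True)
    key_type, offset = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("label says ssh-rsa but the blob is %r" % key_type.decode("ascii", "replace"))
    e_bytes, offset = _read_string(blob, offset)
    n_bytes, offset = _read_string(blob, offset)
    if offset != len(blob):
        raise ValueError("trailing data after the modulus")
    n = int.from_bytes(n_bytes, "big")
    digest = hashlib.sha256(blob).digest()
    return {
        "type": "ssh-rsa",
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        "bits": n.bit_length(),
        "comment": " ".join(parts[2:]),
        # ssh-keygen -l prints base64 of the SHA-256 of the blob without padding
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("="),
    }


def is_acceptable(line: str, min_bits: int = 2048) -> bool:
    """True if the line parses as ssh-rsa and the modulus is at least min_bits long."""
    try:
        return parse_public_key(line)["bits"] >= min_bits
    except ValueError:
        return False


# Constructed sample: a 2048-bit odd number with the top bit set. It is NOT a
# product of two primes, so the key cannot be used, but its encoding is valid.
SAMPLE_E = 65537
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed sample").digest() * 8, "big") | (1 << 2047) | 1
SAMPLE_KEY = encode_rsa_public_key(SAMPLE_E, SAMPLE_N, "alice@example")

if __name__ == "__main__":
    info = parse_public_key(SAMPLE_KEY)
    print(info["fingerprint"], info["bits"], info["comment"])
```

Run parse_public_key over the contents of the .pub file that ssh-keygen wrote; the fingerprint it prints is the value to look for in the SSH public keys section of the console when choosing which key to delete.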

Encrypting your data

AWS Transfer for SFTP encrypts your data using the default encryption options that you set for your Amazon S3 bucket. When you enable default encryption on a bucket, all objects stored in the bucket are encrypted. These objects are encrypted using server-side encryption with either Amazon S3 managed keys (SSE-S3) or AWS KMS managed keys (SSE-KMS). For information about server-side encryption, see Protecting data using server-side encryption in the Amazon Simple Storage Service Developer Guide.

The following steps show how to encrypt data in AWS Transfer for SFTP.

To allow encryption in AWS SFTP

1. Enable default encryption for your Amazon S3 bucket. For instructions, see How do I enable default encryption for an S3 bucket? in the Amazon Simple Storage Service Developer Guide.

2. Update the Identity and Access Management (IAM) role policy that is used for SFTP users to grant the required Key Management Service (KMS) permissions.

3. If you have a scope-down policy, update the IAM policy that is used for SFTP users to grant the required KMS permissions.

The following example shows an IAM policy that grants the minimum permissions required for AWS Transfer for SFTP to use KMS encryption.

{
    "Sid": "Stmt1544140969635",
    "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:kms:region:account-id:key/kms-key-id"
}

Note

The KMS key ID that you specify in this policy must be the same as the one specified for default encryption in step 1. Root must be allowed in the KMS key policy. For information about KMS key policies, see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.

Logging AWS Transfer for SFTP API calls with AWS CloudTrail

AWS Transfer for SFTP is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, a role, or an AWS service in AWS Transfer for SFTP. CloudTrail captures all API calls for AWS Transfer for SFTP as events. The calls captured include calls from the AWS Transfer for SFTP console and code calls to the AWS Transfer for SFTP API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Transfer for SFTP. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail, you can determine the request that was made to AWS Transfer for SFTP, the IP address from which the request was made, who made the request, when it was made, and additional details.

To learn more about CloudTrail, see the AWS CloudTrail User Guide.

AWS Transfer for SFTP information in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in AWS Transfer for SFTP, that activity is recorded in a CloudTrail event along with other AWS service events in Event history. You can view, search, and download recent events in your AWS account. For more information, see Viewing events with CloudTrail Event history.

For an ongoing record of events in your AWS account, including events for AWS Transfer for SFTP, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:

• Overview for creating a trail
• CloudTrail supported services and integrations
• Configuring Amazon SNS notifications for CloudTrail
• Receiving CloudTrail log files from multiple Regions and Receiving CloudTrail log files from multiple accounts

CloudTrail logs all AWS Transfer for SFTP actions, which are documented in the Actions API reference. For example, calls to the CreateServer, ListUsers, and StopServer actions generate entries in the CloudTrail log files.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

• Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
• Whether the request was made with temporary security credentials for a role or a federated user.
• Whether the request was made by another AWS service.

For more information, see the CloudTrail userIdentity element.


Understanding AWS Transfer for SFTP log file entries

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.

The following example shows a CloudTrail log entry for the CreateServer action.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIT4AUHMXGO43AJKU4:user1",
        "arn": "arn:aws:sts::123456789102:assumed-role/Admin/user1",
        "accountId": "123456789102",
        "accessKeyId": "AAAA52C2WWWWWW3BB4Z",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2018-12-18T20:03:57Z"
            },
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIT4AUHMXGO43AJKU4",
                "arn": "arn:aws:iam::123456789102:role/Admin",
                "accountId": "123456789102",
                "userName": "Admin"
            }
        }
    },
    "eventTime": "2018-12-18T20:30:05Z",
    "eventSource": "transfer.amazonaws.com",
    "eventName": "CreateServer",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "11.22.1.2",
    "userAgent": "aws-internal/3 aws-sdk-java/1.11.462 Linux/4.9.124-0.1.ac.198.73.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.192-b12 java/1.8.0_192",
    "requestParameters": {
        "loggingRole": "arn:aws:iam::123456789102:role/sftp-role"
    },
    "responseElements": {
        "serverId": "s-b6118b5f29a04a9e8"
    },
    "requestID": "5f348905-7b83-4527-920f-ec8e6088ffd5",
    "eventID": "82360721-d3db-4acc-b5dc-14c58c1e9899",
    "eventType": "AwsApiCall",
    "recipientAccountId": "123456789102"
}
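The entry above carries the fields a detection rule needs: the action, the session's mfaAuthenticated attribute, and the source address. The following is an added example, not code from the guide: it scans records with that layout and reports control-plane changes to the service (the server and user actions listed in this guide's API reference) that were made without MFA or from outside the networks you trust. SAMPLE_RECORDS is constructed: the first entry repeats the guide's sample, the others vary it, and the trusted network range is an assumption to replace with your own.

```python
"""Flag AWS Transfer for SFTP configuration changes worth a second look.

Added example, not code from the guide. SAMPLE_RECORDS is constructed in the
layout of the CreateServer entry above; TRUSTED_NETWORKS is an assumption.
"""
import ipaddress

# Control-plane actions that change a server or its users; names are from
# the Actions list in this guide's API reference.
CHANGE_ACTIONS = {
    "CreateServer", "UpdateServer", "DeleteServer", "StartServer", "StopServer",
    "CreateUser", "UpdateUser", "DeleteUser", "ImportSshPublicKey", "DeleteSshPublicKey",
    "TagResource", "UntagResource",
}
TRUSTED_NETWORKS = ["11.22.0.0/16"]  # constructed: pretend this is the admin network


def _sample(event_name, mfa, source_ip, event_id, extra=None):
    """Build a record in the shape of the guide's CreateServer entry (constructed data)."""
    record = {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAIT4AUHMXGO43AJKU4:user1",
            "arn": "arn:aws:sts::123456789102:assumed-role/Admin/user1",
            "accountId": "123456789102",
            "sessionContext": {
                "attributes": {"mfaAuthenticated": mfa, "creationDate": "2018-12-18T20:03:57Z"},
                "sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789102:role/Admin",
                                  "userName": "Admin"},
            },
        },
        "eventTime": "2018-12-18T20:30:05Z",
        "eventSource": "transfer.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "us-east-2",
        "sourceIPAddress": source_ip,
        "requestParameters": {},
        "eventID": event_id,
        "eventType": "AwsApiCall",
        "recipientAccountId": "123456789102",
    }
    record.update(extra or {})
    return record


SAMPLE_RECORDS = [
    # The guide's own entry: CreateServer by an Admin session without MFA.
    _sample("CreateServer", "false", "11.22.1.2", "82360721-d3db-4acc-b5dc-14c58c1e9899",
            {"requestParameters": {"loggingRole": "arn:aws:iam::123456789102:role/sftp-role"},
             "responseElements": {"serverId": "s-b6118b5f29a04a9e8"}}),
    _sample("DescribeServer", "false", "11.22.1.2", "00000000-0000-4000-8000-000000000001"),
    _sample("UpdateServer", "true", "203.0.113.7", "00000000-0000-4000-8000-000000000002"),
    _sample("ImportSshPublicKey", "true", "11.22.9.9", "00000000-0000-4000-8000-000000000003"),
    _sample("StopServer", "false", "cloudformation.amazonaws.com", "00000000-0000-4000-8000-000000000004"),
]


def review_records(records, trusted=TRUSTED_NETWORKS):
    """Return one finding per change action made without MFA or from an untrusted source."""
    networks = [ipaddress.ip_network(n) for n in trusted]
    findings = []
    for rec in records:
        if rec.get("eventSource") != "transfer.amazonaws.com" or rec.get("eventType") != "AwsApiCall":
            continue
        if rec.get("eventName") not in CHANGE_ACTIONS:
            continue  # read-only calls (Describe*, List*) are noise for this rule
        identity = rec.get("userIdentity", {})
        mfa = identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        source = rec.get("sourceIPAddress", "")
        reasons = []
        if mfa != "true":
            reasons.append("no MFA")
        try:
            if not any(ipaddress.ip_address(source) in net for net in networks):
                reasons.append("source outside trusted networks")
        except ValueError:
            # CloudTrail records a service DNS name when another AWS service made the call
            reasons.append("call made via AWS service " + source)
        if reasons:
            findings.append({"eventID": rec.get("eventID"), "eventTime": rec.get("eventTime"),
                             "eventName": rec["eventName"], "actor": identity.get("arn"),
                             "sourceIPAddress": source, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_records(SAMPLE_RECORDS):
        print(f["eventTime"], f["eventName"], f["actor"], f["sourceIPAddress"], "; ".join(f["reasons"]))
```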


API reference

The following sections document the AWS SFTP API service calls, data types, parameters, and errors. For information about API entities and the conventions for working with the AWS SFTP API, see Welcome to the AWS Transfer for SFTP API (p. 35).

Topics
• Welcome to the AWS Transfer for SFTP API (p. 35)
• Actions (p. 36)
• Data Types (p. 104)
• Common Parameters (p. 122)
• Common Errors (p. 124)

Welcome to the AWS Transfer for SFTP API

AWS Transfer for SFTP is a fully managed service that enables the transfer of files directly into and out of Amazon Simple Storage Service (Amazon S3) using the Secure File Transfer Protocol (SFTP). AWS Transfer helps you migrate your SFTP-based file transfer workflows to AWS without disrupting your external partners and customers.

To use the AWS SFTP service, you instantiate an SFTP server in the Region of your choice. You can create servers, list the available servers, and update and delete servers. A server is an entity that requests file operations of the AWS SFTP service. A server has several important properties. A server is a named instance identified by a system-assigned ServerId identifier. You can optionally assign a hostname, even a custom hostname, to a server. The service charges for any instantiated server (even if it is not ONLINE) and also for the amount of data transferred.

For an SFTP server to request file operations, the SFTP user must be known. A user is identified by a user name and is assigned to a server. The user name is used to authenticate requests. A server can use only one of the SERVICE_MANAGED or API_GATEWAY authentication methods. With SERVICE_MANAGED, SSH public keys are stored with the user properties on the SFTP server. A user can provide one or more SSH public keys for use with the SERVICE_MANAGED authentication method. When an SFTP client requests a file operation with the SERVICE_MANAGED method, the SFTP client provides the user name and SSH private key, and access is granted after authentication.

You can also use a custom authentication method to authenticate user requests, providing both user authentication and access. This method relies on Amazon API Gateway using API calls to your identity provider to authenticate user requests. This method is called API_GATEWAY in API calls and Custom in the console. You can use the custom method to authenticate users through a directory service, a database name/password pair, or some other mechanism.

SFTP users are assigned a policy and a trust relationship between themselves and an Amazon S3 bucket. They can have access to some or all of the bucket. For the SFTP server to act on behalf of the user, the server must inherit the user's trust relationship. Create an IAM role that contains the trust relationship and assign the AssumeRole action to it. The SFTP server can then perform file operations on the user's behalf. If the user has a home directory property set, that directory (or folder) can be the target or source of SFTP file operations. If no home directory is set, the root directory of the bucket becomes the landing directory.

Servers, users, and roles are all identified by their Amazon Resource Name, or ARN. You can assign tags (key/value pairs) to entities that have an ARN; tags are metadata that can be used to group these entities or to search for them. Tags are very useful for accounting purposes, for example.

You can observe the following conventions in AWS SFTP ID formats:

• ServerId values take the form s-01234567890abcdef.
• PublicKeyId values take the form key-12345678.
• UserId values take the form user-12345678.


The Amazon Resource Name (ARN) format takes the following forms:

• For servers, Amazon Resource Names (ARNs) take the form arn:aws:transfer:region:account-id:server/server-id/.

An example server ARN is arn:aws:transfer:us-east-1:123456789012:server/s-01234567890abcdef.

• For users, ARNs take the form arn:aws:transfer:region:account-id:user/server-id/username.

For example, arn:aws:transfer:us-east-1:123456789012:user/s-01234567890abcdef/user1.

The DNS entries (endpoints) in use are:

• The API endpoint takes the form transfer.region.amazonaws.com.
• The protocol endpoint takes the form server.transfer.region.amazonaws.com.
• The server endpoint takes the form server.transfer.region.amazonaws.com.

This API interface reference for AWS SFTP contains documentation of the programming interface that you can use to manage AWS SFTP. The reference is structured as follows:

• For an alphabetical list of API actions, see API Actions.
• For an alphabetical list of data types, see Data Types.
• For a list of common query parameters, see Common Parameters.
• For descriptions of the error codes, see Common Errors.

Actions

The following actions are supported:

• CreateServer (p. 38)
• CreateUser (p. 44)
• DeleteServer (p. 50)
• DeleteSshPublicKey (p. 52)
• DeleteUser (p. 55)
• DescribeSecurityPolicy (p. 57)
• DescribeServer (p. 59)
• DescribeUser (p. 62)
• ImportSshPublicKey (p. 66)
• ListSecurityPolicies (p. 70)
• ListServers (p. 72)
• ListTagsForResource (p. 75)
• ListUsers (p. 78)
• StartServer (p. 82)
• StopServer (p. 84)
• TagResource (p. 86)
• TestIdentityProvider (p. 89)
• UntagResource (p. 93)
• UpdateServer (p. 95)
• UpdateUser (p. 100)


CreateServer

Instantiates an autoscaling virtual server based on the selected file transfer protocol in AWS. When you make updates to your file transfer protocol-enabled server or when you work with users, use the service-generated ServerId property that is assigned to the newly created server.

Request Syntax

{
    "Certificate": "string",
    "EndpointDetails": {
        "AddressAllocationIds": [ "string" ],
        "SubnetIds": [ "string" ],
        "VpcEndpointId": "string",
        "VpcId": "string"
    },
    "EndpointType": "string",
    "HostKey": "string",
    "IdentityProviderDetails": {
        "InvocationRole": "string",
        "Url": "string"
    },
    "IdentityProviderType": "string",
    "LoggingRole": "string",
    "Protocols": [ "string" ],
    "SecurityPolicyName": "string",
    "Tags": [
        {
            "Key": "string",
            "Value": "string"
        }
    ]
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

Certificate (p. 38)

The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. Required when Protocols is set to FTPS.

To request a new public certificate, see Request a public certificate in the AWS Certificate Manager User Guide.

To import an existing certificate into ACM, see Importing certificates into ACM in the AWS Certificate Manager User Guide.

To request a private certificate to use FTPS through private IP addresses, see Request a private certificate in the AWS Certificate Manager User Guide.

Certificates with the following cryptographic algorithms and key sizes are supported:
• 2048-bit RSA (RSA_2048)
• 4096-bit RSA (RSA_4096)
• Elliptic Prime Curve 256 bit (EC_prime256v1)
• Elliptic Prime Curve 384 bit (EC_secp384r1)
• Elliptic Prime Curve 521 bit (EC_secp521r1)

Note

The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

Type: String

Length Constraints: Maximum length of 1600.

Required: No

EndpointDetails (p. 38)

The virtual private cloud (VPC) endpoint settings that are configured for your file transfer protocol-enabled server. When you host your endpoint within your VPC, you can make it accessible only to resources within your VPC, or you can attach Elastic IPs and make it accessible to clients over the internet. Your VPC's default security groups are automatically assigned to your endpoint.

Type: EndpointDetails (p. 113) object

Required: No

EndpointType (p. 38)

The type of VPC endpoint that you want your file transfer protocol-enabled server to connect to. You can choose to connect to the public internet or a VPC endpoint. With a VPC endpoint, you can restrict access to your server and resources only within your VPC.

Note

It is recommended that you use VPC as the EndpointType. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType set to VPC_ENDPOINT.

Type: String

Valid Values: PUBLIC | VPC | VPC_ENDPOINT

Required: No

HostKey (p. 38)

The RSA private key as generated by the ssh-keygen -N "" -m PEM -f my-new-server-key command.

Important

If you aren't planning to migrate existing users from an existing SFTP-enabled server to a new server, don't update the host key. Accidentally changing a server's host key can be disruptive.

For more information, see Change the host key for your SFTP-enabled server in the AWS Transfer Family User Guide.

Type: String

Length Constraints: Maximum length of 4096.

Required: No


IdentityProviderDetails (p. 38)

Required when IdentityProviderType is set to API_GATEWAY. Accepts an array containing all of the information required to call a customer-supplied authentication API, including the API Gateway URL. Not required when IdentityProviderType is set to SERVICE_MANAGED.

Type: IdentityProviderDetails (p. 116) object

Required: No

IdentityProviderType (p. 38)

Specifies the mode of authentication for a file transfer protocol-enabled server. The default value is SERVICE_MANAGED, which allows you to store and access user credentials within the AWS Transfer Family service. Use the API_GATEWAY value to integrate with an identity provider of your choosing. The API_GATEWAY setting requires you to provide an API Gateway endpoint URL to call for authentication using the IdentityProviderDetails parameter.

Type: String

Valid Values: SERVICE_MANAGED | API_GATEWAY

Required: No

LoggingRole (p. 38)

Allows the service to write your users' activity to your Amazon CloudWatch logs for monitoring and auditing purposes.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Pattern: arn:.*role/.*

Required: No

Protocols (p. 38)

Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. The available protocols are:
• SFTP (Secure Shell (SSH) File Transfer Protocol): File transfer over SSH
• FTPS (File Transfer Protocol Secure): File transfer with TLS encryption
• FTP (File Transfer Protocol): Unencrypted file transfer

Note

If you select FTPS, you must choose a certificate stored in AWS Certificate Manager (ACM) which will be used to identify your file transfer protocol-enabled server when clients connect to it over FTPS.

If Protocol includes either FTP or FTPS, then the EndpointType must be VPC and the IdentityProviderType must be API_GATEWAY.

If Protocol includes FTP, then AddressAllocationIds cannot be associated.

If Protocol is set only to SFTP, the EndpointType can be set to PUBLIC and the IdentityProviderType can be set to SERVICE_MANAGED.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 3 items.

Valid Values: SFTP | FTP | FTPS

Required: No
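The parameter descriptions above spread a set of cross-field rules over several entries (Certificate, EndpointType, IdentityProviderDetails, Protocols), which makes them easy to miss when assembling a request. The following is an added example, not code from the guide or the service SDK: it checks a CreateServer request dict against exactly those rules and the documented valid values and patterns, returning hard errors separately from two advisory findings that also come from the text above (the VPC_ENDPOINT note and FTP being unencrypted). Treating an omitted Protocols as SFTP only and an omitted EndpointType as PUBLIC are assumptions; the two requests at the bottom are constructed samples with placeholder identifiers.

```python
"""Check a CreateServer request against the constraints in this reference.

Added example, not code from the guide or the SDK. Defaults for omitted
Protocols (SFTP) and EndpointType (PUBLIC) are assumptions; the sample
requests use placeholder identifiers.
"""
import re

VALID_ENDPOINT_TYPES = {"PUBLIC", "VPC", "VPC_ENDPOINT"}
VALID_IDP_TYPES = {"SERVICE_MANAGED", "API_GATEWAY"}
VALID_PROTOCOLS = {"SFTP", "FTP", "FTPS"}
ROLE_ARN_RE = re.compile(r"arn:.*role/.*")                  # LoggingRole pattern above
SECURITY_POLICY_RE = re.compile(r"TransferSecurityPolicy-.+")  # SecurityPolicyName pattern


def validate_create_server(req: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]}; no errors means the request is consistent."""
    errors, warnings = [], []
    protocols = req.get("Protocols", ["SFTP"])                    # assumed default
    endpoint_type = req.get("EndpointType", "PUBLIC")             # assumed default
    idp_type = req.get("IdentityProviderType", "SERVICE_MANAGED")  # default per the reference

    if not 1 <= len(protocols) <= 3 or set(protocols) - VALID_PROTOCOLS:
        errors.append("Protocols must be 1 to 3 values from %s" % sorted(VALID_PROTOCOLS))
    if endpoint_type not in VALID_ENDPOINT_TYPES:
        errors.append("EndpointType must be one of %s" % sorted(VALID_ENDPOINT_TYPES))
    if idp_type not in VALID_IDP_TYPES:
        errors.append("IdentityProviderType must be one of %s" % sorted(VALID_IDP_TYPES))

    if "FTPS" in protocols:
        cert = req.get("Certificate")
        if not cert:
            errors.append("Certificate is required when Protocols includes FTPS")
        elif len(cert) > 1600:
            errors.append("Certificate exceeds the maximum length of 1600")
    if "FTP" in protocols or "FTPS" in protocols:
        if endpoint_type != "VPC":
            errors.append("EndpointType must be VPC when Protocols includes FTP or FTPS")
        if idp_type != "API_GATEWAY":
            errors.append("IdentityProviderType must be API_GATEWAY when Protocols includes FTP or FTPS")
    if "FTP" in protocols and req.get("EndpointDetails", {}).get("AddressAllocationIds"):
        errors.append("AddressAllocationIds cannot be associated when Protocols includes FTP")
    if idp_type == "API_GATEWAY":
        details = req.get("IdentityProviderDetails")
        if not isinstance(details, dict) or not details.get("Url") or not details.get("InvocationRole"):
            errors.append("IdentityProviderDetails with Url and InvocationRole is required for API_GATEWAY")

    role = req.get("LoggingRole")
    if role is None:
        warnings.append("no LoggingRole: user activity will not be written to CloudWatch")
    elif not ROLE_ARN_RE.fullmatch(role):
        errors.append("LoggingRole does not match arn:.*role/.*")
    name = req.get("SecurityPolicyName")
    if name is not None and not SECURITY_POLICY_RE.fullmatch(name):
        errors.append("SecurityPolicyName does not match TransferSecurityPolicy-.+")

    if "FTP" in protocols:
        warnings.append("FTP transfers are unencrypted")
    if endpoint_type == "VPC_ENDPOINT":
        warnings.append("VPC_ENDPOINT cannot use Elastic IPs or security groups keyed on client IP; VPC is recommended")
    return {"errors": errors, "warnings": warnings}


# Constructed: an FTPS server request as someone might first write it.
WEAK_REQUEST = {
    "Protocols": ["FTPS", "SFTP"],
    "EndpointType": "PUBLIC",
    "IdentityProviderType": "SERVICE_MANAGED",
    "LoggingRole": "CloudWatchLoggingRole",
}

# Constructed: the same intent, consistent with the rules above (placeholder identifiers).
FIXED_REQUEST = {
    "Protocols": ["FTPS", "SFTP"],
    "Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-CERT-ID",
    "EndpointType": "VPC",
    "EndpointDetails": {"VpcId": "vpc-PLACEHOLDER", "SubnetIds": ["subnet-PLACEHOLDER"]},
    "IdentityProviderType": "API_GATEWAY",
    "IdentityProviderDetails": {
        "Url": "https://PLACEHOLDER.execute-api.us-east-1.amazonaws.com/prod",
        "InvocationRole": "arn:aws:iam::123456789012:role/sftp-idp-invoke-role",
    },
    "LoggingRole": "arn:aws:iam::123456789012:role/sftp-logging-role",
    "SecurityPolicyName": "TransferSecurityPolicy-PLACEHOLDER",
}

if __name__ == "__main__":
    for label, request in (("weak", WEAK_REQUEST), ("fixed", FIXED_REQUEST)):
        print(label, validate_create_server(request))
```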


SecurityPolicyName (p. 38)

Specifies the name of the security policy that is attached to the server.

Type: String

Length Constraints: Maximum length of 100.

Pattern: TransferSecurityPolicy-.+

Required: No

Tags (p. 38)

Key-value pairs that can be used to group and search for file transfer protocol-enabled servers.

Type: Array of Tag (p. 122) objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: No

Response Syntax

{
    "ServerId": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

ServerId (p. 41)

The service-assigned ID of the file transfer protocol-enabled server that is created.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500


InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceExistsException

The requested resource does not exist.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400

Examples

Example

The following example creates a new file transfer protocol-enabled server using a VPC_ENDPOINT.

Sample Request

{
    "EndpointDetails": {
        "AddressAllocationIds": [
            "eipalloc-01a2eabe3c04d5678",
            "eipalloc-102345be"
        ],
        "SubnetIds": [
            "subnet-045eaa6f0789a7cde",
            "subnet-0a1d0f222daffde11"
        ]
    },
    "EndpointType": "VPC_ENDPOINT",
    "HostKey": "Your RSA private key",
    "IdentityProviderDetails": "IdentityProvider",
    "IdentityProviderType": "SERVICE_MANAGED",
    "LoggingRole": "CloudWatchLoggingRole",
    "Tags": [
        {
            "Key": "Name",
            "Value": "MySFTPServer"
        }
    ]
}

Example

Sample Response


CreateUser

Creates a user and associates them with an existing file transfer protocol-enabled server. You can only create and associate users with servers that have the IdentityProviderType set to SERVICE_MANAGED. Using parameters for CreateUser, you can specify the user name, set the home directory, store the user's public key, and assign the user's AWS Identity and Access Management (IAM) role. You can also optionally add a scope-down policy, and assign metadata with tags that can be used to group and search for users.

Request Syntax

{
    "HomeDirectory": "string",
    "HomeDirectoryMappings": [
        {
            "Entry": "string",
            "Target": "string"
        }
    ],
    "HomeDirectoryType": "string",
    "Policy": "string",
    "Role": "string",
    "ServerId": "string",
    "SshPublicKeyBody": "string",
    "Tags": [
        {
            "Key": "string",
            "Value": "string"
        }
    ],
    "UserName": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

HomeDirectory (p. 44)

The landing directory (folder) for a user when they log in to the file transfer protocol-enabled server using the client.

An example is your-Amazon-S3-bucket-name/home/username.

Type: String

Length Constraints: Maximum length of 1024.

Pattern: ^$|/.*

Required: No

HomeDirectoryMappings (p. 44)

Logical directory mappings that specify what Amazon S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the "Entry" and "Target" pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your IAM role provides access to paths in Target. The following is an example.

'[ "/bucket2/documentation", { "Entry": "your-personal-report.pdf", "Target": "/bucket3/customized-reports/${transfer:UserName}.pdf" } ]'

In most cases, you can use this value instead of the scope-down policy to lock your user down to the designated home directory ("chroot"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

Note

If the target of a logical directory entry does not exist in Amazon S3, the entry will be ignored. As a workaround, you can use the Amazon S3 API to create 0 byte objects as place holders for your directory. If using the CLI, use the s3api call instead of s3 so you can use the put-object operation. For example, you use the following: aws s3api put-object --bucket bucketname --key path/to/folder/. Make sure that the end of the key name ends in a '/' for it to be considered a folder.

Type: Array of HomeDirectoryMapEntry (p. 115) objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: No

HomeDirectoryType (p. 44)

The type of landing directory (folder) you want your users' home directory to be when they log into the file transfer protocol-enabled server. If you set it to PATH, the user will see the absolute Amazon S3 bucket paths as is in their file transfer protocol clients. If you set it to LOGICAL, you will need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 paths visible to your users.

Type: String

Valid Values: PATH | LOGICAL

Required: No

Policy (p. 44)

A scope-down policy for your user so you can use the same IAM role across multiple users. This policy scopes down user access to portions of their Amazon S3 bucket. Variables that you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

Note

For scope-down policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument.

For an example of a scope-down policy, see Creating a scope-down policy.

For more information, see AssumeRole in the AWS Security Token Service API Reference.

Type: String

Length Constraints: Maximum length of 2048.

Required: No

Role (p. 44)

The IAM role that controls your users' access to your Amazon S3 bucket. The policies attached to this role will determine the level of access you want to provide your users when transferring files into and out of your Amazon S3 bucket or buckets. The IAM role should also contain a trust relationship that allows the file transfer protocol-enabled server to access your resources when servicing your users' transfer requests.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Pattern: arn:.*role/.*

Required: Yes

ServerId (p. 44)

A system-assigned unique identifier for a file transfer protocol-enabled server instance. This is the specific server that you added your user to.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

SshPublicKeyBody (p. 44)

The public portion of the Secure Shell (SSH) key used to authenticate the user to the file transfer protocol-enabled server.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^ssh-rsa\s+[A-Za-z0-9+/]+[=]{0,3}(\s+.+)?\s*$

Required: No

Tags (p. 44)

Key-value pairs that can be used to group and search for users. Tags are metadata attached to users for any purpose.

Type: Array of Tag (p. 122) objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: No

UserName (p. 44)

A unique string that identifies a user and is associated with a file transfer protocol-enabled server as specified by the ServerId. This user name must be a minimum of 3 and a maximum of 100 characters long. The following are valid characters: a-z, A-Z, 0-9, underscore '_', hyphen '-', period '.', and at sign '@'. The user name can't start with a hyphen, period, or at sign.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Required: Yes
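Putting the two confinement options above together, here is an added example (not AWS's own code) that builds a CreateUser request either with the Entry '/' chroot mapping or with a scope-down policy passed as a JSON blob, and lints the request against the patterns and limits documented in this section. The function names and the /<bucket>/<UserName> home-directory convention are this example's own assumptions.

```python
"""Added example, not AWS's own code: build a CreateUser request that confines an
SFTP user to their home directory, and lint it against the constraints above."""
import json
import re

# Constraints copied from the CreateUser parameter reference on this page.
SERVER_ID_RE = re.compile(r"^s-([0-9a-f]{17})$")
USER_NAME_RE = re.compile(r"^[\w][\w@.-]{2,99}$")
SSH_KEY_RE = re.compile(r"^ssh-rsa\s+[A-Za-z0-9+/]+[=]{0,3}(\s+.+)?\s*$")
POLICY_MAX_LEN = 2048
KEY_VARS = ("${Transfer:HomeDirectory}", "${Transfer:UserName}")  # from the page
BUCKET_VAR = "${Transfer:HomeBucket}"


def scope_down_policy():
    """Policy that reaches only the user's own folder. Assumes this example's
    convention HomeDirectory == /<bucket>/<UserName>, so the listing prefix can be
    expressed with ${Transfer:UserName} (not something the page states)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOnlyOwnFolder", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": ["arn:aws:s3:::" + BUCKET_VAR],
             "Condition": {"StringLike": {"s3:prefix": [
                 "${Transfer:UserName}/*", "${Transfer:UserName}"]}}},
            {"Sid": "ObjectsOnlyInOwnFolder", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": ["arn:aws:s3:::${Transfer:HomeDirectory}*"]},
        ],
    }


def build_create_user_request(server_id, user_name, bucket, role_arn, ssh_key,
                              mode="policy"):
    """mode="policy": PATH home directory plus the scope-down policy as a JSON blob
    (Type: String). mode="chroot": the Entry '/' -> Target home mapping from the
    note above, which confines the user without a policy."""
    home = f"/{bucket}/{user_name}"
    req = {"ServerId": server_id, "UserName": user_name, "Role": role_arn,
           "HomeDirectory": home, "SshPublicKeyBody": ssh_key}
    if mode == "chroot":
        req["HomeDirectoryType"] = "LOGICAL"
        req["HomeDirectoryMappings"] = [{"Entry": "/", "Target": home}]
    else:
        req["HomeDirectoryType"] = "PATH"
        req["Policy"] = json.dumps(scope_down_policy(), separators=(",", ":"))
    return req


def policy_confines_user(policy):
    """Heuristic: each Allow statement must be tied to the caller by a
    ${Transfer:...} variable, in the key part of the resource or, for a bare
    ${Transfer:HomeBucket} resource, inside its Condition (s3:prefix)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        condition = json.dumps(stmt.get("Condition", {}))
        for res in resources:
            if any(v in res for v in KEY_VARS):
                continue
            if res.endswith(BUCKET_VAR) and "${Transfer:" in condition:
                continue
            return False  # e.g. "arn:aws:s3:::bucket_name/*" with s3:*
    return True


def lint_create_user_request(req):
    """Findings against the documented constraints; [] means well-formed and the
    user is confined either by a chroot mapping or by a scoped policy."""
    findings = []
    if not SERVER_ID_RE.match(req.get("ServerId", "")):
        findings.append("ServerId does not match ^s-([0-9a-f]{17})$")
    if not USER_NAME_RE.match(req.get("UserName", "")):
        findings.append("UserName does not match ^[\\w][\\w@.-]{2,99}$")
    key = req.get("SshPublicKeyBody")
    if key is not None and not SSH_KEY_RE.match(key):
        findings.append("SshPublicKeyBody must be 'ssh-rsa <base64> [comment]'")
    mappings = req.get("HomeDirectoryMappings", [])
    logical = req.get("HomeDirectoryType") == "LOGICAL"
    chrooted = logical and any(m.get("Entry") == "/" for m in mappings)
    scoped, policy = False, req.get("Policy")
    if policy is not None:
        if not isinstance(policy, str):  # the page's sample passes an object
            findings.append("Policy must be a JSON blob string, not an object")
            policy = json.dumps(policy)
        if len(policy) > POLICY_MAX_LEN:
            findings.append(f"Policy exceeds {POLICY_MAX_LEN} characters")
        scoped = policy_confines_user(json.loads(policy))
        if not scoped:
            findings.append("Policy grants access outside the user's home directory")
    if not (chrooted or scoped):
        findings.append("User is neither chrooted by a '/' mapping nor scoped down")
    return findings
```

Run the linter over the sample request further down this page and it reports that the s3:* policy on the whole bucket does not scope the user down at all.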


Response Syntax

{
  "ServerId": "string",
  "UserName": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

ServerId (p. 47)

The ID of the file transfer protocol-enabled server that the user is attached to.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

UserName (p. 47)

A unique string that identifies a user account associated with a file transfer protocol-enabled server.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceExistsException

The requested resource does not exist.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400


ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following example associates a user with a file transfer protocol-enabled server.

Sample Request

{
  "HomeDirectory": "/bucket_name/home/mydirectory",
  "HomeDirectoryMappings": [
    {
      "Entry": "your-personal-report.pdf",
      "Target": "/bucket3/customized-reports/${transfer:UserName}.pdf"
    }
  ],
  "HomeDirectoryType": "PATH",
  "Policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowFullAccessToBucket",
        "Action": [ "s3:*" ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:s3:::bucket_name",
          "arn:aws:s3:::bucket_name/*"
        ]
      }
    ]
  },
  "SshPublicKeyBody": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCOtfCAis3aHfM6yc8KWAlMQxVDBHyccCde9MdLf4DQNXn8HjAHf+Bc1vGGCAREFUL1NO2PEEKING3ALLOWEDfIf+JBecywfO35Cm6IKIV0JF2YOPXvOuQRs80hQaBUvQL9xw6VEb4xzbit2QB6",
  "Role": "arn:aws:iam::176354371281:role/SFTP_role",
  "ServerId": "s-01234567890abcdef",
  "Tags": [
    {
      "Key": "Group",
      "Value": "UserGroup1"
    }
  ],
  "UserName": "sftp_user"
}

Example

Sample Response

{
  "ServerId": "s-01234567890abcdef"
}

DeleteServer

Deletes the file transfer protocol-enabled server that you specify.

No response returns from this operation.

Request Syntax

{
  "ServerId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

ServerId (p. 50)

A unique system-assigned identifier for a file transfer protocol-enabled server instance.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following example deletes a file transfer protocol-enabled server.

Sample Request

{
  "ServerId": "s-01234567890abcdef"
}

Example

Sample Response

{}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


DeleteSshPublicKey

Deletes a user's Secure Shell (SSH) public key.

No response is returned from this operation.

Request Syntax

{
  "ServerId": "string",
  "SshPublicKeyId": "string",
  "UserName": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

ServerId (p. 52)

A system-assigned unique identifier for a file transfer protocol-enabled server instance that has the user assigned to it.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

SshPublicKeyId (p. 52)

A unique identifier used to reference your user's specific SSH key.

Type: String

Length Constraints: Fixed length of 21.

Pattern: ^key-[0-9a-f]{17}$

Required: Yes

UserName (p. 52)

A unique string that identifies a user whose public key is being deleted.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.


Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400

Example

The following example deletes a user's SSH public key.

Sample Request

{
  "ServerId": "s-01234567890abcdef",
  "SshPublicKeyId": "MyPublicKey",
  "UserName": "sftp_user"
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript


DeleteUser

Deletes the user belonging to a file transfer protocol-enabled server you specify.

No response returns from this operation.

Note

When you delete a user from a server, the user's information is lost.

Request Syntax

{
  "ServerId": "string",
  "UserName": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

ServerId (p. 55)

A system-assigned unique identifier for a file transfer protocol-enabled server instance that has the user assigned to it.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

UserName (p. 55)

A unique string that identifies a user that is being deleted from a file transfer protocol-enabled server.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Example

The following example deletes a user account assigned to a file transfer protocol-enabled server.

Sample Request

{
  "ServerId": "s-01234567890abcdef",
  "UserName": "sftp_user"
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


DescribeSecurityPolicy

Describes the security policy that is attached to your file transfer protocol-enabled server. The response contains a description of the security policy's properties. For more information about security policies, see Working with security policies.

Request Syntax

{
  "SecurityPolicyName": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

SecurityPolicyName (p. 57)

Specifies the name of the security policy that is attached to the server.

Type: String

Length Constraints: Maximum length of 100.

Pattern: TransferSecurityPolicy-.+

Required: Yes

Response Syntax

{
  "SecurityPolicy": {
    "Fips": boolean,
    "SecurityPolicyName": "string",
    "SshCiphers": [ "string" ],
    "SshKexs": [ "string" ],
    "SshMacs": [ "string" ],
    "TlsCiphers": [ "string" ]
  }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

SecurityPolicy (p. 57)

An array containing the properties of the security policy.

Type: DescribedSecurityPolicy (p. 105) object


Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


DescribeServer

Describes a file transfer protocol-enabled server that you specify by passing the ServerId parameter.

The response contains a description of a server's properties. When you set EndpointType to VPC, the response will contain the EndpointDetails.

Request Syntax

{
  "ServerId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

ServerId (p. 59)

A system-assigned unique identifier for a file transfer protocol-enabled server.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

Response Syntax

{
  "Server": {
    "Arn": "string",
    "Certificate": "string",
    "EndpointDetails": {
      "AddressAllocationIds": [ "string" ],
      "SubnetIds": [ "string" ],
      "VpcEndpointId": "string",
      "VpcId": "string"
    },
    "EndpointType": "string",
    "HostKeyFingerprint": "string",
    "IdentityProviderDetails": {
      "InvocationRole": "string",
      "Url": "string"
    },
    "IdentityProviderType": "string",
    "LoggingRole": "string",
    "Protocols": [ "string" ],
    "SecurityPolicyName": "string",
    "ServerId": "string",
    "State": "string",
    "Tags": [
      {
        "Key": "string",
        "Value": "string"
      }
    ],
    "UserCount": number
  }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Server (p. 59)

An array containing the properties of a file transfer protocol-enabled server with the ServerID you specified.

Type: DescribedServer (p. 107) object

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following example returns the properties assigned to a file transfer protocol-enabled server.

Sample Request

{
  "ServerId": "s-01234567890abcdef"
}

Example

Sample Response

{
  "Server": {
    "Arn": "arn:aws:transfer:us-east-1:176354371281:server/s-01234567890abcdef",
    "EndpointDetails": {
      "AddressAllocationIds": [
        "eipalloc-01a2eabe3c04d5678",
        "eipalloc-102345be"
      ],
      "SubnetIds": [
        "subnet-047eaa7f0187a7cde",
        "subnet-0a2d0f474daffde18"
      ],
      "VpcEndpointId": "vpce-03fe0080e7cb008b8",
      "VpcId": "vpc-09047a51f1c8e1634"
    },
    "EndpointType": "VPC",
    "HostKeyFingerprint": "your host key",
    "IdentityProviderType": "SERVICE_MANAGED",
    "ServerId": "s-01234567890abcdef",
    "State": "ONLINE",
    "Tags": [],
    "UserCount": 0
  }
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


DescribeUser

Describes the user assigned to the specific file transfer protocol-enabled server, as identified by its ServerId property.

The response from this call returns the properties of the user associated with the ServerId value that was specified.

Request Syntax

{
  "ServerId": "string",
  "UserName": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

ServerId (p. 62)

A system-assigned unique identifier for a file transfer protocol-enabled server that has this user assigned.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

UserName (p. 62)

The name of the user assigned to one or more file transfer protocol-enabled servers. User names are part of the sign-in credentials to use the AWS Transfer Family service and perform file transfer tasks.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Required: Yes

Response Syntax

{
  "ServerId": "string",
  "User": {
    "Arn": "string",
    "HomeDirectory": "string",
    "HomeDirectoryMappings": [
      {
        "Entry": "string",
        "Target": "string"
      }
    ],
    "HomeDirectoryType": "string",
    "Policy": "string",
    "Role": "string",
    "SshPublicKeys": [
      {
        "DateImported": number,
        "SshPublicKeyBody": "string",
        "SshPublicKeyId": "string"
      }
    ],
    "Tags": [
      {
        "Key": "string",
        "Value": "string"
      }
    ],
    "UserName": "string"
  }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

ServerId (p. 62)

A system-assigned unique identifier for a file transfer protocol-enabled server that has this user assigned.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

User (p. 62)

An array containing the properties of the user account for the ServerID value that you specified.

Type: DescribedUser (p. 110) object

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following example returns the properties assigned to a file transfer protocol-enabled server.

Sample Request

{
  "ServerId": "s-01234567890abcdef",
  "UserName": "sftp_user"
}

Example

Sample Response

{
  "User": {
    "Arn": "arn:aws:transfer:us-east-1:176354371281:server/s-01234567890abcdef",
    "HomeDirectory": "/home/mydirectory",
    "HomeDirectoryType": "PATH",
    "Role": "arn:aws:iam::176354371281:role/SFTP_role",
    "SshPublicKeys": [
      {
        "SshPublicKeyBody": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCOtfCAis3aHfM6yc8KWAlMQxVDBHyccCde9MdLf4DQNXn8HjAHf+Bc1vGGCAREFUL1NO2PEEKING3ALLOWEDfIf+JBecywfO35Cm6IKIV0JF2YOPXvOuQRs80hQaBUvQL9xw6VEb4xzbit2QB6"
      }
    ],
    "Tags": [
      {
        "Key": "Name",
        "Value": "MySFTPServer"
      }
    ],
    "UserName": "sftp_user"
  }
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript


ImportSshPublicKey

Adds a Secure Shell (SSH) public key to a user account identified by a UserName value assigned to the specific file transfer protocol-enabled server, identified by ServerId.

The response returns the UserName value, the ServerId value, and the name of the SshPublicKeyId.

Request Syntax

{
  "ServerId": "string",
  "SshPublicKeyBody": "string",
  "UserName": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

ServerId (p. 66)

A system-assigned unique identifier for a file transfer protocol-enabled server.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

SshPublicKeyBody (p. 66)

The public key portion of an SSH key pair.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^ssh-rsa\s+[A-Za-z0-9+/]+[=]{0,3}(\s+.+)?\s*$

Required: Yes

UserName (p. 66)

The name of the user account that is assigned to one or more file transfer protocol-enabled servers.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Required: Yes

Response Syntax

{
  "ServerId": "string",
  "SshPublicKeyId": "string",
  "UserName": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

ServerId (p. 66)

A system-assigned unique identifier for a file transfer protocol-enabled server.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

SshPublicKeyId (p. 66)

The name given to a public key by the system that was imported.

Type: String

Length Constraints: Fixed length of 21.

Pattern: ^key-[0-9a-f]{17}$

UserName (p. 66)

A user name assigned to the ServerID value that you specified.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceExistsException

The requested resource does not exist.

HTTP Status Code: 400


ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400

Examples

Example

The following example returns the properties assigned to a file transfer protocol-enabled server.

Sample Request

{
  "ServerId": "s-01234567890abcdef",
  "SshPublicKeyBody": "AAAAB3NzaC1yc2EAAAADAQABAAABAQCOtfCAis3aHfM6yc8KWAlMQxVDBHyccCde9MdLf4DQNXn8HjAHf+Bc1vGGCAREFUL1NO2PEEKING3ALLOWEDfIf+JBecywfO35Cm6IKIV0JF2YOPXvOuQRs80hQaBUvQL9xw6VEb4xzbit2QB6",
  "UserName": "sftp_user"
}

Example

Sample Response

{
  "ServerId": "s-01234567890abcdef",
  "SshPublicKeyId": "MySSHPublicKey",
  "UserName": "sftp_user"
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++


ListSecurityPolicies

Lists the security policies that are attached to your file transfer protocol-enabled servers.

Request Syntax

{
  "MaxResults": number,
  "NextToken": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

MaxResults (p. 70)

Specifies the number of security policies to return as a response to the ListSecurityPolicies query.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1000.

Required: No

NextToken (p. 70)

When additional results are obtained from the ListSecurityPolicies command, a NextToken parameter is returned in the output. You can then pass the NextToken parameter in a subsequent command to continue listing additional security policies.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 6144.

Required: No

Response Syntax

{
  "NextToken": "string",
  "SecurityPolicyNames": [ "string" ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextToken (p. 70)

When you can get additional results from the ListSecurityPolicies operation, a NextToken parameter is returned in the output. In a following command, you can pass in the NextToken parameter to continue listing security policies.


Type: String

Length Constraints: Minimum length of 1. Maximum length of 6144.

SecurityPolicyNames (p. 70)

An array of security policies that were listed.

Type: Array of strings

Length Constraints: Maximum length of 100.

Pattern: TransferSecurityPolicy-.+

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidNextTokenException

The NextToken parameter that was passed is invalid.

HTTP Status Code: 400

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


ListServers

Lists the file transfer protocol-enabled servers that are associated with your AWS account.

Request Syntax

{
  "MaxResults": number,
  "NextToken": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

MaxResults (p. 72)

Specifies the number of file transfer protocol-enabled servers to return as a response to the ListServers query.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1000.

Required: No

NextToken (p. 72)

When additional results are obtained from the ListServers command, a NextToken parameter is returned in the output. You can then pass the NextToken parameter in a subsequent command to continue listing additional file transfer protocol-enabled servers.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 6144.

Required: No

Response Syntax

{
  "NextToken": "string",
  "Servers": [
    {
      "Arn": "string",
      "EndpointType": "string",
      "IdentityProviderType": "string",
      "LoggingRole": "string",
      "ServerId": "string",
      "State": "string",
      "UserCount": number
    }
  ]
}


Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextToken (p. 72)

When you can get additional results from the ListServers operation, a NextToken parameter is returned in the output. In a following command, you can pass in the NextToken parameter to continue listing additional file transfer protocol-enabled servers.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 6144.

Servers (p. 72)

An array of file transfer protocol-enabled servers that were listed.

Type: Array of ListedServer (p. 117) objects

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidNextTokenException

The NextToken parameter that was passed is invalid.

HTTP Status Code: 400

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following example lists the file transfer protocol-enabled servers that exist in your AWS account.

Sample Request

{
  "MaxResults": 100,
  "NextToken": "eyJNYXJrZXIiOiBudWxsLCAiYm90b1X0cnVuU2F0ZV9hbW91bnQiOiAyfQ=="
}

Example

Sample Response

{
  "NextToken": "eyJNYXJrZXIiOiBudWxsLCAiYm90b1X0cnVuU2F0ZV9hbW91bnQiOiAyfQ==",
  "Servers": [
    {
      "Arn": "arn:aws:transfer:us-east-1:176354371281:server/s-01234567890abcdef",
      "LoggingRole": "CloudWatchLoggingRole",
      "ServerId": "s-01234567890abcdef",
      "State": "ONLINE",
      "Tags": [
        {
          "Key": "Name",
          "Value": "MySFTPServer"
        }
      ]
    }
  ]
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3
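The following added example (not from the guide or the AWS SDKs) shows how a defender would walk ListServers through its NextToken pagination and review each ListedServer for settings worth a second look: no LoggingRole, a PUBLIC endpoint, or a START_FAILED/STOP_FAILED state. The real call is boto3's `client("transfer").list_servers(MaxResults=..., NextToken=...)`; a constructed in-memory stub with the same shape stands in for it so the code runs offline.

```python
"""Paginate ListServers through NextToken and flag risky server settings.

Added example; not from the AWS guide. The real call is boto3's
client("transfer").list_servers(MaxResults=..., NextToken=...); here a
constructed in-memory stub stands in for it so the code runs offline.
"""
import re
from typing import Callable, Dict, Iterator, List, Optional

SERVER_ID_RE = re.compile(r"^s-([0-9a-f]{17})$")  # pattern from the API reference
MAX_RESULTS_LIMIT = 1000  # documented valid range for MaxResults: 1..1000


def iter_servers(list_servers: Callable[..., Dict], page_size: int = 100) -> Iterator[Dict]:
    """Yield every ListedServer, following NextToken until the service omits it."""
    if not 1 <= page_size <= MAX_RESULTS_LIMIT:
        raise ValueError("MaxResults must be between 1 and 1000")
    kwargs = {"MaxResults": page_size}
    seen_tokens = set()
    while True:
        page = list_servers(**kwargs)
        for server in page.get("Servers", []):
            yield server
        token = page.get("NextToken")
        if not token:
            return
        if token in seen_tokens:  # defensive: a repeated token would loop forever
            raise RuntimeError("ListServers returned a NextToken it already issued")
        seen_tokens.add(token)
        kwargs = {"MaxResults": page_size, "NextToken": token}


def audit_servers(servers: List[Dict]) -> Dict[str, List[str]]:
    """Return findings per ServerId based only on ListedServer fields.

    Findings (a review of the listing, not a vulnerability scan):
      - no LoggingRole: CloudWatch logging of user activity is turned off
      - EndpointType PUBLIC: internet-facing, no VPC security groups apply
      - State START_FAILED / STOP_FAILED: the last state change did not complete
      - ServerId not matching the documented pattern: unexpected listing data
    """
    findings: Dict[str, List[str]] = {}
    for s in servers:
        sid = s.get("ServerId", "<missing>")
        issues = []
        if not SERVER_ID_RE.match(sid):
            issues.append("ServerId does not match ^s-([0-9a-f]{17})$")
        if not s.get("LoggingRole"):
            issues.append("no LoggingRole: activity logging is off")
        if s.get("EndpointType") == "PUBLIC":
            issues.append("EndpointType PUBLIC: endpoint is internet-facing")
        if s.get("State") in ("START_FAILED", "STOP_FAILED"):
            issues.append(f"State {s['State']}: last state change failed")
        if issues:
            findings[sid] = issues
    return findings


class StubTransferClient:
    """Constructed stand-in for boto3's Transfer client: serves fixed pages."""

    def __init__(self, pages: List[List[Dict]]):
        self._pages = pages

    def list_servers(self, MaxResults: int = 1000, NextToken: Optional[str] = None) -> Dict:
        index = int(NextToken.split(":")[1]) if NextToken else 0
        if index >= len(self._pages):
            raise ValueError("InvalidNextTokenException: token out of range")
        result = {"Servers": self._pages[index][:MaxResults]}
        if index + 1 < len(self._pages):  # more pages: hand out a NextToken
            result["NextToken"] = f"page:{index + 1}"
        return result


# Constructed sample data in the shape of ListedServer from the response syntax.
SAMPLE_PAGES = [
    [
        {"Arn": "arn:aws:transfer:us-east-1:111122223333:server/s-0123456789abcdef0",
         "EndpointType": "VPC", "IdentityProviderType": "SERVICE_MANAGED",
         "LoggingRole": "arn:aws:iam::111122223333:role/CloudWatchLoggingRole",
         "ServerId": "s-0123456789abcdef0", "State": "ONLINE", "UserCount": 4},
        {"Arn": "arn:aws:transfer:us-east-1:111122223333:server/s-0123456789abcdef1",
         "EndpointType": "PUBLIC", "IdentityProviderType": "API_GATEWAY",
         "LoggingRole": "", "ServerId": "s-0123456789abcdef1",
         "State": "ONLINE", "UserCount": 12},
    ],
    [
        {"Arn": "arn:aws:transfer:us-east-1:111122223333:server/s-0123456789abcdef2",
         "EndpointType": "VPC_ENDPOINT", "IdentityProviderType": "SERVICE_MANAGED",
         "LoggingRole": "arn:aws:iam::111122223333:role/CloudWatchLoggingRole",
         "ServerId": "s-0123456789abcdef2", "State": "START_FAILED", "UserCount": 0},
    ],
]


def run_audit(client=None) -> Dict[str, List[str]]:
    """Collect all pages, then audit. Pass boto3.client('transfer') for real use."""
    client = client or StubTransferClient(SAMPLE_PAGES)
    return audit_servers(list(iter_servers(client.list_servers, page_size=100)))


if __name__ == "__main__":
    for server_id, issues in run_audit().items():
        print(server_id, "->", "; ".join(issues))
```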

ListTagsForResource

Lists all of the tags associated with the Amazon Resource Name (ARN) you specify. The resource can be a user, server, or role.

Request Syntax

{
  "Arn": "string",
  "MaxResults": number,
  "NextToken": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

Arn (p. 75)

Requests the tags associated with a particular Amazon Resource Name (ARN). An ARN is an identifier for a specific AWS resource, such as a server, user, or role.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 1600.

Pattern: arn:.*

Required: Yes

MaxResults (p. 75)

Specifies the number of tags to return as a response to the ListTagsForResource request.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1000.

Required: No

NextToken (p. 75)

When additional results are available from the ListTagsForResource operation, a NextToken parameter is returned in the output. You can then pass the NextToken parameter in a subsequent command to continue listing additional tags.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 6144.

Required: No

Response Syntax

{
  "Arn": "string",
  "NextToken": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
  ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Arn (p. 75)

The ARN you specified to list the tags of.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 1600.

Pattern: arn:.*

NextToken (p. 75)

When you can get additional results from the ListTagsForResource call, a NextToken parameter is returned in the output. You can then pass the NextToken parameter in a subsequent command to continue listing additional tags.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 6144.

Tags (p. 75)

Key-value pairs that are assigned to a resource, usually for the purpose of grouping and searching for items. Tags are metadata that you define.

Type: Array of Tag (p. 122) objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidNextTokenException

The NextToken parameter that was passed is invalid.

HTTP Status Code: 400

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following example lists the tags for the resource with the ARN you specified.

Sample Request

{
  "Arn": "arn:aws:transfer:us-east-1:176354371281:server/s-01234567890abcdef"
}

Example

Sample Response

{
  "Tags": [
    {
      "Key": "Name",
      "Value": "MySFTPServer"
    }
  ]
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

ListUsers

Lists the users for a file transfer protocol-enabled server that you specify by passing the ServerId parameter.

Request Syntax

{
  "MaxResults": number,
  "NextToken": "string",
  "ServerId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

MaxResults (p. 78)

Specifies the number of users to return as a response to the ListUsers request.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1000.

Required: No

NextToken (p. 78)

When you can get additional results from the ListUsers call, a NextToken parameter is returned in the output. You can then pass the NextToken parameter in a subsequent command to continue listing additional users.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 6144.

Required: No

ServerId (p. 78)

A system-assigned unique identifier for a file transfer protocol-enabled server that has users assigned to it.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

Response Syntax

{
  "NextToken": "string",
  "ServerId": "string",
  "Users": [
    {
      "Arn": "string",
      "HomeDirectory": "string",
      "HomeDirectoryType": "string",
      "Role": "string",
      "SshPublicKeyCount": number,
      "UserName": "string"
    }
  ]
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextToken (p. 78)

When you can get additional results from the ListUsers call, a NextToken parameter is returned in the output. You can then pass the NextToken parameter in a subsequent command to continue listing additional users.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 6144.

ServerId (p. 78)

A system-assigned unique identifier for a file transfer protocol-enabled server that the users are assigned to.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Users (p. 78)

Returns the user accounts and their properties for the ServerId value that you specify.

Type: Array of ListedUser (p. 119) objects

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidNextTokenException

The NextToken parameter that was passed is invalid.

HTTP Status Code: 400

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The ListUsers API call returns a list of users associated with a file transfer protocol-enabled server you specify.

Sample Request

{
  "MaxResults": 100,
  "NextToken": "eyJNYXJrZXIiOiBudWxsLCAiYm90b1X0cnVuU2F0ZV9hbW91bnQiOiAyfQ==",
  "ServerId": "s-01234567890abcdef"
}

Example

Sample Response

{
  "NextToken": "eyJNYXJrZXIiOiBudWxsLCAiYm90b1X0cnVuU2F0ZV9hbW91bnQiOiAyfQ==",
  "ServerId": "s-01234567890abcdef",
  "Users": [
    {
      "Arn": "arn:aws:transfer:us-east-1:176354371281:user/s-01234567890abcdef/charlie",
      "HomeDirectory": "/sftp-tests/home/charlie",
      "SshPublicKeyCount": 1,
      "Role": "arn:aws:iam::176354371281:role/transfer-role1",
      "Tags": [
        {
          "Key": "Name",
          "Value": "user1"
        }
      ],
      "UserName": "sftp_user"
    }
  ]
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

StartServer

Changes the state of a file transfer protocol-enabled server from OFFLINE to ONLINE. It has no impact on a server that is already ONLINE. An ONLINE server can accept and process file transfer jobs.

The state of STARTING indicates that the server is in an intermediate state, either not fully able to respond, or not fully online. The values of START_FAILED can indicate an error condition.

No response is returned from this call.

Request Syntax

{
  "ServerId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

ServerId (p. 82)

A system-assigned unique identifier for a file transfer protocol-enabled server that you start.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400

Examples

Example

The following example starts a file transfer protocol-enabled server.

Sample Request

{
  "ServerId": "s-01234567890abcdef"
}

Example

Sample Response

{
  "ServerId": "s-01234567890abcdef"
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

StopServer

Changes the state of a file transfer protocol-enabled server from ONLINE to OFFLINE. An OFFLINE server cannot accept and process file transfer jobs. Information tied to your server, such as server and user properties, is not affected by stopping your server. Stopping the server will not reduce or impact your file transfer protocol endpoint billing.

The state of STOPPING indicates that the server is in an intermediate state, either not fully able to respond, or not fully offline. The values of STOP_FAILED can indicate an error condition.

No response is returned from this call.

Request Syntax

{
  "ServerId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

ServerId (p. 84)

A system-assigned unique identifier for a file transfer protocol-enabled server that you stopped.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400

Examples

Example

The following example stops a file transfer protocol-enabled server.

Sample Request

{
  "ServerId": "s-01234567890abcdef"
}

Example

Sample Response

{
  "ServerId": "s-01234567890abcdef"
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

TagResource

Attaches a key-value pair to a resource, as identified by its Amazon Resource Name (ARN). Resources are users, servers, roles, and other entities.

There is no response returned from this call.

Request Syntax

{
  "Arn": "string",
  "Tags": [
    {
      "Key": "string",
      "Value": "string"
    }
  ]
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

Arn (p. 86)

An Amazon Resource Name (ARN) for a specific AWS resource, such as a server, user, or role.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 1600.

Pattern: arn:.*

Required: Yes

Tags (p. 86)

Key-value pairs assigned to ARNs that you can use to group and search for resources by type. You can attach this metadata to user accounts for any purpose.

Type: Array of Tag (p. 122) objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following example adds a tag to a file transfer protocol-enabled server.

Sample Request

{
  "Arn": "arn:aws:transfer:us-east-1:176354371281:server/s-01234567890abcdef",
  "Tags": [
    {
      "Key": "Group",
      "Value": "Europe"
    }
  ]
}

Example

Sample Response

HTTP 200 response with an empty HTTP body.

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

TestIdentityProvider

If the IdentityProviderType of a file transfer protocol-enabled server is API_Gateway, tests whether your API Gateway is set up successfully. We highly recommend that you call this operation to test your authentication method as soon as you create your server. By doing so, you can troubleshoot issues with the API Gateway integration to ensure that your users can successfully use the service.

Request Syntax

{
  "ServerId": "string",
  "ServerProtocol": "string",
  "SourceIp": "string",
  "UserName": "string",
  "UserPassword": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

ServerId (p. 89)

A system-assigned identifier for a specific file transfer protocol-enabled server. That server's user authentication method is tested with a user name and password.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

ServerProtocol (p. 89)

The type of file transfer protocol to be tested.

The available protocols are:

• Secure Shell (SSH) File Transfer Protocol (SFTP)
• File Transfer Protocol Secure (FTPS)
• File Transfer Protocol (FTP)

Type: String

Valid Values: SFTP | FTP | FTPS

Required: No

SourceIp (p. 89)

The source IP address of the user account to be tested.

Type: String

Length Constraints: Maximum length of 32.

Pattern: ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$

Required: No

UserName (p. 89)

The name of the user account to be tested.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Required: Yes

UserPassword (p. 89)

The password of the user account to be tested.

Type: String

Length Constraints: Maximum length of 2048.

Required: No

Response Syntax

{
  "Message": "string",
  "Response": "string",
  "StatusCode": number,
  "Url": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Message (p. 90)

A message that indicates whether the test was successful or not.

Type: String

Response (p. 90)

The response that is returned from your API Gateway.

Type: String

StatusCode (p. 90)

The HTTP status code that is the response from your API Gateway.

Type: Integer

Url (p. 90)

The endpoint of the service used to authenticate a user.

Type: String

Length Constraints: Maximum length of 255.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following request returns a message from an identity provider that a user name and password are a valid identity to use with the AWS Transfer Family service.

Sample Request

{
  "ServerId": "s-01234567890abcdef",
  "UserName": "sftp_user",
  "UserPassword": "MyPassword-1"
}

Example

Sample Response

{
  "Message": "",
  "StatusCode": 200,
  "Response": "{\"Role\": \"arn:aws:iam::123456789012:role/SFTP_role\",\"HomeDirectory\": \"/bucket_name/home/mydirectory\",\"PublicKeys\": \"[ssh-rsa-key]\"}",
  "Url": "myauthenticationserver.com"
}
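An added example (not from the guide) of what to do with the result above before wiring a custom identity provider into production: it takes the Message / Response / StatusCode / Url dict that boto3's `client("transfer").test_identity_provider(...)` returns, parses the JSON string in Response, and reports whether a usable Role, HomeDirectory and PublicKeys came back. The ROLE_ARN_RE pattern is borrowed from this page's LoggingRole constraint and is an assumption for user roles; the two sample results are constructed.

```python
"""Interpret a TestIdentityProvider result before letting users onto a server.

Added example; not from the AWS guide. Input is the dict boto3's
client("transfer").test_identity_provider(...) returns (Message, Response,
StatusCode, Url). ROLE_ARN_RE reuses this page's LoggingRole pattern and is an
assumption for the Role an identity provider hands back.
"""
import json
import re
from typing import Any, Dict, List

ROLE_ARN_RE = re.compile(r"^arn:.*role/.*$")  # assumption: same shape as LoggingRole


def interpret_test_result(result: Dict[str, Any]) -> Dict[str, Any]:
    """Return a verdict dict: an ok flag plus the reasons it is or is not ok.

    Checks performed:
      - StatusCode must be 200 (the syntax says number, the sample shows a
        string, so both forms are accepted)
      - Response must be a JSON object (API Gateway returns it as a string)
      - a Role that looks like an IAM role ARN must be present
      - HomeDirectory and PublicKeys are reported as returned
    """
    problems: List[str] = []
    status = result.get("StatusCode")
    try:
        status = int(status)
    except (TypeError, ValueError):
        problems.append(f"StatusCode is not numeric: {status!r}")
        status = None
    if status is not None and status != 200:
        problems.append(f"identity provider answered HTTP {status}")

    raw = result.get("Response", "")
    body: Dict[str, Any] = {}
    if isinstance(raw, str) and raw.strip():
        try:
            parsed = json.loads(raw)
            if isinstance(parsed, dict):
                body = parsed
            else:
                problems.append("Response is JSON but not an object")
        except json.JSONDecodeError as exc:
            problems.append(f"Response is not valid JSON: {exc.msg}")
    else:
        problems.append("Response is empty")

    role = body.get("Role")
    if not role:
        problems.append("no Role returned: user would not be granted an IAM role")
    elif not ROLE_ARN_RE.match(role):
        problems.append(f"Role does not look like an IAM role ARN: {role}")

    keys = body.get("PublicKeys")  # list in practice; the sample shows a string
    return {
        "ok": not problems,
        "problems": problems,
        "role": role,
        "home_directory": body.get("HomeDirectory"),
        "public_key_count": len(keys) if isinstance(keys, list) else (1 if keys else 0),
        "url": result.get("Url"),
        "message": result.get("Message", ""),
    }


# Constructed result in the shape of this page's sample response.
SAMPLE_OK = {
    "Message": "",
    "StatusCode": "200",
    "Response": json.dumps({
        "Role": "arn:aws:iam::123456789012:role/SFTP_role",
        "HomeDirectory": "/bucket_name/home/mydirectory",
        "PublicKeys": ["ssh-rsa AAAA-constructed-key-material"],
    }),
    "Url": "myauthenticationserver.com",
}

# Constructed failure: the provider rejected the credentials and returned no role.
SAMPLE_DENIED = {"Message": "", "StatusCode": 401, "Response": "{}",
                 "Url": "myauthenticationserver.com"}

if __name__ == "__main__":
    print(interpret_test_result(SAMPLE_OK))
    print(interpret_test_result(SAMPLE_DENIED))
```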

UntagResource

Detaches a key-value pair from a resource, as identified by its Amazon Resource Name (ARN). Resources are users, servers, roles, and other entities.

No response is returned from this call.

Request Syntax

{
  "Arn": "string",
  "TagKeys": [ "string" ]
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

Arn (p. 93)

The value of the resource that will have the tag removed. An Amazon Resource Name (ARN) is an identifier for a specific AWS resource, such as a server, user, or role.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 1600.

Pattern: arn:.*

Required: Yes

TagKeys (p. 93)

TagKeys are key-value pairs assigned to ARNs that can be used to group and search for resources by type. This metadata can be attached to resources for any purpose.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Length Constraints: Maximum length of 128.

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

Examples

Example

The following example removes a tag of a file transfer protocol-enabled server.

Sample Request

{
  "Arn": "arn:aws:transfer:us-east-1:176354371281:server/s-01234567890abcdef",
  "TagKeys": [ "Europe" ]
}

Example

Sample Response

HTTP 200 response with an empty HTTP body.

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

UpdateServer

Updates the file transfer protocol-enabled server's properties after that server has been created.

The UpdateServer call returns the ServerId of the server you updated.

Request Syntax

{
  "Certificate": "string",
  "EndpointDetails": {
    "AddressAllocationIds": [ "string" ],
    "SubnetIds": [ "string" ],
    "VpcEndpointId": "string",
    "VpcId": "string"
  },
  "EndpointType": "string",
  "HostKey": "string",
  "IdentityProviderDetails": {
    "InvocationRole": "string",
    "Url": "string"
  },
  "LoggingRole": "string",
  "Protocols": [ "string" ],
  "SecurityPolicyName": "string",
  "ServerId": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

Certificate (p. 95)

The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. Required when Protocols is set to FTPS.

To request a new public certificate, see Request a public certificate in the AWS Certificate Manager User Guide.

To import an existing certificate into ACM, see Importing certificates into ACM in the AWS Certificate Manager User Guide.

To request a private certificate to use FTPS through private IP addresses, see Request a private certificate in the AWS Certificate Manager User Guide.

Certificates with the following cryptographic algorithms and key sizes are supported:

• 2048-bit RSA (RSA_2048)
• 4096-bit RSA (RSA_4096)
• Elliptic Prime Curve 256 bit (EC_prime256v1)
• Elliptic Prime Curve 384 bit (EC_secp384r1)
• Elliptic Prime Curve 521 bit (EC_secp521r1)

Note

The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

Type: String

Length Constraints: Maximum length of 1600.

Required: No

EndpointDetails (p. 95)

The virtual private cloud (VPC) endpoint settings that are configured for your file transfer protocol-enabled server. With a VPC endpoint, you can restrict access to your server to resources only within your VPC. To control incoming internet traffic, you will need to associate one or more Elastic IP addresses with your server's endpoint.

Type: EndpointDetails (p. 113) object

Required: No

EndpointType (p. 95)

The type of endpoint that you want your file transfer protocol-enabled server to connect to. You can choose to connect to the public internet or a VPC endpoint. With a VPC endpoint, you can restrict access to your server and resources only within your VPC.

Note

It is recommended that you use VPC as the EndpointType. With this endpoint type, you have the option to directly associate up to three Elastic IPv4 addresses (BYO IP included) with your server's endpoint and use VPC security groups to restrict traffic by the client's public IP address. This is not possible with EndpointType set to VPC_ENDPOINT.

Type: String

Valid Values: PUBLIC | VPC | VPC_ENDPOINT

Required: No

HostKey (p. 95)

The RSA private key as generated by ssh-keygen -N "" -m PEM -f my-new-server-key.

Important

If you aren't planning to migrate existing users from an existing file transfer protocol-enabled server to a new server, don't update the host key. Accidentally changing a server's host key can be disruptive.

For more information, see Change the host key for your SFTP-enabled server in the AWS Transfer Family User Guide.

Type: String

Length Constraints: Maximum length of 4096.

Required: No

IdentityProviderDetails (p. 95)

An array containing all of the information required to call a customer's authentication API method.

Type: IdentityProviderDetails (p. 116) object

Required: No

LoggingRole (p. 95)

Changes the AWS Identity and Access Management (IAM) role that allows Amazon S3 events to be logged in Amazon CloudWatch, turning logging on or off.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^$|arn:.*role/.*

Required: No

Protocols (p. 95)

Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. The available protocols are:

• Secure Shell (SSH) File Transfer Protocol (SFTP): File transfer over SSH
• File Transfer Protocol Secure (FTPS): File transfer with TLS encryption
• File Transfer Protocol (FTP): Unencrypted file transfer

Note

If you select FTPS, you must choose a certificate stored in AWS Certificate Manager (ACM) which will be used to identify your server when clients connect to it over FTPS.

If Protocol includes either FTP or FTPS, then the EndpointType must be VPC and the IdentityProviderType must be API_GATEWAY.

If Protocol includes FTP, then AddressAllocationIds cannot be associated.

If Protocol is set only to SFTP, the EndpointType can be set to PUBLIC and the IdentityProviderType can be set to SERVICE_MANAGED.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 3 items.

Valid Values: SFTP | FTP | FTPS

Required: No

SecurityPolicyName (p. 95)

Specifies the name of the security policy that is attached to the server.

Type: String

Length Constraints: Maximum length of 100.

Pattern: TransferSecurityPolicy-.+

Required: No

ServerId (p. 95)

A system-assigned unique identifier for a file transfer protocol-enabled server instance that the user account is assigned to.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes
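The Protocols note and the parameter constraints above form a set of rules that an UpdateServer request has to satisfy together (FTPS needs a certificate, FTP/FTPS need a VPC endpoint and an API Gateway identity provider, FTP excludes AddressAllocationIds). The following added example (not from the guide or the SDK) checks a request dict against those rules before it is sent and also emits warnings for settings the API accepts but a reviewer would question. The server's current IdentityProviderType is passed in separately because it is not an UpdateServer parameter (assumption: the caller reads it from DescribeServer); the two request dicts are constructed.

```python
"""Check an UpdateServer request against the protocol/endpoint rules on this page.

Added example; not from the AWS guide or SDK. Hard constraints come from the
Protocols note and the parameter patterns above. identity_provider_type is
assumed to be read from DescribeServer, since UpdateServer does not carry it.
"""
import re
from typing import Any, Dict, List

SERVER_ID_RE = re.compile(r"^s-([0-9a-f]{17})$")
LOGGING_ROLE_RE = re.compile(r"^$|arn:.*role/.*")
SECURITY_POLICY_RE = re.compile(r"TransferSecurityPolicy-.+")
VALID_PROTOCOLS = {"SFTP", "FTP", "FTPS"}
VALID_ENDPOINT_TYPES = {"PUBLIC", "VPC", "VPC_ENDPOINT"}


def validate_update_server(req: Dict[str, Any], identity_provider_type: str) -> List[str]:
    """Return a list of problems; an empty list means the request is consistent.

    Plain entries are documented hard constraints the service would reject.
    Entries prefixed "warning:" are observations this page supports but the
    API will accept.
    """
    problems: List[str] = []

    server_id = req.get("ServerId", "")
    if not SERVER_ID_RE.match(server_id):
        problems.append("ServerId is required and must match ^s-([0-9a-f]{17})$")

    protocols = req.get("Protocols")
    if protocols is not None:
        if not 1 <= len(protocols) <= 3:
            problems.append("Protocols must contain 1 to 3 items")
        bad = set(protocols) - VALID_PROTOCOLS
        if bad:
            problems.append(f"unknown protocol(s): {sorted(bad)}")
    protos = set(protocols or [])

    endpoint_type = req.get("EndpointType")
    if endpoint_type is not None and endpoint_type not in VALID_ENDPOINT_TYPES:
        problems.append(f"EndpointType must be one of {sorted(VALID_ENDPOINT_TYPES)}")

    if "FTPS" in protos and not req.get("Certificate"):
        problems.append("Certificate (ACM ARN) is required when Protocols includes FTPS")

    if protos & {"FTP", "FTPS"}:
        if endpoint_type != "VPC":
            problems.append("FTP/FTPS require EndpointType VPC")
        if identity_provider_type != "API_GATEWAY":
            problems.append("FTP/FTPS require IdentityProviderType API_GATEWAY")

    details = req.get("EndpointDetails") or {}
    if "FTP" in protos and details.get("AddressAllocationIds"):
        problems.append("AddressAllocationIds cannot be associated when Protocols includes FTP")
    if "FTP" in protos:
        problems.append("warning: FTP is unencrypted file transfer")

    if endpoint_type == "VPC_ENDPOINT":
        problems.append("warning: VPC_ENDPOINT cannot filter clients by IP with "
                        "security groups; the page recommends VPC")

    logging_role = req.get("LoggingRole")
    if logging_role is not None and not LOGGING_ROLE_RE.match(logging_role):
        problems.append("LoggingRole must be empty or match arn:.*role/.*")
    if logging_role == "":
        problems.append("warning: empty LoggingRole turns CloudWatch logging off")

    policy = req.get("SecurityPolicyName")
    if policy is not None and not SECURITY_POLICY_RE.match(policy):
        problems.append("SecurityPolicyName must match TransferSecurityPolicy-.+")

    if req.get("HostKey"):
        problems.append("warning: changing HostKey is disruptive to existing clients")

    return problems


# Constructed requests in the shape of this page's request syntax.
SFTP_ONLY = {
    "ServerId": "s-01234567890abcdef",
    "Protocols": ["SFTP"],
    "EndpointType": "PUBLIC",
    "LoggingRole": "arn:aws:iam::123456789012:role/CloudWatchLoggingRole",
    "SecurityPolicyName": "TransferSecurityPolicy-EXAMPLE",  # placeholder name
}
FTP_MISCONFIGURED = {
    "ServerId": "s-01234567890abcdef",
    "Protocols": ["SFTP", "FTP", "FTPS"],
    "EndpointType": "PUBLIC",
    "EndpointDetails": {"AddressAllocationIds": ["eipalloc-EXAMPLE"]},
    "LoggingRole": "",
}

if __name__ == "__main__":
    print(validate_update_server(SFTP_ONLY, "SERVICE_MANAGED"))
    for p in validate_update_server(FTP_MISCONFIGURED, "SERVICE_MANAGED"):
        print("-", p)
```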

Response Syntax

{
  "ServerId": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

ServerId (p. 97)

A system-assigned unique identifier for a file transfer protocol-enabled server that the user account is assigned to.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

ConflictException

This exception is thrown when UpdateServer is called for a file transfer protocol-enabled server that has VPC as the endpoint type and the server's VpcEndpointID is not in the available state.

HTTP Status Code: 400

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400ResourceExistsException

The requested resource does not exist.

HTTP Status Code: 400ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.


HTTP Status Code: 500

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400

Examples

Example

The following example updates the role of a file transfer protocol-enabled server.

Sample Request

{
    "EndpointDetails": {
        "VpcEndpointId": "vpce-01234f056f3g13"
    },
    "LoggingRole": "CloudWatchS3Events",
    "ServerId": "s-01234567890abcdef"
}

Example

Sample Response

{
    "ServerId": "s-01234567890abcdef"
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3


UpdateUser

Assigns new properties to a user. Parameters you pass modify any or all of the following: the home directory, role, and policy for the UserName and ServerId you specify.

The response returns the ServerId and the UserName for the updated user.

Request Syntax

{
    "HomeDirectory": "string",
    "HomeDirectoryMappings": [
        {
            "Entry": "string",
            "Target": "string"
        }
    ],
    "HomeDirectoryType": "string",
    "Policy": "string",
    "Role": "string",
    "ServerId": "string",
    "UserName": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters (p. 122).

The request accepts the following data in JSON format.

HomeDirectory (p. 100)

Specifies the landing directory (folder) for a user when they log in to the file transfer protocol-enabled server using their file transfer protocol client.

An example is <your-Amazon-S3-bucket-name>/home/username.

Type: String

Length Constraints: Maximum length of 1024.

Pattern: ^$|/.*

Required: No

HomeDirectoryMappings (p. 100)

Logical directory mappings that specify what Amazon S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the "Entry" and "Target" pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your IAM role provides access to paths in Target. The following is an example.

'[ "/bucket2/documentation", { "Entry": "your-personal-report.pdf", "Target": "/bucket3/customized-reports/${transfer:UserName}.pdf" } ]'

In most cases, you can use this value instead of the scope-down policy to lock your user down to the designated home directory ("chroot"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.


Note

If the target of a logical directory entry does not exist in Amazon S3, the entry will be ignored. As a workaround, you can use the Amazon S3 API to create 0 byte objects as place holders for your directory. If using the CLI, use the s3api call instead of s3 so you can use the put-object operation. For example, you use the following: aws s3api put-object --bucket bucketname --key path/to/folder/. Make sure that the end of the key name ends in a / for it to be considered a folder.

Type: Array of HomeDirectoryMapEntry (p. 115) objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: No

HomeDirectoryType (p. 100)

The type of landing directory (folder) you want your users' home directory to be when they log into the file transfer protocol-enabled server. If you set it to PATH, the user will see the absolute Amazon S3 bucket paths as is in their file transfer protocol clients. If you set it to LOGICAL, you will need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 paths visible to your users.

Type: String

Valid Values: PATH | LOGICAL

Required: No

Policy (p. 100)

Allows you to supply a scope-down policy for your user so you can use the same IAM role across multiple users. The policy scopes down user access to portions of your Amazon S3 bucket. Variables you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.

Note

For scope-down policies, AWS Transfer Family stores the policy as a JSON blob, instead of the Amazon Resource Name (ARN) of the policy. You save the policy as a JSON blob and pass it in the Policy argument. For an example of a scope-down policy, see Creating a scope-down policy. For more information, see AssumeRole in the AWS Security Token Service API Reference.

Type: String

Length Constraints: Maximum length of 2048.

Required: No

Role (p. 100)

The IAM role that controls your users' access to your Amazon S3 bucket. The policies attached to this role will determine the level of access you want to provide your users when transferring files into and out of your Amazon S3 bucket or buckets. The IAM role should also contain a trust relationship that allows the file transfer protocol-enabled server to access your resources when servicing your users' transfer requests.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Pattern: arn:.*role/.*


Required: No

ServerId (p. 100)

A system-assigned unique identifier for a file transfer protocol-enabled server instance that the user account is assigned to.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: Yes

UserName (p. 100)

A unique string that identifies a user and is associated with a file transfer protocol-enabled server as specified by the ServerId. This user name must be a minimum of 3 and a maximum of 100 characters long. The following are valid characters: a-z, A-Z, 0-9, underscore '_', hyphen '-', period '.', and at sign '@'. The user name can't start with a hyphen, period, or at sign.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Required: Yes
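The request parameters above combine into a few security-relevant decisions: a user name that satisfies the documented pattern, a LOGICAL home directory that confines ("chroots") the user to HomeDirectory with the single Entry '/' mapping the text recommends, and a scope-down policy passed as a JSON blob of at most 2048 characters using only the ${Transfer:...} variables listed. The following added example (not AWS SDK or Transfer Family service code) builds such a request and shows how client-visible paths resolve against the mappings; the policy statement shapes and the sample paths are assumptions for illustration. The same mapping semantics are repeated later under the DescribedUser data type.

```python
"""Assemble and sanity-check an UpdateUser request body: UserName pattern, LOGICAL
chroot mapping, client-path resolution, and a scope-down policy JSON blob.
Added illustration; not AWS SDK or Transfer Family service code."""
import json
import posixpath
import re

USER_NAME_RE = re.compile(r"^[\w][\w@.-]{2,99}$")
# Variables the reference says a scope-down policy may use.
POLICY_VARIABLES = {"Transfer:UserName", "Transfer:HomeDirectory", "Transfer:HomeBucket"}


def validate_user_name(name: str) -> bool:
    """3-100 chars of [A-Za-z0-9_@.-]; the first char must be a word char, so '-', '.', '@' are rejected."""
    return bool(USER_NAME_RE.match(name))


def chroot_mappings(home_directory: str) -> list:
    """The single mapping the text recommends: Entry '/' pointing at HomeDirectory."""
    return [{"Entry": "/", "Target": home_directory}]


def resolve_logical_path(mappings: list, user_name: str, client_path: str):
    """Translate the path a client sees into the S3 path it lands on, expanding
    ${transfer:UserName} in the Target. Returns None when the path is not visible
    or when '..' components would escape the mapping's Target."""
    # Longest Entry wins, so a file mapping shadows the '/' chroot mapping.
    for m in sorted(mappings, key=lambda m: len(m["Entry"]), reverse=True):
        entry = m["Entry"].rstrip("/") or "/"
        target = m["Target"].replace("${transfer:UserName}", user_name).rstrip("/")
        if client_path == entry:
            return target or "/"
        prefix = "/" if entry == "/" else entry + "/"
        if client_path.startswith(prefix):
            resolved = posixpath.normpath(target + "/" + client_path[len(prefix):])
            # Defensive check: the normalised path must still sit under Target.
            if resolved == target or resolved.startswith(target + "/"):
                return resolved
            return None
    return None


def scope_down_policy_blob() -> str:
    """Constructed sample scope-down policy using only the documented variables.
    The statement shapes are an assumption for illustration, not AWS's published example."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOwnHomeBucket", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": "arn:aws:s3:::${Transfer:HomeBucket}"},
            {"Sid": "ObjectAccessUnderHomeDirectory", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": "arn:aws:s3:::${Transfer:HomeDirectory}*"},
        ],
    }
    return json.dumps(policy, separators=(",", ":"))


def check_policy_blob(blob: str) -> list:
    """Checks to run before UpdateUser: valid JSON, <= 2048 chars, only supported variables."""
    problems = []
    try:
        json.loads(blob)
    except ValueError:
        problems.append("Policy is not valid JSON")
    if len(blob) > 2048:
        problems.append("Policy exceeds the 2048 character limit")
    for var in re.findall(r"\$\{([^}]+)\}", blob):
        if var not in POLICY_VARIABLES:
            problems.append(f"unsupported policy variable ${{{var}}}")
    return problems


def build_update_user_request(server_id: str, user_name: str, home_directory: str, role_arn: str) -> dict:
    """Compose the request body with a LOGICAL chroot and a scope-down policy."""
    if not validate_user_name(user_name):
        raise ValueError(f"invalid UserName {user_name!r}")
    return {
        "ServerId": server_id,
        "UserName": user_name,
        "HomeDirectory": home_directory,
        "HomeDirectoryType": "LOGICAL",
        "HomeDirectoryMappings": chroot_mappings(home_directory),
        "Role": role_arn,
        "Policy": scope_down_policy_blob(),
    }
```

The resolver's normalisation step is the part worth keeping in your own tooling: a mapping is only a confinement if nothing the client sends can resolve outside the Target, and checking that before you rely on it is cheaper than discovering it in CloudWatch.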

Response Syntax

{
    "ServerId": "string",
    "UserName": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

ServerId (p. 102)

A system-assigned unique identifier for a file transfer protocol-enabled server instance that the user account is assigned to.

Type: String

Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

UserName (p. 102)

The unique identifier for a user that is assigned to a file transfer protocol-enabled server instance that was specified in the request.

Type: String


Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Errors

For information about the errors that are common to all actions, see Common Errors (p. 124).

InternalServiceError

This exception is thrown when an error occurs in the AWS Transfer Family service.

HTTP Status Code: 500

InvalidRequestException

This exception is thrown when the client submits a malformed request.

HTTP Status Code: 400

ResourceNotFoundException

This exception is thrown when a resource is not found by the AWS Transfer Family service.

HTTP Status Code: 400

ServiceUnavailableException

The request has failed because the AWS Transfer Family service is not available.

HTTP Status Code: 500

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400

Examples

Example

The following example updates a user account.

Sample Request

{
    "HomeDirectory": "/bucket2/documentation",
    "HomeDirectoryMappings": [
        {
            "Entry": "your-personal-report.pdf",
            "Target": "/bucket3/customized-reports/${transfer:UserName}.pdf"
        }
    ],
    "HomeDirectoryType": "PATH",
    "Role": "AssumeRole",
    "ServerId": "s-01234567890abcdef",
    "UserName": "sftp_user"
}

Example

Sample Response

{
    "ServerId": "s-01234567890abcdef",
    "UserName": "sftp_user"
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface
• AWS SDK for .NET
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for JavaScript
• AWS SDK for PHP V3
• AWS SDK for Python
• AWS SDK for Ruby V3

Data Types

The following data types are supported:

• DescribedSecurityPolicy (p. 105)
• DescribedServer (p. 107)
• DescribedUser (p. 110)
• EndpointDetails (p. 113)
• HomeDirectoryMapEntry (p. 115)
• IdentityProviderDetails (p. 116)
• ListedServer (p. 117)
• ListedUser (p. 119)
• SshPublicKey (p. 121)
• Tag (p. 122)


DescribedSecurityPolicy

Describes the properties of a security policy that was specified. For more information about security policies, see Working with security policies.

Contents

Fips

Specifies whether this policy enables Federal Information Processing Standards (FIPS).

Type: Boolean

Required: No

SecurityPolicyName

Specifies the name of the security policy that is attached to the server.

Type: String

Length Constraints: Maximum length of 100.

Pattern: TransferSecurityPolicy-.+

Required: Yes

SshCiphers

Specifies the enabled Secure Shell (SSH) cipher encryption algorithms in the security policy that is attached to the server.

Type: Array of strings

Length Constraints: Maximum length of 50.

Required: No

SshKexs

Specifies the enabled SSH key exchange (KEX) encryption algorithms in the security policy that is attached to the server.

Type: Array of strings

Length Constraints: Maximum length of 50.

Required: No

SshMacs

Specifies the enabled SSH message authentication code (MAC) encryption algorithms in the security policy that is attached to the server.

Type: Array of strings

Length Constraints: Maximum length of 50.

Required: No

TlsCiphers

Specifies the enabled Transport Layer Security (TLS) cipher encryption algorithms in the security policy that is attached to the server.


Type: Array of strings

Length Constraints: Maximum length of 50.

Required: No
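A DescribedSecurityPolicy result is the natural input for a compliance check: each of the four algorithm lists can be scanned for choices most teams retire (CBC and 3DES ciphers, SHA-1 or MD5 key exchange and MACs, TLS suites without forward secrecy). The following added example (not AWS SDK or service code) does that over a constructed sample; the field names are this data type's, the algorithm strings are standard SSH and TLS identifiers picked for illustration, and the weak-algorithm heuristics are the author's own rather than anything the service publishes.

```python
"""Audit the algorithm lists in a DescribedSecurityPolicy result for algorithms a
defender would normally retire. Added illustration; the response is constructed."""
import re

# Constructed sample of a DescribedSecurityPolicy object (not real service output).
SAMPLE_POLICY = {
    "SecurityPolicyName": "TransferSecurityPolicy-sample",
    "Fips": False,
    "SshCiphers": ["aes256-gcm@openssh.com", "aes128-ctr", "aes128-cbc", "3des-cbc"],
    "SshKexs": ["curve25519-sha256", "diffie-hellman-group14-sha1"],
    "SshMacs": ["hmac-sha2-256", "hmac-sha1"],
    "TlsCiphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"],
}

POLICY_NAME_RE = re.compile(r"TransferSecurityPolicy-.+")
ALGORITHM_FIELDS = ("SshCiphers", "SshKexs", "SshMacs", "TlsCiphers")

# Heuristic patterns (assumption): CBC/3DES/RC4 ciphers, SHA-1 or group1 KEX,
# MD5/SHA-1 MACs, and TLS suites using static RSA or CBC/3DES/RC4.
WEAK_PATTERNS = {
    "SshCiphers": re.compile(r"(cbc|3des|arcfour|blowfish)", re.I),
    "SshKexs": re.compile(r"(sha1$|group1-)", re.I),
    "SshMacs": re.compile(r"(md5|sha1)", re.I),
    "TlsCiphers": re.compile(r"(^TLS_RSA_|_CBC_|3DES|RC4)", re.I),
}


def audit_security_policy(policy: dict) -> dict:
    """Return {field: [flagged algorithms]} plus a 'Shape' list of schema problems."""
    findings = {field: [] for field in ALGORITHM_FIELDS}
    findings["Shape"] = []
    name = policy.get("SecurityPolicyName", "")
    if not POLICY_NAME_RE.match(name) or len(name) > 100:
        findings["Shape"].append("SecurityPolicyName must match TransferSecurityPolicy-.+ (max 100 chars)")
    for field in ALGORITHM_FIELDS:
        algorithms = policy.get(field, [])
        if len(algorithms) > 50:
            findings["Shape"].append(f"{field} lists more than 50 algorithms")
        for alg in algorithms:
            if WEAK_PATTERNS[field].search(alg):
                findings[field].append(alg)
    return findings


def weak_algorithm_count(policy: dict) -> int:
    """Convenience for alerting: total number of flagged algorithms across all lists."""
    findings = audit_security_policy(policy)
    return sum(len(findings[field]) for field in ALGORITHM_FIELDS)
```

Run it against the DescribeSecurityPolicy output of every server on a schedule and alert when the count rises above zero; a policy change on a server is otherwise easy to miss.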

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for Ruby V3


DescribedServer

Describes the properties of a file transfer protocol-enabled server that was specified.

Contents

Arn

Specifies the unique Amazon Resource Name (ARN) of the file transfer protocol-enabled server.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 1600.

Pattern: arn:.*

Required: Yes

Certificate

Specifies the ARN of the AWS Certificate Manager (ACM) certificate. Required when Protocols is set to FTPS.

Type: String

Length Constraints: Maximum length of 1600.

Required: No

EndpointDetails

Specifies the virtual private cloud (VPC) endpoint settings that you configured for your file transfer protocol-enabled server.

Type: EndpointDetails (p. 113) object

Required: No

EndpointType

Defines the type of endpoint that your file transfer protocol-enabled server is connected to. If your server is connected to a VPC endpoint, your server isn't accessible over the public internet.

Type: String

Valid Values: PUBLIC | VPC | VPC_ENDPOINT

Required: No

HostKeyFingerprint

Specifies the Base64-encoded SHA256 fingerprint of the server's host key. This value is equivalent to the output of the ssh-keygen -l -f my-new-server-key command.

Type: String

Required: No

IdentityProviderDetails

Specifies information to call a customer-supplied authentication API. This field is not populated when the IdentityProviderType of a file transfer protocol-enabled server is SERVICE_MANAGED.

Type: IdentityProviderDetails (p. 116) object


Required: No

IdentityProviderType

Specifies the mode of authentication method enabled for this service. A value of SERVICE_MANAGED means that you are using this file transfer protocol-enabled server to store and access user credentials within the service. A value of API_GATEWAY indicates that you have integrated an API Gateway endpoint that will be invoked for authenticating your user into the service.

Type: String

Valid Values: SERVICE_MANAGED | API_GATEWAY

Required: No

LoggingRole

Specifies the AWS Identity and Access Management (IAM) role that allows a file transfer protocol-enabled server to turn on Amazon CloudWatch logging for Amazon S3 events. When set, user activity can be viewed in your CloudWatch logs.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Pattern: arn:.*role/.*

Required: No

Protocols

Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. The available protocols are:

• SFTP (Secure Shell (SSH) File Transfer Protocol): File transfer over SSH
• FTPS (File Transfer Protocol Secure): File transfer with TLS encryption
• FTP (File Transfer Protocol): Unencrypted file transfer

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 3 items.

Valid Values: SFTP | FTP | FTPS

Required: No

SecurityPolicyName

Specifies the name of the security policy that is attached to the server.

Type: String

Length Constraints: Maximum length of 100.

Pattern: TransferSecurityPolicy-.+

Required: No

ServerId

Specifies the unique system-assigned identifier for a file transfer protocol-enabled server that you instantiate.

Type: String


Length Constraints: Fixed length of 19.

Pattern: ^s-([0-9a-f]{17})$

Required: No

State

Specifies the condition of a file transfer protocol-enabled server for the server that was described. A value of ONLINE indicates that the server can accept jobs and transfer files. A State value of OFFLINE means that the server cannot perform file transfer operations.

The states of STARTING and STOPPING indicate that the server is in an intermediate state, either not fully able to respond, or not fully offline. The values of START_FAILED or STOP_FAILED can indicate an error condition.

Type: String

Valid Values: OFFLINE | ONLINE | STARTING | STOPPING | START_FAILED | STOP_FAILED

Required: No

Tags

Specifies the key-value pairs that you can use to search for and group file transfer protocol-enabled servers that were assigned to the server that was described.

Type: Array of Tag (p. 122) objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: No

UserCount

Specifies the number of users that are assigned to a file transfer protocol-enabled server you specified with the ServerId.

Type: Integer

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for Ruby V3


DescribedUser

Describes the properties of a user that was specified.

Contents

Arn

Specifies the unique Amazon Resource Name (ARN) for the user that was requested to be described.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 1600.

Pattern: arn:.*

Required: Yes

HomeDirectory

Specifies the landing directory (or folder), which is the location that files are written to or read from in an Amazon S3 bucket, for the described user. An example is <your-Amazon-S3-bucket-name>/home/username.

Type: String

Length Constraints: Maximum length of 1024.

Pattern: ^$|/.*

Required: No

HomeDirectoryMappings

Specifies the logical directory mappings that specify what Amazon S3 paths and keys should be visible to your user and how you want to make them visible. You will need to specify the "Entry" and "Target" pair, where Entry shows how the path is made visible and Target is the actual Amazon S3 path. If you only specify a target, it will be displayed as is. You will need to also make sure that your AWS Identity and Access Management (IAM) role provides access to paths in Target.

In most cases, you can use this value instead of the scope-down policy to lock your user down to the designated home directory ("chroot"). To do this, you can set Entry to '/' and set Target to the HomeDirectory parameter value.

Type: Array of HomeDirectoryMapEntry (p. 115) objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: No

HomeDirectoryType

Specifies the type of landing directory (folder) you mapped for your users to see when they log into the file transfer protocol-enabled server. If you set it to PATH, the user will see the absolute Amazon S3 bucket paths as is in their file transfer protocol clients. If you set it to LOGICAL, you will need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 paths visible to your users.

Type: String

Valid Values: PATH | LOGICAL

Required: No


Policy

Specifies the name of the policy in use for the described user.

Type: String

Length Constraints: Maximum length of 2048.

Required: No

Role

Specifies the IAM role that controls your users' access to your Amazon S3 bucket. The policies attached to this role will determine the level of access you want to provide your users when transferring files into and out of your Amazon S3 bucket or buckets. The IAM role should also contain a trust relationship that allows a file transfer protocol-enabled server to access your resources when servicing your users' transfer requests.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Pattern: arn:.*role/.*

Required: No

SshPublicKeys

Specifies the public key portion of the Secure Shell (SSH) keys stored for the described user.

Type: Array of SshPublicKey (p. 121) objects

Array Members: Maximum number of 5 items.

Required: No

Tags

Specifies the key-value pairs for the user requested. Tag can be used to search for and group users for a variety of purposes.

Type: Array of Tag (p. 122) objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: No

UserName

Specifies the name of the user that was requested to be described. User names are used for authentication purposes. This is the string that will be used by your user when they log in to your file transfer protocol-enabled server.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:


EndpointDetails

The virtual private cloud (VPC) endpoint settings that are configured for your file transfer protocol-enabled server. With a VPC endpoint, you can restrict access to your server and resources only within your VPC. To control incoming internet traffic, invoke the UpdateServer API and attach an Elastic IP to your server's endpoint.

Contents

AddressAllocationIds

A list of address allocation IDs that are required to attach an Elastic IP address to your file transfer protocol-enabled server's endpoint. This is only valid in the UpdateServer API.

Note

This property can only be used when EndpointType is set to VPC.

Type: Array of strings

Required: No

SubnetIds

A list of subnet IDs that are required to host your file transfer protocol-enabled server endpoint in your VPC.

Note

This property can only be used when EndpointType is set to VPC.

Type: Array of strings

Required: No

VpcEndpointId

The ID of the VPC endpoint.

Note

This property can only be used when EndpointType is set to VPC_ENDPOINT.

Type: String

Length Constraints: Fixed length of 22.

Pattern: ^vpce-[0-9a-f]{17}$

Required: No

VpcId

The VPC ID of the VPC in which a file transfer protocol-enabled server's endpoint will be hosted.

The VPC ID of the VPC in which a file transfer protocol-enabled server's endpoint will be hosted.

Note

This property can only be used when EndpointType is set to VPC.

Type: String

Required: No
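Each property above carries a Note tying it to one EndpointType, and VpcEndpointId additionally has a fixed length and pattern. The following added example (not AWS SDK or service code) turns those Notes into a single check that can run before an UpdateServer call; the sample IDs in the usage are constructed, and the check also rejects an ID that is not 17 hex characters after vpce-, such as the placeholder in the UpdateServer sample request earlier in this reference.

```python
"""Check that the properties in an EndpointDetails object agree with the server's
EndpointType, following the Notes in the reference. Added illustration, not AWS SDK code."""
import re

VPC_ENDPOINT_ID_RE = re.compile(r"^vpce-[0-9a-f]{17}$")

# Which EndpointType each EndpointDetails property is documented for.
REQUIRES = {
    "AddressAllocationIds": "VPC",
    "SubnetIds": "VPC",
    "VpcId": "VPC",
    "VpcEndpointId": "VPC_ENDPOINT",
}


def check_endpoint_details(endpoint_type: str, details: dict, api: str = "UpdateServer") -> list:
    """Return a list of violations; an empty list means the combination is allowed."""
    problems = []
    if endpoint_type not in ("PUBLIC", "VPC", "VPC_ENDPOINT"):
        problems.append(f"unknown EndpointType {endpoint_type!r}")
    for prop, needed in REQUIRES.items():
        if prop in details and endpoint_type != needed:
            problems.append(f"{prop} can only be used when EndpointType is {needed}")
    if "AddressAllocationIds" in details and api != "UpdateServer":
        problems.append("AddressAllocationIds is only valid in the UpdateServer API")
    vpce = details.get("VpcEndpointId")
    if vpce is not None and (len(vpce) != 22 or not VPC_ENDPOINT_ID_RE.match(vpce)):
        problems.append("VpcEndpointId must be 22 characters matching ^vpce-[0-9a-f]{17}$")
    return problems


if __name__ == "__main__":
    # Constructed sample IDs for illustration.
    print(check_endpoint_details("VPC", {"SubnetIds": ["subnet-0123456789abcdef0"], "VpcId": "vpc-0123456789abcdef0"}))
    print(check_endpoint_details("PUBLIC", {"VpcEndpointId": "vpce-0123456789abcdef0"}))
```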


See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for Ruby V3


HomeDirectoryMapEntry

Represents an object that contains entries and targets for HomeDirectoryMappings.

Contents

Entry

Represents an entry and a target for HomeDirectoryMappings.

Type: String

Length Constraints: Maximum length of 1024.

Pattern: ^/.*

Required: Yes

Target

Represents the map target that is used in a HomeDirectoryMapEntry.

Type: String

Length Constraints: Maximum length of 1024.

Pattern: ^/.*

Required: Yes

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for Ruby V3


IdentityProviderDetails

Returns information related to the type of user authentication that is in use for a file transfer protocol-enabled server's users. A server can have only one method of authentication.

Contents

InvocationRole

Provides the type of InvocationRole used to authenticate the user account.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Pattern: arn:.*role/.*

Required: No

Url

Provides the location of the service endpoint used to authenticate users.

Type: String

Length Constraints: Maximum length of 255.

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for Ruby V3


ListedServer

Returns properties of a file transfer protocol-enabled server that was specified.

Contents

Arn

Specifies the unique Amazon Resource Name (ARN) for a file transfer protocol-enabled server to be listed.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 1600.

Pattern: arn:.*

Required: Yes

EndpointType

Specifies the type of VPC endpoint that your file transfer protocol-enabled server is connected to. If your server is connected to a VPC endpoint, your server isn't accessible over the public internet.

Type: String

Valid Values: PUBLIC | VPC | VPC_ENDPOINT

Required: No

IdentityProviderType

Specifies the authentication method used to validate a user for a file transfer protocol-enabled server that was specified. This can include Secure Shell (SSH), user name and password combinations, or your own custom authentication method. Valid values include SERVICE_MANAGED or API_GATEWAY.

Type: String

Valid Values: SERVICE_MANAGED | API_GATEWAY

Required: No

LoggingRole

Specifies the AWS Identity and Access Management (IAM) role that allows a file transfer protocol-enabled server to turn on Amazon CloudWatch logging.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Pattern: arn:.*role/.*

Required: No

ServerId

Specifies the unique system-assigned identifier for the file transfer protocol-enabled servers that were listed.

Type: String

Length Constraints: Fixed length of 19.


Pattern: ^s-([0-9a-f]{17})$

Required: No

State

Specifies the condition of a file transfer protocol-enabled server for the server that was described. A value of ONLINE indicates that the server can accept jobs and transfer files. A State value of OFFLINE means that the server cannot perform file transfer operations.

The states of STARTING and STOPPING indicate that the server is in an intermediate state, either not fully able to respond, or not fully offline. The values of START_FAILED or STOP_FAILED can indicate an error condition.

Type: String

Valid Values: OFFLINE | ONLINE | STARTING | STOPPING | START_FAILED | STOP_FAILED

Required: No

UserCount

Specifies the number of users that are assigned to a file transfer protocol-enabled server you specified with the ServerId.

Type: Integer

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for Ruby V3


ListedUser

Returns properties of the user that you specify.

Contents

Arn

Provides the unique Amazon Resource Name (ARN) for the user that you want to learn about.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 1600.

Pattern: arn:.*

Required: Yes

HomeDirectory

Specifies the location that files are written to or read from an Amazon S3 bucket for the user you specify by their ARN.

Type: String

Length Constraints: Maximum length of 1024.

Pattern: ^$|/.*

Required: No

HomeDirectoryType

Specifies the type of landing directory (folder) you mapped for your users' home directory. If you set it to PATH, the user will see the absolute Amazon S3 bucket paths as is in their file transfer protocol clients. If you set it to LOGICAL, you will need to provide mappings in the HomeDirectoryMappings for how you want to make Amazon S3 paths visible to your users.

Type: String

Valid Values: PATH | LOGICAL

Required: No

Role

Specifies the role that is in use by this user. A role is an AWS Identity and Access Management (IAM) entity that, in this case, allows a file transfer protocol-enabled server to act on a user's behalf. It allows the server to inherit the trust relationship that enables that user to perform file operations to their Amazon S3 bucket.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Pattern: arn:.*role/.*

Required: No

SshPublicKeyCount

Specifies the number of SSH public keys stored for the user you specified.


Type: Integer

Required: No

UserName

Specifies the name of the user whose ARN was specified. User names are used for authentication purposes.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 100.

Pattern: ^[\w][\w@.-]{2,99}$

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for Ruby V3


SshPublicKey

Provides information about the public Secure Shell (SSH) key that is associated with a user account for the specific file transfer protocol-enabled server (as identified by ServerId). The information returned includes the date the key was imported, the public key contents, and the public key ID. A user can store more than one SSH public key associated with their user name on a specific server.

Contents

DateImported

Specifies the date that the public key was added to the user account.

Type: Timestamp

Required: Yes

SshPublicKeyBody

Specifies the content of the SSH public key as specified by the PublicKeyId.

Type: String

Length Constraints: Maximum length of 2048.

Pattern: ^ssh-rsa\s+[A-Za-z0-9+/]+[=]{0,3}(\s+.+)?\s*$

Required: Yes

SshPublicKeyId

The SshPublicKeyId parameter contains the identifier of the public key.

Type: String

Length Constraints: Fixed length of 21.

Pattern: ^key-[0-9a-f]{17}$

Required: Yes
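Two values in this reference are derived from the same wire format: SshPublicKeyBody, which the pattern above restricts to an ssh-rsa authorized_keys line, and the DescribedServer HostKeyFingerprint, described earlier as the SHA256 fingerprint that ssh-keygen -l prints. The following added example (not AWS SDK or service code) encodes an RSA public key blob, checks a line against the page's pattern, and computes that fingerprint so a client can pin the server's host key against the value returned by DescribeServer. The RSA modulus is a constructed integer, not a real key.

```python
"""Encode an OpenSSH public key line, check it against the SshPublicKeyBody pattern,
and compute the SHA256 fingerprint in the form ssh-keygen -l prints.
Added illustration, not AWS SDK code; the modulus below is constructed."""
import base64
import hashlib
import re
import struct

SSH_PUBLIC_KEY_BODY_RE = re.compile(r"^ssh-rsa\s+[A-Za-z0-9+/]+[=]{0,3}(\s+.+)?\s*$")

# Constructed 2048-bit odd integer standing in for an RSA modulus (not a real key).
SAMPLE_MODULUS = int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest() * 8, "big") | (1 << 2047) | 1
SAMPLE_EXPONENT = 65537


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude with a leading zero byte when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def make_rsa_public_key_line(e: int, n: int, comment: str = "") -> str:
    """Produce an authorized_keys line: 'ssh-rsa <base64 blob> [comment]'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def matches_ssh_public_key_body(line: str) -> bool:
    """True when the line satisfies the reference's SshPublicKeyBody pattern (ssh-rsa only)."""
    return bool(SSH_PUBLIC_KEY_BODY_RE.match(line))


def sha256_fingerprint(line: str) -> str:
    """'SHA256:' + unpadded base64 of SHA-256 over the decoded key blob, as ssh-keygen -l shows it."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(expected_fingerprint: str, presented_key_line: str) -> bool:
    """Client-side pin: compare the DescribeServer fingerprint with the key a connection presents."""
    return sha256_fingerprint(presented_key_line) == expected_fingerprint
```

The fingerprint covers only the decoded key blob, so a different comment on the line does not change it; that is what makes the DescribeServer value a usable pin for known_hosts style checks on the client side.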

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for Ruby V3


TagCreates a key-value pair for a specific resource. Tags are metadata that you can use to search for andgroup a resource for various purposes. You can apply tags to servers, users, and roles. A tag key can takemore than one value. For example, to group servers for accounting purposes, you might create a tag calledGroup and assign the values Research and Accounting to that group.

ContentsKey

The name assigned to the tag that you create.

Type: String

Length Constraints: Maximum length of 128.

Required: YesValue

Contains one or more values that you assigned to the key name you create.

Type: String

Length Constraints: Maximum length of 256.

Required: Yes

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java
• AWS SDK for Ruby V3

Common Parameters

The following list contains the parameters that all actions use for signing Signature Version 4 requests with a query string. Any action-specific parameters are listed in the topic for that action. For more information about Signature Version 4, see Signature Version 4 Signing Process in the Amazon Web Services General Reference.

Action

The action to be performed.

Type: string

Required: Yes

Version

The API version that the request is written for, expressed in the format YYYY-MM-DD.


Type: string

Required: Yes

X-Amz-Algorithm

The hash algorithm that you used to create the request signature.

Condition: Specify this parameter when you include authentication information in a query string instead of in the HTTP authorization header.

Type: string

Valid Values: AWS4-HMAC-SHA256

Required: Conditional

X-Amz-Credential

The credential scope value, which is a string that includes your access key, the date, the region you are targeting, the service you are requesting, and a termination string ("aws4_request"). The value is expressed in the following format: access_key/YYYYMMDD/region/service/aws4_request.

For more information, see Task 2: Create a String to Sign for Signature Version 4 in the Amazon Web Services General Reference.

Condition: Specify this parameter when you include authentication information in a query string instead of in the HTTP authorization header.

Type: string

Required: Conditional

X-Amz-Date

The date that is used to create the signature. The format must be ISO 8601 basic format (YYYYMMDD'T'HHMMSS'Z'). For example, the following date time is a valid X-Amz-Date value: 20120325T120000Z.

Condition: X-Amz-Date is optional for all requests; it can be used to override the date used for signing requests. If the Date header is specified in the ISO 8601 basic format, X-Amz-Date is not required. When X-Amz-Date is used, it always overrides the value of the Date header. For more information, see Handling Dates in Signature Version 4 in the Amazon Web Services General Reference.

Type: string

Required: Conditional

X-Amz-Security-Token

The temporary security token that was obtained through a call to AWS Security Token Service (AWS STS). For a list of services that support temporary security credentials from AWS Security Token Service, go to AWS Services That Work with IAM in the IAM User Guide.

Condition: If you're using temporary security credentials from the AWS Security Token Service, you must include the security token.

Type: string

Required: Conditional

X-Amz-Signature

Specifies the hex-encoded signature that was calculated from the string to sign and the derived signing key.


Condition: Specify this parameter when you include authentication information in a query string instead of in the HTTP authorization header.

Type: string

Required: Conditional

X-Amz-SignedHeaders

Specifies all the HTTP headers that were included as part of the canonical request. For more information about specifying signed headers, see Task 1: Create a Canonical Request For Signature Version 4 in the Amazon Web Services General Reference.

Condition: Specify this parameter when you include authentication information in a query string instead of in the HTTP authorization header.

Type: string

Required: Conditional

Common Errors

This section lists the errors common to the API actions of all AWS services. For errors specific to an API action for this service, see the topic for that API action.

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

IncompleteSignature

The request signature does not conform to AWS standards.

HTTP Status Code: 400

InternalFailure

The request processing has failed because of an unknown error, exception or failure.

HTTP Status Code: 500

InvalidAction

The action or operation requested is invalid. Verify that the action is typed correctly.

HTTP Status Code: 400

InvalidClientTokenId

The X.509 certificate or AWS access key ID provided does not exist in our records.

HTTP Status Code: 403

InvalidParameterCombination

Parameters that must not be used together were used together.

HTTP Status Code: 400

InvalidParameterValue

An invalid or out-of-range value was supplied for the input parameter.


HTTP Status Code: 400

InvalidQueryParameter

The AWS query string is malformed or does not adhere to AWS standards.

HTTP Status Code: 400

MalformedQueryString

The query string contains a syntax error.

HTTP Status Code: 404

MissingAction

The request is missing an action or a required parameter.

HTTP Status Code: 400

MissingAuthenticationToken

The request must contain either a valid (registered) AWS access key ID or X.509 certificate.

HTTP Status Code: 403

MissingParameter

A required parameter for the specified action is not supplied.

HTTP Status Code: 400

OptInRequired

The AWS access key ID needs a subscription for the service.

HTTP Status Code: 403

RequestExpired

The request reached the service more than 15 minutes after the date stamp on the request or more than 15 minutes after the request expiration date (such as for pre-signed URLs), or the date stamp on the request is more than 15 minutes in the future.

HTTP Status Code: 400

ServiceUnavailable

The request has failed due to a temporary failure of the server.

HTTP Status Code: 503

ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400

ValidationError

The input fails to satisfy the constraints specified by an AWS service.

HTTP Status Code: 400
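The following is an added example, not code from this guide or from the AWS SDKs. It assembles the query-string parameters listed under Common Parameters (credential scope, X-Amz-Date in ISO 8601 basic format, signed headers, derived signing key and hex signature) for a hypothetical GET request with an empty body, and applies the 15-minute window that the RequestExpired error describes. The access key, secret, host, action and version values are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"

def x_amz_date(when):  # ISO 8601 basic format, e.g. 20120325T120000Z
    return when.strftime("%Y%m%dT%H%M%SZ")

def parse_x_amz_date(value):  # inverse of x_amz_date; timezone-aware UTC
    return datetime.datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=datetime.timezone.utc)

def signing_key(secret_key, date_stamp, region, service):
    """Derive the SigV4 signing key: HMAC-SHA256 chained over date, region, service, aws4_request."""
    key = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

def sign_query_request(access_key, secret_key, when, region, service, host,
                       action, version, session_token=None):
    """Return the Common Parameters for a GET with an empty body, signing only the host header."""
    date_stamp = when.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    params = {
        "Action": action,
        "Version": version,
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",  # access_key/YYYYMMDD/region/service/aws4_request
        "X-Amz-Date": x_amz_date(when),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # required when the credentials came from AWS STS
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: URI-encoded name=value pairs sorted by name (signature not yet present).
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(params.items()))
    canonical_request = "\n".join(["GET", "/", canonical_qs, f"host:{host}\n", "host",
                                   hashlib.sha256(b"").hexdigest()])
    string_to_sign = "\n".join([ALGORITHM, params["X-Amz-Date"], scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = signing_key(secret_key, date_stamp, region, service)
    params["X-Amz-Signature"] = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return params

def is_request_expired(x_amz_date_value, now):
    """Server-side RequestExpired rule: the date stamp may be at most 15 minutes old or ahead."""
    return abs(now - parse_x_amz_date(x_amz_date_value)) > datetime.timedelta(minutes=15)
```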


Document History for AWS Transfer for SFTP

The following table describes the documentation for this release of AWS Transfer for SFTP.

• API version: transfer-2018-11-05
• Latest documentation update: December 1, 2018

Change: Edits
Description: Edited various pages.
Date: December 5, 2018

Change: First release of AWS Transfer for SFTP.
Description: This initial release includes setup directions and explains how to get started; it also provides information about client configuration, user configuration, and monitoring activity.
Date: November 25, 2018


AWS glossary

For the latest AWS terminology, see the AWS glossary in the AWS General Reference.
