Amazon Transfer Family for AS2 - Amazon Transfer Family
AS2 use casesAS2 CloudFormation templates
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Transfer Family for AS2

Applicability Statement 2 (AS2) is an RFC-defined file-transmission specification that includes strong message protection and verification mechanisms. The AS2 protocol is critical to workflows with compliance requirements that rely on having data protection and security features built into the protocol.

Note

AS2 for Transfer Family is Drummond certified.

Customers in industries such as retail, life sciences, manufacturing, financial services, and utilities that rely on AS2 for supply chain, logistics, and payments workflows can use Amazon Transfer Family AS2 endpoints to securely transact with their business partners. The transacted data is natively accessible in Amazon for processing, analysis, and machine learning. This data is also available for integrations with enterprise resource planning (ERP) and customer relationship management (CRM) systems that run on Amazon. With AS2, customers can run their business-to-business (B2B) transactions at scale in Amazon while maintaining existing business partner integrations and compliance.

If you are a Transfer Family customer who wants to exchange files with a partner who has an AS2-enabled server, the setup involves generating one public-private key pair for encryption and another for signing and exchanging the public keys with the partner.

Transfer Family provides a workshop that you can attend, in which you can configure a Transfer Family endpoint with AS2 enabled, and a Transfer Family AS2 connector. You can view the details for this workshop here.

Protecting an AS2 payload in transit typically involves the use of Cryptographic Message Syntax (CMS) and commonly uses encryption and a digital signature to provide data protection and peer authentication. A signed Message Disposition Notice (MDN) response payload provides verification (non-repudiation) that a message was received and successfully decrypted.

Transport of these CMS payloads and MDN responses occurs over HTTP.

Note

HTTPS AS2 server endpoints are not currently supported. TLS termination is currently the responsibility of the customer.

For a detailed, step-by-step walkthrough of setting up an Applicability Statement 2 (AS2) configuration, see the tutorial, Setting up an AS2 configuration.

The user guide provides instructions for each step in the process of configuring AS2 in Transfer Family.

  1. Import AS2 certificates

  2. Create AS2 profiles

  3. Create an AS2 server

  4. Create an AS2 agreement

  5. Configure AS2 connectors

AS2 use cases

If you are an Amazon Transfer Family customer who wants to exchange files with a partner who has an AS2-enabled server, the most complex part of the setup involves generating one public-private key pair for encryption and another for signing and exchanging the public keys with the partner.

Diagram that shows the use of public-private key pairs for encryption and signing.

Consider the following variations for using Amazon Transfer Family with AS2.

Note

Trading partner is the partner associated with that partner profile.

All mentions of MDN in the following table assume signed MDNs.

AS2 use cases

Inbound-only use cases

  • Transfer encrypted AS2 messages from a trading partner to a Transfer Family server.

    In this case, you do the following:

    1. Create profiles for your trading partner and yourself.

    2. Create a Transfer Family server that uses the AS2 protocol.

    3. Create an agreement and add it to your server.

    4. Import a certificate with a private key and add it to your profile, and then import the public key to your partner profile for encryption.

    5. After you have these items, send the public key for your certificate to your trading partner.

    Now your partner can send you encrypted messages and you can decrypt them and store them in your Amazon S3 bucket.

  • Transfer encrypted AS2 messages from a trading partner to a Transfer Family server and add signing.

    In this scenario, you are still doing only inbound transfers, but now you want to have your partner sign the messages that they send. In this case, import the trading partner's signing public key (as a signing certificate added to your partner's profile).

  • Transfer encrypted AS2 messages from a trading partner to a Transfer Family server and add signing and sending an MDN response.

    In this scenario, you are still doing only inbound transfers, but now, in addition to receiving signed payloads, your trading partner wants to receive a signed MDN response.

    1. Import your public and private signing keys (as a signing certificate to your profile).

    2. Send the public signing key to your trading partner.

Outbound-only use cases

  • Transfer encrypted AS2 messages from a Transfer Family server to a trading partner.

    This case is similar to the inbound-only transfer use case, except that instead of adding an agreement to your AS2 server, you create a connector. In this case, you import your trading partner's public key to their profile.

  • Transfer encrypted AS2 messages from a Transfer Family server to a trading partner and add signing.

    You are still doing only outbound transfers, but now your trading partner wants you to sign the message that you send to them.

    1. Import your signing private key (as a signing certificate added to your profile).

    2. Send your trading partner your public key.

  • Transfer encrypted AS2 messages from a Transfer Family server to a trading partner and add signing and send an MDN response.

    You are still doing only outbound transfers, but now, in addition to sending signed payloads, you want to receive a signed MDN response from your trading partner.

    1. Your trading partner sends you their public signing key.

    2. Import your trading partner's public key (as a signing certificate added to your partner profile).

Inbound and outbound use cases

  • Transfer encrypted AS2 messages in both directions between a Transfer Family server and a trading partner.

    In this case, you do the following:

    1. Create profiles for your trading partner and yourself.

    2. Create a Transfer Family server that uses the AS2 protocol.

    3. Create an agreement and add it to your server.

    4. Create a connector.

    5. Import a certificate with a private key and add it to your profile, and then import the public key to your partner profile for encryption.

    6. Receive a public key from your trading partner and add it to their profile for encryption.

    7. After you have these items, send the public key for your certificate to your trading partner.

    Now you and your trading partner can exchange encrypted messages, and you can both decrypt them. You can store the messages that you receive in your Amazon S3 bucket, and your partner can decrypt and store the messages that you send to them.

  • Transfer encrypted AS2 messages in both directions between a Transfer Family server and a trading partner and add signing.

    Now you and your partner want signed messages.

    1. Import your signing private key (as a signing certificate added to your profile).

    2. Send your trading partner your public key.

    3. Import your trading partner's signing public key and add it to their profile.

  • Transfer encrypted AS2 messages in both directions between a Transfer Family server and a trading partner and add signing and send an MDN response.

    Now, you want to exchange signed payloads, and both you and your trading partner want MDN responses.

    1. Your trading partner sends you their public signing key.

    2. Import your trading partner's public key (as a signing certificate to your partner profile).

    3. Send your public key to your trading partner.

AS2 CloudFormation templates

This topic provides information about Amazon CloudFormation templates that you can use to quickly deploy AS2 servers and configurations for Amazon Transfer Family. These templates automate the setup process and help you implement best practices for AS2 file transfers.

Customizing AS2 templates

You can customize the provided templates to meet your specific requirements:

  1. Download the template from the S3 URL.

  2. Modify the YAML code to adjust configurations such as:

    • Security settings and certificate configurations

    • Network architecture and VPC settings

    • Storage options and file handling

    • Monitoring and notification preferences

  3. Upload your modified template to your own S3 bucket.

  4. Deploy the customized template using the Amazon CloudFormation console or Amazon CLI.

Important

When customizing templates, ensure that you maintain the dependencies between resources and follow security best practices.

Testing your AS2 deployment

After deploying an AS2 server using a template, you can test the configuration:

  1. Check the CloudFormation stack outputs for sample commands and endpoint information.

  2. Use the Amazon CLI to send a test file:

    aws s3api put-object --bucket your-bucket-name --key test.txt --body test.txt
aws transfer start-file-transfer --connector-id your-connector-id --send-file-paths /your-bucket-name/test.txt

  3. Verify file delivery in the destination S3 bucket.

  4. Check CloudWatch logs for successful processing and MDN responses.

For more comprehensive testing, consider using third-party AS2 clients to send files to your Transfer Family AS2 server.

Best practices for AS2 template deployment

Follow these best practices when using AS2 CloudFormation templates:

Security

Use strong certificates and rotate them regularly.

Implement least-privilege IAM policies.

Restrict network access using security groups.

Reliability

Deploy across multiple Availability Zones.

Implement monitoring and alerting for failed transfers.

Set up automated retries for failed transfers.

Performance

Choose appropriate instance types for your transfer volume.

Implement S3 lifecycle policies for efficient file management.

Monitor and optimize network configurations.

Cost Optimization

Use auto-scaling for variable workloads.

Implement S3 storage classes for older files.

Monitor and adjust resources based on actual usage.