AS2 quotas and limitations - Amazon Transfer Family

AS2 quotas and limitations

This section discusses quotas and limitations for AS2.

AS2 quotas

The following quotas are in place for AS2 file transfers. To request an increase for a quota that's adjustable, see Amazon Web Service quotas in the Amazon Web Services General Reference.

AS2 quotas
| Name | Default | Adjustable |
| --- | --- | --- |
| Maximum number of inbound files received per second | 100 | No |
| Maximum number of outbound files sent per second | 100 | No |
| Maximum number of concurrent inbound files | 400 | No |
| Maximum number of concurrent outbound files | 400 | No |
| Maximum size of inbound file (uncompressed) | 1 GB | No |
| Maximum size of outbound file (uncompressed) | 1 GB | No |
| Maximum number of files per outbound request | 10 | No |
| Maximum number of outbound requests per second | 100 | No |
| Maximum number of inbound requests per second | 100 | No |
| Maximum outbound bandwidth per account (outbound SFTP and AS2 requests both contribute to this value) | 50 MB per second | No |
| Maximum number of agreements per server | 100 | Yes |
| Maximum number of connectors per account (SFTP and AS2 connectors both contribute to this limit) | 100 | Yes |
| Maximum number of certificates per partner profile | 10 | No |
| Maximum number of certificates per account | 1000 | Yes |
| Maximum number of partner profiles per account | 1000 | Yes |

Quotas for handling secrets

Amazon Transfer Family makes calls to Amazon Secrets Manager on behalf of AS2 customers that are using Basic authentication. Additionally, Secrets Manager makes calls to Amazon KMS.

Note

These quotas aren't specific to your use of secrets for Transfer Family: they're shared among all the services in your Amazon Web Services account.

For Secrets Manager GetSecretValue, the quota that applies is Combined rate of DescribeSecret and GetSecretValue API requests, as described in Amazon Secrets Manager quotas.

Secrets Manager GetSecretValue
| Name | Value | Description |
| --- | --- | --- |
| Combined rate of DescribeSecret and GetSecretValue API requests | Each supported Region: 10,000 per second | The maximum transactions per second for DescribeSecret and GetSecretValue API requests combined. |

For Amazon KMS, the following quotas apply for Decrypt. For details, see Request quotas for each Amazon KMS API operation.

Amazon KMS Decrypt
Quota name Default value (requests per second)

Cryptographic operations (symmetric) request rate

These shared quotas vary with the Amazon Web Services Region and the type of Amazon KMS key used in the request. Each quota is calculated separately.

  • 5,500 (shared)

  • 10,000 (shared) in the following Regions:

    • US East (Ohio), us-east-2

    • Asia Pacific (Singapore), ap-southeast-1

    • Asia Pacific (Sydney), ap-southeast-2

    • Asia Pacific (Tokyo), ap-northeast-1

    • Europe (Frankfurt), eu-central-1

    • Europe (London), eu-west-2

  • 50,000 (shared) in the following Regions:

    • US East (N. Virginia), us-east-1

    • US West (Oregon), us-west-2

    • Europe (Ireland), eu-west-1

Custom key store request quotas

Note

This quota only applies if you are using an external key store.

Custom key store request quotas are calculated separately for each custom key store.

  • 1,800 (shared) for each Amazon CloudHSM key store

  • 1,800 (shared) for each external key store

Known limitations

  • Server-side TCP keep-alive is not supported. The connection times out after 350 seconds of inactivity unless the client sends keep-alive packets.

  • For an active agreement to be accepted by the service and appear in Amazon CloudWatch logs, messages must contain valid AS2 headers.

  • The server that's receiving messages from Amazon Transfer Family for AS2 must support the Cryptographic Message Syntax (CMS) algorithm protection attribute for validating message signatures, as defined in RFC 6211. This attribute is not supported in some older IBM Sterling products.

  • Duplicate message IDs result in a processed/Warning: duplicate-document message.

  • The key length for AS2 certificates must be at least 2048 bits and at most 4096 bits.

  • When sending AS2 messages or asynchronous MDNs to a trading partner's HTTPS endpoint, the messages or MDNs must use a valid SSL certificate that's signed by a publicly trusted certificate authority (CA). Self-signed certificates are currently supported for outbound transfers only.

  • The endpoint must support the TLS version 1.2 protocol and a cryptographic algorithm that's permitted by the security policy (as described in Security policies for Amazon Transfer Family servers).

  • Multiple attachments and certificate exchange messaging (CEM) from AS2 version 1.2 are not currently supported.

  • Basic authentication is currently supported for outbound messages only.

  • You can attach a file-processing workflow to a Transfer Family server that uses the AS2 protocol; however, AS2 messages don't execute workflows attached to the server.
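
The first limitation above leaves keep-alive to the client. The following is an added example, not part of the AWS documentation, showing one way a client can enable TCP keep-alive so that a probe is sent before the 350-second idle timeout. The function name `enable_keepalive` and the 120/30/3 timing values are assumptions chosen for illustration.

```python
import socket

IDLE_TIMEOUT_S = 350  # idle timeout stated in the limitation above


def enable_keepalive(sock, idle_s=120, interval_s=30, probes=3):
    """Enable client-side TCP keep-alive on sock and return the values read back.

    idle_s, interval_s and probes are illustrative defaults (assumptions); the
    hard requirement is that the first probe fires before the idle timeout.
    """
    if not 0 < idle_s < IDLE_TIMEOUT_S:
        raise ValueError(f"idle_s must be between 1 and {IDLE_TIMEOUT_S - 1} seconds")

    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}

    # The idle timer is TCP_KEEPIDLE on Linux and Windows, TCP_KEEPALIVE on macOS.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is None:
        # Without a per-socket idle timer the OS default applies (often two
        # hours), which is far longer than the 350-second timeout.
        raise OSError("per-socket keep-alive idle time is not configurable here")
    sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle_s)
    applied["idle"] = sock.getsockopt(socket.IPPROTO_TCP, idle_opt)

    # Probe interval and count only affect how fast a dead peer is detected.
    for label, name, value in (("interval", "TCP_KEEPINTVL", interval_s),
                               ("probes", "TCP_KEEPCNT", probes)):
        opt = getattr(socket, name, None)
        if opt is None:
            applied[label] = None  # platform default stays in effect
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[label] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


if __name__ == "__main__":
    # Configure the socket before connect() to the AS2 endpoint.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print(enable_keepalive(s))
```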