Create an FTPS-enabled server - Amazon Transfer Family
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create an FTPS-enabled server

File Transfer Protocol over SSL (FTPS) is an extension to FTP. It uses Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols to encrypt traffic. FTPS allows encryption of both the control and data channel connections either concurrently or independently.

To create an FTPS-enabled server
  1. Open the Amazon Transfer Family console at https://console.amazonaws.cn/transfer/ and select Servers from the navigation pane, then choose Create server.

  2. In Choose protocols, select FTPS.

    For Server certificate, choose a certificate stored in Amazon Certificate Manager (ACM) which will be used to identify your server when clients connect to it over FTPS and then choose Next.

    To request a new public certificate, see Request a public certificate in the Amazon Certificate Manager User Guide.

    To import an existing certificate into ACM, see Importing certificates into ACM in the Amazon Certificate Manager User Guide.

    To request a private certificate to use FTPS through private IP addresses, see Requesting a Private Certificate in the Amazon Certificate Manager User Guide.

    Certificates with the following cryptographic algorithms and key sizes are supported:

    • 2048-bit RSA (RSA_2048)

    • 4096-bit RSA (RSA_4096)

    • Elliptic Prime Curve 256 bit (EC_prime256v1)

    • Elliptic Prime Curve 384 bit (EC_secp384r1)

    • Elliptic Prime Curve 521 bit (EC_secp521r1)

    Note

    The certificate must be a valid SSL/TLS X.509 version 3 certificate with FQDN or IP address specified and information about the issuer.

    
                        The Choose protocols console section with
                                FTPS selected.
  3. In Choose an identity provider, choose the identity provider that you want to use to manage user access. You have the following options:

    • Amazon Directory Service for Microsoft Active Directory – You provide an Amazon Directory Service directory to access the endpoint. By doing so, you can use credentials stored in your Active Directory to authenticate your users. To learn more about working with Amazon Managed Microsoft AD identity providers, see Using the Amazon Directory Service identity provider.

      Note
      
                            The Choose an identity provider console section with
                                Amazon Directory Service selected.
    • Custom identity provider – Choose either of the following options:

      
                            The Choose an identity provider console section with
                                Custom identity provider selected.
  4. Choose Next.

  5. In Choose an endpoint, do the following:

    Note

    FTPS servers for Transfer Family operate over Port 21 (Control Channel) and Port Range 8192–8200 (Data Channel).

    1. For Endpoint type, choose the VPC hosted endpoint type to host your server's endpoint. For information about setting up your VPC hosted endpoint, see Create a server in a virtual private cloud.

      Note

      Publicly accessible endpoints are not supported.

    2. (Optional) For FIPS Enabled, select the FIPS Enabled endpoint check box to ensure that the endpoint complies with Federal Information Processing Standards (FIPS).

      Note

      FIPS-enabled endpoints are only available in North American Amazon Regions. For available Regions, see Amazon Transfer Family endpoints and quotas in the Amazon Web Services General Reference. For more information about FIPS, see Federal Information Processing Standard (FIPS) 140-2 .

    3. Choose Next.

    
                        The Choose an endpoint console section with
                                VPC hosted selected.
  6. On the Choose domain page, choose the Amazon storage service that you want to use to store and access your data over the selected protocol:

    • Choose Amazon S3 to store and access your files as objects over the selected protocol.

    • Choose Amazon EFS to store and access your files in your Amazon EFS file system over the selected protocol.

    Choose Next.

  7. In Configure additional details, do the following:

    1. For logging, specify an existing log group or create a new one (the default option).

      
                Logging pane for Configure additional details in the Create server wizard.
                    Create a new log group is selected.

      If you choose an existing log group, you must select one that is associated with your Amazon Web Services account.

      
                Logging pane for Configure additional details in the Create server wizard.
                    Choose an existing log group is selected.

      If you choose Create log group, the CloudWatch console (https://console.amazonaws.cn/cloudwatch/) opens to the Create log group page. For details, see Create a log group in CloudWatch Logs.

    2. (Optional) For Managed workflows, choose workflow IDs (and a corresponding role) that Transfer Family should assume when executing the workflow. You can choose one workflow to execute upon a complete upload, and another to execute upon a partial upload. To learn more about processing your files by using managed workflows, see Amazon Transfer Family managed workflows.

      
                                The Managed workflows console section.
    3. For Cryptographic algorithm options, choose a security policy that contains the cryptographic algorithms enabled for use by your server.

      Note

      By default:

      • If FIPS Enabled endpoint is not selected, the TransferSecurityPolicy-2020-06 security policy is attached to your server.

      • If FIPS Enabled endpoint is selected, the TransferSecurityPolicy-FIPS-2020-06 security policy is attached to your server.

      For more information about security policies, see Security policies for Amazon Transfer Family.

      
                                The Cryptographic algorithm options
                                    console section with a security policy selected.
    4. For Server Host Key, keep it blank.

      Note

      The Server Host Key section is used only for migrating users from an existing SFTP-enabled server.

      
                                The Server host key console
                                    section.
    5. (Optional) For Tags, for Key and Value, enter one or more tags as key-value pairs, and then choose Add tag.

    6. You can optimize performance for your Amazon S3 directories. For example, suppose that you go into your home directory, and you have 10,000 subdirectories. In other words, your S3 bucket has 10,000 folders. In this scenario, if you run the ls (list) command, the list operation takes between six and eight minutes. However, if you optimize your directories, this operation takes only a few seconds.

      
                                The Optimized directories console section.
    7. Choose Next.

      
                                The Tags console section.
    8. (Optional) You can configure Amazon Transfer Family servers to display customized messages such as organizational policies or terms and conditions to your end users. You can also display customized Message of The Day (MOTD) to users who have successfully authenticated.

      For Display banner, in the Pre-authentication display banner text box, enter the text message that you want to display to your users before they authenticate, and in the Post-authentication display banner text box, enter the text that you want to display to your users after they successfully authenticate.

      
                                The Display banner console section.
    9. (Optional) You can configure the following additional options.

      • SetStat option: enable this option to ignore the error that is generated when a client attempts to use SETSTAT on a file you are uploading to an Amazon S3 bucket. For additional details, see the SetStatOption documentation in the ProtocolDetails topic.

      • TLS session resumption: provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. For additional details, see the TlsSessionResumptionMode documentation in the ProtocolDetails topic.

      • Passive IP: indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. For additional details, see the PassiveIp documentation in the ProtocolDetails topic.

  8. In Review and create, review your choices.

    • If you want to edit any of them, choose Edit next to the step.

      Note

      You must review each step after the step that you chose to edit.

    • If you have no changes, choose Create server to create your server. You are taken to the Servers page, shown following, where your new server is listed.

It can take a couple of minutes before the status for your new server changes to Online. At that point, your server can perform file operations for your users.


                The Servers console page with the new server ID and a
                    status of Starting.

Next steps: For the next step, continue on to Working with custom identity providers to set up users.