IAM condition keys for organizational governance - Amazon Transfer Family

IAM condition keys for organizational governance

Amazon Transfer Family provides IAM condition keys that allow you to restrict resource configurations in any IAM policy. These condition keys can be used in identity-based policies attached to users or roles, or Service Control Policies (SCPs) for organizational governance.

Service Control Policies are IAM policies that apply to an entire Amazon organization, providing preventative guardrails across multiple accounts. When used in SCPs, these condition keys help enforce security and compliance requirements organization-wide.

Available condition keys

Amazon Transfer Family supports the following condition keys for use in IAM policies:

transfer:RequestServerEndpointType

Restricts server creation and updates based on endpoint type (PUBLIC, VPC, VPC_ENDPOINT). Commonly used to prevent public-facing endpoints.

transfer:RequestServerProtocols

Restricts server creation and updates based on supported protocols (SFTP, FTPS, FTP, AS2).

transfer:RequestServerDomain

Restricts server creation based on domain type (S3, EFS).

transfer:RequestConnectorProtocol

Restricts connector creation based on protocol (AS2, SFTP).

Supported actions

The condition keys can be applied to the following Amazon Transfer Family actions:

  • CreateServer: Supports RequestServerEndpointType, RequestServerProtocols, and RequestServerDomain condition keys

  • UpdateServer: Supports RequestServerEndpointType and RequestServerProtocols condition keys

  • CreateConnector: Supports RequestConnectorProtocol condition key
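A guardrail that conditions on a key the action never supplies silently never matches (IAM evaluates StringEquals as false when the key is absent from the request context). The following Python lint, which is an added example and not part of the AWS documentation or any AWS tool, checks each statement of a policy against the action/key table above and the documented key values; the sample policy it runs on is constructed for illustration.

```python
"""Lint Transfer Family condition keys in an IAM/SCP policy document.

Added example, not AWS code. The action-to-key and key-to-value tables are
transcribed from this page; the lint logic and SAMPLE_POLICY are constructed.
"""

# Condition keys each Transfer Family action supports (from this page).
SUPPORTED_KEYS = {
    "transfer:CreateServer": {
        "transfer:RequestServerEndpointType",
        "transfer:RequestServerProtocols",
        "transfer:RequestServerDomain",
    },
    "transfer:UpdateServer": {
        "transfer:RequestServerEndpointType",
        "transfer:RequestServerProtocols",
    },
    "transfer:CreateConnector": {"transfer:RequestConnectorProtocol"},
}

# Documented values for each key (from this page).
ALLOWED_VALUES = {
    "transfer:RequestServerEndpointType": {"PUBLIC", "VPC", "VPC_ENDPOINT"},
    "transfer:RequestServerProtocols": {"SFTP", "FTPS", "FTP", "AS2"},
    "transfer:RequestServerDomain": {"S3", "EFS"},
    "transfer:RequestConnectorProtocol": {"AS2", "SFTP"},
}


def lint_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious.

    Two classes of problem are reported:
      * a key used with an action that does not supply it (the Deny never fires)
      * a value that is not one of the documented values (often a casing typo)
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # Wildcard or non-Transfer actions cannot be checked against the table.
        transfer_actions = [a for a in actions if a in SUPPORTED_KEYS]
        for _operator, conditions in stmt.get("Condition", {}).items():
            for key, values in conditions.items():
                if key not in ALLOWED_VALUES:
                    continue  # not a Transfer Family key covered on this page
                if isinstance(values, str):
                    values = [values]
                for action in transfer_actions:
                    if key not in SUPPORTED_KEYS[action]:
                        findings.append(
                            f"{sid}: {key} is not supported by {action}; "
                            "the condition never matches for that action"
                        )
                for value in values:
                    if value not in ALLOWED_VALUES[key]:
                        findings.append(
                            f"{sid}: {value!r} is not a documented value for {key}"
                        )
    return findings


# Constructed sample: one correct statement, one key/action mismatch, one typo.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyPublic", "Effect": "Deny",
         "Action": ["transfer:CreateServer", "transfer:UpdateServer"],
         "Resource": "*",
         "Condition": {"StringEquals": {"transfer:RequestServerEndpointType": "PUBLIC"}}},
        {"Sid": "DenyEfsOnUpdate", "Effect": "Deny",
         "Action": "transfer:UpdateServer",
         "Resource": "*",
         "Condition": {"StringEquals": {"transfer:RequestServerDomain": "EFS"}}},
        {"Sid": "CasingTypo", "Effect": "Deny",
         "Action": "transfer:CreateServer",
         "Resource": "*",
         "Condition": {"StringEquals": {"transfer:RequestServerEndpointType": "Public"}}},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Running the lint on the sample reports two findings: the domain key on UpdateServer and the mis-cased "Public" value. Both are Deny statements that look correct but would never block anything.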

Example SCP policy

The following example SCP prevents the creation of public Amazon Transfer Family servers across your organization:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicTransferServers",
            "Effect": "Deny",
            "Action": [
                "transfer:CreateServer",
                "transfer:UpdateServer"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "transfer:RequestServerEndpointType": "PUBLIC"
                }
            }
        }
    ]
}
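To see how such an SCP behaves before rolling it out organization-wide, it helps to walk a few request contexts through the Deny logic. The Python simulator below is an added example, not AWS code and not the IAM policy engine: it implements only the operators needed here (StringEquals, ForAnyValue:StringEquals and ForAllValues:StringEquals), ignores Resource matching, and treats a missing single-valued key as "no match", as IAM does. It takes the SCP from this page and adds a second statement that also blocks plain FTP; that added statement assumes transfer:RequestServerProtocols is a multi-valued key (a server can list several protocols), which is why it uses ForAnyValue:StringEquals rather than StringEquals. The request contexts are constructed for illustration.

```python
"""Simulate Deny evaluation of a Transfer Family SCP against request contexts.

Added example, not AWS code. SCP below = the statement from this page plus a
constructed DenyPlainFtp statement. Assumption: transfer:RequestServerProtocols
is multi-valued, so the added statement uses ForAnyValue:StringEquals.
"""

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPublicTransferServers",
            "Effect": "Deny",
            "Action": ["transfer:CreateServer", "transfer:UpdateServer"],
            "Resource": "*",
            "Condition": {"StringEquals": {"transfer:RequestServerEndpointType": "PUBLIC"}},
        },
        {
            # Constructed addition: deny any server whose protocol list includes FTP.
            "Sid": "DenyPlainFtp",
            "Effect": "Deny",
            "Action": ["transfer:CreateServer", "transfer:UpdateServer"],
            "Resource": "*",
            "Condition": {"ForAnyValue:StringEquals": {"transfer:RequestServerProtocols": "FTP"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator: str, conditions: dict, context: dict) -> bool:
    """Evaluate one operator block; all keys inside it must match."""
    for key, policy_values in conditions.items():
        policy_values = set(_as_list(policy_values))
        ctx_value = context.get(key)
        if operator == "StringEquals":
            # Single-valued key: absent key or a list means no match.
            if not isinstance(ctx_value, str) or ctx_value not in policy_values:
                return False
        elif operator == "ForAnyValue:StringEquals":
            # Multi-valued key: at least one request value must be in the policy set.
            if ctx_value is None or not any(v in policy_values for v in _as_list(ctx_value)):
                return False
        elif operator == "ForAllValues:StringEquals":
            # Multi-valued key: every request value must be in the policy set;
            # IAM treats an absent key as true for ForAllValues.
            if ctx_value is not None and not all(v in policy_values for v in _as_list(ctx_value)):
                return False
        else:
            raise ValueError(f"operator not implemented in this simulator: {operator}")
    return True


def matching_deny(scp: dict, action: str, context: dict):
    """Return the Sid of the first Deny statement that matches, or None."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt["Action"])
        if action not in actions and "*" not in actions:
            continue
        if all(_condition_holds(op, conds, context)
               for op, conds in stmt.get("Condition", {}).items()):
            return stmt.get("Sid")
    return None


# Constructed request contexts, keyed by a short label.
REQUESTS = {
    "public sftp": ("transfer:CreateServer",
                    {"transfer:RequestServerEndpointType": "PUBLIC",
                     "transfer:RequestServerProtocols": ["SFTP"]}),
    "vpc sftp": ("transfer:CreateServer",
                 {"transfer:RequestServerEndpointType": "VPC",
                  "transfer:RequestServerProtocols": ["SFTP"]}),
    "vpc sftp+ftp": ("transfer:CreateServer",
                     {"transfer:RequestServerEndpointType": "VPC",
                      "transfer:RequestServerProtocols": ["SFTP", "FTP"]}),
    "update protocols only": ("transfer:UpdateServer",
                              {"transfer:RequestServerProtocols": ["FTPS"]}),
}

if __name__ == "__main__":
    for label, (action, ctx) in REQUESTS.items():
        print(f"{label:24s} -> {matching_deny(SCP, action, ctx) or 'not denied by SCP'}")
```

The last request is the instructive one: an UpdateServer call that changes only protocols carries no endpoint-type key in its context, so the PUBLIC Deny does not fire. It is not denied because the server is private; it is not denied because the key is absent, which is exactly the behaviour you want to confirm before trusting an SCP as a guardrail.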