AWS transfer documentation change
Summary
Restructured troubleshooting documentation to use hyperlinked sections instead of inline content, consolidating detailed troubleshooting guides into separate pages
Security assessment
The changes are organizational/structural improvements to documentation navigation rather than addressing specific security vulnerabilities or adding new security features. While some linked sections may contain security content, the change itself doesn't introduce or modify security-related information.
Diff
diff --git a/transfer/latest/userguide/troubleshooting.md b/transfer/latest/userguide/troubleshooting.md index 3266b5311..27466088c 100644 --- a//transfer/latest/userguide/troubleshooting.md +++ b//transfer/latest/userguide/troubleshooting.md @@ -5,2 +4,0 @@ -Troubleshoot service-managed usersTroubleshoot Amazon API Gateway issuesTroubleshoot policies for encrypted Amazon S3 bucketsTroubleshoot SFTP connectivity issuesTroubleshoot SFTP client issuesTroubleshoot authentication issuesTroubleshoot managed workflows issuesTroubleshoot workflow decryption issuesTroubleshoot Amazon EFS issuesTroubleshoot testing your identity providerTroubleshoot adding trusted host keys for your SFTP connectorTroubleshoot file upload issuesTroubleshoot ResourceNotFound exceptionTroubleshoot SFTP connector issuesTroubleshoot AS2 issues - @@ -9 +7 @@ Troubleshoot service-managed usersTroubleshoot Amazon API Gateway issuesTroubles -Use the following information to help you diagnose and fix common issues that you might encounter when working with AWS Transfer Family. +This chapter provides troubleshooting information for common issues you might encounter when using AWS Transfer Family. Each section focuses on a specific area of functionality to help you quickly find solutions to your problems. @@ -20,711 +18 @@ Use the following information to help you diagnose and fix common issues that yo - * Troubleshoot service-managed users - - * Troubleshoot Amazon API Gateway issues - - * Troubleshoot policies for encrypted Amazon S3 buckets - - * Troubleshoot SFTP connectivity issues - - * Troubleshoot SFTP client issues - - * Troubleshoot authentication issues - - * Troubleshoot managed workflows issues - - * Troubleshoot workflow decryption issues - - * Troubleshoot Amazon EFS issues - - * Troubleshoot testing your identity provider - - * Troubleshoot adding trusted host keys for your SFTP connector - - * Troubleshoot file upload issues - - * Troubleshoot ResourceNotFound exception - - * Troubleshoot SFTP connector issues - - * Troubleshoot AS2 issues - - - - -## Troubleshoot service-managed users - -This section describes possible solutions for the following issues. - -###### Topics - - * Troubleshoot Amazon EFS service-managed users - - * Troubleshoot public key body too long - - * Troubleshoot failed to add SSH public key - - - - -### Troubleshoot Amazon EFS service-managed users - -Description - -You run the `sftp` command and the prompt doesn't appear, and instead you see the following message: - - - Couldn't canonicalize: Permission denied - Need cwd - -Cause - -Your AWS Identity and Access Management (IAM) user's role does not have permission to access Amazon Elastic File System (Amazon EFS). - -Solution - -Increase the policy permissions for your user's role. You can add an AWS managed policy, such as `AmazonElasticFileSystemClientFullAccess`. - -### Troubleshoot public key body too long - -Description - -When you try to create a service-managed user, you receive the following error: - - - Failed to create user (1 validation error detected: - 'sshPublicKeyBody' failed to satisfy constraint: Member must have length less than or equal to 2048) - -Cause - -You might be entering a PGP key for the public key body, and AWS Transfer Family does not support PGP keys for service-managed users. - -Solution - -If the PGP key is RSA-based, you can convert it to PEM format. For example, Ubuntu provides a conversion tool here: [https://manpages.ubuntu.com/manpages/xenial/man1/openpgp2ssh.1.html](https://manpages.ubuntu.com/manpages/xenial/man1/openpgp2ssh.1.html) - -### Troubleshoot failed to add SSH public key - -Description - -When you try to add a public key for a service-managed user, you receive the following error: - - - Failed to add SSH public key (Unsupported or invalid SSH public key format) - -Cause - -You might be attempting to import an SSH2-formatted public key, and AWS Transfer Family does not support SSH2-formatted public keys for service-managed users. - -Solution - -You need to convert the key into OpenSSH format. This process is described in [Converting an SSH2 key to SSH public key format](./convert-ssh2-public-key.html). - -## Troubleshoot Amazon API Gateway issues - -This section describes possible solutions for the following API Gateway issues. - -###### Topics - - * Too many authentication failures - - * Connection closed - - - - -### Too many authentication failures - -Description - -When you try to connect to your server using Secure Shell (SSH) File Transfer Protocol (SFTP), you get the following error: - - - Received disconnect from 3.15.127.197 port 22:2: Too many authentication failures - Authentication failed. - Couldn't read packet: Connection reset by peer - -Cause - -You might have entered an incorrect password for your user. Try again to enter the correct password. - -If the password is correct, the issue might be caused by a role Amazon Resource Name (ARN) that is not valid. To confirm that this is the issue, test the identity provider for your server. If you see a response similar to the following, the role ARN is a placeholder only, as indicated by the role ID value of all zeros: - - - { - "Response": "{\"Role\": \"arn:aws:iam::000000000000:role/MyUserS3AccessRole\",\"HomeDirectory\": \"/\"}", - "StatusCode": 200, - "Message": "", - "Url": "https://api-gateway-ID.execute-api.us-east-1.amazonaws.com/prod/servers/transfer-server-ID/users/myuser/config" - } - -Solution - -Replace the placeholder role ARN with an actual role that has permission to access the server. - -###### To update the role - - 1. Open the AWS CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/). - - 2. In the left navigation pane, choose **Stacks**. - - 3. In the **Stacks** list, choose your stack, and then choose the **Parameters** tab. - - 4. Choose **Update**. On the **Update stack** page, choose **Use current template** , and then choose **Next**. - - 5. Replace **UserRoleArn** with a role ARN that has sufficient permissions for accessing your Transfer Family server. - -###### Note - -To grant the necessary permissions, you can add the `AmazonAPIGatewayAdministrator` and the `AmazonS3FullAccess` managed policies to your role. - - 6. Choose **Next** , and then choose **Next** again. On the **Review`stack`** page, select **I acknowledge that AWS CloudFormation might create IAM resources** , and then choose **Update stack**. - - - - -### Connection closed - -Description - -When you try to connect to your server using Secure Shell (SSH) File Transfer Protocol (SFTP), you get the following error: - - - Connection closed - -Cause - -One possible cause for this issue is that your Amazon CloudWatch logging role does not have a trust relationship with Transfer Family. - -Solution - -Make sure that the logging role for the server has a trust relationship with Transfer Family. For more information, see [To establish a trust relationship](./requirements-roles.html#establish-trust-transfer). - -## Troubleshoot policies for encrypted Amazon S3 buckets - -Description - -You have an encrypted Amazon S3 bucket that you are using as storage for your Transfer Family server. If you try to upload a file to the server, you receive the error `Couldn't close file: Permission denied`. - -And if you view the server logs, you see the following errors: -