AWS transfer documentation change
Summary
Added comprehensive documentation sections covering API request requirements, error handling, identity providers, naming conventions, and DNS endpoints. Updated server endpoint format.
Security assessment
The changes add substantial documentation about authentication methods (AWS Signature Version 4), identity provider integrations (SERVICE_MANAGED, AWS_DIRECTORY_SERVICE, AWS_LAMBDA, API_GATEWAY), and security-related error handling (AccessDeniedException, ResourceNotFoundException). While this enhances security documentation, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/transfer/latest/userguide/api-welcome.md b/transfer/latest/userguide/api-welcome.md index 8bc102662..94e64ca01 100644 --- a//transfer/latest/userguide/api-welcome.md +++ b//transfer/latest/userguide/api-welcome.md @@ -6,0 +7,2 @@ +Making API requestsIdentity ProvidersConventionsDNS and Endpoints + @@ -52 +54 @@ DNS entries (endpoints) in use are as follows: - * Server endpoints take the form `server.transfer._`region`_.amazonaws.com`. + * Server endpoints take the form `_`server-id`_.server.transfer._`region`_.amazonaws.com`. @@ -73,0 +76,313 @@ Rather than actually running a command, you can use the `--generate-cli-skeleton +## Making API requests + +In addition to using the console, you can use the AWS Transfer Family API to programmatically configure and manage your servers. This section describes the AWS Transfer Family operations, request signing for authentication and the error handling. For information about the regions and endpoints available for Transfer Family, see [AWS Transfer Family endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/transfer-service.html) in the _AWS General Reference_ + +###### Note + +You can also use the AWS SDKs when developing applications with Transfer Family;. The AWS SDKs for Java, .NET, and PHP wrap the underlying Transfer Family API, simplifying your programming tasks. For information about downloading the SDK libraries, see [Sample code libraries](https://aws.amazon.com/code). + +### Transfer Family required request headers + +This section describes the required headers that you must send with every POST request to AWS Transfer Family. You include HTTP headers to identify key information about the request including the operation you want to invoke, the date of the request, and information that indicates the authorization of you as the sender of the request. Headers are case insensitive and the order of the headers is not important. + +The following example shows headers that are used in the [ListServers](https://docs.aws.amazon.com/transfer/latest/userguide/API_ListServers.html) operation. + + + POST / HTTP/1.1 + Host: transfer.us-east-1.amazonaws.com + x-amz-target: TransferService.ListServers + x-amz-date: 20220507T012034Z + Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20220507/us-east-1/transfer/aws4_request, + SignedHeaders=content-type;host;x-amz-date;x-amz-target, + Signature=13550350a8681c84c861aac2e5b440161c2b33a3e4f302ac680ca5b686de48de + Content-Type: application/x-amz-json-1.1 + Content-Length: 17 + + {"MaxResults":10} + +The following are the headers that must include with your POST requests to Transfer Family. Headers shown below that begin with "x-amz" are specific for AWS. All other headers listed are common header used in HTTP transactions. + +### Transfer Family request inputs and signing + +All request inputs must be sent as part of JSON payload in request body. For Actions in which all request fields are optional, for example `ListServers`, you still need to provide an empty JSON object in the request body, such as `{}`. The structure of Transfer Family payload request/response is documented in existing the API reference, for example [DescribeServer](https://docs.aws.amazon.com/transfer/latest/userguide/API_DescribeServer.html). + +Transfer Family supports authentication using AWS Signature Version 4. For details, see [Signing AWS API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html). + +### Error responses + +When there is an error, the response header information contains: + + * Content-Type: `application/x-amz-json-1.1` + + * An appropriate `4xx` or `5xx` HTTP status code + + + + +The body of an error response contains information about the error that occurred. The following sample error response shows the output syntax of response elements common to all error responses. + + + { + "__type": "_**String**_ ", + "Message": "_**String**_ ", _<!-- Message is lowercase in some instances -->_ + "Resource": "_**String**_ ", + "ResourceType": "_**String**_ ", + "RetryAfterSeconds": "_**String**_ " + } + +The following table explains the JSON error response fields shown in the preceding syntax. + +**__type** + + +One of the exceptions from a Transfer Family API call. + +_Type_ : String + +**Message** or **message** + + +One of the operation error code messages. + +###### Note + +Some exceptions use `message`, and others use `Message`. You can check the code for your interface to determine the proper case. Alternatively, you can test each option to see which works. + +_Type_ : String + +**Resource** + + +The resource for which the error is invoked. For example, if you try to create a user that already exists, the `Resource` is the username for the existing user. + +_Type_ : String + +**ResourceType** + + +The resource type for which the error is invoked. For example, if you try to create a user that already exists, the `ResourceType` is `User`. + +_Type_ : String + +**RetryAfterSeconds** + + +The number of seconds to wait before retrying the command. + +_Type_ : String + +#### Error response examples + +The following JSON body is returned if you call the `DescribeServer` API and specify a server that does not exist. + + + { + "__type": "ResourceNotFoundException", + "Message": "Unknown server", + "Resource": "s-11112222333344444", + "ResourceType": "Server" + } + +The following JSON body is returned if executing an API causes throttling to occur. + + + { + "__type":"ThrottlingException", + "RetryAfterSeconds":"1" + } + +The following JSON body is returned if you use the `CreateServer` API and you do not have sufficient permissions to create a Transfer Family server. + + + { + "__type": "AccessDeniedException", + "Message": "You do not have sufficient access to perform this action." + } + +The following JSON body is returned if you use the `CreateUser` API and specify a user that already exists. + + + { + "__type": "ResourceExistsException", + "Message": "User already exists", + "Resource": "Alejandro-Rosalez", + "ResourceType": "User" + } + +### Available libraries + +AWS provides libraries, sample code, tutorials, and other resources for software developers who prefer to build applications using language-specific APIs instead of the command-line tools and Query API. These libraries provide basic functions (not included in the APIs), such as request authentication, request retries, and error handling so that it is easier to get started. See [Tools to build on AWS](https://aws.amazon.com/tools/?id=docs_gateway) + +For libraries and sample code in all languages, see [Sample code & libraries](http://aws.amazon.com/code). + +## Identity Providers + +AWS Transfer Family supports multiple identity provider types to authenticate and manage users. Each server can use only one authentication method, which must be selected when the server is created. + +Service Managed + + +With the `SERVICE_MANAGED` authentication method, user credentials are stored and managed within AWS Transfer Family. Users are authenticated using SSH public keys that are associated with their username on the server. + +Each user can have one or more SSH public keys stored in the service. When a client requests a file operation, it provides the username and SSH private key, which is authenticated against the stored public key. + +Directory Service + + +The `AWS_DIRECTORY_SERVICE` authentication method allows you to integrate with AWS Directory Service for Microsoft Active Directory (AWS Directory Service for Microsoft Active Directory). + +This option enables you to manage user authentication and access through your existing Active Directory groups. Users can authenticate using their Active Directory credentials. + +There is a default limit of 100 Active Directory groups per server, which can be increased to a maximum of 150 groups through a service limit increase. + +Lambda + + +The `AWS_LAMBDA` authentication method allows you to connect to a custom identity provider using AWS Lambda. + +This option provides flexibility to integrate with your existing identity management systems. The Lambda function is responsible for authenticating users and returning the appropriate access policies. + +Custom (API Gateway) + + +The `API_GATEWAY` authentication method (displayed as **Custom** in the console) allows you to use a custom authentication method that provides both user authentication and access control. + +This method relies on the Amazon API Gateway to use your API call from your identity provider to validate user requests. You might use this custom method to authenticate users against a directory service, a database name/password pair, or some other mechanism. + +For all authentication methods, users are assigned policies that define their access to Amazon S3 buckets or Amazon Elastic File System file systems. The server inherits the trust relationship from the user through an IAM role with an `AssumeRole` action, allowing it to perform file operations on behalf of the user. + +## Naming Conventions + +AWS Transfer Family uses standardized formats for resource identifiers and Amazon Resource Names (ARNs). Understanding these conventions is important when working with the AWS Transfer Family API. + +### ID Formats + +The following conventions are observed in AWS Transfer Family ID formats: + +Server IDs + +