aws-sdk-transfer 1.20.0 → 1.25.0

data/lib/aws-sdk-transfer/client_api.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -25,14 +27,18 @@ module Aws::Transfer
     DeleteServerRequest = Shapes::StructureShape.new(name: 'DeleteServerRequest')
     DeleteSshPublicKeyRequest = Shapes::StructureShape.new(name: 'DeleteSshPublicKeyRequest')
     DeleteUserRequest = Shapes::StructureShape.new(name: 'DeleteUserRequest')
+    DescribeSecurityPolicyRequest = Shapes::StructureShape.new(name: 'DescribeSecurityPolicyRequest')
+    DescribeSecurityPolicyResponse = Shapes::StructureShape.new(name: 'DescribeSecurityPolicyResponse')
     DescribeServerRequest = Shapes::StructureShape.new(name: 'DescribeServerRequest')
     DescribeServerResponse = Shapes::StructureShape.new(name: 'DescribeServerResponse')
     DescribeUserRequest = Shapes::StructureShape.new(name: 'DescribeUserRequest')
     DescribeUserResponse = Shapes::StructureShape.new(name: 'DescribeUserResponse')
+    DescribedSecurityPolicy = Shapes::StructureShape.new(name: 'DescribedSecurityPolicy')
     DescribedServer = Shapes::StructureShape.new(name: 'DescribedServer')
     DescribedUser = Shapes::StructureShape.new(name: 'DescribedUser')
     EndpointDetails = Shapes::StructureShape.new(name: 'EndpointDetails')
     EndpointType = Shapes::StringShape.new(name: 'EndpointType')
+    Fips = Shapes::BooleanShape.new(name: 'Fips')
     HomeDirectory = Shapes::StringShape.new(name: 'HomeDirectory')
     HomeDirectoryMapEntry = Shapes::StructureShape.new(name: 'HomeDirectoryMapEntry')
     HomeDirectoryMappings = Shapes::ListShape.new(name: 'HomeDirectoryMappings')
@@ -46,6 +52,8 @@ module Aws::Transfer
     InternalServiceError = Shapes::StructureShape.new(name: 'InternalServiceError')
     InvalidNextTokenException = Shapes::StructureShape.new(name: 'InvalidNextTokenException')
     InvalidRequestException = Shapes::StructureShape.new(name: 'InvalidRequestException')
+    ListSecurityPoliciesRequest = Shapes::StructureShape.new(name: 'ListSecurityPoliciesRequest')
+    ListSecurityPoliciesResponse = Shapes::StructureShape.new(name: 'ListSecurityPoliciesResponse')
     ListServersRequest = Shapes::StructureShape.new(name: 'ListServersRequest')
     ListServersResponse = Shapes::StructureShape.new(name: 'ListServersResponse')
     ListTagsForResourceRequest = Shapes::StructureShape.new(name: 'ListTagsForResourceRequest')
@@ -72,9 +80,14 @@ module Aws::Transfer
     Response = Shapes::StringShape.new(name: 'Response')
     RetryAfterSeconds = Shapes::StringShape.new(name: 'RetryAfterSeconds')
     Role = Shapes::StringShape.new(name: 'Role')
+    SecurityPolicyName = Shapes::StringShape.new(name: 'SecurityPolicyName')
+    SecurityPolicyNames = Shapes::ListShape.new(name: 'SecurityPolicyNames')
+    SecurityPolicyOption = Shapes::StringShape.new(name: 'SecurityPolicyOption')
+    SecurityPolicyOptions = Shapes::ListShape.new(name: 'SecurityPolicyOptions')
     ServerId = Shapes::StringShape.new(name: 'ServerId')
     ServiceErrorMessage = Shapes::StringShape.new(name: 'ServiceErrorMessage')
     ServiceUnavailableException = Shapes::StructureShape.new(name: 'ServiceUnavailableException')
+    SourceIp = Shapes::StringShape.new(name: 'SourceIp')
     SshPublicKey = Shapes::StructureShape.new(name: 'SshPublicKey')
     SshPublicKeyBody = Shapes::StringShape.new(name: 'SshPublicKeyBody')
     SshPublicKeyCount = Shapes::IntegerShape.new(name: 'SshPublicKeyCount')
@@ -123,6 +136,7 @@ module Aws::Transfer
     CreateServerRequest.add_member(:identity_provider_type, Shapes::ShapeRef.new(shape: IdentityProviderType, location_name: "IdentityProviderType"))
     CreateServerRequest.add_member(:logging_role, Shapes::ShapeRef.new(shape: Role, location_name: "LoggingRole"))
     CreateServerRequest.add_member(:protocols, Shapes::ShapeRef.new(shape: Protocols, location_name: "Protocols"))
+    CreateServerRequest.add_member(:security_policy_name, Shapes::ShapeRef.new(shape: SecurityPolicyName, location_name: "SecurityPolicyName"))
     CreateServerRequest.add_member(:tags, Shapes::ShapeRef.new(shape: Tags, location_name: "Tags"))
     CreateServerRequest.struct_class = Types::CreateServerRequest
 
@@ -156,6 +170,12 @@ module Aws::Transfer
     DeleteUserRequest.add_member(:user_name, Shapes::ShapeRef.new(shape: UserName, required: true, location_name: "UserName"))
     DeleteUserRequest.struct_class = Types::DeleteUserRequest
 
+    DescribeSecurityPolicyRequest.add_member(:security_policy_name, Shapes::ShapeRef.new(shape: SecurityPolicyName, required: true, location_name: "SecurityPolicyName"))
+    DescribeSecurityPolicyRequest.struct_class = Types::DescribeSecurityPolicyRequest
+
+    DescribeSecurityPolicyResponse.add_member(:security_policy, Shapes::ShapeRef.new(shape: DescribedSecurityPolicy, required: true, location_name: "SecurityPolicy"))
+    DescribeSecurityPolicyResponse.struct_class = Types::DescribeSecurityPolicyResponse
+
     DescribeServerRequest.add_member(:server_id, Shapes::ShapeRef.new(shape: ServerId, required: true, location_name: "ServerId"))
     DescribeServerRequest.struct_class = Types::DescribeServerRequest
 
@@ -170,6 +190,14 @@ module Aws::Transfer
     DescribeUserResponse.add_member(:user, Shapes::ShapeRef.new(shape: DescribedUser, required: true, location_name: "User"))
     DescribeUserResponse.struct_class = Types::DescribeUserResponse
 
+    DescribedSecurityPolicy.add_member(:fips, Shapes::ShapeRef.new(shape: Fips, location_name: "Fips"))
+    DescribedSecurityPolicy.add_member(:security_policy_name, Shapes::ShapeRef.new(shape: SecurityPolicyName, required: true, location_name: "SecurityPolicyName"))
+    DescribedSecurityPolicy.add_member(:ssh_ciphers, Shapes::ShapeRef.new(shape: SecurityPolicyOptions, location_name: "SshCiphers"))
+    DescribedSecurityPolicy.add_member(:ssh_kexs, Shapes::ShapeRef.new(shape: SecurityPolicyOptions, location_name: "SshKexs"))
+    DescribedSecurityPolicy.add_member(:ssh_macs, Shapes::ShapeRef.new(shape: SecurityPolicyOptions, location_name: "SshMacs"))
+    DescribedSecurityPolicy.add_member(:tls_ciphers, Shapes::ShapeRef.new(shape: SecurityPolicyOptions, location_name: "TlsCiphers"))
+    DescribedSecurityPolicy.struct_class = Types::DescribedSecurityPolicy
+
     DescribedServer.add_member(:arn, Shapes::ShapeRef.new(shape: Arn, required: true, location_name: "Arn"))
     DescribedServer.add_member(:certificate, Shapes::ShapeRef.new(shape: Certificate, location_name: "Certificate"))
     DescribedServer.add_member(:endpoint_details, Shapes::ShapeRef.new(shape: EndpointDetails, location_name: "EndpointDetails"))
@@ -179,6 +207,7 @@ module Aws::Transfer
     DescribedServer.add_member(:identity_provider_type, Shapes::ShapeRef.new(shape: IdentityProviderType, location_name: "IdentityProviderType"))
     DescribedServer.add_member(:logging_role, Shapes::ShapeRef.new(shape: Role, location_name: "LoggingRole"))
     DescribedServer.add_member(:protocols, Shapes::ShapeRef.new(shape: Protocols, location_name: "Protocols"))
+    DescribedServer.add_member(:security_policy_name, Shapes::ShapeRef.new(shape: SecurityPolicyName, location_name: "SecurityPolicyName"))
     DescribedServer.add_member(:server_id, Shapes::ShapeRef.new(shape: ServerId, location_name: "ServerId"))
     DescribedServer.add_member(:state, Shapes::ShapeRef.new(shape: State, location_name: "State"))
     DescribedServer.add_member(:tags, Shapes::ShapeRef.new(shape: Tags, location_name: "Tags"))
@@ -231,6 +260,14 @@ module Aws::Transfer
     InvalidRequestException.add_member(:message, Shapes::ShapeRef.new(shape: Message, required: true, location_name: "Message"))
     InvalidRequestException.struct_class = Types::InvalidRequestException
 
+    ListSecurityPoliciesRequest.add_member(:max_results, Shapes::ShapeRef.new(shape: MaxResults, location_name: "MaxResults"))
+    ListSecurityPoliciesRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: NextToken, location_name: "NextToken"))
+    ListSecurityPoliciesRequest.struct_class = Types::ListSecurityPoliciesRequest
+
+    ListSecurityPoliciesResponse.add_member(:next_token, Shapes::ShapeRef.new(shape: NextToken, location_name: "NextToken"))
+    ListSecurityPoliciesResponse.add_member(:security_policy_names, Shapes::ShapeRef.new(shape: SecurityPolicyNames, required: true, location_name: "SecurityPolicyNames"))
+    ListSecurityPoliciesResponse.struct_class = Types::ListSecurityPoliciesResponse
+
     ListServersRequest.add_member(:max_results, Shapes::ShapeRef.new(shape: MaxResults, location_name: "MaxResults"))
     ListServersRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: NextToken, location_name: "NextToken"))
     ListServersRequest.struct_class = Types::ListServersRequest
@@ -292,6 +329,10 @@ module Aws::Transfer
     ResourceNotFoundException.add_member(:resource_type, Shapes::ShapeRef.new(shape: ResourceType, required: true, location_name: "ResourceType"))
     ResourceNotFoundException.struct_class = Types::ResourceNotFoundException
 
+    SecurityPolicyNames.member = Shapes::ShapeRef.new(shape: SecurityPolicyName)
+
+    SecurityPolicyOptions.member = Shapes::ShapeRef.new(shape: SecurityPolicyOption)
+
     ServiceUnavailableException.add_member(:message, Shapes::ShapeRef.new(shape: ServiceErrorMessage, location_name: "Message"))
     ServiceUnavailableException.struct_class = Types::ServiceUnavailableException
 
@@ -323,9 +364,10 @@ module Aws::Transfer
     Tags.member = Shapes::ShapeRef.new(shape: Tag)
 
     TestIdentityProviderRequest.add_member(:server_id, Shapes::ShapeRef.new(shape: ServerId, required: true, location_name: "ServerId"))
+    TestIdentityProviderRequest.add_member(:server_protocol, Shapes::ShapeRef.new(shape: Protocol, location_name: "ServerProtocol"))
+    TestIdentityProviderRequest.add_member(:source_ip, Shapes::ShapeRef.new(shape: SourceIp, location_name: "SourceIp"))
     TestIdentityProviderRequest.add_member(:user_name, Shapes::ShapeRef.new(shape: UserName, required: true, location_name: "UserName"))
     TestIdentityProviderRequest.add_member(:user_password, Shapes::ShapeRef.new(shape: UserPassword, location_name: "UserPassword"))
-    TestIdentityProviderRequest.add_member(:server_protocol, Shapes::ShapeRef.new(shape: Protocol, location_name: "ServerProtocol"))
     TestIdentityProviderRequest.struct_class = Types::TestIdentityProviderRequest
 
     TestIdentityProviderResponse.add_member(:response, Shapes::ShapeRef.new(shape: Response, location_name: "Response"))
@@ -348,6 +390,7 @@ module Aws::Transfer
     UpdateServerRequest.add_member(:identity_provider_details, Shapes::ShapeRef.new(shape: IdentityProviderDetails, location_name: "IdentityProviderDetails"))
     UpdateServerRequest.add_member(:logging_role, Shapes::ShapeRef.new(shape: NullableRole, location_name: "LoggingRole"))
     UpdateServerRequest.add_member(:protocols, Shapes::ShapeRef.new(shape: Protocols, location_name: "Protocols"))
+    UpdateServerRequest.add_member(:security_policy_name, Shapes::ShapeRef.new(shape: SecurityPolicyName, location_name: "SecurityPolicyName"))
     UpdateServerRequest.add_member(:server_id, Shapes::ShapeRef.new(shape: ServerId, required: true, location_name: "ServerId"))
     UpdateServerRequest.struct_class = Types::UpdateServerRequest
 
@@ -452,6 +495,18 @@ module Aws::Transfer
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
       end)
 
+      api.add_operation(:describe_security_policy, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "DescribeSecurityPolicy"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: DescribeSecurityPolicyRequest)
+        o.output = Shapes::ShapeRef.new(shape: DescribeSecurityPolicyResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ServiceUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServiceError)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+      end)
+
       api.add_operation(:describe_server, Seahorse::Model::Operation.new.tap do |o|
         o.name = "DescribeServer"
         o.http_method = "POST"
@@ -490,6 +545,24 @@ module Aws::Transfer
         o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
       end)
 
+      api.add_operation(:list_security_policies, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "ListSecurityPolicies"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: ListSecurityPoliciesRequest)
+        o.output = Shapes::ShapeRef.new(shape: ListSecurityPoliciesResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ServiceUnavailableException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServiceError)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidNextTokenException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
+        o[:pager] = Aws::Pager.new(
+          limit_key: "max_results",
+          tokens: {
+            "next_token" => "next_token"
+          }
+        )
+      end)
+
       api.add_operation(:list_servers, Seahorse::Model::Operation.new.tap do |o|
         o.name = "ListServers"
         o.http_method = "POST"

data/lib/aws-sdk-transfer/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:

data/lib/aws-sdk-transfer/resource.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:

data/lib/aws-sdk-transfer/types.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -17,6 +19,7 @@ module Aws::Transfer
     #
     class AccessDeniedException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -31,6 +34,7 @@ module Aws::Transfer
     #
     class ConflictException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -54,6 +58,7 @@ module Aws::Transfer
     #         identity_provider_type: "SERVICE_MANAGED", # accepts SERVICE_MANAGED, API_GATEWAY
     #         logging_role: "Role",
     #         protocols: ["SFTP"], # accepts SFTP, FTP, FTPS
+    #         security_policy_name: "SecurityPolicyName",
     #         tags: [
     #           {
     #             key: "TagKey", # required
@@ -65,6 +70,41 @@ module Aws::Transfer
     # @!attribute [rw] certificate
     #   The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM)
     #   certificate. Required when `Protocols` is set to `FTPS`.
+    #
+    #   To request a new public certificate, see [Request a public
+    #   certificate][1] in the <i> AWS Certificate Manager User Guide</i>.
+    #
+    #   To import an existing certificate into ACM, see [Importing
+    #   certificates into ACM][2] in the <i> AWS Certificate Manager User
+    #   Guide</i>.
+    #
+    #   To request a private certificate to use FTPS through private IP
+    #   addresses, see [Request a private certificate][3] in the <i> AWS
+    #   Certificate Manager User Guide</i>.
+    #
+    #   Certificates with the following cryptographic algorithms and key
+    #   sizes are supported:
+    #
+    #   * 2048-bit RSA (RSA\_2048)
+    #
+    #   * 4096-bit RSA (RSA\_4096)
+    #
+    #   * Elliptic Prime Curve 256 bit (EC\_prime256v1)
+    #
+    #   * Elliptic Prime Curve 384 bit (EC\_secp384r1)
+    #
+    #   * Elliptic Prime Curve 521 bit (EC\_secp521r1)
+    #
+    #   <note markdown="1"> The certificate must be a valid SSL/TLS X.509 version 3 certificate
+    #   with FQDN or IP address specified and information about the issuer.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
+    #   [2]: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html
+    #   [3]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-private.html
     #   @return [String]
     #
     # @!attribute [rw] endpoint_details
@@ -79,25 +119,33 @@ module Aws::Transfer
     # @!attribute [rw] endpoint_type
     #   The type of VPC endpoint that you want your file transfer
     #   protocol-enabled server to connect to. You can choose to connect to
-    #   the public internet or a virtual private cloud (VPC) endpoint. With
-    #   a VPC endpoint, you can restrict access to your server and resources
-    #   only within your VPC.
+    #   the public internet or a VPC endpoint. With a VPC endpoint, you can
+    #   restrict access to your server and resources only within your VPC.
+    #
+    #   <note markdown="1"> It is recommended that you use `VPC` as the `EndpointType`. With
+    #   this endpoint type, you have the option to directly associate up to
+    #   three Elastic IPv4 addresses (BYO IP included) with your server's
+    #   endpoint and use VPC security groups to restrict traffic by the
+    #   client's public IP address. This is not possible with
+    #   `EndpointType` set to `VPC_ENDPOINT`.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] host_key
-    #   The RSA private key as generated by the `ssh-keygen -N "" -f
+    #   The RSA private key as generated by the `ssh-keygen -N "" -m PEM -f
     #   my-new-server-key` command.
     #
     #   If you aren't planning to migrate existing users from an existing
     #   SFTP-enabled server to a new server, don't update the host key.
     #   Accidentally changing a server's host key can be disruptive.
     #
-    #   For more information, see [Changing the Host Key for Your AWS
-    #   Transfer Family Server][1] in the *AWS Transfer Family User Guide*.
+    #   For more information, see [Change the host key for your SFTP-enabled
+    #   server][1] in the *AWS Transfer Family User Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/transfer/latest/userguide/configuring-servers.html#change-host-key
+    #   [1]: https://docs.aws.amazon.com/transfer/latest/userguide/edit-server-config.html#configuring-servers-change-host-key
     #   @return [String]
     #
     # @!attribute [rw] identity_provider_details
@@ -128,15 +176,38 @@ module Aws::Transfer
     #   file transfer protocol client can connect to your server's
     #   endpoint. The available protocols are:
     #
-    #   * Secure Shell (SSH) File Transfer Protocol (SFTP): File transfer
+    #   * `SFTP` (Secure Shell (SSH) File Transfer Protocol): File transfer
     #     over SSH
     #
-    #   * File Transfer Protocol Secure (FTPS): File transfer with TLS
+    #   * `FTPS` (File Transfer Protocol Secure): File transfer with TLS
     #     encryption
     #
-    #   * File Transfer Protocol (FTP): Unencrypted file transfer
+    #   * `FTP` (File Transfer Protocol): Unencrypted file transfer
+    #
+    #   <note markdown="1"> If you select `FTPS`, you must choose a certificate stored in AWS
+    #   Certificate Manager (ACM) which will be used to identify your file
+    #   transfer protocol-enabled server when clients connect to it over
+    #   FTPS.
+    #
+    #    If `Protocol` includes either `FTP` or `FTPS`, then the
+    #   `EndpointType` must be `VPC` and the `IdentityProviderType` must be
+    #   `API_GATEWAY`.
+    #
+    #    If `Protocol` includes `FTP`, then `AddressAllocationIds` cannot be
+    #   associated.
+    #
+    #    If `Protocol` is set only to `SFTP`, the `EndpointType` can be set
+    #   to `PUBLIC` and the `IdentityProviderType` can be set to
+    #   `SERVICE_MANAGED`.
+    #
+    #    </note>
     #   @return [Array<String>]
     #
+    # @!attribute [rw] security_policy_name
+    #   Specifies the name of the security policy that is attached to the
+    #   server.
+    #   @return [String]
+    #
     # @!attribute [rw] tags
     #   Key-value pairs that can be used to group and search for file
     #   transfer protocol-enabled servers.
@@ -153,7 +224,9 @@ module Aws::Transfer
       :identity_provider_type,
       :logging_role,
       :protocols,
+      :security_policy_name,
       :tags)
+      SENSITIVE = [:host_key]
       include Aws::Structure
     end
 
@@ -166,6 +239,7 @@ module Aws::Transfer
     #
     class CreateServerResponse < Struct.new(
       :server_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -198,7 +272,8 @@ module Aws::Transfer
     #   The landing directory (folder) for a user when they log in to the
     #   file transfer protocol-enabled server using the client.
     #
-    #   An example is `your-Amazon-S3-bucket-name>/home/username`.
+    #   An example is <i>
+    #   <code>your-Amazon-S3-bucket-name&gt;/home/username</code> </i>.
     #   @return [String]
     #
     # @!attribute [rw] home_directory_type
@@ -217,8 +292,8 @@ module Aws::Transfer
     #   visible. You will need to specify the "`Entry`" and "`Target`"
     #   pair, where `Entry` shows how the path is made visible and `Target`
     #   is the actual Amazon S3 path. If you only specify a target, it will
-    #   be displayed as is. You will need to also make sure that your AWS
-    #   IAM Role provides access to paths in `Target`. The following is an
+    #   be displayed as is. You will need to also make sure that your IAM
+    #   role provides access to paths in `Target`. The following is an
     #   example.
     #
     #   `'[ "/bucket2/documentation", \{ "Entry":
@@ -232,7 +307,7 @@ module Aws::Transfer
     #
     #   <note markdown="1"> If the target of a logical directory entry does not exist in Amazon
     #   S3, the entry will be ignored. As a workaround, you can use the
-    #   Amazon S3 api to create 0 byte objects as place holders for your
+    #   Amazon S3 API to create 0 byte objects as place holders for your
     #   directory. If using the CLI, use the `s3api` call instead of `s3` so
     #   you can use the put-object operation. For example, you use the
     #   following: `aws s3api put-object --bucket bucketname --key
@@ -254,8 +329,8 @@ module Aws::Transfer
     #   You save the policy as a JSON blob and pass it in the `Policy`
     #   argument.
     #
-    #    For an example of a scope-down policy, see [Creating a Scope-Down
-    #   Policy][1].
+    #    For an example of a scope-down policy, see [Creating a scope-down
+    #   policy][1].
     #
     #    For more information, see [AssumeRole][2] in the *AWS Security Token
     #   Service API Reference*.
@@ -297,9 +372,10 @@ module Aws::Transfer
     # @!attribute [rw] user_name
     #   A unique string that identifies a user and is associated with a file
     #   transfer protocol-enabled server as specified by the `ServerId`.
-    #   This user name must be a minimum of 3 and a maximum of 32 characters
-    #   long. The following are valid characters: a-z, A-Z, 0-9, underscore,
-    #   and hyphen. The user name can't start with a hyphen.
+    #   This user name must be a minimum of 3 and a maximum of 100
+    #   characters long. The following are valid characters: a-z, A-Z, 0-9,
+    #   underscore '\_', hyphen '-', period '.', and at sign '@'.
+    #   The user name can't start with a hyphen, period, and at sign.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/CreateUserRequest AWS API Documentation
@@ -314,6 +390,7 @@ module Aws::Transfer
       :ssh_public_key_body,
       :tags,
       :user_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -332,6 +409,7 @@ module Aws::Transfer
     class CreateUserResponse < Struct.new(
       :server_id,
       :user_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -351,6 +429,7 @@ module Aws::Transfer
     #
     class DeleteServerRequest < Struct.new(
       :server_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -383,6 +462,7 @@ module Aws::Transfer
       :server_id,
       :ssh_public_key_id,
       :user_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -409,6 +489,39 @@ module Aws::Transfer
     class DeleteUserRequest < Struct.new(
       :server_id,
       :user_name)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass DescribeSecurityPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         security_policy_name: "SecurityPolicyName", # required
+    #       }
+    #
+    # @!attribute [rw] security_policy_name
+    #   Specifies the name of the security policy that is attached to the
+    #   server.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/DescribeSecurityPolicyRequest AWS API Documentation
+    #
+    class DescribeSecurityPolicyRequest < Struct.new(
+      :security_policy_name)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] security_policy
+    #   An array containing the properties of the security policy.
+    #   @return [Types::DescribedSecurityPolicy]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/DescribeSecurityPolicyResponse AWS API Documentation
+    #
+    class DescribeSecurityPolicyResponse < Struct.new(
+      :security_policy)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -428,6 +541,7 @@ module Aws::Transfer
     #
     class DescribeServerRequest < Struct.new(
       :server_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -440,6 +554,7 @@ module Aws::Transfer
     #
     class DescribeServerResponse < Struct.new(
       :server)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -468,6 +583,7 @@ module Aws::Transfer
     class DescribeUserRequest < Struct.new(
       :server_id,
       :user_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -486,40 +602,92 @@ module Aws::Transfer
     class DescribeUserResponse < Struct.new(
       :server_id,
       :user)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Describes the properties of a security policy that was specified. For
+    # more information about security policies, see [Working with security
+    # policies][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/transfer/latest/userguide/security-policies.html
+    #
+    # @!attribute [rw] fips
+    #   Specifies whether this policy enables Federal Information Processing
+    #   Standards (FIPS).
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] security_policy_name
+    #   Specifies the name of the security policy that is attached to the
+    #   server.
+    #   @return [String]
+    #
+    # @!attribute [rw] ssh_ciphers
+    #   Specifies the enabled Secure Shell (SSH) cipher encryption
+    #   algorithms in the security policy that is attached to the server.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] ssh_kexs
+    #   Specifies the enabled SSH key exchange (KEX) encryption algorithms
+    #   in the security policy that is attached to the server.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] ssh_macs
+    #   Specifies the enabled SSH message authentication code (MAC)
+    #   encryption algorithms in the security policy that is attached to the
+    #   server.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] tls_ciphers
+    #   Specifies the enabled Transport Layer Security (TLS) cipher
+    #   encryption algorithms in the security policy that is attached to the
+    #   server.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/DescribedSecurityPolicy AWS API Documentation
+    #
+    class DescribedSecurityPolicy < Struct.new(
+      :fips,
+      :security_policy_name,
+      :ssh_ciphers,
+      :ssh_kexs,
+      :ssh_macs,
+      :tls_ciphers)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # Describes the properties of a file transfer protocol-enabled server
-    # that was specified. Information returned includes the following: the
-    # server Amazon Resource Name (ARN), the authentication configuration
-    # and type, the logging role, the server ID and state, and assigned tags
-    # or metadata.
+    # that was specified.
     #
     # @!attribute [rw] arn
-    #   Specifies the unique Amazon Resource Name (ARN) for a file transfer
-    #   protocol-enabled server to be described.
+    #   Specifies the unique Amazon Resource Name (ARN) of the file transfer
+    #   protocol-enabled server.
     #   @return [String]
     #
     # @!attribute [rw] certificate
-    #   The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM)
-    #   certificate. Required when `Protocols` is set to `FTPS`.
+    #   Specifies the ARN of the AWS Certificate Manager (ACM) certificate.
+    #   Required when `Protocols` is set to `FTPS`.
     #   @return [String]
     #
     # @!attribute [rw] endpoint_details
-    #   The virtual private cloud (VPC) endpoint settings that you
+    #   Specifies the virtual private cloud (VPC) endpoint settings that you
     #   configured for your file transfer protocol-enabled server.
     #   @return [Types::EndpointDetails]
     #
     # @!attribute [rw] endpoint_type
-    #   The type of endpoint that your file transfer protocol-enabled server
-    #   is connected to. If your server is connected to a VPC endpoint, your
-    #   server isn't accessible over the public internet.
+    #   Defines the type of endpoint that your file transfer
+    #   protocol-enabled server is connected to. If your server is connected
+    #   to a VPC endpoint, your server isn't accessible over the public
+    #   internet.
     #   @return [String]
     #
     # @!attribute [rw] host_key_fingerprint
-    #   Contains the message-digest algorithm (MD5) hash of a file transfer
-    #   protocol-enabled server's host key. This value is equivalent to the
-    #   output of the `ssh-keygen -l -E md5 -f my-new-server-key` command.
+    #   Specifies the Base64-encoded SHA256 fingerprint of the server's
+    #   host key. This value is equivalent to the output of the `ssh-keygen
+    #   -l -f my-new-server-key` command.
     #   @return [String]
     #
     # @!attribute [rw] identity_provider_details
@@ -529,19 +697,19 @@ module Aws::Transfer
     #   @return [Types::IdentityProviderDetails]
     #
     # @!attribute [rw] identity_provider_type
-    #   Defines the mode of authentication method enabled for this service.
-    #   A value of `SERVICE_MANAGED` means that you are using this file
-    #   transfer protocol-enabled server to store and access user
+    #   Specifies the mode of authentication method enabled for this
+    #   service. A value of `SERVICE_MANAGED` means that you are using this
+    #   file transfer protocol-enabled server to store and access user
     #   credentials within the service. A value of `API_GATEWAY` indicates
     #   that you have integrated an API Gateway endpoint that will be
     #   invoked for authenticating your user into the service.
     #   @return [String]
     #
     # @!attribute [rw] logging_role
-    #   An AWS Identity and Access Management (IAM) entity that allows a
-    #   file transfer protocol-enabled server to turn on Amazon CloudWatch
-    #   logging for Amazon S3 events. When set, user activity can be viewed
-    #   in your CloudWatch logs.
+    #   Specifies the AWS Identity and Access Management (IAM) role that
+    #   allows a file transfer protocol-enabled server to turn on Amazon
+    #   CloudWatch logging for Amazon S3 events. When set, user activity can
+    #   be viewed in your CloudWatch logs.
     #   @return [String]
     #
     # @!attribute [rw] protocols
@@ -549,25 +717,30 @@ module Aws::Transfer
     #   file transfer protocol client can connect to your server's
     #   endpoint. The available protocols are:
     #
-    #   * Secure Shell (SSH) File Transfer Protocol (SFTP): File transfer
+    #   * `SFTP` (Secure Shell (SSH) File Transfer Protocol): File transfer
     #     over SSH
     #
-    #   * File Transfer Protocol Secure (FTPS): File transfer with TLS
+    #   * `FTPS` (File Transfer Protocol Secure): File transfer with TLS
     #     encryption
     #
-    #   * File Transfer Protocol (FTP): Unencrypted file transfer
+    #   * `FTP` (File Transfer Protocol): Unencrypted file transfer
     #   @return [Array<String>]
     #
+    # @!attribute [rw] security_policy_name
+    #   Specifies the name of the security policy that is attached to the
+    #   server.
+    #   @return [String]
+    #
     # @!attribute [rw] server_id
-    #   Unique system-assigned identifier for a file transfer
+    #   Specifies the unique system-assigned identifier for a file transfer
     #   protocol-enabled server that you instantiate.
     #   @return [String]
     #
     # @!attribute [rw] state
-    #   The condition of a file transfer protocol-enabled server for the
-    #   server that was described. A value of `ONLINE` indicates that the
-    #   server can accept jobs and transfer files. A `State` value of
-    #   `OFFLINE` means that the server cannot perform file transfer
+    #   Specifies the condition of a file transfer protocol-enabled server
+    #   for the server that was described. A value of `ONLINE` indicates
+    #   that the server can accept jobs and transfer files. A `State` value
+    #   of `OFFLINE` means that the server cannot perform file transfer
     #   operations.
     #
     #   The states of `STARTING` and `STOPPING` indicate that the server is
@@ -577,13 +750,13 @@ module Aws::Transfer
     #   @return [String]
     #
     # @!attribute [rw] tags
-    #   Contains the key-value pairs that you can use to search for and
+    #   Specifies the key-value pairs that you can use to search for and
     #   group file transfer protocol-enabled servers that were assigned to
     #   the server that was described.
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] user_count
-    #   The number of users that are assigned to a file transfer
+    #   Specifies the number of users that are assigned to a file transfer
     #   protocol-enabled server you specified with the `ServerId`.
     #   @return [Integer]
     #
@@ -599,35 +772,38 @@ module Aws::Transfer
       :identity_provider_type,
       :logging_role,
       :protocols,
+      :security_policy_name,
       :server_id,
       :state,
       :tags,
       :user_count)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # Returns properties of the user that you want to describe.
+    # Describes the properties of a user that was specified.
     #
     # @!attribute [rw] arn
-    #   Contains the unique Amazon Resource Name (ARN) for the user that was
-    #   requested to be described.
+    #   Specifies the unique Amazon Resource Name (ARN) for the user that
+    #   was requested to be described.
     #   @return [String]
     #
     # @!attribute [rw] home_directory
     #   Specifies the landing directory (or folder), which is the location
-    #   that files are written to or read from in an Amazon S3 bucket for
-    #   the described user. An example is `/your s3 bucket
-    #   name/home/username `.
+    #   that files are written to or read from in an Amazon S3 bucket, for
+    #   the described user. An example is <i>
+    #   <code>your-Amazon-S3-bucket-name&gt;/home/username</code> </i>.
     #   @return [String]
     #
     # @!attribute [rw] home_directory_mappings
-    #   Logical directory mappings that you specified for what Amazon S3
+    #   Specifies the logical directory mappings that specify what Amazon S3
     #   paths and keys should be visible to your user and how you want to
     #   make them visible. You will need to specify the "`Entry`" and
     #   "`Target`" pair, where `Entry` shows how the path is made visible
     #   and `Target` is the actual Amazon S3 path. If you only specify a
     #   target, it will be displayed as is. You will need to also make sure
-    #   that your AWS IAM Role provides access to paths in `Target`.
+    #   that your AWS Identity and Access Management (IAM) role provides
+    #   access to paths in `Target`.
     #
     #   In most cases, you can use this value instead of the scope-down
     #   policy to lock your user down to the designated home directory
@@ -636,13 +812,13 @@ module Aws::Transfer
     #   @return [Array<Types::HomeDirectoryMapEntry>]
     #
     # @!attribute [rw] home_directory_type
-    #   The type of landing directory (folder) you mapped for your users to
-    #   see when they log into the file transfer protocol-enabled server. If
-    #   you set it to `PATH`, the user will see the absolute Amazon S3
-    #   bucket paths as is in their file transfer protocol clients. If you
-    #   set it `LOGICAL`, you will need to provide mappings in the
-    #   `HomeDirectoryMappings` for how you want to make Amazon S3 paths
-    #   visible to your users.
+    #   Specifies the type of landing directory (folder) you mapped for your
+    #   users to see when they log into the file transfer protocol-enabled
+    #   server. If you set it to `PATH`, the user will see the absolute
+    #   Amazon S3 bucket paths as is in their file transfer protocol
+    #   clients. If you set it `LOGICAL`, you will need to provide mappings
+    #   in the `HomeDirectoryMappings` for how you want to make Amazon S3
+    #   paths visible to your users.
     #   @return [String]
     #
     # @!attribute [rw] policy
@@ -660,20 +836,20 @@ module Aws::Transfer
     #   @return [String]
     #
     # @!attribute [rw] ssh_public_keys
-    #   Contains the public key portion of the Secure Shell (SSH) keys
+    #   Specifies the public key portion of the Secure Shell (SSH) keys
     #   stored for the described user.
     #   @return [Array<Types::SshPublicKey>]
     #
     # @!attribute [rw] tags
-    #   Contains the key-value pairs for the user requested. Tag can be used
-    #   to search for and group users for a variety of purposes.
+    #   Specifies the key-value pairs for the user requested. Tag can be
+    #   used to search for and group users for a variety of purposes.
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] user_name
-    #   The name of the user that was requested to be described. User names
-    #   are used for authentication purposes. This is the string that will
-    #   be used by your user when they log in to your file transfer
-    #   protocol-enabled server.
+    #   Specifies the name of the user that was requested to be described.
+    #   User names are used for authentication purposes. This is the string
+    #   that will be used by your user when they log in to your file
+    #   transfer protocol-enabled server.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/DescribedUser AWS API Documentation
@@ -688,6 +864,7 @@ module Aws::Transfer
       :ssh_public_keys,
       :tags,
       :user_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -720,15 +897,28 @@ module Aws::Transfer
     # @!attribute [rw] subnet_ids
     #   A list of subnet IDs that are required to host your file transfer
     #   protocol-enabled server endpoint in your VPC.
+    #
+    #   <note markdown="1"> This property can only be used when `EndpointType` is set to `VPC`.
+    #
+    #    </note>
     #   @return [Array<String>]
     #
     # @!attribute [rw] vpc_endpoint_id
     #   The ID of the VPC endpoint.
+    #
+    #   <note markdown="1"> This property can only be used when `EndpointType` is set to
+    #   `VPC_ENDPOINT`.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] vpc_id
     #   The VPC ID of the VPC in which a file transfer protocol-enabled
     #   server's endpoint will be hosted.
+    #
+    #   <note markdown="1"> This property can only be used when `EndpointType` is set to `VPC`.
+    #
+    #    </note>
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/EndpointDetails AWS API Documentation
@@ -738,10 +928,11 @@ module Aws::Transfer
       :subnet_ids,
       :vpc_endpoint_id,
       :vpc_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # Represents an object that contains entries and a targets for
+    # Represents an object that contains entries and targets for
     # `HomeDirectoryMappings`.
     #
     # @note When making an API call, you may pass HomeDirectoryMapEntry
@@ -765,6 +956,7 @@ module Aws::Transfer
     class HomeDirectoryMapEntry < Struct.new(
       :entry,
       :target)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -781,7 +973,7 @@ module Aws::Transfer
     #       }
     #
     # @!attribute [rw] url
-    #   Contains the location of the service endpoint used to authenticate
+    #   Provides the location of the service endpoint used to authenticate
     #   users.
     #   @return [String]
     #
@@ -795,6 +987,7 @@ module Aws::Transfer
     class IdentityProviderDetails < Struct.new(
       :url,
       :invocation_role)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -827,6 +1020,7 @@ module Aws::Transfer
       :server_id,
       :ssh_public_key_body,
       :user_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -854,6 +1048,7 @@ module Aws::Transfer
       :server_id,
       :ssh_public_key_id,
       :user_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -867,6 +1062,7 @@ module Aws::Transfer
     #
     class InternalServiceError < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -879,6 +1075,7 @@ module Aws::Transfer
     #
     class InvalidNextTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -891,6 +1088,56 @@ module Aws::Transfer
     #
     class InvalidRequestException < Struct.new(
       :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListSecurityPoliciesRequest
+    #   data as a hash:
+    #
+    #       {
+    #         max_results: 1,
+    #         next_token: "NextToken",
+    #       }
+    #
+    # @!attribute [rw] max_results
+    #   Specifies the number of security policies to return as a response to
+    #   the `ListSecurityPolicies` query.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   When additional results are obtained from the `ListSecurityPolicies`
+    #   command, a `NextToken` parameter is returned in the output. You can
+    #   then pass the `NextToken` parameter in a subsequent command to
+    #   continue listing additional security policies.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/ListSecurityPoliciesRequest AWS API Documentation
+    #
+    class ListSecurityPoliciesRequest < Struct.new(
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   When you can get additional results from the `ListSecurityPolicies`
+    #   operation, a `NextToken` parameter is returned in the output. In a
+    #   following command, you can pass in the `NextToken` parameter to
+    #   continue listing security policies.
+    #   @return [String]
+    #
+    # @!attribute [rw] security_policy_names
+    #   An array of security policies that were listed.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/ListSecurityPoliciesResponse AWS API Documentation
+    #
+    class ListSecurityPoliciesResponse < Struct.new(
+      :next_token,
+      :security_policy_names)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -908,7 +1155,7 @@ module Aws::Transfer
     #   @return [Integer]
     #
     # @!attribute [rw] next_token
-    #   When additional results are obtained from the`ListServers` command,
+    #   When additional results are obtained from the `ListServers` command,
     #   a `NextToken` parameter is returned in the output. You can then pass
     #   the `NextToken` parameter in a subsequent command to continue
     #   listing additional file transfer protocol-enabled servers.
@@ -919,6 +1166,7 @@ module Aws::Transfer
     class ListServersRequest < Struct.new(
       :max_results,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -938,6 +1186,7 @@ module Aws::Transfer
     class ListServersResponse < Struct.new(
       :next_token,
       :servers)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -974,6 +1223,7 @@ module Aws::Transfer
       :arn,
       :max_results,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1000,6 +1250,7 @@ module Aws::Transfer
       :arn,
       :next_token,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1035,6 +1286,7 @@ module Aws::Transfer
       :max_results,
       :next_token,
       :server_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1061,6 +1313,7 @@ module Aws::Transfer
       :next_token,
       :server_id,
       :users)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1068,37 +1321,38 @@ module Aws::Transfer
     # specified.
     #
     # @!attribute [rw] arn
-    #   The unique Amazon Resource Name (ARN) for a file transfer
+    #   Specifies the unique Amazon Resource Name (ARN) for a file transfer
     #   protocol-enabled server to be listed.
     #   @return [String]
     #
     # @!attribute [rw] identity_provider_type
-    #   The authentication method used to validate a user for a file
-    #   transfer protocol-enabled server that was specified. This can
+    #   Specifies the authentication method used to validate a user for a
+    #   file transfer protocol-enabled server that was specified. This can
     #   include Secure Shell (SSH), user name and password combinations, or
     #   your own custom authentication method. Valid values include
     #   `SERVICE_MANAGED` or `API_GATEWAY`.
     #   @return [String]
     #
     # @!attribute [rw] endpoint_type
-    #   The type of VPC endpoint that your file transfer protocol-enabled
-    #   server is connected to. If your server is connected to a VPC
-    #   endpoint, your server isn't accessible over the public internet.
+    #   Specifies the type of VPC endpoint that your file transfer
+    #   protocol-enabled server is connected to. If your server is connected
+    #   to a VPC endpoint, your server isn't accessible over the public
+    #   internet.
     #   @return [String]
     #
     # @!attribute [rw] logging_role
-    #   The AWS Identity and Access Management (IAM) entity that allows a
-    #   file transfer protocol-enabled server to turn on Amazon CloudWatch
-    #   logging.
+    #   Specifies the AWS Identity and Access Management (IAM) role that
+    #   allows a file transfer protocol-enabled server to turn on Amazon
+    #   CloudWatch logging.
     #   @return [String]
     #
     # @!attribute [rw] server_id
-    #   The unique system assigned identifier for a file transfer
+    #   Specifies the unique system assigned identifier for a file transfer
     #   protocol-enabled servers that were listed.
     #   @return [String]
     #
     # @!attribute [rw] state
-    #   Describes the condition of a file transfer protocol-enabled server
+    #   Specifies the condition of a file transfer protocol-enabled server
     #   for the server that was described. A value of `ONLINE` indicates
     #   that the server can accept jobs and transfer files. A `State` value
     #   of `OFFLINE` means that the server cannot perform file transfer
@@ -1111,9 +1365,8 @@ module Aws::Transfer
     #   @return [String]
     #
     # @!attribute [rw] user_count
-    #   A numeric value that indicates the number of users that are assigned
-    #   to a file transfer protocol-enabled server you specified with the
-    #   `ServerId`.
+    #   Specifies the number of users that are assigned to a file transfer
+    #   protocol-enabled server you specified with the `ServerId`.
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/ListedServer AWS API Documentation
@@ -1126,14 +1379,15 @@ module Aws::Transfer
       :server_id,
       :state,
       :user_count)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # Returns properties of the user that you specify.
     #
     # @!attribute [rw] arn
-    #   The unique Amazon Resource Name (ARN) for the user that you want to
-    #   learn about.
+    #   Provides the unique Amazon Resource Name (ARN) for the user that you
+    #   want to learn about.
     #   @return [String]
     #
     # @!attribute [rw] home_directory
@@ -1142,29 +1396,31 @@ module Aws::Transfer
     #   @return [String]
     #
     # @!attribute [rw] home_directory_type
-    #   The type of landing directory (folder) you mapped for your users'
-    #   home directory. If you set it to `PATH`, the user will see the
-    #   absolute Amazon S3 bucket paths as is in their file transfer
+    #   Specifies the type of landing directory (folder) you mapped for your
+    #   users' home directory. If you set it to `PATH`, the user will see
+    #   the absolute Amazon S3 bucket paths as is in their file transfer
     #   protocol clients. If you set it `LOGICAL`, you will need to provide
     #   mappings in the `HomeDirectoryMappings` for how you want to make
     #   Amazon S3 paths visible to your users.
     #   @return [String]
     #
     # @!attribute [rw] role
-    #   The role in use by this user. A *role* is an AWS Identity and Access
-    #   Management (IAM) entity that, in this case, allows a file transfer
-    #   protocol-enabled server to act on a user's behalf. It allows the
-    #   server to inherit the trust relationship that enables that user to
-    #   perform file operations to their Amazon S3 bucket.
+    #   Specifies the role that is in use by this user. A *role* is an AWS
+    #   Identity and Access Management (IAM) entity that, in this case,
+    #   allows a file transfer protocol-enabled server to act on a user's
+    #   behalf. It allows the server to inherit the trust relationship that
+    #   enables that user to perform file operations to their Amazon S3
+    #   bucket.
     #   @return [String]
     #
     # @!attribute [rw] ssh_public_key_count
-    #   The number of SSH public keys stored for the user you specified.
+    #   Specifies the number of SSH public keys stored for the user you
+    #   specified.
     #   @return [Integer]
     #
     # @!attribute [rw] user_name
-    #   The name of the user whose ARN was specified. User names are used
-    #   for authentication purposes.
+    #   Specifies the name of the user whose ARN was specified. User names
+    #   are used for authentication purposes.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/ListedUser AWS API Documentation
@@ -1176,6 +1432,7 @@ module Aws::Transfer
       :role,
       :ssh_public_key_count,
       :user_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1196,6 +1453,7 @@ module Aws::Transfer
       :message,
       :resource,
       :resource_type)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1217,6 +1475,7 @@ module Aws::Transfer
       :message,
       :resource,
       :resource_type)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1230,6 +1489,7 @@ module Aws::Transfer
     #
     class ServiceUnavailableException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1241,16 +1501,18 @@ module Aws::Transfer
     # public key associated with their user name on a specific server.
     #
     # @!attribute [rw] date_imported
-    #   The date that the public key was added to the user account.
+    #   Specifies the date that the public key was added to the user
+    #   account.
     #   @return [Time]
     #
     # @!attribute [rw] ssh_public_key_body
-    #   The content of the SSH public key as specified by the `PublicKeyId`.
+    #   Specifies the content of the SSH public key as specified by the
+    #   `PublicKeyId`.
     #   @return [String]
     #
     # @!attribute [rw] ssh_public_key_id
-    #   The `SshPublicKeyId` parameter contains the identifier of the public
-    #   key.
+    #   Specifies the `SshPublicKeyId` parameter contains the identifier of
+    #   the public key.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/SshPublicKey AWS API Documentation
@@ -1259,6 +1521,7 @@ module Aws::Transfer
       :date_imported,
       :ssh_public_key_body,
       :ssh_public_key_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1278,6 +1541,7 @@ module Aws::Transfer
     #
     class StartServerRequest < Struct.new(
       :server_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1297,6 +1561,7 @@ module Aws::Transfer
     #
     class StopServerRequest < Struct.new(
       :server_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1329,6 +1594,7 @@ module Aws::Transfer
     class Tag < Struct.new(
       :key,
       :value)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1361,6 +1627,7 @@ module Aws::Transfer
     class TagResourceRequest < Struct.new(
       :arn,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1369,9 +1636,10 @@ module Aws::Transfer
     #
     #       {
     #         server_id: "ServerId", # required
+    #         server_protocol: "SFTP", # accepts SFTP, FTP, FTPS
+    #         source_ip: "SourceIp",
     #         user_name: "UserName", # required
     #         user_password: "UserPassword",
-    #         server_protocol: "SFTP", # accepts SFTP, FTP, FTPS
     #       }
     #
     # @!attribute [rw] server_id
@@ -1380,14 +1648,6 @@ module Aws::Transfer
     #   is tested with a user name and password.
     #   @return [String]
     #
-    # @!attribute [rw] user_name
-    #   The name of the user account to be tested.
-    #   @return [String]
-    #
-    # @!attribute [rw] user_password
-    #   The password of the user account to be tested.
-    #   @return [String]
-    #
     # @!attribute [rw] server_protocol
     #   The type of file transfer protocol to be tested.
     #
@@ -1400,13 +1660,27 @@ module Aws::Transfer
     #   * File Transfer Protocol (FTP)
     #   @return [String]
     #
+    # @!attribute [rw] source_ip
+    #   The source IP address of the user account to be tested.
+    #   @return [String]
+    #
+    # @!attribute [rw] user_name
+    #   The name of the user account to be tested.
+    #   @return [String]
+    #
+    # @!attribute [rw] user_password
+    #   The password of the user account to be tested.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/TestIdentityProviderRequest AWS API Documentation
     #
     class TestIdentityProviderRequest < Struct.new(
       :server_id,
+      :server_protocol,
+      :source_ip,
       :user_name,
-      :user_password,
-      :server_protocol)
+      :user_password)
+      SENSITIVE = [:user_password]
       include Aws::Structure
     end
 
@@ -1433,6 +1707,7 @@ module Aws::Transfer
       :status_code,
       :message,
       :url)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1447,6 +1722,7 @@ module Aws::Transfer
     #
     class ThrottlingException < Struct.new(
       :retry_after_seconds)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1475,6 +1751,7 @@ module Aws::Transfer
     class UntagResourceRequest < Struct.new(
       :arn,
       :tag_keys)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1497,12 +1774,48 @@ module Aws::Transfer
     #         },
     #         logging_role: "NullableRole",
     #         protocols: ["SFTP"], # accepts SFTP, FTP, FTPS
+    #         security_policy_name: "SecurityPolicyName",
     #         server_id: "ServerId", # required
     #       }
     #
     # @!attribute [rw] certificate
     #   The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM)
     #   certificate. Required when `Protocols` is set to `FTPS`.
+    #
+    #   To request a new public certificate, see [Request a public
+    #   certificate][1] in the <i> AWS Certificate Manager User Guide</i>.
+    #
+    #   To import an existing certificate into ACM, see [Importing
+    #   certificates into ACM][2] in the <i> AWS Certificate Manager User
+    #   Guide</i>.
+    #
+    #   To request a private certificate to use FTPS through private IP
+    #   addresses, see [Request a private certificate][3] in the <i> AWS
+    #   Certificate Manager User Guide</i>.
+    #
+    #   Certificates with the following cryptographic algorithms and key
+    #   sizes are supported:
+    #
+    #   * 2048-bit RSA (RSA\_2048)
+    #
+    #   * 4096-bit RSA (RSA\_4096)
+    #
+    #   * Elliptic Prime Curve 256 bit (EC\_prime256v1)
+    #
+    #   * Elliptic Prime Curve 384 bit (EC\_secp384r1)
+    #
+    #   * Elliptic Prime Curve 521 bit (EC\_secp521r1)
+    #
+    #   <note markdown="1"> The certificate must be a valid SSL/TLS X.509 version 3 certificate
+    #   with FQDN or IP address specified and information about the issuer.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
+    #   [2]: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html
+    #   [3]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-private.html
     #   @return [String]
     #
     # @!attribute [rw] endpoint_details
@@ -1517,12 +1830,21 @@ module Aws::Transfer
     # @!attribute [rw] endpoint_type
     #   The type of endpoint that you want your file transfer
     #   protocol-enabled server to connect to. You can choose to connect to
-    #   the public internet or a VPC endpoint. With a VPC endpoint, your
-    #   server isn't accessible over the public internet.
+    #   the public internet or a VPC endpoint. With a VPC endpoint, you can
+    #   restrict access to your server and resources only within your VPC.
+    #
+    #   <note markdown="1"> It is recommended that you use `VPC` as the `EndpointType`. With
+    #   this endpoint type, you have the option to directly associate up to
+    #   three Elastic IPv4 addresses (BYO IP included) with your server's
+    #   endpoint and use VPC security groups to restrict traffic by the
+    #   client's public IP address. This is not possible with
+    #   `EndpointType` set to `VPC_ENDPOINT`.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] host_key
-    #   The RSA private key as generated by `ssh-keygen -N "" -f
+    #   The RSA private key as generated by `ssh-keygen -N "" -m PEM -f
     #   my-new-server-key`.
     #
     #   If you aren't planning to migrate existing users from an existing
@@ -1530,12 +1852,12 @@ module Aws::Transfer
     #   the host key. Accidentally changing a server's host key can be
     #   disruptive.
     #
-    #   For more information, see [Changing the Host Key for Your AWS
-    #   Transfer Family Server][1] in the *AWS Transfer Family User Guide*.
+    #   For more information, see [Change the host key for your SFTP-enabled
+    #   server][1] in the *AWS Transfer Family User Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/transfer/latest/userguide/configuring-servers.html#change-host-key
+    #   [1]: https://docs.aws.amazon.com/transfer/latest/userguide/edit-server-config.html#configuring-servers-change-host-key
     #   @return [String]
     #
     # @!attribute [rw] identity_provider_details
@@ -1561,8 +1883,30 @@ module Aws::Transfer
     #     encryption
     #
     #   * File Transfer Protocol (FTP): Unencrypted file transfer
+    #
+    #   <note markdown="1"> If you select `FTPS`, you must choose a certificate stored in AWS
+    #   Certificate Manager (ACM) which will be used to identify your server
+    #   when clients connect to it over FTPS.
+    #
+    #    If `Protocol` includes either `FTP` or `FTPS`, then the
+    #   `EndpointType` must be `VPC` and the `IdentityProviderType` must be
+    #   `API_GATEWAY`.
+    #
+    #    If `Protocol` includes `FTP`, then `AddressAllocationIds` cannot be
+    #   associated.
+    #
+    #    If `Protocol` is set only to `SFTP`, the `EndpointType` can be set
+    #   to `PUBLIC` and the `IdentityProviderType` can be set to
+    #   `SERVICE_MANAGED`.
+    #
+    #    </note>
     #   @return [Array<String>]
     #
+    # @!attribute [rw] security_policy_name
+    #   Specifies the name of the security policy that is attached to the
+    #   server.
+    #   @return [String]
+    #
     # @!attribute [rw] server_id
     #   A system-assigned unique identifier for a file transfer
     #   protocol-enabled server instance that the user account is assigned
@@ -1579,7 +1923,9 @@ module Aws::Transfer
       :identity_provider_details,
       :logging_role,
       :protocols,
+      :security_policy_name,
       :server_id)
+      SENSITIVE = [:host_key]
       include Aws::Structure
     end
 
@@ -1592,6 +1938,7 @@ module Aws::Transfer
     #
     class UpdateServerResponse < Struct.new(
       :server_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1637,8 +1984,8 @@ module Aws::Transfer
     #   visible. You will need to specify the "`Entry`" and "`Target`"
     #   pair, where `Entry` shows how the path is made visible and `Target`
     #   is the actual Amazon S3 path. If you only specify a target, it will
-    #   be displayed as is. You will need to also make sure that your AWS
-    #   IAM Role provides access to paths in `Target`. The following is an
+    #   be displayed as is. You will need to also make sure that your IAM
+    #   role provides access to paths in `Target`. The following is an
     #   example.
     #
     #   `'[ "/bucket2/documentation", \{ "Entry":
@@ -1652,7 +1999,7 @@ module Aws::Transfer
     #
     #   <note markdown="1"> If the target of a logical directory entry does not exist in Amazon
     #   S3, the entry will be ignored. As a workaround, you can use the
-    #   Amazon S3 api to create 0 byte objects as place holders for your
+    #   Amazon S3 API to create 0 byte objects as place holders for your
     #   directory. If using the CLI, use the `s3api` call instead of `s3` so
     #   you can use the put-object operation. For example, you use the
     #   following: `aws s3api put-object --bucket bucketname --key
@@ -1664,19 +2011,18 @@ module Aws::Transfer
     #
     # @!attribute [rw] policy
     #   Allows you to supply a scope-down policy for your user so you can
-    #   use the same AWS Identity and Access Management (IAM) role across
-    #   multiple users. The policy scopes down user access to portions of
-    #   your Amazon S3 bucket. Variables you can use inside this policy
-    #   include `$\{Transfer:UserName\}`, `$\{Transfer:HomeDirectory\}`, and
-    #   `$\{Transfer:HomeBucket\}`.
+    #   use the same IAM role across multiple users. The policy scopes down
+    #   user access to portions of your Amazon S3 bucket. Variables you can
+    #   use inside this policy include `$\{Transfer:UserName\}`,
+    #   `$\{Transfer:HomeDirectory\}`, and `$\{Transfer:HomeBucket\}`.
     #
     #   <note markdown="1"> For scope-down policies, AWS Transfer Family stores the policy as a
     #   JSON blob, instead of the Amazon Resource Name (ARN) of the policy.
     #   You save the policy as a JSON blob and pass it in the `Policy`
     #   argument.
     #
-    #    For an example of a scope-down policy, see [Creating a Scope-Down
-    #   Policy][1].
+    #    For an example of a scope-down policy, see [Creating a scope-down
+    #   policy][1].
     #
     #    For more information, see [AssumeRole][2] in the *AWS Security Token
     #   Service API Reference*.
@@ -1708,10 +2054,10 @@ module Aws::Transfer
     # @!attribute [rw] user_name
     #   A unique string that identifies a user and is associated with a file
     #   transfer protocol-enabled server as specified by the `ServerId`.
-    #   This is the string that will be used by your user when they log in
-    #   to your server. This user name is a minimum of 3 and a maximum of 32
+    #   This user name must be a minimum of 3 and a maximum of 100
     #   characters long. The following are valid characters: a-z, A-Z, 0-9,
-    #   underscore, and hyphen. The user name can't start with a hyphen.
+    #   underscore '\_', hyphen '-', period '.', and at sign '@'.
+    #   The user name can't start with a hyphen, period, and at sign.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/transfer-2018-11-05/UpdateUserRequest AWS API Documentation
@@ -1724,6 +2070,7 @@ module Aws::Transfer
       :role,
       :server_id,
       :user_name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1747,6 +2094,7 @@ module Aws::Transfer
     class UpdateUserResponse < Struct.new(
       :server_id,
       :user_name)
+      SENSITIVE = []
       include Aws::Structure
     end