aws-cdk-lib 2.90.0__py3-none-any.whl → 2.92.0__py3-none-any.whl

aws_cdk/aws_transfer/__init__.py

@@ -106,7 +106,7 @@ class CfnAgreement(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param access_role: With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` . If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key.
+        :param access_role: Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use. *For AS2 connectors* With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` . If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key. *For SFTP connectors* Make sure that the access role provides read and write access to the parent directory of the file location that's used in the ``StartFileTransfer`` request. Additionally, make sure that the role provides ``secretsmanager:GetSecretValue`` permission to AWS Secrets Manager .
         :param base_directory: The landing directory (folder) for files that are transferred by using the AS2 protocol.
         :param local_profile_id: A unique identifier for the AS2 local profile.
         :param partner_profile_id: A unique identifier for the partner profile used in the agreement.
@@ -194,7 +194,7 @@ class CfnAgreement(
     @builtins.property
     @jsii.member(jsii_name="accessRole")
     def access_role(self) -> builtins.str:
-        '''With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` .'''
+        '''Connectors are used to send files using either the AS2 or SFTP protocol.'''
         return typing.cast(builtins.str, jsii.get(self, "accessRole"))
 
     @access_role.setter
@@ -325,7 +325,7 @@ class CfnAgreementProps:
     ) -> None:
         '''Properties for defining a ``CfnAgreement``.
 
-        :param access_role: With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` . If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key.
+        :param access_role: Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use. *For AS2 connectors* With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` . If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key. *For SFTP connectors* Make sure that the access role provides read and write access to the parent directory of the file location that's used in the ``StartFileTransfer`` request. Additionally, make sure that the role provides ``secretsmanager:GetSecretValue`` permission to AWS Secrets Manager .
         :param base_directory: The landing directory (folder) for files that are transferred by using the AS2 protocol.
         :param local_profile_id: A unique identifier for the AS2 local profile.
         :param partner_profile_id: A unique identifier for the partner profile used in the agreement.
@@ -385,12 +385,20 @@ class CfnAgreementProps:
 
     @builtins.property
     def access_role(self) -> builtins.str:
-        '''With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` .
+        '''Connectors are used to send files using either the AS2 or SFTP protocol.
 
-        We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` .
+        For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.
+
+        *For AS2 connectors*
+
+        With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` .
 
         If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key.
 
+        *For SFTP connectors*
+
+        Make sure that the access role provides read and write access to the parent directory of the file location that's used in the ``StartFileTransfer`` request. Additionally, make sure that the role provides ``secretsmanager:GetSecretValue`` permission to AWS Secrets Manager .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-agreement.html#cfn-transfer-agreement-accessrole
         '''
         result = self._values.get("access_role")
@@ -952,9 +960,9 @@ class CfnConnector(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_transfer.CfnConnector",
 ):
-    '''Creates the connector, which captures the parameters for an outbound connection for the AS2 or SFTP protocol.
+    '''Creates the connector, which captures the parameters for a connection for the AS2 or SFTP protocol.
 
-    The connector is required for sending files to an externally hosted AS2 or SFTP server. For more details about AS2 connectors, see `Create AS2 connectors <https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html#configure-as2-connector>`_ .
+    For AS2, the connector is required for sending files to an externally hosted AS2 server. For SFTP, the connector is required when sending files to an SFTP server or receiving files from an SFTP server. For more details about connectors, see `Create AS2 connectors <https://docs.aws.amazon.com/transfer/latest/userguide/create-b2b-server.html#configure-as2-connector>`_ and `Create SFTP connectors <https://docs.aws.amazon.com/transfer/latest/userguide/configure-sftp-connector.html>`_ .
     .. epigraph::
 
        You must specify exactly one configuration object: either for AS2 ( ``As2Config`` ) or SFTP ( ``SftpConfig`` ).
@@ -972,11 +980,15 @@ class CfnConnector(
         
         cfn_connector = transfer.CfnConnector(self, "MyCfnConnector",
             access_role="accessRole",
-            as2_config=as2_config,
             url="url",
         
             # the properties below are optional
+            as2_config=as2_config,
             logging_role="loggingRole",
+            sftp_config=transfer.CfnConnector.SftpConfigProperty(
+                trusted_host_keys=["trustedHostKeys"],
+                user_secret_id="userSecretId"
+            ),
             tags=[CfnTag(
                 key="key",
                 value="value"
@@ -990,18 +1002,20 @@ class CfnConnector(
         id: builtins.str,
         *,
         access_role: builtins.str,
-        as2_config: typing.Any,
         url: builtins.str,
+        as2_config: typing.Any = None,
         logging_role: typing.Optional[builtins.str] = None,
+        sftp_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnConnector.SftpConfigProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param access_role: With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` . If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key.
-        :param as2_config: A structure that contains the parameters for an AS2 connector object.
+        :param access_role: Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use. *For AS2 connectors* With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` . If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key. *For SFTP connectors* Make sure that the access role provides read and write access to the parent directory of the file location that's used in the ``StartFileTransfer`` request. Additionally, make sure that the role provides ``secretsmanager:GetSecretValue`` permission to AWS Secrets Manager .
         :param url: The URL of the partner's AS2 or SFTP endpoint.
+        :param as2_config: A structure that contains the parameters for an AS2 connector object.
         :param logging_role: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.
+        :param sftp_config: A structure that contains the parameters for an SFTP connector object.
         :param tags: Key-value pairs that can be used to group and search for connectors.
         '''
         if __debug__:
@@ -1010,9 +1024,10 @@ class CfnConnector(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = CfnConnectorProps(
             access_role=access_role,
-            as2_config=as2_config,
             url=url,
+            as2_config=as2_config,
             logging_role=logging_role,
+            sftp_config=sftp_config,
             tags=tags,
         )
 
@@ -1051,7 +1066,7 @@ class CfnConnector(
     @builtins.property
     @jsii.member(jsii_name="attrArn")
     def attr_arn(self) -> builtins.str:
-        '''Specifies the unique Amazon Resource Name (ARN) for the workflow.
+        '''Specifies the unique Amazon Resource Name (ARN) for the connector.
 
         :cloudformationAttribute: Arn
         '''
@@ -1080,7 +1095,7 @@ class CfnConnector(
     @builtins.property
     @jsii.member(jsii_name="accessRole")
     def access_role(self) -> builtins.str:
-        '''With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` .'''
+        '''Connectors are used to send files using either the AS2 or SFTP protocol.'''
         return typing.cast(builtins.str, jsii.get(self, "accessRole"))
 
     @access_role.setter
@@ -1090,19 +1105,6 @@ class CfnConnector(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "accessRole", value)
 
-    @builtins.property
-    @jsii.member(jsii_name="as2Config")
-    def as2_config(self) -> typing.Any:
-        '''A structure that contains the parameters for an AS2 connector object.'''
-        return typing.cast(typing.Any, jsii.get(self, "as2Config"))
-
-    @as2_config.setter
-    def as2_config(self, value: typing.Any) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__b16726d88010ccba3b94afdf2e5c9f9c1e8e4dc3d9f7d56e2edf0140e687d75c)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "as2Config", value)
-
     @builtins.property
     @jsii.member(jsii_name="url")
     def url(self) -> builtins.str:
@@ -1116,6 +1118,19 @@ class CfnConnector(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "url", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="as2Config")
+    def as2_config(self) -> typing.Any:
+        '''A structure that contains the parameters for an AS2 connector object.'''
+        return typing.cast(typing.Any, jsii.get(self, "as2Config"))
+
+    @as2_config.setter
+    def as2_config(self, value: typing.Any) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b16726d88010ccba3b94afdf2e5c9f9c1e8e4dc3d9f7d56e2edf0140e687d75c)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "as2Config", value)
+
     @builtins.property
     @jsii.member(jsii_name="loggingRole")
     def logging_role(self) -> typing.Optional[builtins.str]:
@@ -1129,6 +1144,24 @@ class CfnConnector(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "loggingRole", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="sftpConfig")
+    def sftp_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConnector.SftpConfigProperty"]]:
+        '''A structure that contains the parameters for an SFTP connector object.'''
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConnector.SftpConfigProperty"]], jsii.get(self, "sftpConfig"))
+
+    @sftp_config.setter
+    def sftp_config(
+        self,
+        value: typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConnector.SftpConfigProperty"]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__391f4dfc56c4811c4c4aedb8ffcfac5c521d440de2f0de853365abcdec435568)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "sftpConfig", value)
+
     @builtins.property
     @jsii.member(jsii_name="tagsRaw")
     def tags_raw(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
@@ -1146,6 +1179,7 @@ class CfnConnector(
         jsii_type="aws-cdk-lib.aws_transfer.CfnConnector.As2ConfigProperty",
         jsii_struct_bases=[],
         name_mapping={
+            "basic_auth_secret_id": "basicAuthSecretId",
             "compression": "compression",
             "encryption_algorithm": "encryptionAlgorithm",
             "local_profile_id": "localProfileId",
@@ -1160,6 +1194,7 @@ class CfnConnector(
         def __init__(
             self,
             *,
+            basic_auth_secret_id: typing.Optional[builtins.str] = None,
             compression: typing.Optional[builtins.str] = None,
             encryption_algorithm: typing.Optional[builtins.str] = None,
             local_profile_id: typing.Optional[builtins.str] = None,
@@ -1171,6 +1206,7 @@ class CfnConnector(
         ) -> None:
             '''A structure that contains the parameters for an AS2 connector object.
 
+            :param basic_auth_secret_id: Provides Basic authentication support to the AS2 Connectors API. To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in AWS Secrets Manager . The default value for this parameter is ``null`` , which indicates that Basic authentication is not enabled for the connector. If the connector should use Basic authentication, the secret needs to be in the following format: ``{ "Username": "user-name", "Password": "user-password" }`` Replace ``user-name`` and ``user-password`` with the credentials for the actual user that is being authenticated. Note the following: - You are storing these credentials in Secrets Manager, *not passing them directly* into this API. - If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the AWS management console, you can have the system create the secret for you. If you have previously enabled Basic authentication for a connector, you can disable it by using the ``UpdateConnector`` API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication: ``update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'``
             :param compression: Specifies whether the AS2 file is compressed.
             :param encryption_algorithm: The algorithm that is used to encrypt the file. .. epigraph:: You can only specify ``NONE`` if the URL for your connector uses HTTPS. This ensures that no traffic is sent in clear text.
             :param local_profile_id: A unique identifier for the AS2 local profile.
@@ -1190,6 +1226,7 @@ class CfnConnector(
                 from aws_cdk import aws_transfer as transfer
                 
                 as2_config_property = transfer.CfnConnector.As2ConfigProperty(
+                    basic_auth_secret_id="basicAuthSecretId",
                     compression="compression",
                     encryption_algorithm="encryptionAlgorithm",
                     local_profile_id="localProfileId",
@@ -1202,6 +1239,7 @@ class CfnConnector(
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__328497a7bbb181a996e0747268f6105731221ad3f578e8a5ca68e405dcdd7e63)
+                check_type(argname="argument basic_auth_secret_id", value=basic_auth_secret_id, expected_type=type_hints["basic_auth_secret_id"])
                 check_type(argname="argument compression", value=compression, expected_type=type_hints["compression"])
                 check_type(argname="argument encryption_algorithm", value=encryption_algorithm, expected_type=type_hints["encryption_algorithm"])
                 check_type(argname="argument local_profile_id", value=local_profile_id, expected_type=type_hints["local_profile_id"])
@@ -1211,6 +1249,8 @@ class CfnConnector(
                 check_type(argname="argument partner_profile_id", value=partner_profile_id, expected_type=type_hints["partner_profile_id"])
                 check_type(argname="argument signing_algorithm", value=signing_algorithm, expected_type=type_hints["signing_algorithm"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if basic_auth_secret_id is not None:
+                self._values["basic_auth_secret_id"] = basic_auth_secret_id
             if compression is not None:
                 self._values["compression"] = compression
             if encryption_algorithm is not None:
@@ -1228,6 +1268,34 @@ class CfnConnector(
             if signing_algorithm is not None:
                 self._values["signing_algorithm"] = signing_algorithm
 
+        @builtins.property
+        def basic_auth_secret_id(self) -> typing.Optional[builtins.str]:
+            '''Provides Basic authentication support to the AS2 Connectors API.
+
+            To use Basic authentication, you must provide the name or Amazon Resource Name (ARN) of a secret in AWS Secrets Manager .
+
+            The default value for this parameter is ``null`` , which indicates that Basic authentication is not enabled for the connector.
+
+            If the connector should use Basic authentication, the secret needs to be in the following format:
+
+            ``{ "Username": "user-name", "Password": "user-password" }``
+
+            Replace ``user-name`` and ``user-password`` with the credentials for the actual user that is being authenticated.
+
+            Note the following:
+
+            - You are storing these credentials in Secrets Manager, *not passing them directly* into this API.
+            - If you are using the API, SDKs, or CloudFormation to configure your connector, then you must create the secret before you can enable Basic authentication. However, if you are using the AWS management console, you can have the system create the secret for you.
+
+            If you have previously enabled Basic authentication for a connector, you can disable it by using the ``UpdateConnector`` API call. For example, if you are using the CLI, you can run the following command to remove Basic authentication:
+
+            ``update-connector --connector-id my-connector-id --as2-config 'BasicAuthSecretId=""'``
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-connector-as2config.html#cfn-transfer-connector-as2config-basicauthsecretid
+            '''
+            result = self._values.get("basic_auth_secret_id")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         @builtins.property
         def compression(self) -> typing.Optional[builtins.str]:
             '''Specifies whether the AS2 file is compressed.
@@ -1324,15 +1392,100 @@ class CfnConnector(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_transfer.CfnConnector.SftpConfigProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "trusted_host_keys": "trustedHostKeys",
+            "user_secret_id": "userSecretId",
+        },
+    )
+    class SftpConfigProperty:
+        def __init__(
+            self,
+            *,
+            trusted_host_keys: typing.Optional[typing.Sequence[builtins.str]] = None,
+            user_secret_id: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''A structure that contains the parameters for an SFTP connector object.
+
+            :param trusted_host_keys: The public portion of the host key, or keys, that are used to authenticate the user to the external server to which you are connecting. You can use the ``ssh-keyscan`` command against the SFTP server to retrieve the necessary key. The three standard SSH public key format elements are ``<key type>`` , ``<body base64>`` , and an optional ``<comment>`` , with spaces between each element. For the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys. - For RSA keys, the key type is ``ssh-rsa`` . - For ECDSA keys, the key type is either ``ecdsa-sha2-nistp256`` , ``ecdsa-sha2-nistp384`` , or ``ecdsa-sha2-nistp521`` , depending on the size of the key you generated.
+            :param user_secret_id: The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both. The identifier can be either the Amazon Resource Name (ARN) or the name of the secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-connector-sftpconfig.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_transfer as transfer
+                
+                sftp_config_property = transfer.CfnConnector.SftpConfigProperty(
+                    trusted_host_keys=["trustedHostKeys"],
+                    user_secret_id="userSecretId"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__f4f8d4be2ad63a06a458c41605c9c21318e1d9117d48f21b9ee2ea6bb109d2e8)
+                check_type(argname="argument trusted_host_keys", value=trusted_host_keys, expected_type=type_hints["trusted_host_keys"])
+                check_type(argname="argument user_secret_id", value=user_secret_id, expected_type=type_hints["user_secret_id"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if trusted_host_keys is not None:
+                self._values["trusted_host_keys"] = trusted_host_keys
+            if user_secret_id is not None:
+                self._values["user_secret_id"] = user_secret_id
+
+        @builtins.property
+        def trusted_host_keys(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''The public portion of the host key, or keys, that are used to authenticate the user to the external server to which you are connecting.
+
+            You can use the ``ssh-keyscan`` command against the SFTP server to retrieve the necessary key.
+
+            The three standard SSH public key format elements are ``<key type>`` , ``<body base64>`` , and an optional ``<comment>`` , with spaces between each element.
+
+            For the trusted host key, AWS Transfer Family accepts RSA and ECDSA keys.
+
+            - For RSA keys, the key type is ``ssh-rsa`` .
+            - For ECDSA keys, the key type is either ``ecdsa-sha2-nistp256`` , ``ecdsa-sha2-nistp384`` , or ``ecdsa-sha2-nistp521`` , depending on the size of the key you generated.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-connector-sftpconfig.html#cfn-transfer-connector-sftpconfig-trustedhostkeys
+            '''
+            result = self._values.get("trusted_host_keys")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+        @builtins.property
+        def user_secret_id(self) -> typing.Optional[builtins.str]:
+            '''The identifier for the secret (in AWS Secrets Manager) that contains the SFTP user's private key, password, or both.
+
+            The identifier can be either the Amazon Resource Name (ARN) or the name of the secret.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-transfer-connector-sftpconfig.html#cfn-transfer-connector-sftpconfig-usersecretid
+            '''
+            result = self._values.get("user_secret_id")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "SftpConfigProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_transfer.CfnConnectorProps",
     jsii_struct_bases=[],
     name_mapping={
         "access_role": "accessRole",
-        "as2_config": "as2Config",
         "url": "url",
+        "as2_config": "as2Config",
         "logging_role": "loggingRole",
+        "sftp_config": "sftpConfig",
         "tags": "tags",
     },
 )
@@ -1341,17 +1494,19 @@ class CfnConnectorProps:
         self,
         *,
         access_role: builtins.str,
-        as2_config: typing.Any,
         url: builtins.str,
+        as2_config: typing.Any = None,
         logging_role: typing.Optional[builtins.str] = None,
+        sftp_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConnector.SftpConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''Properties for defining a ``CfnConnector``.
 
-        :param access_role: With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` . If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key.
-        :param as2_config: A structure that contains the parameters for an AS2 connector object.
+        :param access_role: Connectors are used to send files using either the AS2 or SFTP protocol. For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use. *For AS2 connectors* With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` . If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key. *For SFTP connectors* Make sure that the access role provides read and write access to the parent directory of the file location that's used in the ``StartFileTransfer`` request. Additionally, make sure that the role provides ``secretsmanager:GetSecretValue`` permission to AWS Secrets Manager .
         :param url: The URL of the partner's AS2 or SFTP endpoint.
+        :param as2_config: A structure that contains the parameters for an AS2 connector object.
         :param logging_role: The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events. When set, you can view connector activity in your CloudWatch logs.
+        :param sftp_config: A structure that contains the parameters for an SFTP connector object.
         :param tags: Key-value pairs that can be used to group and search for connectors.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-connector.html
@@ -1367,11 +1522,15 @@ class CfnConnectorProps:
             
             cfn_connector_props = transfer.CfnConnectorProps(
                 access_role="accessRole",
-                as2_config=as2_config,
                 url="url",
             
                 # the properties below are optional
+                as2_config=as2_config,
                 logging_role="loggingRole",
+                sftp_config=transfer.CfnConnector.SftpConfigProperty(
+                    trusted_host_keys=["trustedHostKeys"],
+                    user_secret_id="userSecretId"
+                ),
                 tags=[CfnTag(
                     key="key",
                     value="value"
@@ -1381,44 +1540,46 @@ class CfnConnectorProps:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__7675f9dcded8f51977cf70f499821100319fe5d62996cb917457f772cfcc9a2e)
             check_type(argname="argument access_role", value=access_role, expected_type=type_hints["access_role"])
-            check_type(argname="argument as2_config", value=as2_config, expected_type=type_hints["as2_config"])
             check_type(argname="argument url", value=url, expected_type=type_hints["url"])
+            check_type(argname="argument as2_config", value=as2_config, expected_type=type_hints["as2_config"])
             check_type(argname="argument logging_role", value=logging_role, expected_type=type_hints["logging_role"])
+            check_type(argname="argument sftp_config", value=sftp_config, expected_type=type_hints["sftp_config"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "access_role": access_role,
-            "as2_config": as2_config,
             "url": url,
         }
+        if as2_config is not None:
+            self._values["as2_config"] = as2_config
         if logging_role is not None:
             self._values["logging_role"] = logging_role
+        if sftp_config is not None:
+            self._values["sftp_config"] = sftp_config
         if tags is not None:
             self._values["tags"] = tags
 
     @builtins.property
     def access_role(self) -> builtins.str:
-        '''With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` .
+        '''Connectors are used to send files using either the AS2 or SFTP protocol.
+
+        For the access role, provide the Amazon Resource Name (ARN) of the AWS Identity and Access Management role to use.
+
+        *For AS2 connectors*
 
-        We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` .
+        With AS2, you can send files by calling ``StartFileTransfer`` and specifying the file paths in the request parameter, ``SendFilePaths`` . We use the file’s parent directory (for example, for ``--send-file-paths /bucket/dir/file.txt`` , parent directory is ``/bucket/dir/`` ) to temporarily store a processed AS2 message file, store the MDN when we receive them from the partner, and write a final JSON file containing relevant metadata of the transmission. So, the ``AccessRole`` needs to provide read and write access to the parent directory of the file location used in the ``StartFileTransfer`` request. Additionally, you need to provide read and write access to the parent directory of the files that you intend to send with ``StartFileTransfer`` .
 
         If you are using Basic authentication for your AS2 connector, the access role requires the ``secretsmanager:GetSecretValue`` permission for the secret. If the secret is encrypted using a customer-managed key instead of the AWS managed key in Secrets Manager, then the role also needs the ``kms:Decrypt`` permission for that key.
 
+        *For SFTP connectors*
+
+        Make sure that the access role provides read and write access to the parent directory of the file location that's used in the ``StartFileTransfer`` request. Additionally, make sure that the role provides ``secretsmanager:GetSecretValue`` permission to AWS Secrets Manager .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-connector.html#cfn-transfer-connector-accessrole
         '''
         result = self._values.get("access_role")
         assert result is not None, "Required property 'access_role' is missing"
         return typing.cast(builtins.str, result)
 
-    @builtins.property
-    def as2_config(self) -> typing.Any:
-        '''A structure that contains the parameters for an AS2 connector object.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-connector.html#cfn-transfer-connector-as2config
-        '''
-        result = self._values.get("as2_config")
-        assert result is not None, "Required property 'as2_config' is missing"
-        return typing.cast(typing.Any, result)
-
     @builtins.property
     def url(self) -> builtins.str:
         '''The URL of the partner's AS2 or SFTP endpoint.
@@ -1429,6 +1590,15 @@ class CfnConnectorProps:
         assert result is not None, "Required property 'url' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def as2_config(self) -> typing.Any:
+        '''A structure that contains the parameters for an AS2 connector object.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-connector.html#cfn-transfer-connector-as2config
+        '''
+        result = self._values.get("as2_config")
+        return typing.cast(typing.Any, result)
+
     @builtins.property
     def logging_role(self) -> typing.Optional[builtins.str]:
         '''The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows a connector to turn on CloudWatch logging for Amazon S3 events.
@@ -1440,6 +1610,17 @@ class CfnConnectorProps:
         result = self._values.get("logging_role")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def sftp_config(
+        self,
+    ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnConnector.SftpConfigProperty]]:
+        '''A structure that contains the parameters for an SFTP connector object.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-transfer-connector.html#cfn-transfer-connector-sftpconfig
+        '''
+        result = self._values.get("sftp_config")
+        return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, CfnConnector.SftpConfigProperty]], result)
+
     @builtins.property
     def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
         '''Key-value pairs that can be used to group and search for connectors.
@@ -5740,9 +5921,10 @@ def _typecheckingstub__2a3d92be7ab611ebe6dbf531ad899c2a95b3655fb829aeffdf52fdb11
     id: builtins.str,
     *,
     access_role: builtins.str,
-    as2_config: typing.Any,
     url: builtins.str,
+    as2_config: typing.Any = None,
     logging_role: typing.Optional[builtins.str] = None,
+    sftp_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConnector.SftpConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
@@ -5766,14 +5948,14 @@ def _typecheckingstub__9f4bab9f1a3e47eaac0c429ed6125ef23e8b2d8f33fac6396c2ef4a60
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__b16726d88010ccba3b94afdf2e5c9f9c1e8e4dc3d9f7d56e2edf0140e687d75c(
-    value: typing.Any,
+def _typecheckingstub__7f2f8d48aab925fcdb11fb86f8b12aeae11aa8b85048a7ded27a817b5864536d(
+    value: builtins.str,
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__7f2f8d48aab925fcdb11fb86f8b12aeae11aa8b85048a7ded27a817b5864536d(
-    value: builtins.str,
+def _typecheckingstub__b16726d88010ccba3b94afdf2e5c9f9c1e8e4dc3d9f7d56e2edf0140e687d75c(
+    value: typing.Any,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -5784,6 +5966,12 @@ def _typecheckingstub__f6fd1718d368db980c8cf49c237a691317f958db670b242715c5440aa
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__391f4dfc56c4811c4c4aedb8ffcfac5c521d440de2f0de853365abcdec435568(
+    value: typing.Optional[typing.Union[_IResolvable_da3f097b, CfnConnector.SftpConfigProperty]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__207f7abcb769a2e1717d82ad1c8c7df0c05b8d8d3d89a23127362727dcd65473(
     value: typing.Optional[typing.List[_CfnTag_f6864754]],
 ) -> None:
@@ -5792,6 +5980,7 @@ def _typecheckingstub__207f7abcb769a2e1717d82ad1c8c7df0c05b8d8d3d89a23127362727d
 
 def _typecheckingstub__328497a7bbb181a996e0747268f6105731221ad3f578e8a5ca68e405dcdd7e63(
     *,
+    basic_auth_secret_id: typing.Optional[builtins.str] = None,
     compression: typing.Optional[builtins.str] = None,
     encryption_algorithm: typing.Optional[builtins.str] = None,
     local_profile_id: typing.Optional[builtins.str] = None,
@@ -5804,12 +5993,21 @@ def _typecheckingstub__328497a7bbb181a996e0747268f6105731221ad3f578e8a5ca68e405d
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__f4f8d4be2ad63a06a458c41605c9c21318e1d9117d48f21b9ee2ea6bb109d2e8(
+    *,
+    trusted_host_keys: typing.Optional[typing.Sequence[builtins.str]] = None,
+    user_secret_id: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__7675f9dcded8f51977cf70f499821100319fe5d62996cb917457f772cfcc9a2e(
     *,
     access_role: builtins.str,
-    as2_config: typing.Any,
     url: builtins.str,
+    as2_config: typing.Any = None,
     logging_role: typing.Optional[builtins.str] = None,
+    sftp_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnConnector.SftpConfigProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""