# Getting started with AWS B2B Data Interchange
To use AWS B2B Data Interchange, you create profiles, transformers, capabilities, and partnerships. This topic describes how to create and configure these basic building blocks for this service. After you have met the prerequisites, follow the instructions in [Transforming and generating EDI](transform-variations.md) or use the [Quick setup using the console](getting-started-quick.md)
After you create the necessary resources (profile, transformer, trading capability and partnership), your trading partners can use AWS Transfer Family or any connectivity software send you X12 documents.
When the X12 documents land in the configured input folder in your Amazon S3 bucket, the documents are automatically picked up and transformed by B2B Data Interchange. Each inbound X12 EDI document transformed also generates acknowledgments (such as 999 or 997) that you can return to your partner.
Similarly, when JSON or XML files are dropped into in specified input directories in Amazon S3, B2B Data Interchange automatically transforms the files to generate X12. You can then use AWS Transfer Family servers (that use either the AS2 or SFTP protocol) to send this X12 to your trading partner.
All transformation activity and status updates, including the generation of acknowledgements, are logged to CloudWatch and emit events to Amazon EventBridge. For details, see [Details fields for transformation events](events-detail-reference.md#detail-fields-transform). You can also monitor the transformation activity using processed input-output pairs view.
**Topics**
+ [
# Prerequisites for using AWS B2B Data Interchange
](b2bi-prereq.md)
+ [
# Quick setup using the console
](getting-started-quick.md)
+ [
# Configure AWS B2B Data Interchange using an CloudFormation template
](quickstart-template.md)
# Prerequisites for using AWS B2B Data Interchange
This topic describes how to sign up for an AWS account, create an admin user, and configure an Amazon S3 bucket to use with B2B Data Interchange.
## Sign up for an AWS account
If you do not have an AWS account, complete the following steps to create one.
**To sign up for an AWS account**
1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).
1. Follow the online instructions.
Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.
When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).
AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.
## Create a user with administrative access
After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.
**Secure your AWS account root user**
1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.
For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.
1. Turn on multi-factor authentication (MFA) for your root user.
For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.
**Create a user with administrative access**
1. Enable IAM Identity Center.
For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.
1. In IAM Identity Center, grant administrative access to a user.
For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.
**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.
For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.
**Assign access to additional users**
1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.
For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.
1. Assign users to a group, and then assign single sign-on access to the group.
For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.
## Configure an Amazon S3 bucket
You need to have an Amazon S3 bucket set up and ready to use. B2B Data Interchange requires buckets for storing input, output, and instruction documents. For details, see [Getting started with Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/GetStartedWithS3.html).
+ The Amazon S3 bucket must be in the same AWS account as the B2B Data Interchange user.
+ The Amazon S3 bucket must be in the same region as the B2B Data Interchange user.
## Setting up S3 bucket policies and permissions
Before you can transform and generate Electronic Data Interchange (EDI) documents, you must configure S3 bucket policies for your trading capabilities. This topic provides step-by-step instructions and example policies to help you get started.
### Configuring S3 bucket policies
Follow these steps to configure policies for both your input and output buckets. If your buckets use SSE-KMS encryption, you must also update your AWS KMS key policy. For policy examples, see [Example policies](#bucket-policy-examples).
**To configure a bucket policy**
1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. Navigate to your bucket and choose the **Permissions** tab.
1. In the **Bucket policy** section, choose **Edit**.
1. Do one of the following:
+ Copy an example policy from [Example policies](#bucket-policy-examples) and paste it into the policy editor.
+ Choose **Copy policy** when creating a trading capability, and paste the copied policy.
1. Choose **Save changes**.
**Note**
For information about temporary files and related permissions, see [Managing temporary files and permissions](#temp-files-permissions).
### Enabling EventBridge notifications
You must enable Amazon EventBridge notifications for your input S3 bucket.
**To enable EventBridge notifications**
1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).
1. Navigate to your bucket and choose the **Properties** tab.
1. Scroll to the **EventBridge** section.
1. If notifications are already enabled, you're done. Otherwise, continue to the next step.
1. Choose **Edit**.
1. Select **On** and choose **Save changes**.
**Important**
After enabling EventBridge, wait at least 5 minutes before placing files in your S3 bucket. This allows time for the changes to take effect.
### Managing temporary files and permissions
Your output bucket policies require the following permissions:
+ `s3:GetObject` - Allows the service to read temporary files
+ `s3:DeleteObject` - Enables cleanup of temporary files
**Important**
Without the `s3:DeleteObject` permission:
Temporary files remain in your S3 bucket and incur storage charges.
These files can be up to ten times larger than the input X12 file.
The service uses the following locations for temporary files:
+ `customerOutputDirectory/parsed` - For service use
+ `customerOutputDirectory/tradingPartnerId/parsed` - For S3 use (when using partnerships)
### Example policies
Use these example policies to configure permissions for your S3 buckets and AWS KMS keys.
**Important**
Replace all *user input placeholder* values with your own information.
------
#### [ Input bucket policy ]
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "B2BIEdiCapabilityInputPolicy",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "b2bi.amazonaws.com"
},
"Action": [
"s3:GetObject",
"s3:GetObjectAttributes"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/input-folder*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
}
}
]
}
```
------
------
#### [ Output bucket policy ]
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "B2BIEdiCapabilityOutputPolicy",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "b2bi.amazonaws.com"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/output-folder/*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
}
}
]
}
```
------
------
If you use SSE-KMS or DSSE-KMS encryption, you must also configure AWS KMS key policies:
**Important**
Don't use AWS managed key policies - they can't be edited. Create a customer managed key instead.
------
#### [ Input KMS key policy ]
Use this policy for encrypted input buckets to allow decryption of files:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "B2BIEdiCapabilityInputKeyPolicy",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow B2Bi access",
"Effect": "Allow",
"Principal": {
"Service": "b2bi.amazonaws.com"
},
"Action": "kms:Decrypt",
"Resource": "*"
}
]
}
```
------
------
#### [ Output KMS key policy ]
Use this policy for encrypted output buckets to allow encryption of files:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "B2BIEdiCapabilityOutputKeyPolicy",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow B2Bi access",
"Effect": "Allow",
"Principal": {
"Service": "b2bi.amazonaws.com"
},
"Action": "kms:GenerateDataKey",
"Resource": "*"
}
]
}
```
------
------
If you use the same bucket for both input and output, use either policy and add the other permission, as shown in this example:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "B2BIEdiCapabilityOutputKeyPolicy",
"Statement": [
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow B2Bi access",
"Effect": "Allow",
"Principal": {
"Service": "b2bi.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "*"
}
]
}
```
------
# Quick setup using the console
This topic provides instructions on how to quickly setup B2B Data Interchange. From the B2B Data Interchange landing page ([https://console.aws.amazon.com/b2bi/](https://console.aws.amazon.com/b2bi/)), choose the **Quick setup** option. The quick setup makes it easy for you to create the resources needed to build and run your EDI-based workflows on AWS B2B Data Interchange. Follow the steps below to connect with your trading partners and start transforming EDI data in JSON and XML to simplify your downstream integrations.
**Note**
If you don't see the landing page, select AWS B2B Data Interchange at the top of the left navigation menu.
1. The **Create profile** screen appears. Fill in your details as described in [Create a profile](transform-inbound-variations.md#getting-started-profile), then select **Next**.
1. The **Create transformer** screen appears. Fill in your details as described in [Create an inbound transformer](transform-inbound-variations.md#getting-started-transformer) or [Create an outbound transformer](transform-outbound-variations.md#outbound-transformer), then select **Next**.
1. The **Create trading capability** screen appears. Fill in your details as described in [Create a trading capability for inbound EDI](transform-inbound-variations.md#getting-started-capability), then select **Next**.
**Note**
Make sure to choose **Copy policy**, for both your input and output directory, save the policy code, and then paste the policies into your input and output directory's bucket policy.
1. The **Create partner** screen appears. Fill in your details as described in [Create a partnership for inbound EDI](transform-inbound-variations.md#getting-started-partnership), then select **Next**.
1. The **Review and create** screen appears, showing all the details you've entered. You can select **Cancel**, or **Previous** if anything needs to be changed, or **Complete setup** to create your profile, transformer, trading capability and partnership.
B2B Data Interchange also provides a self-contained, AWS CloudFormation template to quickly create a B2B Data Interchange configuration. For details on how to deploy this template, see [Configure AWS B2B Data Interchange using an CloudFormation template](quickstart-template.md).
# Configure AWS B2B Data Interchange using an CloudFormation template
We provide a basic stack that you can use to quickly configure all the resources you need to work with AWS B2B Data Interchange.
**To configure B2B Data Interchange objects from a CloudFormation template**
1. Download the template from the GitHub repository here: [AWS B2B Data Interchange basic template](https://github.com/aws-samples/aws-b2b-data-interchange-toolkit/blob/main/templates/aws-b2bi-basic.template.yaml)
1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).
1. In the left navigation pane, choose **Stacks**.
1. Choose **Create stack**, and then choose **With new resources (standard)**.
1. On the **Create stack** page, do the following.
1. In the **Prerequisite - Prepare template** section, select **Choose an existing template**.
1. In the **Specify template** section, choose **Upload a template file**.
1. Navigate to your saved template file, and select it.
1. Choose **Next**.
1. On the **Specify stack details** page, name your stack, and change the names of the listed parameters as appropriate for your configuration.
1. Choose **Next**. On the **Configure stack options** page, optionally add tags and an IAM role. Then choose **Next** again.
1. On the **Review and create** page review the details for the stack that you're creating, and then choose **Submit**.
You can view the progress of your stack being creating in the CloudFormation console.