AS2 quotas and limitations - AWS Transfer Family
AS2 quotasQuotas for handling secretsKnown limitations

AS2 quotas and limitations

This section discusses quotas and limitations for AS2

AS2 quotas

The following quotas are in place for AS2 file transfers. To request an increase for a quota that's adjustable, see AWS service quotas in the AWS General Reference.

AS2 quotas
Name Default Adjustable
Maximum number of inbound files received per second 100 No
Maximum number of outbound files sent per second 100 No
Maximum number of concurrent inbound files 400 No
Maximum number of concurrent outbound files 400 No
Maximum size of inbound file (uncompressed) 1 GB No
Maximum size of outbound file (uncompressed) 1 GB No
Maximum number of files per outbound request 10 No
Maximum number of outbound requests per second 100 No
Maximum number of inbound requests per second 100 No
Maximum outbound bandwidth per account (outbound SFTP and AS2 requests both contribute to this value) 50 MB per second No
Maximum number of agreements per server 100 Yes
Maximum number of connectors per account (SFTP and AS2 connectors both contribute to this limit) 100 Yes
Maximum number of certificates per partner profile 10 No
Maximum number of certificates per account 1000 Yes
Maximum number of partner profiles per account 1000 Yes

Quotas for handling secrets

AWS Transfer Family makes calls to AWS Secrets Manager on behalf of AS2 customers that are using Basic authentication. Additionally Secrets Manager makes calls to AWS KMS.

Note

These quotas aren't specific to your use of secrets for Transfer Family: they're shared among all the services in your AWS account.

For Secrets Manager GetSecretValue, the quota that applies is Combined rate of DescribeSecret and GetSecretValue API requests, as described in AWS Secrets Manager quotas.

Secrets ManagerĀ GetSecretValue
Name Value Description
Combined rate of DescribeSecret and GetSecretValue API requests Each supported Region: 10,000 per second The maximum transactions per second for DescribeSecret and GetSecretValue API operations combined.

For AWS KMS, the following quotas apply for Decrypt. For details, see Request quotas for each AWS KMS API operation

AWS KMSĀ Decrypt
Quota name Default value (requests per second)

Cryptographic operations (symmetric) request rate

These shared quotas vary with the AWS Region and the type of AWS KMS key used in the request. Each quota is calculated separately.

  • 5,500 (shared)

  • 10,000 (shared) in the following Regions:

    • US East (Ohio), us-east-2

    • Asia Pacific (Singapore), ap-southeast-1

    • Asia Pacific (Sydney), ap-southeast-2

    • Asia Pacific (Tokyo), ap-northeast-1

    • Europe (Frankfurt), eu-central-1

    • Europe (London), eu-west-2

  • 50,000 (shared) in the following Regions:

    • US East (N. Virginia), us-east-1

    • US West (Oregon), us-west-2

    • Europe (Ireland), eu-west-1

Custom key store request quotas

Note

This quota only applies if you are using an external key store.

Custom key store request quotas are calculated separately for each custom key store.

  • 1,800 (shared) for each AWS CloudHSM key store

  • 1,800 (shared) for each external key store

Known limitations

  • Server-side TCP keep-alive is not supported. The connection times out after 350 seconds of inactivity unless the client sends keep-alive packets.

  • For an active agreement to be accepted by the service and appear in Amazon CloudWatch logs, messages must contain valid AS2 headers.

  • The server that's receiving messages from AWS Transfer Family for AS2 must support the Cryptographic Message Syntax (CMS) algorithm protection attribute for validating message signatures, as defined in RFC 6211. This attribute is not supported in some older IBM Sterling products.

  • Duplicate message IDs result in a processed/Warning: duplicate-document message.

  • The key length for AS2 certificates must be at least 2048 bits, and at most 4096.

  • When sending AS2 messages or asynchronous MDNs to a trading partner's HTTPS endpoint, the messages or MDNs must use a valid SSL certificate that's signed by a publicly trusted certificate authority (CA). Self-signed certificates are currently supported for outbound transfers only.

  • The endpoint must support the TLS version 1.2 protocol and a cryptographic algorithm that's permitted by the security policy (as described in Security policies for AWS Transfer Family servers).

  • Multiple attachments and certificate exchange messaging (CEM) from AS2 version 1.2 is not currently supported.

  • Basic authentication is currently supported for outbound messages only.

  • You can attach a file-processing workflow to a Transfer Family server that uses the AS2 protocol: however, AS2 messages don't execute workflows attached to the server.