AWS Transfer Family for AS2
Applicability Statement 2 (AS2) is an RFC-defined file-transmission specification that
includes strong message protection and verification mechanisms. The AS2 protocol is critical
to workflows with compliance requirements that rely on having data protection and security
features built into the protocol.
Customers in industries such as retail, life sciences, manufacturing, financial services,
and utilities that rely on AS2 for supply chain, logistics, and payments workflows can use
AWS Transfer Family AS2 endpoints to securely transact with their business partners. The transacted
data is natively accessible in AWS for processing, analysis, and machine learning. This
data is also available for integrations with enterprise resource planning (ERP) and customer
relationship management (CRM) systems that run on AWS. With AS2, customers can run their
business-to-business (B2B) transactions at scale in AWS while maintaining existing
business partner integrations and compliance.
If you are a Transfer Family customer who wants to exchange files with a partner who has a
configured AS2-enabled server, the setup involves generating one public-private key pair for
encryption and another for signing and exchanging the public keys with the partner.
Transfer Family provides a workshop that you can attend, in which you configure a Transfer
Family endpoint with AS2 enabled and a Transfer Family AS2 connector. The workshop details are
published separately from this page.
Protecting an AS2 payload in transit typically involves the use of Cryptographic
Message Syntax (CMS) and commonly uses encryption and a digital signature to provide data
protection and peer authentication. A signed Message Disposition Notice (MDN) response
payload provides verification (non-repudiation) that a message was received and successfully
decrypted.
Transport of these CMS payloads and MDN responses occurs over HTTP.
HTTPS AS2 server endpoints are not currently supported. TLS termination is currently
the responsibility of the customer.
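The following script is an added illustration, not Transfer Family or AWS code: it reproduces with OpenSSL the CMS steps described above (sign with a signing key, encrypt to the receiver's encryption certificate, decrypt, verify against the pinned partner certificate, and return a signed MDN carrying a MIC), using the two separate key pairs per party that the setup requires. Party names ("partner", "me"), file paths, and the sample payload are constructed for the example, and the MDN is a simplified text receipt rather than the full S/MIME form.

```sh
#!/bin/sh
# Added example (not AWS or Transfer Family code). "partner" sends to "me"; each side has two
# self-signed key pairs: one for encryption, one for signing. All paths are constructed here.
WORK="$(mktemp -d)"
gen_keypair() { # $1 = party, $2 = encryption|signing; the private key stays with its owner
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$1-as2-$2" \
    -keyout "$WORK/$1-$2.key" -out "$WORK/$1-$2.crt" 2>/dev/null
}
# Sender: sign with own signing key (content embedded), then encrypt to the receiver's public cert.
protect() { # $1 = plaintext, $2 = output (DER EnvelopedData)
  openssl cms -sign -binary -nodetach -md sha256 -signer "$WORK/partner-signing.crt" \
    -inkey "$WORK/partner-signing.key" -in "$1" -outform DER -out "$WORK/signed.der" &&
  openssl cms -encrypt -binary -aes256 -in "$WORK/signed.der" -outform DER -out "$2" \
    "$WORK/me-encryption.crt"
}
# Receiver: decrypt with own encryption key, then verify against the *pinned* partner signing cert.
# -nointern ignores certs embedded in the message; -noverify skips chain building because trust
# here is the explicitly imported certificate, which is what a partner profile holds.
unprotect() { # $1 = received message, $2 = recovered plaintext
  openssl cms -decrypt -inform DER -in "$1" -recip "$WORK/me-encryption.crt" \
    -inkey "$WORK/me-encryption.key" -out "$WORK/recv-signed.der" &&
  openssl cms -verify -binary -inform DER -in "$WORK/recv-signed.der" -nointern -noverify \
    -certfile "$WORK/partner-signing.crt" -out "$2" 2>/dev/null
}
# Signed MDN: receipt with the MIC (base64 SHA-256 of the signed content as received), signed by
# the receiver's signing key. This is what gives the sender non-repudiation of receipt.
mic_of() { openssl dgst -sha256 -binary "$1" | openssl base64 -A; }
send_mdn() { # $1 = signed content as received, $2 = MDN output (DER SignedData)
  printf 'Disposition: automatic-action/MDN-sent-automatically; processed\nReceived-Content-MIC: %s, sha256\n' \
    "$(mic_of "$1")" > "$WORK/mdn.txt" &&
  openssl cms -sign -binary -nodetach -md sha256 -signer "$WORK/me-signing.crt" \
    -inkey "$WORK/me-signing.key" -in "$WORK/mdn.txt" -outform DER -out "$2"
}
# Sender: verify the MDN against the pinned receiver cert and compare the MIC with the one
# computed over what was actually transmitted; a mismatch means the partner verified other bytes.
check_mdn() { # $1 = MDN file, $2 = signed content the sender transmitted
  openssl cms -verify -binary -inform DER -in "$1" -nointern -noverify \
    -certfile "$WORK/me-signing.crt" -out "$WORK/mdn-verified.txt" 2>/dev/null &&
  grep -qF "Received-Content-MIC: $(mic_of "$2"), sha256" "$WORK/mdn-verified.txt"
}
run_exchange() { # full round trip; returns 0 only if every step succeeds and the MICs agree
  for p in partner me; do for u in encryption signing; do gen_keypair "$p" "$u" || return 1; done; done
  printf 'EDI payload (constructed sample)\n' > "$WORK/msg.txt"
  protect "$WORK/msg.txt" "$WORK/msg.as2" && unprotect "$WORK/msg.as2" "$WORK/msg.out" &&
  cmp -s "$WORK/msg.txt" "$WORK/msg.out" &&
  send_mdn "$WORK/recv-signed.der" "$WORK/mdn.der" && check_mdn "$WORK/mdn.der" "$WORK/signed.der"
}
run_exchange && echo "AS2 round trip verified: signed MDN MIC matches the transmitted content"
```

Because verification uses only the pinned certificate, a message signed with any other key, or an MDN whose MIC was computed over different bytes, is rejected by the same functions.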
For a detailed, step-by-step walkthrough of setting up an Applicability Statement 2 (AS2) configuration,
see the tutorial, Setting up an AS2 configuration.
The user guide provides instructions for each step in the process of configuring AS2 in Transfer Family.
AS2 use cases
If you are an AWS Transfer Family customer who wants to exchange files with a partner who has a
configured AS2 server, the most complex part of the setup involves generating one
public-private key pair for encryption and another for signing and exchanging the public
keys with the partner.
Consider the following variations for using AWS Transfer Family with AS2.
In the following use cases, trading partner means the partner associated with a partner
profile. All mentions of MDN in the following use cases assume signed MDNs.
Inbound-only use cases

- Transfer encrypted AS2 messages from a trading partner to a Transfer Family server.
  In this case, you do the following:
  - Create profiles for your trading partner and yourself.
  - Create a Transfer Family server that uses the AS2 protocol.
  - Create an agreement and add it to your server.
  - Import a certificate with a private key and add it to your profile, and then import the
    public key to your partner profile for encryption.
  - After you have these items, send the public key for your certificate to your trading partner.
  Now your partner can send you encrypted messages, and you can decrypt them and store them in
  your Amazon S3 bucket.
- Transfer encrypted AS2 messages from a trading partner to a Transfer Family server and add
  signing.
  In this scenario, you are still doing only inbound transfers, but now you want your partner
  to sign the messages that they send. In this case, import the trading partner's signing
  public key (as a signing certificate added to your partner's profile).
- Transfer encrypted AS2 messages from a trading partner to a Transfer Family server, add
  signing, and send an MDN response.
  In this scenario, you are still doing only inbound transfers, but now, in addition to
  receiving signed payloads, your trading partner wants to receive a signed MDN response.
  - Import your public and private signing keys (as a signing certificate added to your profile).
  - Send the public signing key to your trading partner.

Outbound-only use cases

- Transfer encrypted AS2 messages from a Transfer Family server to a trading partner.
  This case is similar to the inbound-only transfer use case, except that instead of adding an
  agreement to your AS2 server, you create a connector. In this case, you import your trading
  partner's public key to their profile.
- Transfer encrypted AS2 messages from a Transfer Family server to a trading partner and add
  signing.
  You are still doing only outbound transfers, but now your trading partner wants you to sign
  the messages that you send to them.
  - Import your signing private key (as a signing certificate added to your profile).
  - Send your trading partner your public key.
- Transfer encrypted AS2 messages from a Transfer Family server to a trading partner, add
  signing, and receive an MDN response.
  You are still doing only outbound transfers, but now, in addition to sending signed payloads,
  you want to receive a signed MDN response from your trading partner.
  - Your trading partner sends you their public signing key.
  - Import your trading partner's public key (as a signing certificate added to your partner
    profile).

Inbound and outbound use cases

- Transfer encrypted AS2 messages in both directions between a Transfer Family server and a
  trading partner.
  In this case, you do the following:
  - Create profiles for your trading partner and yourself.
  - Create a Transfer Family server that uses the AS2 protocol.
  - Create an agreement and add it to your server.
  - Create a connector.
  - Import a certificate with a private key and add it to your profile, and then import the
    public key to your partner profile for encryption.
  - Receive a public key from your trading partner and add it to their profile for encryption.
  - After you have these items, send the public key for your certificate to your trading partner.
  Now you and your trading partner can exchange encrypted messages, and you can both decrypt
  them. You can store the messages that you receive in your Amazon S3 bucket, and your partner
  can decrypt and store the messages that you send to them.
- Transfer encrypted AS2 messages in both directions between a Transfer Family server and a
  trading partner and add signing.
  Now you and your partner want signed messages.
  - Import your signing private key (as a signing certificate added to your profile).
  - Send your trading partner your public key.
  - Import your trading partner's signing public key and add it to their profile.
- Transfer encrypted AS2 messages in both directions between a Transfer Family server and a
  trading partner, add signing, and send an MDN response.
  Now you want to exchange signed payloads, and both you and your trading partner want MDN
  responses.
  - Your trading partner sends you their public signing key.
  - Import your trading partner's public key (as a signing certificate added to your partner
    profile).
  - Send your public key to your trading partner.