# Transfer Family web apps
<a name="web-app"></a>

You can create web apps to enable a simple interface for transferring data to and from Amazon Simple Storage Service (S3) over a web browser. This does not require you to create or provision AWS Transfer Family servers.

Before the introduction of Transfer Family web apps, end users needed to use a client, custom-built, or a third-party solution to access their data in Amazon S3. This was due to stringent security requirements for customers and partners, and because clients apps are challenging for non-technical users to operate.

With the launch of web apps, you can now extend a branded, secure, and highly available portal for your end users to browse, upload, and download data in Amazon S3. Web apps are natively integrated with AWS IAM Identity Center and Amazon S3 Access Grants. This means that only your authenticated users can view the data that they’re authorized to access. Web apps are built using [Storage Browser for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-browser.html) and offer the same end user functionalities in a fully managed offering without having to write code or host your own application.

For more information about the other AWS services that you use with Transfer Family web apps, see the following documentation:
+ [Managing access with S3 Access Grants in the Amazon Simple Storage Service User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html)
+ [AWS IAM Identity Center User Guide](https://docs.aws.amazon.com/singlesignon/latest/userguide/)
+ [Amazon S3 Access Grants workshop](https://catalog.us-east-1.prod.workshops.aws/workshops/77b0af63-6ad2-4c94-bfc0-270eb9358c7a/en-US)
+ [Announcing AWS Transfer Family web apps for fully managed Amazon S3 file transfers](https://aws.amazon.com/blogs/aws/announcing-aws-transfer-family-web-apps-for-fully-managed-amazon-s3-file-transfers/)

The following resources are available to help you to get started with Transfer Family web apps.
+ The user guide offers a detailed, step-by-step walkthrough of setting up a Transfer Family web app here:[Tutorial: Setting up a basic Transfer Family web app](web-app-tutorial.md).
+ The **AWS Getting Started Resource Center** offers a tutorial here: [Getting started with AWS Transfer Family web app](https://aws.amazon.com/getting-started/hands-on/set-up-an-aws-transfer-family-web-app/).
+ The following video provides a walkthrough for getting started with Transfer Family web apps.  
[![AWS Videos](http://img.youtube.com/vi/https://www.youtube.com/embed/Ie9M0qBGrCE/0.jpg)](http://www.youtube.com/watch?v=https://www.youtube.com/embed/Ie9M0qBGrCE)

## AWS Regions for Transfer Family web apps
<a name="webapp-regions"></a>

AWS Transfer Family web apps are available in all the Transfer Family supported regions, as listed in the [AWS Region Table](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/), except for Asia Pacific (New Zealand) and AWS European Sovereign Cloud.

VPC endpoints for web apps are supported in all AWS Regions where web apps are available.

## Browser compatibility for AWS Transfer Family web apps
<a name="webapp-browsers"></a>

Transfer Family web apps support the following browsers.


| Browser | Version | Compatibility | 
| --- | --- | --- | 
| Microsoft Edge | Latest 3 versions | Compatible | 
| Mozilla Firefox | Latest 3 versions | Compatible | 
| Google Chrome | Latest 3 versions | Compatible | 
| Apple Safari | Latest 3 versions | Compatible | 

## How to create a Transfer Family web app
<a name="webapp-process"></a>

The following diagram illustrates the Transfer Family web app architecture.

![\[Architecture diagram showing the AWS services that interact with Transfer Family web apps.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-architecture.png)


Based on the diagram, you can see that Transfer Family web apps interact with the following AWS services:
+ Amazon S3 for storage and Amazon S3 Access Grants to acquire session credentials.
+ AWS IAM Identity Center as the federated identity provider.
+ Amazon CloudFront if you configure a custom URL for your web app.

Note the following limitations when using web apps.
+ Maximum number of search results per query: 10,000
+ The Amazon S3 buckets that are used by the Transfer Family web app must be in the same account as the web app itself. Cross-account buckets are not currently supported.
+ Maximum search breadth per query: 10,000 searched files
+ Maximum upload size per file: 160 GB (149 GiB)
+ Maximum size file for copying: 5.36 GB (5 GiB)
+ Folder names starting or ending with dots (.) are not supported

**Prerequisites**  
*In AWS Identity and Access Management, configure the necessary roles.* Paste in the code blocks that we provide in the instructions. For information about configuring the necessary roles, see [Configure IAM roles for Transfer Family web apps](webapp-roles.md).
+ Create an identity bearer role.
+ Create an IAM role to be used by S3 Access Grants. S3 Access Grants assumes this IAM role to vend temporary credentials to the grantee for the registered Amazon S3 location.

**Process to create a Transfer Family web app**  
To create your web app and get your end users up and running, you perform the following tasks:

1. *Configure IAM Identity Center to act as your federated identity provider*. Perform the following tasks in IAM Identity Center. For more details about configuring IAM Identity Center, see [Configure your identity provider for Transfer Family web apps](webapp-identity-center.md).

   1. Create an IAM Identity Center instance, if you don't already have one.

   1. Determine your identity source. It can be the default IAM Identity Center directory or a third-party provider (for example Okta).

   1. Create or identify the users or groups that will be using your web app. 

   1. If you are using the IAM Identity Center directory for your identity source, note the user or group IDs that you create. You need them later when you create an access grant by using S3 Access Grants.

1. *In Amazon S3, configure Amazon S3 Access Grants.* For more information about S3 Access Grants, see [Configure Amazon S3 Access Grants for Transfer Family web apps](webapp-access-grant.md).
   + Create an S3 Access Grants instance if you don't already have one in that AWS Region.
   + Register your location using the IAM role.
   + Create the access grant.

1. *In Transfer Family, perform the following tasks.*

   1. Create the Transfer Family web app. For more information about how to create the Transfer Family web app, see [Configure a Transfer Family web app](webapp-configure.md).
**Important**  
Set up Cross-origin resource sharing (CORS) for all Amazon S3 buckets that are used by your web app. For information about setting up CORS, see [Set up Cross-origin resource sharing (CORS) for your bucket](access-grant-cors.md).

   1. Assign users or groups to the web app. For more information about how to assign users and groups, see [Assign or add users or groups to a Transfer Family web app](webapp-add-users.md).

   1. (Optional) Update the access endpoint for your web app with a custom URL. For information about creating a custom URL, see [Update your access endpoint with a custom URL](webapp-customize.md).

   1. Provide your end users with the access endpoint URL so that they can log in and interact with your web app.

# Configure your identity provider for Transfer Family web apps
<a name="webapp-identity-center"></a>

The following section describes how to configure your identity provider.

To begin, you must have an identity source. You can use an IAM Identity Center directory, AWS Directory Service for Microsoft Active Directory, or an external identity provider. Transfer Family uses IAM Identity Center as a federated identity provider, which is a system that stores user credentials and authenticates users across multiple organizations.

If you're not using an IAM Identity Center directory as your identity source, see the following topics:
+ [Manage an external identity provider](https://docs.aws.amazon.com//singlesignon/latest/userguide/manage-your-identity-source-idp.html)
+ [Connect to a Microsoft AD directory ](https://docs.aws.amazon.com//singlesignon/latest/userguide/manage-your-identity-source-ad.html)
+ [Organization and account instances of IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html)
+ [IAM Identity Center identity source tutorials](https://docs.aws.amazon.com/singlesignon/latest/userguide/tutorials.html)

**Note**  
You can only have one identity source in IAM Identity Center, per instance, per AWS Region. For details, see [IAM Identity Center prerequisites and considerations](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-prerequisites.html).

If you plan to use the IAM Identity Center directory as your identity source, and want a quick setup, you can skip this topic and go to [Create a Transfer Family web app](webapp-configure.md#web-app-create) to create an IAM Identity Center instance from the wizard.

**To configure AWS IAM Identity Center for use with Transfer Family web apps**

1. Sign in to the AWS Management Console and open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. You can create and use either an account instance or an organization instance of AWS IAM Identity Center.
   + For details about account instances, see [Create an account instance of AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/create-account-instance.html). With an account instance of IAM Identity Center, you can deploy supported AWS managed applications and OpenID Connect (OIDC)-based customer managed applications. Account instances support isolated deployments of applications in a single AWS account, leveraging IAM Identity Center workforce identity and access portal features.
   + For details about organization instances, see [Organization instances of IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/organization-instances-identity-center.html). You can centrally manage the access of users and groups with a single organization instance.

1. On the IAM Identity Center **Settings** page, note down your Instance ARN. You will need this value when you create an **Amazon S3 Access Grant** instance.  
![\[Console screenshot from AWS IAM Identity Center showing the Settings page with the Instance ARN circled.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-identity-center.png)

1. Create one or more users and, optionally, groups, to use with your Transfer Family web app. If you're using an IAM Identity Center directory as your identity provider, you can also add users directly from the web app itself. For more information, see [Assign or add users or groups to a Transfer Family web app](webapp-add-users.md).

# Configure IAM roles for Transfer Family web apps
<a name="webapp-roles"></a>

You will need two roles: one to use as an identity bearer role for your web app, and a second to use for configuring an access grant. An identity bearer role is a role that includes an authenticated user's identity in its sessions. It's used to make requests to S3 Access Grants for data access on behalf of the user.

**Note**  
You can skip the procedure for creating an identity bearer role. For information about having the Transfer Family service create the identity bearer role, see [Create a Transfer Family web app](webapp-configure.md#web-app-create).  
You can skip the procedure for creating an access grants role. In the procedure for creating an access grant, in the step where you register an S3 location, choose **Create new role**. 

**Create an identity bearer role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Roles**, and then **Create role**.

1. Choose **Custom trust policy** and then paste in the following code.

   ```
   {
       "Version": "2012-10-17",		 	 	 
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service":"transfer.amazonaws.com"
               },
               "Action": [
                   "sts:AssumeRole",
                   "sts:SetContext"
               ]
           }
       ]
   }
   ```

1. Choose **Next** and then skip **Add permissions** and select **Next** again.

1. Enter a name, for example `web-app-identity-bearer`.

1. Choose **Create role** to create the identity bearer role.

1. Choose the role that you just created from the list, then in the **Permissions policies** panel, choose **Add permissions** > **Create inline policy**.

1. In the **Policy editor**, select **JSON** and then paste in the following code block.

   ```
   {
       "Version": "2012-10-17",		 	 	 
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:GetDataAccess",
                   "s3:ListCallerAccessGrants",
                   "s3:ListAccessGrantsInstances"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. For the policy name, enter `AllowS3AccessGrants`, and then select **Create policy**.

Next, you create the role that S3 Access Grants assumes to vend temporary credentials to the grantee.

**Note**  
If you allow the service to create the identity bearer role for you, that role sets confused deputy protection. Therefore, its code is different from what is displayed here.

**Create an access grants role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Roles**, and then **Create role**. This role should have permission to access your S3 data in the AWS Region.

1. Choose **Custom trust policy**, and then paste in the following code.

   ```
   {
       "Version": "2012-10-17",		 	 	 
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "access-grants.s3.amazonaws.com"
               },
               "Action": [
                   "sts:AssumeRole",
                   "sts:SetContext"
               ]
           }
       ]
   }
   ```

1. Choose **Next** add a minimal policy as described in [Register a location](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-location-register.html). While not recommended, you can add the **AmazonS3FullAccess** managed policy, which may be too permissive for your needs.

1. Choose **Next**, and enter a name (for example `access-grants-location`).

1. Choose **Create role** to create the role.

**Note**  
If you allow the service to create the access grants role for you, that role sets confused deputy protection. Therefore, its code is different from what is displayed here.

# Configure a Transfer Family web app
<a name="webapp-configure"></a>

This section describes the procedures for creating a Transfer Family web app. To assign users and groups that can use it, see [Assign or add users or groups to a Transfer Family web app](webapp-add-users.md).

**Note**  
Repeat these procedures to add additional web apps. You can reuse the IAM roles that you created earlier. Make sure to add the access endpoints for the new web apps to each bucket's Cross-origin resource sharing (CORS) policy.

## Create a Transfer Family web app
<a name="web-app-create"></a>

**Note**  
If you are not using the IAM Identity Center directory for your identity provider, don't attempt to create a web app until you have already set up IAM Identity Center and configured a third party identity provider, as described in [Configure your identity provider for Transfer Family web apps](webapp-identity-center.md).

Complete the following steps to create a Transfer Family web app.

**To create a Transfer Family web app**

1. Sign in to the AWS Management Console and open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. In the left navigation pane, choose **Web apps**.

1. Choose **Create web app**.

   For authentication access, the pane is populated as follows.
   + If you have already created either an organization or account instance in AWS IAM Identity Center, then you see this message: **Your AWS Transfer Family application connected to an account instance of IAM Identity Center**.
   + If you already have an account instance and are a member of an organization instance, you have the option to choose which instance to connect.
   + If you don't already have an account instance, or are a member in an organization instance, you're presented with the options to create an account instance.

1. For **Endpoint type**, choose the **Publicly accessible** endpoint type. For a **VPC hosted** endpoint, see [Create a Transfer Family web app in a VPC](create-webapp-in-vpc.md).

1. In the **Permission type** pane, you can use a previously created role, or have the service create one for you.
   + If you have already created an identity bearer role, choose **Use an existing role** and choose your role from the **Select an existing role** menu.
   + To have the service create a role for you, choose **Create and use a new service role**.

1. In the **Web app units** pane, choose a value. One web app unit allows web app activity from up to 250 unique sessions. When creating a web app, you provision how many units you need based on your expected peak workload volumes. Changing your web app units has an impact on your billing. For information about pricing, see [AWS Transfer Family Pricing](https://aws.amazon.com/aws-transfer-family/pricing).

1. If you are using Transfer Family in an AWS GovCloud (US) Region, you can select the **FIPS Enabled endpoint** checkbox in the **FIPS Enabled** pane. For all other AWS Regions, this option is unavailable.

1. (Optional) Add a tag to help you organize your web apps. We suggest that you add a tag with **Name** as the key and a descriptive name as the value.

1. Choose **Next**. On this screen, you can optionally provide a title for your web app. If you don't provide a title, the default title of **Transfer Web App** is supplied. You can also upload image files for your logo and favicon.

1. Choose **Next**, then choose **Create web app**.

![\[Screen that shows the Web apps dashboard as well as the menu item for selecting it from the left navigation panel.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-transfer-dashboard.png)


**Note**  
Make sure to set up a Cross-origin resource sharing (CORS) policy for all of the buckets that are accessed from the web app endpoint.

## IP addressing
<a name="webapp-ip-addressing"></a>

Transfer Family web apps use dual-stack endpoints, supporting both IPv4 and IPv6 connectivity. For authentication, web apps use AWS IAM Identity Center, which also supports IPv6 through dual-stack endpoints.

If your account had web apps in a Region when dual-stack IAM Identity Center endpoint support launched, all web apps in that account and Region continue to use the IPv4-only IAM Identity Center endpoint for backwards compatibility. This applies to both existing and newly created web apps. Accounts that did not have web apps at the time of launch use the IAM Identity Center dual-stack endpoint. If you need to change which IAM Identity Center endpoint your web app uses, contact AWS Support.

**Note**  
To determine which endpoint your web app uses, inspect the URL when you are redirected to the IAM Identity Center sign-in page:  
IPv4-only: `[Region].signin.aws.amazon.com`
Dual-stack: `[Region].sso.signin.aws`

If your organization uses firewalls or network gateways, allowlist both the existing IPv4 and the new dual-stack IAM Identity Center endpoints to ensure uninterrupted access regardless of which endpoint your web apps use. For the full list of domains and URL endpoints to allowlist, see [Update firewalls and gateways to allow access to the AWS access portal](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center-portal-access.html) in the *IAM Identity Center User Guide*.

# Create a Transfer Family web app in a VPC
<a name="create-webapp-in-vpc"></a>

This section describes the procedures for creating a Transfer Family web app in a VPC. You can host your web app's endpoint inside a virtual private cloud (VPC) to use for transferring data to and from an Amazon S3 bucket without going over the public internet. To assign users and groups that can use your web app, see [Assign or add users or groups to a Transfer Family web app](webapp-add-users.md).

**Note**  
To ensure a private end-to-end data flow when using a Transfer Family web app VPC endpoint, you must implement three additional components. First, set up a PrivateLink endpoint for Amazon S3 Control API operations, which is necessary for Amazon S3 Access Grants API calls. Second, configure an endpoint for Amazon S3 data access using either a PrivateLink Amazon S3 Gateway endpoint (for traffic from within your VPC) or an Amazon S3 Interface endpoint (for traffic from on-premises networks via VPN or Direct Connect). Third, lock down your Amazon S3 bucket access by updating the bucket policies to only permit traffic from these VPC endpoints. This combination ensures all data transfers remain within your private network infrastructure and never traverse the public internet.

## Create a Transfer Family web app
<a name="webapp-vpce-create"></a>

**Prerequisites**
+ AWS IAM Identity Center set up with configured identity provider. See [Configure your identity provider for Transfer Family web apps](webapp-identity-center.md).
+ VPC and networking components set up. See [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html#create-vpc-and-other-resources).
+ API endpoint set up for Amazon S3 Control operations. See [Accessing Amazon S3 interface endpoints](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#s3-creating-vpc).
+ VPC endpoints for Amazon S3 (Gateway or Interface) set up. See [Types of VPC endpoints for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3). If you’re using an interface endpoint, you must enable private DNS. For an example, see [Introducing private DNS support for Amazon S3 with AWS PrivateLink](https://aws.amazon.com/blogs/storage/introducing-private-dns-support-for-amazon-s3-with-aws-privatelink/).

**Note**  
AWS IAM Identity Center does not support VPC endpoints; all authentication requests transit the public internet. Additionally, Transfer Family web applications require internet access to load static content (such as JavaScript, CSS, and HTML files). The requirements for public internet access are separate from data access. Your VPC endpoint ensures that connections are routed through your VPC infrastructure.

**To create a Transfer Family web app**

1. Sign in to the AWS Management Console and open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/).

1. In the left navigation pane, choose **Web apps**.

1. Choose **Create web app**. For authentication access, the pane is populated as follows.
   + If you have already created either an organization or account instance in AWS IAM Identity Center, then you see this message: **Your AWS Transfer Family application connected to an account instance of IAM Identity Center**.
   + If you already have an account instance and are a member of an organization instance, you have the option to choose which instance to connect.
   + If you don't already have an account instance, or are a member in an organization instance, you're presented with the options to create an account instance.

1. In the **Endpoint configuration** section, choose how your users will access your web app:
   + **Publicly accessible**: Your web app endpoint is accessible over the public via HTTPS. This option does not require any VPC configuration, making it straightforward to set up and suitable for applications intended for wide public use.
   + **VPC hosted**: Your web app endpoint is hosted within your Virtual Private Cloud (VPC), providing private network access through your VPC network, AWS Direct Connect, or VPN connections. This option offers enhanced security through network isolation and is recommended for internal applications.
**Note**  
You must have a dual-stack VPC configuration. For more information, see [Example dual-stack VPC configuration](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6-example.html) in the *Amazon Virtual Private Cloud User Guide*. 

     When configuring a VPC hosted endpoint, you'll need to specify:
     + **VPC**: Select an existing VPC or create a new one. A **Create a VPC** button is available.
     + **Availability zones**: Choose the availability zones where your endpoint will be deployed.
     + **Subnets**: Select subnets within each chosen availability zone.
     + **Security groups**: Select or create security groups to control access based on source IP addresses. If not specified, the VPC's default security group is used. Manage security groups through the VPC Console. Configure your VPC security groups to allow inbound traffic from your network over HTTPS on TCP port 443. This is required for IAM Identity Center authentication and web app static content loading. 
**Note**  
The access endpoint cannot be customized for VPC endpoints. To add a custom URL, use the public endpoint.

## Post-creation steps
<a name="webapp-vpce-post-creation"></a>
+ Make sure to set up a Cross-origin resource sharing (CORS) policy for all of the buckets that are accessed from the web app endpoint. See [Cross-origin resource sharing (CORS) policy](#webapp-vpce-cors).
+ Update your bucket policy to allow traffic only originating from your VPC through your VPC endpoint. See [Restricting access to a specific VPC endpoint](#webapp-vpce-bucket-policy).
+ Assign or add users or groups to Transfer Family web app. See [Assign or add users or groups to a Transfer Family web app](webapp-add-users.md).

## Cross-origin resource sharing (CORS) policy
<a name="webapp-vpce-cors"></a>

You must set up cross-origin resource sharing (CORS) for all buckets that are used by your web app. For more information about CORS, see [Set up Cross-origin resource sharing (CORS) for your bucket](access-grant-cors.md).

**Important**  
Before using the following example policy, replace the Allowed Origin with your access endpoint. Otherwise, your end users will receive an error when they attempt to access a location on your web app.

**Example policy:**

```
[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "GET",
      "PUT",
      "POST",
      "DELETE",
      "HEAD"
    ],
    "AllowedOrigins": [
      "https://vpce-1234567-example.vpce-mq.transfer-webapp.us-east-1.on.aws"
    ],
    "ExposeHeaders": [
      "last-modified",
      "content-length",
      "etag",
      "x-amz-version-id",
      "content-type",
      "x-amz-request-id",
      "x-amz-id-2",
      "date",
      "x-amz-cf-id",
      "x-amz-storage-class",
      "access-control-expose-headers"
    ],
    "MaxAgeSeconds": 3000
  }
]
```

## Restricting access to a specific VPC endpoint
<a name="webapp-vpce-bucket-policy"></a>

The following is an example of an Amazon S3 bucket policy that restricts access to a specific bucket, `amzn-s3-demo-bucket`, only from the VPC endpoint with the ID `vpce-1a2b3c4d`. If the specified endpoint is not used, the policy denies all access to the bucket. The `aws:SourceVpce` condition specifies the endpoint. The `aws:SourceVpce` condition doesn't require an ARN for the VPC endpoint resource, only the VPC endpoint ID. For more information about updating your bucket policy to only allow traffic originating from your VPC, see [Controlling access from VPC endpoints with bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html). For more information about using conditions in a policy, see [Bucket policy examples using condition keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/amazon-s3-policy-keys.html). As a pre-requisite to applying this policy, you should create an [Amazon S3 VPC endpoint](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html).

**Important**  
Before using the following example policy, replace the VPC endpoint ID with an appropriate value for your use case. Otherwise, you won't be able to access your bucket.

```
{
  "Version":"2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket",
                   "arn:aws:s3:::amzn-s3-demo-bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
```

# Assign or add users or groups to a Transfer Family web app
<a name="webapp-add-users"></a>

After you create a Transfer Family web app, you can assign users and groups who can then access the web app. You can either retrieve users that are already created and stored in IAM Identity Center, or you can [add new users directly](https://docs.aws.amazon.com/singlesignon/latest/userguide/addusers.html) (if you're using an IAM Identity Center directory as your identity provider). If you add new users, they are also added to your IAM Identity Center instance.

Note the following:
+ You can only add new users if you are using the IAM Identity Center directory as your identity source and have the proper permissions. If you are a member of an organization instance, you might not have the necessary permissions to add users.
**Note**  
If you don't assign users or groups to your application, your users will get an error when they attempt to log into your web app.
+ If you create a new user, you must also create an S3 access grant for this user so that they can access data on your web app.
+ After you create a new user, that user receives an onboarding email from IAM Identity Center with directions for how to proceed.

**To assign users to a Transfer Family web app**

1. Navigate to your web app list, and choose the one that you want to edit.

1. Choose **Assign users and groups**.  
![\[Screen showing the details for a selected web app.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-transfer-details.png)

1. To assign users that you previously created in IAM Identity Center, select **Assign existing users and groups**. To create new users, skip ahead to step 4.

   1. An information screen appears. Choose **Get started** to continue.

   1. Search for the user. Note that no users appear until you begin entering your search criteria. You must search by the *display name*, not the *username*, if different. Only exact matches are returned. If you can't find your user, navigate to the IAM Identity Center management console, find the user, then copy and paste their display name here.  
![\[Screen showing the search dialog for adding users and groups to your web app.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-transfer-add-user.png)

   1. Choose the users and groups to add, then choose **Assign**.

1. To create a new user, select **Add and assign new users**.

   1. An information screen appears. Choose **Get started** to continue.

   1. Choose **Add new users**.

   1. Enter the following user details into the dialog box: username, first and last name, and an email address.   
![\[Screen showing the Add new users dialog.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-transfer-add-user-new.png)

   1. Choose **Next**, then choose **Add** to add the user and close the dialog box, or **Add new user** to create another user.

# Set up Cross-origin resource sharing (CORS) for your bucket
<a name="access-grant-cors"></a>

You must set up cross-origin resource sharing (CORS) for all buckets that are used by your web app. A *CORS configuration* is a document that defines rules that identify the origins that you will allow to access your bucket. For more information about CORS, see [Configuring cross-origin resource sharing (CORS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enabling-cors-examples.html?icmpid=docs_amazons3_console).

**Important**  
If you don't set up CORS, your end users receive an error when they attempt to access a location on your web app.

**To set up Cross-origin resource sharing (CORS) for your Amazon S3 bucket**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Choose **Buckets** from the left navigation panel and search for your bucket in the search dialog, then choose the **Permissions** tab.

1. In **Cross-origin resource sharing (CORS)**, choose **Edit** and paste in the following code. Replace *WebAppEndpoint* with the actual access endpoint for your web app. This can be either the VPC hosted or public access endpoint that's created when the web app is created, or a custom access endpoint, if you create one. Make sure not to enter trailing slashes, because doing so causes errors when users attempt to log on to your web app.
   + Incorrect example: `https://webapp-c7bf3423.transfer-webapp.us-east-2.on.aws/`
   + Correct examples:
     + `https://webapp-c7bf3423.transfer-webapp.us-east-2.on.aws`
     + `https://vpce-05668789767a-fh45z079.vpce-mq.transfer-webapp.us-east-1.on.aws`

   If you are reusing a bucket for multiple web apps, append their endpoints to the `AllowedOrigins` list.

   ```
   [
     {
       "AllowedHeaders": [
         "*"
       ],
       "AllowedMethods": [
         "GET",
         "PUT",
         "POST",
         "DELETE",
         "HEAD"
       ],
       "AllowedOrigins": [
         "https://WebAppEndpoint"
       ],
       "ExposeHeaders": [
         "last-modified",
          "content-length",
         "etag",
         "x-amz-version-id",
         "content-type",
         "x-amz-request-id",
         "x-amz-id-2",
         "date",
         "x-amz-cf-id",
         "x-amz-storage-class",
         "access-control-expose-headers"
        ],
       "MaxAgeSeconds": 3000
     }
   ]
   ```

1.  Choose **Save changes** to update the CORS.

To test your CORS configuration, see [Testing CORS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/testing-cors.html).

# Configure Amazon S3 Access Grants for Transfer Family web apps
<a name="webapp-access-grant"></a>

This topic describes how to add an access grant using Amazon S3 Access Grants. This access grant defines access to your data directly to your users and groups in your corporate directory and vends just-in-time, least privilege, temporary credentials based on grants. An individual grant in an S3 Access Grants instance allows a specific user or group in a corporate directory—to get access within a location that is registered in your S3 Access Grants instance. For more details, see [S3 Access Grants concepts](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-concepts.html) in the Amazon S3 User Guide.

**Note**  
You can't use the IAM Identity Center directory with S3 Access Grants other than with Transfer Family web apps.

You must specify an Amazon S3 access grant for identity propagation. An Amazon S3 access grant stores the data that your end users must access. When your end users sign in to your Transfer Family web app, S3 Access Grants passes a user's identity to the trusted application. This section describes how to add and configure an Amazon S3 access grant instance and then an access grant for an Amazon S3 bucket.

**Note**  
Have your [IAM Identity Center instance ARN](webapp-identity-center.md#identity-center-arn) and user or group ID ready, as you need them to complete setting up your access grant.

**To create a grant using Amazon S3 Access Grants**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Create a bucket, or note an existing bucket to use with your web app. For information on creating buckets, see the [Amazon S3 User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/).

1. From the left navigation pane, choose **Access Grants**.

1. Choose **Create S3 Access Grants instance** and provide the following information.
   + Select **Add IAM Identity Center instance in *your-Region*** where *your-Region* is your AWS Region. Keep this box cleared if you are not using IAM Identity Center as your identity provider.
   + Paste in your IAM Identity Center instance ARN.  
![\[Screen showing the Amazon S3 Create Access Grants instance dialog with example values.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-grants-instance.png)

   Choose **Next** to continue.

1. **Register S3 Buckets or prefixes as locations**. We recommend that you register the default location, `s3://`, and map it to an IAM role. The location at this default path covers access to all of your Amazon S3 buckets in the AWS Region of your account. When you create an access grant, you can narrow the scope to a bucket, a prefix, or an object within the default location.

   Provide the following information. 
   + For the **Scope**, browse for a bucket or enter the name of your bucket, and optionally a prefix.
   + For the IAM role, choose **Create new role** to have the service create a role.

     Alternatively, you can create the role yourself, as described in [Configure IAM roles for Transfer Family web apps](webapp-roles.md), and then enter its ARN here.   
![\[Screen showing the Amazon S3 Register S3 Buckets or prefixes as locations dialog with default Scope and Create new role settings.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-grants-register-new.png)

   Choose **Next** to continue.

1. In the **Create Grant** screen, provide the following details.
   + For **Permissions**, select **Read** and **Write**. The access grant permissions can be either read-only or read & write, but write-only is not supported.
   + For **Grantee type**, choose **Directory identity from IAM Identity Center**.
   + For **Directory identity type**, select **User** or **Group**, depending on which type you want to register now.
   + In **IAM Identity Center user/group ID**, paste in the ID for your user or group. This ID is available in the **IAM Identity Center** console and in your Transfer Family web app in your users and groups table.  
![\[Screen showing the Amazon S3 Create Grant dialog with example values.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-access-grant-details.png)

   Choose **Next**.

1. Review the settings on the screen. If everything is correct, choose **Finish** to create the access grant. Alternatively, you can choose **Cancel** or **Previous** to make changes.  
![\[Screen showing the Review and finish dialog with example values.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-access-grants-review.png)

![\[Screen showing the new access grant in a list view.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-access-grants-finished.png)


This completes the setup for your web app. The users and groups that you've configured can visit the web app at the access point, log in, and upload and download files.

# Update your access endpoint with a custom URL
<a name="webapp-customize"></a>

The default access endpoint that is created with your web app contains service-generated identifiers. To provide a branded experience, you may want to provide a custom URL for your users to access your Transfer Family web app. This topic describes how to update your access endpoint with a custom URL.

**Note**  
The access endpoint cannot be customized for VPC endpoints. To add a custom URL, use the public endpoint.

**Note**  
The following procedure relies on you using the recommended [CloudFormation stack template](https://s3.amazonaws.com/aws-transfer-resources/custom-domain-templates/aws-transfer-web-app-custom-domain-distribution.template.yml). You don't need to use the template: you can create the distribution by using the [CloudFront console](https://console.aws.amazon.com/cloudfront/v4/home) directly.  
However, the provided template simplifies the process, and makes it easier to avoid misconfiguration. If you don't use the CloudFormation template, make sure to follow these guidelines:  
The [Origin request policy](https://docs.aws.amazon.com//AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policy-cors-custom) should forward query strings and cookies to the origin, and should not forward the `Host` header to the origin.
The [Cache policy](https://docs.aws.amazon.com//AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html#managed-cache-policy-origin-cache-headers) should not include the `Host` header in the cache key.

**To customize your web app URL**

1. Create a CloudFront distribution by using the Transfer Family supplied AWS CloudFormation template, [CloudFormation stack template](https://s3.amazonaws.com/aws-transfer-resources/custom-domain-templates/aws-transfer-web-app-custom-domain-distribution.template.yml).

   1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

   1. Choose **Create stack** and specify the following.
      + In the **Prerequisite - Prepare template** section, choose **Choose an existing template**.
      + In the **Specify template** section, choose **Upload a template file**.
      + Save the [CloudFormation stack template]( https://s3.amazonaws.com/aws-transfer-resources/custom-domain-templates/aws-transfer-web-app-custom-domain-distribution.template.yml) file, and then upload it here.

   1. Choose **Next** and provide the following information.
      + **WebAppEndpoint**: copy the value from your web app
      + **AccessEndpoint**: provide the custom domain name that you want to use
      + **AcmCertificateArn**: provide the ARN for a public or private SSL/TLS certificate that is stored in AWS Certificate Manager 

   1. Complete the CloudFormation wizard until your new stack is created.

1. In your web app, edit the **Access endpoint**, updating the **Custom URL** to the URL that you want to use.  
![\[Screen showing a custom access endpoint for a Transfer Family web app.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-custom-name.png)

1. Create DNS records to route traffic for your custom domain name to the CloudFront distribution. If you're using Route 53 for the zone, you can create an Alias or CNAME record to the CloudFront distribution name (for example, **xxxx.cloudfront.net**). For information about using Amazon Route 53 with CloudFront, see [Configuring Amazon Route 53 to route traffic to a CloudFront distribution](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-cloudfront-distribution.html#routing-to-cloudfront-distribution-config).

1. Update your cross-origin resource sharing policy by replacing the default access endpoint with the following line in the `AllowedOrigins` code block:

   ```
    "https://custom-url"
   ```

   You need to make this change for each bucket used by your web app.

   After you make your update, the `AllowedOrigins` section of your CORS policy should look like the following:

   ```
   "AllowedOrigins": [
       "https://custom-url"],
   ```

   You need only a single AllowedOrigins entry for each Transfer Family web app.

   See the [Set up Cross-origin resource sharing (CORS) for your Amazon S3 bucket](access-grant-cors.md#cors-configure) procedure for more details.

You can now visit your custom access endpoint, and share this link with your end users.

# CloudTrail logging for Transfer Family web apps
<a name="webapp-cloudtrail"></a>

CloudTrail is an AWS service that creates a record of actions taken within your AWS account. It continuously monitors and records API operations for activities like console sign-ins, AWS Command Line Interface commands, and SDK/API operations. This allows you to keep a log of who took what action, when, and from where. CloudTrail helps with auditing, access management, and regulatory compliance by providing a history of all activity in your AWS environment.

For Transfer Family web apps, you can track both authentication events and data access operations performed by your users. To enable comprehensive logging, you need to:

1. Configure CloudTrail to log management events for tracking authentication activities.

1. Enable Amazon S3 data events to track file operations performed through your web app.

**See also**
+ [CloudTrail use cases for IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-cloudtrail-use-cases.html)
+ [Understanding IAM Identity Center sign-in events](https://docs.aws.amazon.com/singlesignon/latest/userguide/understanding-sign-in-events.html)
+ [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html)
+ [Enabling CloudTrail event logging for S3 buckets and objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html)
+ [Amazon S3 CloudTrail events](https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html)

## Enabling Amazon S3 data events
<a name="webapp-enable-s3-data-events"></a>

To track file operations performed through Transfer Family web apps on your Amazon S3 buckets, you need to enable data events for those buckets. Data events provide object-level API activity and are particularly useful for tracking file uploads, downloads, and other operations performed by web app users.

To enable Amazon S3 data events for your Transfer Family web app:

1. Open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, choose **Trails**, and then select an existing trail or create a new one.

1. Under **Advanced event selectors**, choose **Edit**.

1. Choose **Add advanced event selector**.

1. For the first field selector:
   + Set **Field** to `eventCategory`
   + Set **Operator** to **Equals**
   + Set **Value** to `Data`

1. Choose **Add field** and for the second field selector:
   + Set **Field** to `resources.type`
   + Set **Operator** to **Equals**
   + Set **Value** to `AWS::S3::Object`

1. (Optional) To log events for specific buckets only, choose **Add field** and add:
   + Set **Field** to `resources.ARN`
   + Set **Operator** to **Starts with**
   + Set **Value** to `arn:aws:s3:::your-bucket-name/`

1. Choose **Save changes**.

Alternatively, you can use the legacy data events configuration:

1. Under **Data events**, choose **Edit**.

1. For **Data event type**, select **S3 bucket and object events**.

1. Choose the Amazon S3 buckets to log data events for. You can select **All current and future S3 buckets** or specify individual buckets.

1. Choose whether to log **Read** events, **Write** events, or both.

1. Choose **Save changes**.

After enabling data events, you can access these logs in the Amazon S3 bucket configured for CloudTrail. The logs include details such as the user who performed the action, the action timestamp, the specific object affected, and the `onBehalfOf` field that helps trace the `userId` for actions performed through Transfer Family web apps.

### Finding and viewing your logs
<a name="webapp-find-view-logs"></a>

There are several ways to find and view CloudTrail logs for your Transfer Family web app:

#### Using the CloudTrail console
<a name="webapp-find-logs-console"></a>

The fastest way to view recent events:

1. Open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. Choose **Event history**.

1. Filter events by:
   + **Event source**: `signin.amazonaws.com` for web app events
   + **Event source**: `s3.amazonaws.com` for file operations

1. Click any event to view detailed information.

#### Accessing logs in Amazon S3
<a name="webapp-find-logs-s3"></a>

To access the complete log files stored in Amazon S3:

1. Identify your CloudTrail trail's Amazon S3 bucket:

   ```
   aws cloudtrail describe-trails --query 'trailList[*].[Name,S3BucketName]' --output table
   ```

1. Navigate to the log files in Amazon S3:

   ```
   aws s3 ls s3://your-cloudtrail-bucket/AWSLogs/account-id/CloudTrail/region/YYYY/MM/DD/
   ```

1. Download and search log files for your web app ID:

   ```
   aws s3 cp s3://your-cloudtrail-bucket/AWSLogs/account-id/CloudTrail/region/YYYY/MM/DD/ . --recursive
   gunzip *.json.gz
   grep -l "webapp-1a2b3c4d5e6f7g8h9" *.json
   ```

#### Using AWS CLI to search events
<a name="webapp-find-logs-cli"></a>

Search for specific web app events using the AWS CLI:

```
aws logs filter-log-events \
  --log-group-name /aws/cloudtrail/your-trail-name \
  --filter-pattern "webapp-1a2b3c4d5e6f7g8h9" \
  --start-time $(date -d "1 day ago" +%s)000
```

Or search for authentication events:

```
aws logs filter-log-events \
  --log-group-name /aws/cloudtrail/your-trail-name \
  --filter-pattern "UserAuthentication" \
  --start-time $(date -d "1 day ago" +%s)000
```

## Authentication log examples
<a name="webapp-authentication-log-examples"></a>

CloudTrail logs authentication events for Transfer Family web apps, which can help you track successful and failed sign-in attempts. These logs are particularly useful for security monitoring and compliance purposes.

**Topics**
+ [Example log entry for credential verification](#webapp-credential-verification-example)
+ [Example log entry for sign-in authentication](#webapp-signin-authentication-example)
+ [Example log entry for ListCallerAccessGrants](#webapp-list-caller-access-grants-example)
+ [Example log entry for GetDataAccess event](#webapp-get-data-access-example)

### Example log entry for credential verification
<a name="webapp-credential-verification-example"></a>

The following example shows a CloudTrail log entry for a credential verification event that occurs during the authentication process.

```
{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "123456789012",
        "arn": "",
        "accountId": "123456789012",
        "accessKeyId": "",
        "userName": "demo-user-2",
        "onBehalfOf": {
            "userId": "f12bb510-a011-702f-10dd-5607e2776dbc",
            "identityStoreArn": "arn:aws:identitystore::123456789012:identitystore/d-9a670c546e"
        },
        "credentialId": "58138a11-87e5-401d-8f0b-7161c9389112"
    },
    "eventTime": "2025-08-08T15:29:30Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "CredentialVerification",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "192.0.2.224",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "AuthWorkflowID": "f304a48b-7b6d-41c8-b136-4f49c91c1f31",
        "CredentialType": "PASSWORD"
    },
    "requestID": "ff936828-4a81-453c-802d-81368b6bca1a",
    "eventID": "70cb7008-493d-42c2-a9eb-38bf168af6a8",
    "readOnly": false,
    "eventType": "AWSServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "serviceEventDetails": {
        "CredentialVerification": "Success"
    },
    "eventCategory": "Management"
}
```

This event provides additional detail about the credential verification step in the authentication process, showing the specific credential ID and authentication workflow ID used.

### Example log entry for sign-in authentication
<a name="webapp-signin-authentication-example"></a>

The following example shows a CloudTrail log entry for a successful user authentication event during web app sign-in using IAM Identity Center.

```
{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "Unknown",
        "principalId": "123456789012",
        "arn": "",
        "accountId": "123456789012",
        "accessKeyId": "",
        "userName": "demo-user-2",
        "onBehalfOf": {
            "userId": "f12bb510-a011-702f-10dd-5607e2776dbc",
            "identityStoreArn": "arn:aws:identitystore::123456789012:identitystore/d-9a670c546e"
        },
        "credentialId": "b41f0a02-1635-4d07-a414-aecf9e14b906"
    },
    "eventTime": "2025-08-07T14:09:07Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "UserAuthentication",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "192.0.2.14",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "AuthWorkflowID": "7a4ef12c-7c4b-4bc3-b5bd-c2469afcc795",
        "LoginTo": "https://example.awsapps.com/start/",
        "CredentialType": "PASSWORD"
    },
    "requestID": "fc91bcf0-ac53-4454-a1a0-fb911eacc095",
    "eventID": "18522007-1e60-4a71-b2b5-150baf504ab3",
    "readOnly": false,
    "eventType": "AWSServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "serviceEventDetails": {
        "UserAuthentication": "Success"
    },
    "eventCategory": "Management"
}
```

In this example, note the following important fields:
+ `eventSource`: Shows "signin.amazonaws.com", indicating this is an IAM Identity Center authentication event.
+ `userIdentity.onBehalfOf`: Contains the user ID and identity store ARN for the web app user.
+ `additionalEventData.LoginTo`: Shows the IAM Identity Center application URL being accessed.
+ `additionalEventData.CredentialType`: Indicates the authentication method used (PASSWORD).
+ `serviceEventDetails`: Shows the authentication result (Success).

### Example log entry for ListCallerAccessGrants
<a name="webapp-list-caller-access-grants-example"></a>

The following example shows a CloudTrail log entry for a ListCallerAccessGrants event, which occurs when Transfer Family web app queries available access grants for a user.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLEID:aws-transfer",
        "arn": "arn:aws:sts::123456789012:assumed-role/AWSTransferWebAppIdentityBearer-us-east-2/aws-transfer",
        "accountId": "123456789012",
        "accessKeyId": "ASIAEXAMPLEKEY",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAEXAMPLEID",
                "arn": "arn:aws:iam::123456789012:role/service-role/AWSTransferWebAppIdentityBearer-us-east-2",
                "accountId": "123456789012",
                "userName": "AWSTransferWebAppIdentityBearer-us-east-2"
            },
            "attributes": {
                "creationDate": "2025-08-08T15:29:34Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "transfer.amazonaws.com",
        "onBehalfOf": {
            "userId": "f12bb510-a011-702f-10dd-5607e2776dbc",
            "identityStoreArn": "arn:aws:identitystore::123456789012:identitystore/d-9a670c546e"
        }
    },
    "eventTime": "2025-08-08T15:29:35Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "ListCallerAccessGrants",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "transfer.amazonaws.com",
    "userAgent": "transfer.amazonaws.com",
    "requestParameters": {
        "Host": "123456789012.s3-control.dualstack.us-east-2.amazonaws.com",
        "allowedByApplication": "true",
        "maxResults": "100"
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "TLS_AES_128_GCM_SHA256",
        "bytesTransferredIn": 0,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "1g34AaAELn/fntxwrifVsr41VDl8dp5ygWFasHJFNVq5FDCWYfX0ye7s4tWHEJC8ppI5lLePYLIcw3iTXAgn5Q==",
        "bytesTransferredOut": 462
    },
    "requestID": "48485MTZEDWT0ANT",
    "eventID": "3de5dd60-b7cf-474c-a1ab-631467c1a5c3",
    "readOnly": true,
    "resources": [
        {
            "accountId": "123456789012",
            "type": "AWS:S3::AccessGrantsInstance",
            "ARN": "arn:aws:s3:us-east-2:123456789012:access-grants/default"
        }
    ],
    "eventType": "AWSApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management"
}
```

In this example, note the following important fields:
+ `eventName`: Shows this is a ListCallerAccessGrants event, which queries available S3 access grants.
+ `requestParameters.allowedByApplication`: Indicates the query is filtered to grants allowed by the application.
+ `requestParameters.maxResults`: Shows the maximum number of grants to return in the response.
+ `userIdentity.onBehalfOf`: Links the request to the specific web app user.

This event helps track when Transfer Family web app queries what S3 resources a user has access to, providing visibility into access grant discovery operations.

### Example log entry for GetDataAccess event
<a name="webapp-get-data-access-example"></a>

The following example shows a CloudTrail log entry for a GetDataAccess event, which occurs when Transfer Family web app requests access permissions for S3 resources on behalf of a user.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROASEQRAEABP7ADWEZA5:aws-transfer",
        "arn": "arn:aws:sts::123456789012:assumed-role/AWSTransferWebAppIdentityBearer-ap-southeast-1/aws-transfer",
        "accountId": "123456789012",
        "accessKeyId": "ASIAEXAMPLEKEY",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROASEQRAEABP7ADWEZA5",
                "arn": "arn:aws:iam::123456789012:role/service-role/AWSTransferWebAppIdentityBearer-ap-southeast-1",
                "accountId": "123456789012",
                "userName": "AWSTransferWebAppIdentityBearer-ap-southeast-1"
            },
            "attributes": {
                "creationDate": "2025-05-08T16:09:05Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "transfer.amazonaws.com",
        "onBehalfOf": {
            "identityStoreArn": "arn:aws:identitystore::123456789012:identitystore/d-9667b0da7a",
            "userId": "191a35ec-10a1-70c1-e4ab-e2802411e13e"
        }
    },
    "eventTime": "2025-05-08T16:10:25Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "GetDataAccess",
    "awsRegion": "ap-southeast-1",
    "sourceIPAddress": "transfer.amazonaws.com",
    "userAgent": "transfer.amazonaws.com",
    "requestParameters": {
        "Host": "123456789012.s3-control.dualstack.ap-southeast-1.amazonaws.com",
        "durationSeconds": 900,
        "permission": "READWRITE",
        "target": "s3://amzn-s3-demo-bucket/users/john.doe/documents/*"
    },
    "responseElements": null,
    "additionalEventData": {
        "AuthenticationMethod": "AuthHeader",
        "CipherSuite": "TLS_AES_128_GCM_SHA256",
        "SignatureVersion": "SigV4",
        "bytesTransferredIn": 0,
        "bytesTransferredOut": 2244,
        "x-amz-id-2": "8ce8sZOgNwsaj9w1mzagyA+csONjYl8FgEw4FGpE8DARi90aNC0RFWlTYNEn7ChqE9RCJrTzMvS+ru7Vz2xXHrkQt/1uQ9exZTZdlhX+/fM="
    },
    "requestID": "BXGSKKQXCWS5RAHB",
    "eventID": "c11db1d1-dfb8-431e-8625-48eba2ebadfe",
    "readOnly": true,
    "resources": [
        {
            "type": "AWS:S3::AccessGrantsInstance",
            "ARN": "arn:aws:s3:ap-southeast-1:123456789012:access-grants/default",
            "accountId": "123456789012"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management"
}
```

In this example, note the following important fields:
+ `eventName`: Shows this is a GetDataAccess event, which occurs when Transfer Family requests access permissions for S3 resources.
+ `userIdentity.onBehalfOf`: Contains the identity store ARN and user ID, linking the access request to the specific web app user.
+ `requestParameters.target`: Shows the S3 path pattern for which access was requested.
+ `requestParameters.permission`: Indicates the type of access requested (READWRITE, READ, or WRITE).
+ `requestParameters.durationSeconds`: Shows how long the access grant is valid (typically 900 seconds/15 minutes).
+ `sourceIPAddress` and `userAgent`: Both show "transfer.amazonaws.com", indicating this is an internal service request.

GetDataAccess events are particularly useful for tracking when Transfer Family web app users are granted access to specific S3 resources, helping you monitor access patterns and ensure proper authorization.

## Viewing CloudTrail log entries
<a name="webapp-view-log-entries"></a>

There are several ways to view and analyze CloudTrail log entries for your Transfer Family web app:

### Using the CloudTrail console
<a name="webapp-view-logs-console"></a>

The CloudTrail console provides a user-friendly interface for viewing and filtering log entries:

1. Open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, choose **Event history**.

1. Use the filter options to narrow down the events:
   + Set **Event source** to `transfer.amazonaws.com` to view only Transfer Family events.
   + Filter by **Event name** to see specific operations like `UserAuthentication`.
   + Use **Time range** to focus on events within a specific period.

1. Click on any event to view its detailed information.

### Accessing logs in Amazon S3
<a name="webapp-view-logs-s3"></a>

If you've configured a CloudTrail trail to deliver logs to an Amazon S3 bucket, you can access the raw log files directly:

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Navigate to the bucket and prefix where your CloudTrail logs are stored.

1. The logs are organized by year, month, day, and region. Navigate to the appropriate directory.

1. Download and open the log files, which are in JSON format.

# Troubleshooting your web apps
<a name="webapp-troubleshooting"></a>

**Note**  
These troubleshooting tips are meant for the web app administrator rather than the end user. For end users, if you encounter any problems, contact your web app administrator. All instances of *you* in the following paragraphs refer to the web app admin.

## Troubleshoot network errors
<a name="webapp-network-error"></a>

**Description**

Your end user sees a network banner **Network Error** upon loading the web app endpoint.

**Cause**

The most common issues are as follows:
+ The admin did not assign the user that is attempting to log on to the new application.
+ The admin did not add the necessary actions to your IAM roles.
+ You see a list of S3 Access Grants assigned to your user, but CORS is not configured correctly for your Amazon S3 bucket or buckets.

 **Solution** 
+  In IAM Identity Center, make sure to assign the user to the correct application. Or, if you have a group assigned, make sure that the user attempting to log in belongs to the correct group. This is described in [Assign or add users or groups to a Transfer Family web app](webapp-add-users.md).
+ Check whether your roles contain the necessary actions in the **Custom trust policy** for both `sts:AssumeRole` and `sts:SetContext` actions. This is described in [Configure IAM roles for Transfer Family web apps](webapp-roles.md).
+ Check the CORS policy for all of the buckets used by your web app. This is described in [Set up Cross-origin resource sharing (CORS) for your Amazon S3 bucket](access-grant-cors.md#cors-configure).

## Troubleshoot configured bucket not appearing
<a name="webapp-no-bucket"></a>

**Description**

Everything appears to be configured correctly, but the Amazon S3 bucket doesn't appear in the web app.

**Cause**

One possible cause is that the Amazon S3 bucket is not in the same account as the web app.

 **Solution** 

Ensure that the Amazon S3 bucket is in the same account as the web app. Cross-account buckets are not currently supported.

## Troubleshoot custom URL errors
<a name="webapp-customURL-errors"></a>

**Description**

When your end user signs into the web app, they receive the error message **Authorization failed: missing authorization code.**

**Cause**

If you used CloudFront directly, rather than the supplied CloudFormation template, you have likely misconfigured the origin request policy to not forward query strings.

**Solution**

Update your origin request policy to forward query strings and cookies to the origin.

**Description**

When your end user attempts to access a Transfer Family web app, they receive a 404 response.

**Cause**

If you used CloudFront directly, rather than the supplied CloudFormation template, you have likely misconfigured the cache policy to include the `Host` header in the cache key or misconfigured the origin request policy to forward the `Host` header.

**Solution**
+ Make sure that your cache policy does not include the `Host` header in the cache key
+ Make sure that your origin request policy does not forward the `Host` header.

## Troubleshoot miscellaneous errors
<a name="webapp-various-errors"></a>

**Description**

Your end user cannot log in, or cannot view any buckets or files, or you receive another error.

**Cause**

One possible cause is that the IAM Identity Center instance ARN doesn't match the value for your grants ARN or your web app IAM Identity Center instance ARN.

 **Solution** 

Check the following items to see if they match.
+  In IAM Identity Center, navigate to **Settings** and view the **Instance ARN**.

  ```
  arn:aws:sso:::instance/ssoins-instance-identifier
  ```
+ In Amazon S3, navigate to **Access Grants** and view your **IAM Identity Center instance ARN**.

  ```
  arn:aws:sso::account-id:application/ssoins-instance-identifier/apl-1234567890abcdef0
  ```
+ In Transfer Family, navigate to your web app details page and view its Instance ARN.

  ```
  arn:aws:sso:::instance/ssoins-instance-identifier
  ```

The *instance-identifier* value must be the same in all three of these places.

## Duplicate S3 buckets appearing in web app
<a name="webapp-duplicate-buckets"></a>

**Description**

Users see the same S3 bucket listed multiple times in the Transfer Family web app interface.

**Cause**

This occurs when a user is part of multiple Active Directory groups that have duplicate grants to the same S3 bucket. The web app lists all top-level grants associated with the user (UID or GID) regardless of whether the user has multiple grants assigned to the same bucket location.

**Solution**

To resolve this issue, administrators should de-duplicate the grants so that each user has only one grant to each S3 location. Review your S3 Access Grants configuration and consolidate duplicate grants for the same bucket across different Active Directory groups.

# End user instructions for Transfer Family web apps
<a name="webapp-end-users"></a>

**Note**  
In this topic, the information is meant for the end users that are interacting with the web app. All instances of *you* in this topic refer to end users.

This topic describes how to access an AWS Transfer Family web app that you are authorized to use, and describes how you can interact with it.

## Web app quotas
<a name="end-user-quotas"></a>

Note the following limitations when using web apps.
+ Maximum number of search results per query: 10,000
+ The Amazon S3 buckets that are used by the Transfer Family web app must be in the same account as the web app itself. Cross-account buckets are not currently supported.
+ Maximum search breadth per query: 10,000 searched files
+ Maximum upload size per file: 160 GB (149 GiB)
+ Maximum size file for copying: 5.36 GB (5 GiB)
+ Folder names starting or ending with dots (.) are not supported

## User experience for IAM Identity Center users
<a name="end-user-identity-center"></a>

This section describes the user experience if your organization used IAM Identity Center to configure its users.

**To access a Transfer Family web app**

1. You should receive an email from **no-reply@login.awsapps.com** titled “Invitation to join AWS IAM Identity Center.” Accept the invitation to activate your user account.

1. In the message, choose the URL below **Your AWS access portal URL**.

   This takes you to the AWS sign in screen.  
![\[Screen showing the AWS sign-in screen.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-enduser-signin.png)

1. Enter your credentials and choose **Sign in**.

   This takes you to the AWS access portal, which shows a list of your available applications.

1. Choose the application for your Transfer Family web app.

## User experience for third-party identity provider users
<a name="end-user-3p"></a>

If your organization did not use AWS IAM Identity Center to configure its users, your onboarding experience will depend upon the identity provider application that they used to configure their end users. After you authenticate and sign in, your web app interface is the same as that described in the next section.

**Note**  
If a user belongs to multiple Active Directory groups that have grants to the same Amazon S3 bucket, the bucket appears multiple times in the web app interface. This occurs because the web app lists all top-level grants associated with the user's UID or GID, including duplicate grants to the same bucket. To prevent duplicate listings, administrators can consolidate multiple grants so that each user has only one grant per Amazon S3 location.

## Transfer Family end user interface
<a name="end-user-interface"></a>

After you have authenticated and signed in, you can interact with the web app.

There are four main views.
+ **Home page:** Your home page lists the S3 locations, which you can access, as well as the permissions for each. An S3 *location* is an S3 bucket or prefix, which you can define when using S3 Access Grants. This is the initial view for users that shows the root level S3 resources that your end users have access to and the permissions for each S3 location.  
![\[Screen showing the home location for a web app end user.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-enduser-home.png)
+ **Location details:** This view allows users to browse files and folders in S3, and upload or download files.
+ **Location action:** After you choose an action (such as **Upload**), it opens up another view of the file location.
+ **Vertical ellipsis:** The vertical ellipsis icon opens the **Actions** menu.

## Available actions
<a name="end-user-actions"></a>

Most of the actions are available from the **Actions** menu. For the other main action, downloading files, you use the download icon after you select a file (currently, you can only download one file at a time).

![\[Screen showing files and their corresponding download icons.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-enduser-download.png)


From a folder, use the **Actions** menu to perform any of the following tasks:
+ Copy one or more files to another location.
+ Create a folder.
+ Delete one or more files.
+ Upload one or more files.
+ Upload an entire folder (including subfolders if any).
+ Select a folder and navigate to it. You can then perform any of the previously listed actions.
+ Sort by page.
+ Filter by file or folder name per folder and subfolders.

![\[Screen showing an example folder for a web app end user.\]](http://docs.aws.amazon.com/transfer/latest/userguide/images/webapp-enduser-actions.png)