How to manage AWS Transfer Server host keys with CloudFormation

30 Dec, 2022

The AWS Transfer Server provides SFTP as a service. If you want to migrate from an existing SFTP server, you can add your own host keys, so that existing clients keep trusting the server identity they already know. Unfortunately, host keys are not supported by CloudFormation. This custom provider adds host keys and allows you to define the set of active keys of the server.

Add transfer server host key

To add a Transfer Server host key in your AWS CloudFormation template, use the following syntax:

    Type: Custom::TransferServerHostKey
    Properties:
      ServerId: !GetAtt Server.ServerId
      HostKeyParameterName: !GetAtt HostKey.ParameterName
      Description: Generated by CloudFormation
      Version: !GetAtt HostKey.Hash
      ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-transfer-server-host-key-provider'

This reads the private key from the Parameter Store parameter named by HostKeyParameterName (here /private-keys/sftp-server) and adds it as a host key to the specified server. See Custom::TransferServerHostKey for details. You can generate a host key using the Custom::RSAKey. Alternatively, you can encrypt an existing key and add it to the parameter store using the Custom::Secret with EncryptedContent.

Define active transfer server host key set

When you add new host keys to a transfer server, they are not automatically active. If multiple keys are present, the Transfer Server uses the oldest key available. You need to activate the new key explicitly by deleting the old key of the same type.

To define the set of active host keys, use the Custom::TransferServerActiveHostKeys as follows:

    Type: Custom::TransferServerActiveHostKeys
    Properties:
      ServerId: !GetAtt Server.ServerId
      Fingerprints:
        - !GetAtt TransferServerHostKey.Fingerprint
      ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-transfer-server-host-key-provider'

This ensures the server's active host key set consists of the keys with the specified fingerprints. It deletes all other host keys associated with the server, so make sure that you specify the fingerprints of all the keys you want to keep.
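As an added example (not code from the original post or from the provider's repository), here is one template that wires the pieces described above together: an AWS::Transfer::Server, a Custom::RSAKey that generates the host key in Parameter Store, the Custom::TransferServerHostKey that installs it, and the Custom::TransferServerActiveHostKeys that makes it the only active key. Assumed, because the post does not show them: the secret provider's Lambda function name cfn-secret-provider and the Name property of Custom::RSAKey; the resource types, properties and attributes used in the post's own snippets are kept as they are.

```yaml
# Added example, not the provider's own template.
# Assumptions: the cfn-secret-provider Lambda is installed under the
# function name 'cfn-secret-provider', and Custom::RSAKey takes the SSM
# parameter path in a 'Name' property.
AWSTemplateFormatVersion: '2010-09-09'
Description: SFTP Transfer Server with a CloudFormation-managed host key

Resources:
  Server:
    Type: AWS::Transfer::Server
    Properties:
      Protocols: [SFTP]
      EndpointType: PUBLIC
      IdentityProviderType: SERVICE_MANAGED

  # Generates an RSA private key and stores it encrypted in Parameter Store.
  HostKey:
    Type: Custom::RSAKey
    Properties:
      Name: /private-keys/sftp-server
      ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-secret-provider'

  # Installs the key as a host key. Version is tied to the key's Hash, so a
  # rotated key in Parameter Store results in an updated host key resource.
  TransferServerHostKey:
    Type: Custom::TransferServerHostKey
    Properties:
      ServerId: !GetAtt Server.ServerId
      HostKeyParameterName: !GetAtt HostKey.ParameterName
      Description: Generated by CloudFormation
      Version: !GetAtt HostKey.Hash
      ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-transfer-server-host-key-provider'

  # Keeps only the listed fingerprints. The key the service generated when the
  # server was created is not listed, so it is deleted, which is what makes
  # the managed key the active one.
  ActiveHostKeys:
    Type: Custom::TransferServerActiveHostKeys
    Properties:
      ServerId: !GetAtt Server.ServerId
      Fingerprints:
        - !GetAtt TransferServerHostKey.Fingerprint
      ServiceToken: !Sub 'arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-transfer-server-host-key-provider'

Outputs:
  # The check commands later in the post read these two outputs.
  ServerId:
    Value: !GetAtt Server.ServerId
  Fingerprint:
    Value: !GetAtt TransferServerHostKey.Fingerprint
  Endpoint:
    Value: !Sub '${Server.ServerId}.server.transfer.${AWS::Region}.amazonaws.com'
```

Deploy it with `aws cloudformation deploy --capabilities CAPABILITY_IAM` after both providers are installed. Because ActiveHostKeys deletes every key that is not listed, add the fingerprint of any additional host key (for example a key of another type you keep for older clients) to the Fingerprints list before you deploy, and compare the Fingerprint output against what clients actually see with the ssh-keyscan check described further on.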


To install this custom resource provider, type:

    aws cloudformation create-stack \
        --capabilities CAPABILITY_IAM \
        --stack-name cfn-transfer-server-host-key-provider \
        --template-url s3://

or use


To install the simple demo of the Custom TransferServerHostKey and TransferServerActiveHostKeys, type:

    git clone
    cd cfn-transfer-server-host-key-provider
    aws cloudformation deploy \
        --capabilities CAPABILITY_NAMED_IAM \
        --stack-name cfn-transfer-server-host-key-provider-demo \
        --template-file cloudformation/demo.yaml \
        --parameter-overrides SecretProviderPresent=no

This assumes that the custom secret provider is not installed. To check the result, type:

    $ SERVER_ID=$(aws cloudformation describe-stacks \
                   --stack-name cfn-transfer-server-host-key-provider-demo \
                   --query 'Stacks[0].Outputs[?OutputKey==`ServerId`].OutputValue' \
                   --output text)

    $ SERVER_REGION=$(aws configure get region)
    $ SERVER_HOST=$SERVER_ID.server.transfer.$SERVER_REGION.amazonaws.com

    $ FINGERPRINT=$(aws cloudformation describe-stacks \
                    --stack-name cfn-transfer-server-host-key-provider-demo \
                    --query 'Stacks[0].Outputs[?OutputKey==`Fingerprint`].OutputValue' \
                    --output text)

    $ echo "expect: $FINGERPRINT"
    $ ssh-keyscan $SERVER_HOST 2>&1 | ssh-keygen -lf -


The fingerprint printed by ssh-keygen for the server's key should equal the expected value from the stack output. With these two custom resources, you can use AWS CloudFormation to manage the host keys of your AWS SFTP transfer servers.

Image by Gerd Altmann from Pixabay

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.
