By using AWS re:Post, you agree to the Terms of Use

Issue with receiving message for AWS Transfer Family AS2


When setting up the Transfer Family for AS2, I'm running into an error with receiving a message. After using this guide ( to create the certificates, I tried to set up the AS2 Transfer Family AS2 to receive messages. The VPC is created and the endpoint can be reached. However, when actually sending the message, a 400 error Bad Request is returned with no other information. On the console, there's no record of data going in or out. Is there a way to view more information?

Also, just to confirm, when the guide says to send public keys, that's the signing-cert.pem/encrypting-cert.pem, correct? I had that set up in the partner and there's no error but I just want to make sure that it's not an authentication issue.

By the way, using this guide (, when using the link format in Step 7, I'm not able to connect. The endpoint connection is actually The link is correct in the server configuration but the guide is incorrect.

1 Answer
Accepted Answer


A 400 error could be returned from the endpoint if a valid AS2 message is not received. It is possible that the AS2-From and AS2-To headers do not match the values for an agreement associated with the server. The AS2-From header should match the AS2 ID in the partner profile, whereas the AS2-To header should match the AS2 ID in the local profile. Could you confirm if this is not the case?

Also, do check that the agreement has an access role with permission to read and write from the S3 bucket and that the role’s trust policy allows the transfer service to assume the role as described here [1].

Further, if the server has a logging role configured, check whether the server's CloudWatch Logs contain any AS2 message logs. If the logs do not contain the reason for the failure, do raise a support case providing the AS2 Message ID and VPC Endpoint ID so that the Support team can check for the exact reason why the message is not being accepted by the endpoint.

Also, to your question, as you correctly pointed out, signing-cert.pem and encryption-cert.pem from the example are both the public certificates which are shared with the trading partner. signing-key.pem and encryption-key.pem should not be shared with the trading partner.



-- Sagar

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions