Antivirus for Managed File Transfers on AWS

Partner Solution Deployment Guide

QS

July 2023
David Dreyer, Aaron Gettings, and Sarah Heiermann-Walker, Cloud Storage Security
Russ Boyer, AWS Transfer Family team

Refer to the GitHub repository to view source files, report bugs, submit feature ideas, and post feedback about this Partner Solution. To comment on the documentation, refer to Feedback.

This Partner Solution was created by Cloud Storage Security in collaboration with Amazon Web Services (AWS). Partner Solutions are automated reference deployments that help people deploy popular technologies on AWS according to AWS best practices. If you’re unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Overview

This guide provides instructions for deploying Antivirus for Managed File Transfers in the AWS Cloud. If you are unfamiliar with AWS Partner Solutions, refer to the AWS Partner Solution General Information Guide.

Costs and licenses

The Partner Solution requires a subscription to Antivirus for Managed File Transfers - PAYG with 30 DAY FREE TRIAL on AWS Marketplace. Antivirus for Managed File Transfers is offered on a pay-as-you-go model, with pricing based on the amount of data scanned.

Contact Cloud Storage Security to discuss personalized pricing options, including prepaid discounts and private offers.

In addition to Cloud Storage Security costs incurred by scanning data, you will be billed for any AWS resources the solution deploys. For more information, refer to the AWS Partner Solution General Information Guide.

Architecture

Deploying this Partner Solution with default parameters builds the following Antivirus for Managed File Transfers environment in the AWS Cloud.

Architecture
Figure 1. Partner Solution architecture for Antivirus for Managed File Transfers on AWS

As shown in Figure 1, this Partner Solution sets up the following:

  • AWS Fargate to run an Amazon Elastic Cluster Service (Amazon ECS) cluster with the Fargate launch type.

  • An Amazon ECS cluster containing the following tasks:

    • A Cloud Storage Security web application console service.

    • A highly scalable event agent service to process newly created objects.

    • Highly scalable tasks to run scheduled and on-demand scans.

    • A highly scalable API agent endpoint service for API-driven scans.

  • (Optional) AWS Transfer Family for a file transfer service to Amazon Simple Storage Service (Amazon S3).

  • (Optional) An Amazon Simple Storage Service (Amazon S3) bucket for transferred files.

  • Amazon Simple Notification Service to capture and post create-object events to an Amazon Simple Queue Service (Amazon SQS) event queue.

  • An SQS event queue to manage scanning processes.

  • Amazon Cognito for a user pool to provision and manage Cloud Storage Security web application users.

  • Amazon DynamoDB for a database to store scan and deployment data.

  • Amazon CloudWatch to capture and log event details.

Deployment options

This Partner Solution provides a single deployment option to provision Antivirus for Managed File Transfers into an existing VPC. The deployment uses a AWS CloudFormation template that contains configuration parameters that you can customize.

Predeployment steps

You must configure the following before deployment:

  • A VPC with two subnets. Ensure that the subnets allow outbound internet traffic. You must select a VPC and two subnets during deployment.

  • A console security group CIDR block. You must select a CIDR block during deployment.

  • An administrator email account to receive Cloud Storage Security login credentials. You must enter an administrator email address during deployment.

Subscribe to Antivirus for Managed File Transfers

  1. Sign in to your AWS account.

  2. Navigate to Antivirus for Managed File Transfers - PAYG with 30 DAY FREE TRIAL on AWS Marketplace.

  3. Choose Continue to Subscribe.

  4. Review the pricing information and choose Accept Terms.

  5. Choose Continue to Configuration.

  6. On the Configure this software page, for Software version, choose the most recent version.

  7. Choose Continue to Launch.

  8. On the Launch this software page, under Deployment template, choose Click to Launch Antivirus for Managed File Transfers Deployment.

  9. The AWS CloudFormation console opens with a prepopulated template. Continue with the instructions in the next section, Deployment steps.

Deployment steps

  1. Choose the correct AWS Region, and then choose Next.

  2. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  3. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. When you finish reviewing and customizing the parameters, choose Next.

    Unless you’re customizing the Partner Solution templates or are instructed otherwise in this guide’s Predeployment section, don’t change the default settings for the following parameters: QSS3BucketName, QSS3BucketRegion, and QSS3KeyPrefix. Changing the values of these parameters will modify code references that point to the Amazon Simple Storage Service (Amazon S3) bucket name and key prefix. For more information, refer to the AWS Partner Solutions Contributor’s Guide.

  4. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you finish, choose Next.

  5. On the Review page, review and confirm the template settings. Under Capabilities, select all of the check boxes to acknowledge that the template creates AWS Identity and Access Management (IAM) resources that might require the ability to automatically expand macros.

  6. Choose Create stack. The stack takes about 10-15 minutes to deploy.

  7. Monitor the stack’s status, and when the status is CREATE_COMPLETE, the Antivirus for Managed File Transfers deployment is ready.

  8. To view the created resources, choose the Outputs tab.

Postdeployment steps

Antivirus for Managed File Transfers console

After deployment, check the administrator email account for a message from Antivirus for Amazon S3—Console Account Information. It contains a link to the Antivirus for Managed File Transfers console and temporary login credentials.

Choose the link to the Antivirus for Managed File Transfers console in the email message and log in using the temporary credentials. After logging in, change your password as prompted and make changes to your console configuration as necessary.

For more information on getting started with Antivirus for Managed File Transfers, refer to How to Configure.

Transfer Family server

If you selected to deploy a Transfer Family server during deployment, sign in to the AWS Management Console and open the AWS Transfer Family console. Review the default settings for the server deployed by the solution. Note the following:

  • The server uses SFTP (Secure Shell File Transfer Protocol).

  • The server has a public endpoint.

  • The deployment creates a Lambda function to validate authentication for secure file transfers.

  • The solution uploads files directly to S3 directly and invokes an event-based scan by Antivirus for Managed File Transfers.

  • To connect to the server, use the same username and password configured in the Antivirus for Managed File Transfers console.

Troubleshooting

For troubleshooting common Partner Solution issues, refer to the AWS Partner Solution General Information Guide and Troubleshooting CloudFormation.

For troubleshooting Antivirus for Managed File Transfers, refer to Cloud Storage Security Help Docs.

Customer responsibility

After you deploy a Partner Solution, confirm that your resources and services are updated and configured—including any required patches—to meet your security and other needs. For more information, refer to the Shared Responsibility Model.

Feedback

To submit feature ideas and report bugs, use the Issues section of the GitHub repository for this Partner Solution. To submit code, refer to the Partner Solution Contributor’s Guide. To submit feedback on this deployment guide, use the following GitHub links:

Notices

This document is provided for informational purposes only. It represents current AWS product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at https://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "as is" basis, without warranties or conditions of any kind, either expressed or implied. Refer to the License for specific language governing permissions and limitations.