In today's digital landscape, securely exchanging files across networks is critical, especially when dealing with external partners or customers. Yet, enabling public uploads through SFTP servers can open the door to malware risks—either through deliberate attacks or innocent mistakes.

To address this challenge, Amazon Web Services (AWS) offers a seamless, serverless solution combining AWS Transfer Family and Amazon GuardDuty. This article outlines a robust method to scan incoming files for malware, ensuring your systems remain uncompromised without deploying or managing EC2 instances.


Solution Overview

The integrated solution leverages AWS Transfer Family for secure SFTP uploads and Amazon GuardDuty Malware Protection to automatically scan incoming files. This workflow requires no compute instances and takes full advantage of managed services. It’s scalable, cost-effective, and continually updated—making it an ideal option for modern businesses.

Key AWS Services Used

  • AWS Transfer Family – Provides secure SFTP endpoints.
  • Amazon GuardDuty – Continuously scans files for malware.
  • Amazon S3 – Serves as the central storage layer for file lifecycle management.
  • AWS Step Functions – Orchestrates the scanning and notification process.
  • Amazon EventBridge – Triggers events upon scan completion.
  • AWS Lambda – Executes scanning logic and conditional file movement.
  • Amazon SNS – Sends success or error notifications to users.

Step-by-Step Workflow

Here’s a simplified breakdown of how the solution works:

  1. SFTP Upload
    A user uploads a file to an AWS Transfer Family SFTP server.
  2. Triggering Managed Workflow
    Once the upload is complete, the file is moved to an S3 Unscanned bucket, and a Managed Workflow is triggered to initiate the process.
  3. File Processing via Step Functions
    A Lambda function kicks off an AWS Step Functions state machine, orchestrating the entire malware scanning flow.
  4. Malware Scan Begins
    Another Lambda function transfers the file to a Processing S3 bucket, which is protected by GuardDuty’s Malware Protection for S3 feature. This triggers an automatic scan.
  5. GuardDuty Results via EventBridge
    After the scan, Amazon EventBridge captures the result and invokes a Lambda function, passing along the malware scan data.
  6. Conditional File Movement
  • If clean, the file is moved to a Clean S3 bucket.
  • If infected, it goes into a Quarantine bucket, and the user is notified via the SNS Error Topic.
  • If the scan times out, a Cleanup Lambda is triggered to manage any stuck files.
  7. Partial Uploads Handling
    If the file wasn’t fully uploaded, AWS triggers a different error-handling workflow, invoking the Error Publisher Lambda, which alerts subscribers of the failed transfer.
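Steps 5 and 6 are where the security decision is made, so here is an added example of the Lambda that receives the GuardDuty scan result from EventBridge and moves the object to the Clean or Quarantine bucket. This is illustration code written for this article, not code from the AWS sample repository. It assumes the EventBridge event shape of the GuardDuty Malware Protection for S3 scan-result event (the `detail.s3ObjectDetails` and `detail.scanResultDetails.scanResultStatus` fields), the environment variable names CLEAN_BUCKET and QUARANTINE_BUCKET, and constructed bucket names and object keys; `InMemoryS3` is a stand-in for the two boto3 calls so the example runs offline. One design choice the example adds beyond the article's text: any result that is not an explicit NO_THREATS_FOUND (a failed, unsupported or access-denied scan, or an unrecognised event) is routed to Quarantine rather than Clean, so an unproven object can never reach consumers.

```python
"""Route a GuardDuty Malware Protection for S3 scan result to Clean or Quarantine."""
import os

# Environment variable names are assumptions for this example, not the project's.
CLEAN_BUCKET_ENV = "CLEAN_BUCKET"
QUARANTINE_BUCKET_ENV = "QUARANTINE_BUCKET"

# scanResultStatus values follow the GuardDuty scan-result event (assumed shape).
# Anything else is treated as "not proven clean" and quarantined.
CLEAN_STATUS = "NO_THREATS_FOUND"
INFECTED_STATUS = "THREATS_FOUND"


class InMemoryS3:
    """Stand-in for the two boto3 S3 client calls the router makes (offline demo only)."""

    def __init__(self, objects=None):
        self.objects = dict(objects or {})  # (bucket, key) -> object bytes

    def copy_object(self, Bucket, Key, CopySource):
        self.objects[(Bucket, Key)] = self.objects[(CopySource["Bucket"], CopySource["Key"])]
        return {}

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)
        return {}


def make_event(bucket, key, status, threat_names=()):
    """Build a constructed EventBridge event in the GuardDuty scan-result shape."""
    completed = status in (CLEAN_STATUS, INFECTED_STATUS)
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Malware Protection Object Scan Result",
        "detail": {
            "scanStatus": "COMPLETED" if completed else "FAILED",
            "s3ObjectDetails": {"bucketName": bucket, "objectKey": key},
            "scanResultDetails": {
                "scanResultStatus": status,
                "threats": [{"name": n} for n in threat_names],
            },
        },
    }


def route_scan_result(event, s3, clean_bucket, quarantine_bucket):
    """Move the scanned object out of the Processing bucket according to the verdict.

    Returns a summary dict that the Step Functions flow (or a test) can inspect.
    """
    detail = event.get("detail") or {}
    obj = detail.get("s3ObjectDetails") or {}
    src_bucket, key = obj.get("bucketName"), obj.get("objectKey")
    if not src_bucket or not key:
        raise ValueError("scan-result event carries no s3ObjectDetails")

    result = detail.get("scanResultDetails") or {}
    status = result.get("scanResultStatus")
    threats = [t.get("name", "unknown") for t in (result.get("threats") or [])]

    if detail.get("scanStatus") == "COMPLETED" and status == CLEAN_STATUS:
        dest, verdict = clean_bucket, "clean"
    elif status == INFECTED_STATUS:
        dest, verdict = quarantine_bucket, "infected"
    else:
        # FAILED, UNSUPPORTED, ACCESS_DENIED or an unknown shape: fail closed.
        dest, verdict = quarantine_bucket, "unscannable"

    # Copy then delete: S3 has no atomic move, so the object is never lost
    # if the copy fails part-way through.
    s3.copy_object(Bucket=dest, Key=key, CopySource={"Bucket": src_bucket, "Key": key})
    s3.delete_object(Bucket=src_bucket, Key=key)
    return {"verdict": verdict, "bucket": dest, "key": key, "threats": threats}


def lambda_handler(event, context):
    """Lambda entry point: the same routing with a real boto3 client."""
    import boto3  # imported here so the offline demo does not need it

    return route_scan_result(
        event, boto3.client("s3"),
        os.environ[CLEAN_BUCKET_ENV], os.environ[QUARANTINE_BUCKET_ENV],
    )


def demo():
    """Offline walk-through with two constructed scan results; returns key -> verdict."""
    s3 = InMemoryS3({
        ("example-processing", "uploads/report.pdf"): b"constructed sample",
        ("example-processing", "uploads/invoice.xlsx"): b"constructed sample",
    })
    events = [
        make_event("example-processing", "uploads/report.pdf", CLEAN_STATUS),
        make_event("example-processing", "uploads/invoice.xlsx", INFECTED_STATUS,
                   ["Constructed.Test.Signature"]),
    ]
    verdicts = {}
    for ev in events:
        summary = route_scan_result(ev, s3, "example-clean", "example-quarantine")
        verdicts[summary["key"]] = summary["verdict"]
        print(f"{summary['key']}: {summary['verdict']} -> {summary['bucket']} {summary['threats']}")
    return verdicts


if __name__ == "__main__":
    demo()
```

The EventBridge rule that feeds this function should match on `source: aws.guardduty` and the scan-result `detail-type`, and the function's execution role needs only `s3:GetObject` and `s3:DeleteObject` on the Processing bucket and `s3:PutObject` on the Clean and Quarantine buckets, which keeps the blast radius small if the function is ever misused.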

Built-in Safety Features

This solution includes several intelligent safeguards:

  • Timeouts: Ensures files that aren’t scanned in a timely manner are flagged.
  • Lifecycle Rules: Automatically deletes temporary files from the Processing bucket after 24 hours.
  • Real-Time Notifications: Users are instantly informed of success or failure.

These features eliminate the need for manual monitoring or maintenance, allowing your team to focus on strategic tasks rather than infrastructure upkeep.


Deployment Guide

Setting up this solution is straightforward with Terraform, an infrastructure-as-code tool. Follow these steps:

  1. Clone the GitHub Repository
    git clone https://github.com/aws-samples/[repository-name]
  2. Update Configuration
    Open the locals.tf file and replace the placeholder values for bucket names, server names, and environment variables.
  3. Run Terraform Plan
    terraform plan
  4. Apply Infrastructure
    terraform apply

Enter yes when prompted to create resources like S3 buckets, Lambda functions, and workflows.


Clean-Up Instructions

To avoid unnecessary AWS charges, always remove the infrastructure when testing is complete:

terraform destroy

This command will delete all the resources provisioned—SFTP servers, S3 buckets, Lambda functions, Step Functions, etc.


Benefits of This Approach

Implementing this serverless malware scanning workflow provides several advantages:

  • No EC2 Maintenance: Eliminates the need to maintain custom malware-scanning servers.
  • Serverless & Scalable: Uses fully managed AWS services that scale on demand.
  • Always Up to Date: GuardDuty automatically updates malware definitions every 15 minutes.
  • Lower Costs: Pay only for what you use—ideal for unpredictable or intermittent workloads.
  • Developer Friendly: Easily extensible using Terraform and Lambda for custom workflows.

Real-World Use Cases

This solution is ideal for organisations in:

  • Healthcare: Scanning sensitive patient file transfers.
  • Legal Services: Securing contract and evidence document uploads.
  • Media & Publishing: Protecting shared creative assets from threats.
  • Finance: Scanning financial reports submitted by external partners.

Final Thoughts

By integrating AWS Transfer Family with GuardDuty, organisations can build a powerful, automated layer of defence against malware introduced through public file transfers. It simplifies security operations while ensuring compliance and reducing manual intervention.

For teams looking to scale securely and efficiently, adopting this serverless solution is a no-brainer.


Resources