AWS Transfer Family

Ensure the data that is moved into Amazon S3 via AWS Transfer Family is free of ransomware, viruses, trojans and other payloads by scanning it inline with Antivirus for Amazon S3

Deployment Options

Deploy AWS Transfer Family and antivirus scanning at the same time in 5-15 minutes via an AWS CloudFormation Template. If you are new to Transfer Family, everything you need to be up and running will be deployed for you. If you are already using Transfer Family, it is easy to select the S3 buckets linked with your Server to deploy antivirus scanning.

If you are currently subscribed to the Antivirus for Amazon S3 product and have a Transfer Family Server deployed, all you need to do is protect the S3 bucket linked to your Transfer Family Server to ensure its contents are clean.

Step 1 - Create Stack and Specify the Parameters

First, ensure that you are deploying the software in the desired region.

Next, we need to review and configure the CloudFormation template:

  1. Set your Stack name

  2. Set your Admin User Name

    • This will be the initial user created for the console management website, with admin-level permissions. If modifying the default value, ensure the name entered is three characters or greater.

  3. Admin User Email Address

    • Login credentials for the Console management account will be sent to this address.

  4. Virtual Private Cloud (VPC) ID

    • The public-facing console will be deployed within this VPC.

  5. Two Subnets

    • Choose two subnets that the console can be placed within, and ensure they both allow for outbound internet traffic.

    • The subnets you choose for A and B must either be able to offer a public IP or be on a network you can access. Without that, the console will run, but not be reachable. This could simply be a public subnet reachable through an Internet Gateway. Or it could be a private subnet that is an extension of your corporate network you access either from your corporate network or through a VPN connection. Or these subnets maybe private subnets fronted by a public Load Balancer. Learn more about this option in the Advanced Deployment Considerations.

  6. Console Security Group CIDR Block

    • Enter an IP address range that can access the console.

    • Specify your network access or set to "" to access the console from anywhere.

    • is wide open to the world. The application is still protected by SSL, a username and a password, but you may still choose to control this access. This could be your corporate network range or the /32 IP address your specific system is currently assigned. Google "what's my ip" and the first thing returned is what your current IP address is. Note: If your IP address changes, you may have to manually change the AWS Security Group value to represent the new IP

  7. Agent Scanning Engine

    • Choose the engine that should be used to scan files.

    • Please refer to our Marketplace listing for pricing differences between the different engines.

  8. Multi-Engine Scanning Mode

    • Choose how many engines you want to use to scan your files:

      • Disabled will use a single engine.

      • All will scan every file with both engines.

      • LargeFiles will scan files larger than 2GB using the Sophos engine.

  9. Agent Disk Size

    • Choose a larger disk size (up to 200 GB) to enable scanning larger files.

    • Note that this only applies when using the Sophos scanning engine.

  10. Enable Large File Scanning

    • If "Yes" is selected, an EC2 instance will be launched if a file is found to be too large to be scanned by the normal agent.

  11. Extra Large File Disk Size

    • Choose a larger disk size (between 20 - 16,300 GB) to enable scanning larger files, up to 5 GB fewer than the total disk size.

    • Note that this only applies when using the Sophos scanning engine with EC2 large file scanning enabled.

  12. Buckets to Protect

    • Enter any pre-existing buckets that you would like to have event-based protection enabled on when the console is launched.

    • Bucket names must be separated by commas (e.g. bucket1,bucket2,bucket3)

    • Note that this only works for buckets in the same region as this deployment.

  13. Existing Transfer Family Server

    • If you do not have an existing Transfer Family Server, or would like a new one created, set this option to ‘No’, and a Transfer Family Server will automatically be deployed for you.

  14. Quick Start Disable Auto-Protect

    • When set to 'No', the bucket which is created to store files uploaded to the Transfer Server is automatically protected by the console.

    • Note that this only applies when you have chosen ‘No’ for the Existing Transfer Family Server setting

Step 2 - Review Stack and Acknowledge

  1. Review all settings for accuracy

  2. Check the following items at bottom of the CloudFormation template:

    • I acknowledge that AWS CloudFormation might create IAM resources with custom names.

    • I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND

  3. Click Create Stack at the bottom of the screen.

Step 3 - Console Access

Once the stack creation completes, click the Output tab. The top row in the table will have the URL for your Management Console. It will be in the format of https://<accountID-appID>

You will also receive an email to the address you entered in the Admin User Email field while configuring your CloudFormation Template.

It may take a few minutes for DNS to propagate the URL of your management console. If you are unable to load the URL provided in the email/CloudFormation Outputs then wait a few minutes. If it continues to be an issue, check the console access troubleshooting to see if it is another issue or Contact Us.

If you chose to use a load balancer, the first field will be called LBWebAddress instead of ConsoleWebAddress.

Step 4 - Ensure Connectivity to the Transfer Family Server (Optional)

If you did not have a Transfer Family Server created as part of your deployment you can skip this step.

Before you can connect to the Transfer Family Server, you must first login to the console. Follow these steps if you skipped Step 4.

  1. Login to the email address previously added to the Admin User Email field within the CloudFormation Template during deployment.

  2. Locate the Antivirus for Amazon S3 - Console Account Information email.

  3. Open the console link and login using the provided temporary credentials.

  4. Upon login you will be prompted to update your password.

The username and password entered to connect to the console is the same username and password that will be used to connect to the Transfer Family Server.

  1. Login to the AWS Transfer Family console and review the pre-configured settings of the Server created on your behalf.

    • You can obtain the Transfer Family Server Id by reviewing the Outputs from the CloudFormation Template.

  2. We recommend that you connect to your server and upload a test file.

    • Please note that:

      1. The server's protocol will be SFTP (SSH File Transfer Protocol) - file transfer over Secure Shell.

      2. The server will have a public endpoint.

      3. A Lambda function is created during the deployment and will validate authentication for secure file transfers.

      4. Files will be uploaded to S3 directly and will trigger an event-based scan by Antivirus for Managed File Transfers.

Configure the Antivirus for Amazon S3 Console

You have completed creating the stack for Antivirus for Amazon S3 and Transfer Family.

Next, go to the How to Configure section to start setting up the anti-malware detection.

Last updated