Looking for ideas, How can I create a secure SFTP server with scanning?

0

Suppose I want to make a safe, easy, and accessible way to transfer files into a VPC. Ideally a user just goes to a site in a browser and uploads the file, then can log into the VPC's network and download it.

But there are a few gotchas:

  • All uploaded files must be scanned for viruses/malware (e.g. ClamAV Lambda checks the files). Infected files must be quarantined/inaccessible.

  • Users need to be able to authenticate with an Identity provider like Okta.

  • Users should only be able to see files that they have permissions to.

I wanted to use AWS managed SFTP (such as https://github.com/awslabs/web-client-for-aws-transfer-family/tree/open-source), but I can't figure out how I would implement scanning into the pipeline. I could instead use S3 buckets directly with some application interface, but that would take a lot of heavy lifting on my end to build said application (unless there's already something for this).

Any suggestions?

1 Answer
1

I suggest the workflow feature of AWS Transfer may help meet your requirements to add a scanning lambda and control the user permissions. This blog post is a good guide for some of the capabilities. There was an enhancement to workflows announced yesterday.

I have also worked with customers with very complex requirements where we used step functions.

AWS
EXPERT
Peter_G
answered 2 years ago
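
One way the scanning Lambda suggested in the answer could be written as a custom step of an AWS Transfer Family workflow (an added example, not code from the answer or from AWS). It assumes ClamAV's `clamscan` binary is packaged with the function; the bucket names, the `handle` helper and the sample event are constructed for illustration.

```python
import os
import subprocess
import tempfile

QUARANTINE_BUCKET = "example-quarantine-bucket"  # hypothetical name

# Constructed sample of the event a workflow custom step passes to Lambda.
SAMPLE_EVENT = {
    "token": "constructed-token",
    "serviceMetadata": {"executionDetails": {
        "workflowId": "w-constructed", "executionId": "constructed-exec-id"}},
    "fileLocation": {"domain": "S3", "bucket": "example-upload-bucket",
                     "key": "alice/report.pdf"},
}

def clamscan(path):
    """True if clean. clamscan exits 0 = clean, 1 = infected, else error."""
    rc = subprocess.run(["clamscan", "--no-summary", path]).returncode
    if rc not in (0, 1):
        raise RuntimeError(f"clamscan error, exit code {rc}")
    return rc == 0

def handle(event, s3, transfer, scan=clamscan):
    loc = event["fileLocation"]
    run = event["serviceMetadata"]["executionDetails"]
    local = os.path.join(tempfile.gettempdir(), "scan-" + run["executionId"])
    status = "FAILURE"  # fail closed: only an explicit clean verdict is SUCCESS
    try:
        s3.download_file(loc["bucket"], loc["key"], local)
        if scan(local):
            status = "SUCCESS"
        else:
            # Infected: move the object out of the upload bucket.
            s3.copy_object(Bucket=QUARANTINE_BUCKET, Key=loc["key"],
                           CopySource={"Bucket": loc["bucket"], "Key": loc["key"]})
            s3.delete_object(Bucket=loc["bucket"], Key=loc["key"])
    except Exception as exc:
        print(f"scan step failed closed: {exc!r}")
    finally:
        if os.path.exists(local):
            os.remove(local)
        # Tell the workflow whether to continue or run its exception handlers.
        transfer.send_workflow_step_state(
            WorkflowId=run["workflowId"], ExecutionId=run["executionId"],
            Token=event["token"], Status=status)
    return status

def lambda_handler(event, context):
    import boto3  # provided by the Lambda runtime
    return handle(event, boto3.client("s3"), boto3.client("transfer"))
```

A scan error or timeout reports `FAILURE` without moving the object, so the workflow's exception-handling steps decide what happens to files that could not be scanned.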
