Secure SFTP for Financial Applications in Life Sciences: PTP’s AWS Transfer Family Solution
By deploying AWS Transfer Family with Secrets Manager, Lambda, and enhanced logging, this solution simplified SFTP user management for financial applications, enforced stringent security controls, and enabled seamless compliance auditing.
Executive Summary
PTP is a leading IT services company specializing in managed services and cloud solutions. As a recognized AWS Partner, PTP leverages Amazon Web Services' robust cloud infrastructure to deliver high-performance, scalable, and secure solutions tailored to meet the diverse needs of businesses. PTP provides comprehensive cloud strategies, solutions, and management services that empower businesses to achieve operational excellence.
In this case study, we’ll explore how PTP implemented a secure, automated, and highly available Managed File Transfer (MFT) solution for a customer managing financial data across multiple applications. The customer required stringent security measures, seamless transfer mechanisms, and automated credential management to ensure compliance and minimize IT overhead.
PTP implemented AWS Transfer Family, integrating AWS Secrets Manager for user authentication and credential management with a custom Lambda-based password rotation function. This approach enforced password complexity, rotation compliance, and automation while providing robust endpoint security, granular user access control, encryption, and detailed audit capabilities. By eliminating manual intervention and enhancing compliance, the solution not only addressed security concerns but also simplified access management and offered seamless scalability to adapt to the customer’s growing needs.
Problem Statement
The customer, a life sciences organization operating in a highly regulated GxP environment, required a secure and auditable solution for transferring financial data across multiple vendor applications. Key challenges included:
- Compliance: Ensuring adherence to GxP standards for secure file transfers, user authentication processes and auditability.
- Security Risks: Preventing unauthorized access to sensitive financial data while implementing robust password and endpoint protection mechanisms.
- User Management Complexity: Providing granular access control for multiple named users from different vendors, each requiring isolation and strict permissions.
- Operational Overheads: Addressing manual credential rotation and password compliance management that consumed IT resources.
- Scalability: Accommodating increasing data volumes and growing user bases with a scalable solution.
These challenges necessitated a secure, automated, and auditable Managed File Transfer (MFT) system designed for high availability and operational efficiency.
Solution Overview
The solution implemented for the Biotherapeutics company included the following key components:
Password Management with AWS Secrets Manager
- Passwords for AWS Transfer Family users are stored in AWS Secrets Manager in the format aws/transfer/server-id/username.
- A custom Lambda function integrated with API Gateway retrieves these secrets during authentication, ensuring secure, centralized password management.
- The Lambda function enforces robust password policies, such as:
  - 20-character minimum length with special characters.
  - Rotation to prevent reuse of the last 10 passwords.
  - Automatic email notifications to users upon password rotation.
Serverless Deployment with AWS SAM CLI
- The base of the solution is deployed using AWS Serverless Application Model (SAM) CLI, following Infrastructure-as-Code (IaC) best practices.
- Parameters like network configurations, region-specific configurations, and password policies were customized during deployment for optimized integration into the client’s infrastructure.
Custom Authentication via API Gateway and Lambda
- AWS Transfer Family relies on a custom authentication provider using API Gateway and Lambda.
- Lambda validates user credentials against Secrets Manager and retrieves IAM roles, logical directory mappings, and any IP restrictions.
- This design supports dynamic access control and flexible protocol options (SFTP, FTPS, FTP).
CloudWatch Logging and Monitoring
- CloudWatch is configured for comprehensive logging and monitoring of the AWS Transfer Family and API Gateway.
- Alerts notify the team about suspicious activity or failures, ensuring high availability and security compliance.
Compliance and Security
- Source IP address checks are enforced through the custom authentication Lambda.
- IAM roles and policies restrict access to only necessary S3 buckets and paths.
- All data transfers are encrypted in transit over SFTP, and data at rest in S3 is encrypted with SSE-S3.
Technical Deployment
Password Management with AWS Secrets Manager
- Centralized Credential Storage: User credentials are stored in AWS Secrets Manager in the format aws/transfer/server-id/username, ensuring centralized and secure password management.
- Custom Password Policies and Rotation: A custom Lambda function is integrated to enforce robust password policies:
  - Minimum 20-character passwords with special characters.
  - Prevention of reuse of the last 10 passwords.
  - Automatic password rotation and notification via email to the respective users.
- Automated Rotation: Passwords are rotated periodically using a second Lambda function triggered by Secrets Manager, ensuring compliance with security standards.
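The policy rules above (20-character minimum, at least one special character, no reuse of the last 10 passwords) and the rotation step can be expressed in a few functions. The following Python is an added example, not PTP's rotation Lambda: it assumes a particular set of special characters, a salted PBKDF2 hash as the stored history record (the page does not say how history is kept), and a modest iteration count so it runs quickly offline. The plaintext of a rotated password is returned exactly once, for delivery to the user, and only its hash is retained.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import List, Optional, Tuple

# Values stated on the page.
MIN_LENGTH = 20        # minimum password length
HISTORY_DEPTH = 10     # number of previous passwords that may not be reused
# Assumed: the page does not list which characters count as "special".
SPECIAL_CHARS = "!@#$%^&*()-_=+[]{};:,.<>?"
# Assumed: PBKDF2 iteration count kept low so the example runs quickly offline.
PBKDF2_ROUNDS = 20_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-SHA256 record of the form 'salt_hex$digest_hex'.

    Only these records are kept as history, so the history list never holds a
    usable password (assumption: the page does not say how history is stored).
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def matches_record(password: str, record: str) -> bool:
    """Constant-time check of a candidate password against one history record."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def policy_violations(password: str, history: List[str]) -> List[str]:
    """Return every rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch in SPECIAL_CHARS for ch in password):
        problems.append("contains no special character")
    # Only the most recent HISTORY_DEPTH records count, even if more were kept.
    if any(matches_record(password, rec) for rec in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def generate_password(history: List[str], length: int = 24) -> str:
    """Draw candidates from a CSPRNG until one satisfies the whole policy."""
    alphabet = string.ascii_letters + string.digits + SPECIAL_CHARS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, history):
            return candidate


def rotate(history: List[str]) -> Tuple[str, List[str]]:
    """Produce a new compliant password and the trimmed history to store with it.

    The plaintext is returned once so the caller can deliver it to the user
    (the page describes delivery by e-mail); only the hash record is retained.
    """
    new_password = generate_password(history)
    new_history = (history + [hash_password(new_password)])[-HISTORY_DEPTH:]
    return new_password, new_history
```

The history is trimmed to the last ten records on every rotation, so the reuse check stays bounded and a password older than ten rotations becomes acceptable again, which is exactly the "last 10" rule rather than a lifetime ban.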
Authentication via API Gateway and Lambda
- Authentication Flow: AWS Transfer Family relies on a custom authentication provider deployed using API Gateway and a Lambda function.
- Dynamic Access Enforcement: During authentication:
  - API Gateway triggers Lambda to validate user credentials stored in Secrets Manager.
  - Lambda retrieves the associated IAM roles, logical directory mappings, and source IP restrictions dynamically.
- Granular Access Control: IAM roles dynamically restrict user access to designated S3 buckets and logical directories, minimizing the risk of unauthorized access.
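The authentication flow above, together with the source-IP check and per-user S3 scoping listed later under Compliance and Security, maps onto a single handler. The Python below is an added example and not PTP's Lambda; it assumes the request field names (`username`, `password`, `serverId`, `sourceIp`), the keys stored inside each secret (`Password`, `Role`, `Bucket`, `Prefix`, `AllowedNetworks`), an injected secret lookup in place of a Secrets Manager client so it runs offline, and placeholder account, server and bucket identifiers. Only the secret name format `aws/transfer/server-id/username` and the response keys Transfer Family expects from a custom identity provider (`Role`, `Policy`, `HomeDirectoryType`, `HomeDirectoryDetails`) are taken from the page and the service's documented contract; an empty response denies the login.

```python
import hmac
import ipaddress
import json
import re
from typing import Callable, Dict, Optional

# Assumed: a function taking a secret name and returning its key/value JSON,
# or None when no such secret exists. In Lambda this would wrap a
# Secrets Manager client; here it is injected so the handler runs offline.
SecretLookup = Callable[[str], Optional[Dict[str, str]]]

# Assumed username syntax. Rejecting anything else before the lookup keeps
# characters such as "/" or ".." out of the secret name built below.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,99}$")


def secret_name(server_id: str, username: str) -> str:
    # Secret name format stated on the page: aws/transfer/server-id/username
    return f"aws/transfer/{server_id}/{username}"


def ip_allowed(source_ip: str, allowed_networks: str) -> bool:
    """True when source_ip lies inside one of the comma-separated CIDR blocks.

    An empty allow-list denies everyone, so a secret missing the field fails closed.
    """
    if not allowed_networks.strip():
        return False
    try:
        ip = ipaddress.ip_address(source_ip)
        return any(
            ip in ipaddress.ip_network(net.strip(), strict=False)
            for net in allowed_networks.split(",")
        )
    except ValueError:  # unparsable address or network
        return False


def scoped_policy(bucket: str, prefix: str) -> str:
    """Session policy confining the user to bucket/prefix/*.

    Transfer Family takes the policy as a JSON string, so it is serialized here.
    """
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*", prefix]}},
            },
            {
                "Sid": "ObjectsInOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }
    return json.dumps(policy)


def authenticate(event: Dict[str, str], lookup: SecretLookup) -> dict:
    """Return the user's Transfer Family configuration, or {} to deny the login."""
    username = event.get("username", "")
    password = event.get("password", "")
    server_id = event.get("serverId", "")
    source_ip = event.get("sourceIp", "")
    if not (USERNAME_RE.match(username) and password and server_id and source_ip):
        return {}
    secret = lookup(secret_name(server_id, username))
    if secret is None:
        return {}
    # Constant-time comparison against the password held in the secret.
    if not hmac.compare_digest(secret.get("Password", "").encode(), password.encode()):
        return {}
    if not ip_allowed(source_ip, secret.get("AllowedNetworks", "")):
        return {}
    bucket, prefix = secret["Bucket"], secret["Prefix"]
    return {
        "Role": secret["Role"],
        "Policy": scoped_policy(bucket, prefix),
        "HomeDirectoryType": "LOGICAL",
        # Logical mapping: the user sees "/" but is confined to their own prefix.
        "HomeDirectoryDetails": json.dumps(
            [{"Entry": "/", "Target": f"/{bucket}/{prefix}"}]
        ),
    }


# Constructed in-memory secret store standing in for Secrets Manager
# (placeholder account, server and bucket identifiers).
SAMPLE_SECRETS = {
    "aws/transfer/s-0123456789abcdef0/vendor-a": {
        "Password": "Tq7!vendor-a-Example-Password-2024",
        "Role": "arn:aws:iam::123456789012:role/transfer-user-role",
        "Bucket": "example-mft-bucket",
        "Prefix": "vendor-a/inbound",
        "AllowedNetworks": "203.0.113.0/24, 198.51.100.10/32",
    }
}


def sample_lookup(name: str) -> Optional[Dict[str, str]]:
    return SAMPLE_SECRETS.get(name)
```

Every failure path returns the same empty object, so a caller cannot tell an unknown user from a wrong password or a disallowed source address; the reason is something to log server-side, not to return to the client. The role in `Role` still needs to grant at least the actions in the session policy, since the session policy can only narrow what the role allows.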
Serverless Deployment with AWS SAM CLI
The base infrastructure was deployed using AWS Serverless Application Model (SAM) CLI, following Infrastructure-as-Code (IaC) best practices.
The deployment package from the AWS blog post was customized to include:
- Network configurations (VPC, subnets, security groups).
- Region-specific optimizations for the client’s environment.
- Additional Lambda function for password rotation and notification.
Monitoring and Logging with CloudWatch
- Activity Logging: CloudWatch Logs capture all authentication and data transfer activities across AWS Transfer Family, API Gateway, and Lambda.
- Alerting: Custom metrics and alarms are configured to notify the team of suspicious activities or failures.
- Audit Reporting: Custom reports are generated using data from Secrets Manager and CloudWatch Logs for auditing purposes.
- Insights: These reports track user access patterns, password changes, and failed login attempts.
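The report and alerting described above can be prototyped directly over the log stream. The Python below is an added example rather than PTP's reporting code: it assumes the authentication and rotation Lambdas write one JSON object per CloudWatch log line with the fields shown (the page does not specify a format), a five-failure threshold within a ten-minute window for alerting, and a small constructed log sample that includes a password-guessing burst, two isolated failures well outside the window, a rotation event and a malformed line.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in the assumed log shape; the page does not give the real format.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:01Z", "event": "auth", "user": "vendor-a", "sourceIp": "203.0.113.42", "result": "ALLOW"}
{"ts": "2024-05-01T08:02:10Z", "event": "auth", "user": "vendor-b", "sourceIp": "198.51.100.7", "result": "DENY_PASSWORD"}
{"ts": "2024-05-01T08:02:31Z", "event": "auth", "user": "vendor-b", "sourceIp": "198.51.100.7", "result": "DENY_PASSWORD"}
{"ts": "2024-05-01T08:03:05Z", "event": "auth", "user": "vendor-b", "sourceIp": "198.51.100.7", "result": "DENY_PASSWORD"}
{"ts": "2024-05-01T08:03:44Z", "event": "auth", "user": "vendor-b", "sourceIp": "198.51.100.7", "result": "DENY_PASSWORD"}
{"ts": "2024-05-01T08:04:20Z", "event": "auth", "user": "vendor-b", "sourceIp": "198.51.100.7", "result": "DENY_PASSWORD"}
{"ts": "2024-05-01T08:05:02Z", "event": "auth", "user": "vendor-b", "sourceIp": "198.51.100.7", "result": "DENY_PASSWORD"}
{"ts": "2024-05-01T08:06:00Z", "event": "auth", "user": "vendor-b", "sourceIp": "198.51.100.7", "result": "ALLOW"}
{"ts": "2024-05-01T07:30:00Z", "event": "auth", "user": "vendor-c", "sourceIp": "192.0.2.9", "result": "DENY_IP"}
{"ts": "2024-05-01T07:45:00Z", "event": "auth", "user": "vendor-c", "sourceIp": "192.0.2.9", "result": "DENY_IP"}
{"ts": "2024-05-01T09:00:00Z", "event": "rotation", "user": "vendor-a", "result": "OK"}
this line is not JSON and must be skipped
"""

FAIL_THRESHOLD = 5               # assumed: failures needed to raise an alert
WINDOW = timedelta(minutes=10)   # assumed: sliding window for counting them


def parse(log_text: str) -> List[dict]:
    """Parse JSON log lines into records sorted by time, skipping malformed lines."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole report
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def access_report(records: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-user counts of successful logins, failed logins and password rotations."""
    report = defaultdict(lambda: {"logins": 0, "failures": 0, "rotations": 0})
    for r in records:
        if r["event"] == "auth":
            key = "logins" if r["result"] == "ALLOW" else "failures"
            report[r["user"]][key] += 1
        elif r["event"] == "rotation":
            report[r["user"]]["rotations"] += 1
    return dict(report)


def failed_login_alerts(records: List[dict], threshold: int = FAIL_THRESHOLD,
                        window: timedelta = WINDOW) -> List[dict]:
    """Flag a (user, source IP) pair once it reaches `threshold` failures inside `window`.

    One alert per pair, raised at the failure that crosses the threshold.
    """
    recent = defaultdict(deque)  # (user, ip) -> timestamps of failures in the window
    alerts, alerted = [], set()
    for r in records:
        if r["event"] != "auth" or r["result"] == "ALLOW":
            continue
        key = (r["user"], r["sourceIp"])
        q = recent[key]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": key[0], "sourceIp": key[1],
                           "failures": len(q), "at": r["ts"].isoformat()})
    return alerts
```

Keying the window on the user and source address pair keeps a single misconfigured vendor client from masking a separate attempt on the same account from elsewhere; a successful login right after such a burst, as `vendor-b` shows in the sample, is the kind of pattern worth surfacing in the audit report alongside the raw counts.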
Compliance and Security Enhancements
- End-to-End Encryption: Data in transit is encrypted using SFTP/FTPS, and data at rest in S3 is encrypted using SSE-S3.
- Source IP Restriction: Lambda enforces IP address restrictions for enhanced security.
- Granular Policies: IAM roles and policies limit users to specific data directories, ensuring they only access their authorized content.
Conclusion
This solution has significantly streamlined the management of approximately 50 external SFTP users in a regulated environment, ensuring robust security controls, seamless automation, and comprehensive logging capabilities. By leveraging AWS Transfer Family with Secrets Manager, Lambda, and supporting services, the solution achieved the following key outcomes:
Enhanced Security
- Password policies, automated rotation, and prevention of reuse ensure compliance with stringent security standards.
- Granular IAM-based access controls restrict users to only their designated data, reducing the risk of unauthorized access.
Operational Efficiency
- Automation of user credential rotation and direct password delivery minimizes IT team involvement.
- Logging and reporting enhancements simplify the monitoring of user activity, making day-to-day management more efficient.
Streamlined Compliance Audits
- Centralized logging through CloudWatch and custom reports from Secrets Manager provide auditors with clear, actionable insights.
- The detailed tracking of user activities and access patterns ensures alignment with regulatory requirements, making audits smoother and faster.
This deployment not only meets current operational and security requirements but also positions the system for scalable growth. With automated processes, centralized management, and robust security, the customer is now equipped to handle increasing data transfer demands and evolving compliance needs with confidence.
Simplify credential management and secure data flows with AWS Transfer Family
Learn how PTP helps life sciences teams manage SFTP users, rotate credentials, and stay audit-ready in regulated environments.
Streamline SFTP Compliance and Credential Automation
Automate secure file transfers, credential rotation, and user access management with AWS Transfer Family—purpose-built for life sciences compliance.
Schedule your free consultation today.