Antivirus for S3 buckets

Available in the AWS Marketplace

Are my files secure?

All files are scanned on EC2 instances (virtual machines) that run in your AWS account. All infrastructure that S3 VirusScan requires runs in your AWS account. Only the virus database is fetched from remote servers provided by ClamAV®. We don't have access to your data and infrastructure!

What's the maximum file size supported?

The default file size limit is 8 GiB. You can increase this to up to 512 GiB by increasing the VolumeSize parameter. Keep in mind that you need larger instance types to scan files that are in the GB range. We recommend m5.xlarge or m5a.xlarge instance types.

My SQS scan queue contains many messages and/or is growing steadily. How can I increase the throughput of the system?

By default, the AutoScalingMinSize and AutoScalingMaxSize parameters are set to 1. Therefore, you will only have one worker running to scan files. If you increase AutoScalingMaxSize, the solution will scale out if the queue grows and scale in if the queue is empty. The defaults are low to protect your AWS bill.

If the InstanceType parameter is set to t3.* or t3a.*, you should consider changing to m5.* or m5a.* before you scale out by increasing AutoScalingMaxSize.

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  5. At the top right, click on Update
  6. In the next step, just click Next
  7. Increase the AutoScalingMaxSize parameter
  8. Click Next
  9. In the next step, just click Next
  10. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

How can I change the instance type?

By default, the InstanceType parameter is set to m5.large. In small environments or development environments, you can reduce costs by switching to the t3 or t3a family.

Keep in mind that a larger instance is not the only option to increase the throughput of the system. You can also increase the maximum number of instances scanning your files by increasing the AutoScalingMaxSize parameter!

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  5. At the top right, click on Update
  6. In the next step, just click Next
  7. Change the InstanceType parameter
  8. Click Next
  9. In the next step, just click Next
  10. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

How can I receive an email for every infected file?

  1. Visit the Amazon SNS Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Topics.
  4. Search for the FindingsTopic and click on the found topic.
  5. Click on the Create Subscription button.

  1. Set Protocol to Email.
  2. Set Endpoint to your email address.
  3. Set Subscription filter policy to:
    {"status": ["infected", "no"]}
  4. Click on the Create subscription button to save.

You will receive an email (AWS Notification - Subscription Confirmation) with a confirmation link that you have to visit.

If the volume of emails is too high, consider: How can I receive an email if infected files are found?

How can I receive an email if infected files are found?

Sometimes, it is enough to be notified if infected files are found without sending an email for every infected file. Our Alarm Add-On helps you with the setup.

How can I keep infected files?

By default, infected files are deleted. You can keep and tag them as infected if you want.

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  5. At the top right, click on Update
  6. In the next step, just click Next
  7. Set the DeleteInfectedFiles parameter to false
  8. Click Next
  9. In the next step, just click Next
  10. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

Which version am I using?

To find out the running version of S3 VirusScan:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  5. Click on the Outputs tab
  6. Check the value next to the output key Version

What's my configuration?

To find out the configuration of S3 VirusScan:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  5. Click on the Parameters tab

Now, you can see the parameters and values that are used.

How can I edit the configuration?

To change the configuration of S3 VirusScan:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  5. At the top right, click on Update
  6. In the next step, just click Next
  7. Now, you can change the configuration parameters.
  8. Click Next
  9. In the next step, just click Next
  10. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

It can take up to two minutes to deploy new configuration values!
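
The same update without the console, as an added example (not code from the S3 VirusScan project); it works for any parameter this FAQ changes through a stack update, such as AutoScalingMaxSize, InstanceType, DeleteInfectedFiles or ReportCleanFiles. The function names, the region and the new value are assumptions, as is having boto3 and credentials for the account that runs the stack.

```python
def build_update_parameters(current, changes):
    """Return the Parameters list for CloudFormation update_stack.

    current: [{"ParameterKey": ..., "ParameterValue": ...}] from describe_stacks.
    changes: {parameter name: new value}.
    Parameters that are not changed are pinned with UsePreviousValue; a
    parameter left out of the list would fall back to its template default.
    """
    known = {p["ParameterKey"] for p in current}
    unknown = sorted(set(changes) - known)
    if unknown:
        raise KeyError(f"not a parameter of this stack: {unknown}")
    params = []
    for key in sorted(known):
        if key in changes:
            value = changes[key]
            text = str(value).lower() if isinstance(value, bool) else str(value)
            params.append({"ParameterKey": key, "ParameterValue": text})
        else:
            params.append({"ParameterKey": key, "UsePreviousValue": True})
    return params


def update_stack(stack_name, changes, region):
    """Apply the change and wait until the stack update has finished."""
    import boto3  # imported here so the helper above runs without AWS access

    cfn = boto3.client("cloudformation", region_name=region)
    stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    cfn.update_stack(
        StackName=stack_name,
        UsePreviousTemplate=True,  # console: "just click Next" on the template step
        Parameters=build_update_parameters(stack.get("Parameters", []), changes),
        Capabilities=["CAPABILITY_IAM"],  # console: the IAM acknowledgement checkbox
    )
    cfn.get_waiter("stack_update_complete").wait(StackName=stack_name)


if __name__ == "__main__":
    # Stack name as in the FAQ; region and the new value are placeholders.
    update_stack("s3-virusscan", {"AutoScalingMaxSize": 3}, region="eu-west-1")
```

A misspelled parameter name raises KeyError before any call reaches CloudFormation.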

How can I receive SNS messages for infected files only?

By default, the ReportCleanFiles parameter is set to true. If you subscribe to the findings SNS topic, you will receive messages for status: infected, clean, and no.

Option 1 (recommended):
In your SNS subscription, add a subscription filter policy so that you only receive messages where the attribute status is set to infected. You might be interested in no as well (the scan was skipped, e.g., because the file was too big).

{"status": ["infected", "no"]}

Option 2:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  5. At the top right, click on Update
  6. In the next step, just click Next
  7. Change the ReportCleanFiles parameter to false
  8. Click Next
  9. In the next step, just click Next
  10. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

Does the solution work in cross-account / multi-account setups?

Yes. If you have a multi-account setup, you might want to run the S3 VirusScan solution in a single AWS account (account a) and scan buckets that are created in accounts b and c.

We recommend running the S3 VirusScan solution in the same account as your S3 buckets to keep the configuration overhead to a minimum.

Add the following bucket policy statements to each S3 bucket in accounts b and c to allow S3 VirusScan from account a to access the buckets.

  • Replace ROLE_ARN with the ScanQueueArn output of the CloudFormation s3-virusscan stack from account a.
  • Replace BUCKET_NAME with the name of the S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VirusScanRequired1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    },
    {
      "Sid": "VirusScanRequired2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:GetObject*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "VirusScanOnlyIfYouDeleteInfectedFiles",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:DeleteObject*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "VirusScanOnlyIfYouTagFilesWithScanResult",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": [
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*",
      "Condition": {
        "ForAllValues:StringLike": {
          "s3:RequestObjectTagKeys": "s3-virusscan"
        }
      }
    }
  ]
}
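
An added example, not part of the S3 VirusScan project: a generator for the policy statements above that leaves out the two optional statements when the feature is not in use and rejects values that cannot work as a role principal or bucket name. The function name, the `tag_files` flag and the sample ARN and bucket are assumptions; ROLE_ARN is assumed to be an IAM role ARN.

```python
import json
import re

ROLE_ARN_RE = re.compile(r"arn:aws[a-z-]*:iam::\d{12}:role/.+")
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")


def scanner_bucket_policy(role_arn, bucket, delete_infected=True, tag_files=True):
    """Build the FAQ's cross-account statements for one bucket.

    The two "VirusScanOnlyIfYou..." statements are emitted only when the
    matching feature is in use, so the scanner role gets no delete or
    tagging rights it does not need.
    """
    if not ROLE_ARN_RE.fullmatch(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    if not BUCKET_RE.fullmatch(bucket):
        raise ValueError(f"not a valid bucket name: {bucket!r}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects = f"{bucket_arn}/*"

    def allow(sid, action, resource, condition=None):
        stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": role_arn},
                "Action": action, "Resource": resource}
        if condition:
            stmt["Condition"] = condition
        return stmt

    statements = [
        allow("VirusScanRequired1", "s3:ListBucket*", bucket_arn),
        allow("VirusScanRequired2", "s3:GetObject*", objects),
    ]
    if delete_infected:  # only when the stack has DeleteInfectedFiles set to true
        statements.append(allow("VirusScanOnlyIfYouDeleteInfectedFiles",
                                "s3:DeleteObject*", objects))
    if tag_files:  # only when scan results are written as object tags
        tag_keys = {"ForAllValues:StringLike": {"s3:RequestObjectTagKeys": "s3-virusscan"}}
        statements.append(allow("VirusScanOnlyIfYouTagFilesWithScanResult",
                                ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
                                objects, tag_keys))
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample values: account id, role name and bucket are placeholders.
    print(json.dumps(scanner_bucket_policy(
        "arn:aws:iam::111111111111:role/EXAMPLE-SCAN-ROLE", "example-bucket-b",
        delete_infected=False), indent=2))
```

Merge the returned statements into the bucket's existing policy rather than replacing it.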

One special case needs to be taken into account when you configure the S3 Bucket Event Notification according to the Setup Guide. Instead of selecting the SQS queue from the drop-down, select Add SQS queue ARN and enter the ScanQueueArn output of the CloudFormation s3-virusscan stack from account a.

Known issues

RAR files are not supported and therefore not flagged as infected.
