Antivirus for S3 buckets

Available in the AWS Marketplace

FAQ

Are my files secure?

All files are scanned on EC2 instances (virtual machines) that run in your AWS account. All infrastructure that S3 VirusScan requires runs in your AWS account. Only the virus database is fetched from remote servers provided by ClamAV®. We don't have access to your data and infrastructure!

My SQS scan queue contains many messages and/or is growing steadily. How can I increase the throughput of the system?

By default, the AutoScalingMinSize and AutoScalingMaxSize parameters are set to 1. Therefore, you will only have one worker running to scan files. If you increase AutoScalingMaxSize, the solution will scale out if the queue grows and scale in if the queue is empty. The defaults are low to protect your AWS bill.

If the InstanceType parameter is set to t3.* or t3a.*, you should consider changing to m5.* or m5a.* before you scale out by increasing AutoScalingMaxSize.

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region
  3. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  4. At the top right, click on Update
  5. In the next step, just click Next
  6. Increase the AutoScalingMaxSize parameter
  7. Click Next
  8. In the next step, just click Next
  9. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

How can I change the instance type?

By default, the InstanceType parameter is set to m5.large. In small environments or development environments, you can reduce costs by switching to the t3 or t3a family.

Keep in mind that a larger instance is not the only option to increase the throughput of the system. You can also increase the maximum number of instances scanning your files by increasing the AutoScalingMaxSize parameter!

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region
  3. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  4. At the top right, click on Update
  5. In the next step, just click Next
  6. Change the InstanceType parameter
  7. Click Next
  8. In the next step, just click Next
  9. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

Which version am I using?

To find out the running version of S3 VirusScan:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region
  3. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  4. Click on the Outputs tab
  5. Check the value next to the output key Version

How can I receive SNS messages for infected files only?

By default, the ReportCleanFiles parameter is set to true. If you subscribe to the findings SNS topic, you will therefore receive messages for all three values of the status attribute: infected, clean, and no.

Option 1 (recommended):
In your SNS subscription, add a subscription filter policy so that you only receive messages whose status attribute is set to infected (you might also be interested in no, which means the scan was skipped, e.g., because the file was too big).

{"status": ["infected", "no"]}
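The following added example (not part of the original FAQ or the S3 VirusScan project) reproduces SNS exact-string filter-policy matching locally, so you can see which findings the policy above lets through before attaching it. The sample findings and the subscription ARN are constructed placeholders; boto3 is only needed for the apply step.

```python
import json
from typing import Dict, List

# The filter policy from this FAQ: deliver only messages whose "status"
# message attribute is "infected" or "no" (scan skipped).
FINDINGS_FILTER_POLICY: Dict[str, List[str]] = {"status": ["infected", "no"]}


def matches_filter_policy(policy: Dict[str, List[str]], message_attributes: Dict[str, str]) -> bool:
    """Exact-string matching as SNS applies it to String message attributes.

    Every key in the policy must be present on the message and its value must
    equal one of the listed strings. A message lacking the key is not delivered,
    which is why 'clean' findings (and attribute-less test messages) are dropped.
    """
    for key, allowed in policy.items():
        if key not in message_attributes:
            return False
        if message_attributes[key] not in allowed:
            return False
    return True


def filter_findings(policy: Dict[str, List[str]], findings: List[dict]) -> List[dict]:
    """Return only the findings SNS would deliver to a subscription using `policy`."""
    return [f for f in findings if matches_filter_policy(policy, f["attributes"])]


def apply_filter_policy(subscription_arn: str, policy: Dict[str, List[str]] = FINDINGS_FILTER_POLICY) -> None:
    """Attach the filter policy to an existing findings-topic subscription (ARN supplied by caller)."""
    import boto3  # assumption: boto3 is installed and AWS credentials are configured

    sns = boto3.client("sns")
    sns.set_subscription_attributes(
        SubscriptionArn=subscription_arn,
        AttributeName="FilterPolicy",
        AttributeValue=json.dumps(policy),
    )


# Constructed sample findings, one per status value the FAQ lists.
SAMPLE_FINDINGS = [
    {"key": "upload/report.pdf", "attributes": {"status": "clean"}},
    {"key": "upload/invoice.exe", "attributes": {"status": "infected"}},
    {"key": "upload/backup.iso", "attributes": {"status": "no"}},
]

if __name__ == "__main__":
    for finding in filter_findings(FINDINGS_FILTER_POLICY, SAMPLE_FINDINGS):
        print(finding["key"], finding["attributes"]["status"])
```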

Option 2:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region
  3. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  4. At the top right, click on Update
  5. In the next step, just click Next
  6. Change the ReportCleanFiles parameter to false
  7. Click Next
  8. In the next step, just click Next
  9. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.
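The three console procedures above (raising AutoScalingMaxSize, changing InstanceType, and switching ReportCleanFiles to false) are the same stack update with a different parameter. The following added example, which is not part of the original FAQ or the S3 VirusScan project, performs that update through the CloudFormation API: it keeps every other parameter at its previous value, passes CAPABILITY_IAM (the API counterpart of the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox), and warns when you scale out on a t3/t3a instance type as the FAQ advises against. The SAMPLE_CURRENT parameter list is constructed; boto3 is only needed for the live update.

```python
from typing import Dict, List, Optional

Param = Dict[str, object]


def build_update_parameters(current: List[Param], overrides: Dict[str, str]) -> List[Param]:
    """Build the Parameters list for update-stack: set the overridden keys, keep the rest."""
    known = {p["ParameterKey"] for p in current}
    unknown = set(overrides) - known
    if unknown:  # a mistyped key would otherwise fail only inside the AWS call
        raise ValueError(f"unknown stack parameters: {sorted(unknown)}")
    params: List[Param] = []
    for p in current:
        key = p["ParameterKey"]
        if key in overrides:
            params.append({"ParameterKey": key, "ParameterValue": overrides[key]})
        else:
            params.append({"ParameterKey": key, "UsePreviousValue": True})
    return params


def scale_out_warning(current: List[Param], overrides: Dict[str, str]) -> Optional[str]:
    """Warn when AutoScalingMaxSize goes above 1 while the (effective) InstanceType is t3/t3a."""
    values = {p["ParameterKey"]: p.get("ParameterValue") for p in current}
    values.update(overrides)
    max_size = int(values.get("AutoScalingMaxSize", "1"))
    itype = str(values.get("InstanceType", ""))
    if max_size > 1 and (itype.startswith("t3.") or itype.startswith("t3a.")):
        return f"InstanceType {itype} is burstable; consider m5.*/m5a.* before scaling out"
    return None


def update_stack_parameters(stack_name: str, overrides: Dict[str, str]) -> str:
    """Apply `overrides` to the running stack with the previous template; returns the stack id."""
    import boto3  # assumption: boto3 is installed and AWS credentials/region are configured

    cfn = boto3.client("cloudformation")
    stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    current = stack.get("Parameters", [])
    warning = scale_out_warning(current, overrides)
    if warning:
        print("warning:", warning)
    resp = cfn.update_stack(
        StackName=stack_name,
        UsePreviousTemplate=True,
        Parameters=build_update_parameters(current, overrides),
        Capabilities=["CAPABILITY_IAM"],
    )
    cfn.get_waiter("stack_update_complete").wait(StackName=stack_name)
    return resp["StackId"]


# Constructed sample of the parameters describe_stacks returns for the stack discussed in this FAQ.
SAMPLE_CURRENT: List[Param] = [
    {"ParameterKey": "AutoScalingMinSize", "ParameterValue": "1"},
    {"ParameterKey": "AutoScalingMaxSize", "ParameterValue": "1"},
    {"ParameterKey": "InstanceType", "ParameterValue": "m5.large"},
    {"ParameterKey": "ReportCleanFiles", "ParameterValue": "true"},
]
```

A call such as update_stack_parameters("s3-virusscan", {"AutoScalingMaxSize": "3"}) is the API equivalent of the first procedure on this page.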

Does the solution work in cross-account / multi-account setups?

Yes. In a multi-account setup, you may want to run the S3 VirusScan solution in a single AWS account (account a) and scan buckets that live in accounts b and c.

We recommend running the S3 VirusScan solution in the same account as your S3 buckets to keep the configuration overhead to a minimum.

Add the following bucket policy statements to each S3 bucket in accounts b and c to allow S3 VirusScan from account a to access the buckets.

  • Replace ROLE_ARN with the ScanQueueArn output of the CloudFormation s3-virusscan stack from account a.
  • Replace BUCKET_NAME with the name of the S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VirusScanRequired1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    },
    {
      "Sid": "VirusScanRequired2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:GetObject*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "VirusScanOnlyIfYouDeleteInfectedFiles",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:DeleteObject*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "VirusScanOnlyIfYouTagFilesWithScanResult",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": [
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*",
      "Condition": {
        "ForAllValues:StringLike": {
          "s3:RequestObjectTagKeys": "s3-virusscan"
        }
      }
    }
  ]
}
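The following added example (not part of the original FAQ or the S3 VirusScan project) renders the bucket policy above from the two placeholders and includes the delete and tagging statements only when you actually use those features, so the scan role in account a gets no more than it needs. It also includes a small audit helper that lists what an existing bucket policy grants the scan role beyond that set. The role ARN and bucket name in the tests are constructed placeholders.

```python
from typing import Any, Dict, List, Tuple

# Actions the FAQ's policy grants the scan role, grouped by the feature that needs them.
REQUIRED_ACTIONS = {"s3:ListBucket*", "s3:GetObject*"}
OPTIONAL_ACTIONS = {
    "delete_infected": {"s3:DeleteObject*"},
    "tag_files": {"s3:PutObjectTagging", "s3:PutObjectVersionTagging"},
}


def build_virusscan_bucket_policy(role_arn: str, bucket_name: str, *,
                                  delete_infected: bool = False, tag_files: bool = False) -> Dict[str, Any]:
    """Render the FAQ's cross-account bucket policy with only the statements the enabled features need."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    who = {"AWS": role_arn}
    stmts: List[Dict[str, Any]] = [
        {"Sid": "VirusScanRequired1", "Effect": "Allow", "Principal": who,
         "Action": "s3:ListBucket*", "Resource": bucket_arn},
        {"Sid": "VirusScanRequired2", "Effect": "Allow", "Principal": who,
         "Action": "s3:GetObject*", "Resource": bucket_arn + "/*"},
    ]
    if delete_infected:
        stmts.append({"Sid": "VirusScanOnlyIfYouDeleteInfectedFiles", "Effect": "Allow", "Principal": who,
                      "Action": "s3:DeleteObject*", "Resource": bucket_arn + "/*"})
    if tag_files:
        stmts.append({"Sid": "VirusScanOnlyIfYouTagFilesWithScanResult", "Effect": "Allow", "Principal": who,
                      "Action": sorted(OPTIONAL_ACTIONS["tag_files"]), "Resource": bucket_arn + "/*",
                      # the condition limits the role to writing the s3-virusscan tag key only
                      "Condition": {"ForAllValues:StringLike": {"s3:RequestObjectTagKeys": "s3-virusscan"}}})
    return {"Version": "2012-10-17", "Statement": stmts}


def grants_to_principal(policy: Dict[str, Any], role_arn: str) -> List[Tuple[str, str]]:
    """Audit helper: every (Sid, action) an existing bucket policy allows to role_arn (or to everyone)."""
    out: List[Tuple[str, str]] = []
    for s in policy["Statement"]:
        principal = s.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if s.get("Effect") != "Allow" or aws not in (role_arn, [role_arn], "*"):
            continue
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        out.extend((s.get("Sid", "<no sid>"), a) for a in actions)
    return out


def excess_grants(policy: Dict[str, Any], role_arn: str, *,
                  delete_infected: bool = False, tag_files: bool = False) -> List[Tuple[str, str]]:
    """Grants to the scan role that go beyond what the enabled features need (empty list is the goal)."""
    allowed = set(REQUIRED_ACTIONS)
    if delete_infected:
        allowed |= OPTIONAL_ACTIONS["delete_infected"]
    if tag_files:
        allowed |= OPTIONAL_ACTIONS["tag_files"]
    return [(sid, a) for sid, a in grants_to_principal(policy, role_arn) if a not in allowed]
```

The rendered policy can be applied with boto3's s3 client put_bucket_policy(Bucket=..., Policy=json.dumps(policy)) from an identity in account b or c; run excess_grants against the policy you already have in place to spot statements left over from an earlier configuration.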

One special case needs to be taken into account when you configure the S3 Bucket Event Notification according to the Setup Guide: instead of selecting the SQS queue from the drop-down, select Add SQS queue ARN and enter the ScanQueueArn output of the CloudFormation s3-virusscan stack from account a.
