Antivirus for S3 buckets

Available in the AWS Marketplace

Are my files secure?

All files are scanned on EC2 instances (virtual machines) that run in your AWS account. All infrastructure that VirusScan for Amazon S3 requires runs in your AWS account. Only the virus database is fetched from remote servers provided by ClamAV®. We don't have access to your data and infrastructure!

What's the maximum file size supported?

The default file size limit is 8 GiB. You can increase this to up to 512 GiB by increasing the VolumeSize parameter. Keep in mind that you need larger instance types to scan files that are in the GB range. We recommend m5.xlarge or m5a.xlarge instance types.

My SQS scan queue contains many messages and/or is growing steadily. How can I increase the throughput of the system?

By default, the AutoScalingMinSize and AutoScalingMaxSize parameters are set to 1. Therefore, you will only have one worker running to scan files. If you increase AutoScalingMaxSize, the solution will scale out if the queue grows and scales in if the queue is empty. The defaults are low to protect your AWS bill.

If the InstanceType parameter is set to t3.* or t3a.*, you should consider changing to m5.* or m5a.* before you scale out by increasing AutoScalingMaxSize.

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the VirusScan for Amazon S3 stack (if you followed our docs, the name is s3-virusscan)
  5. At the top right, click on Update
  6. In the next step, just click Next
  7. Increase the AutoScalingMaxSize parameter
  8. Click Next
  9. In the next step, just click Next
  10. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

I already created an S3 Event Notification, how can I still use S3 VirusScan?

Requires version >= 1.4.

Each bucket can only have one S3 Event notification to inform about newly created files. If multiple systems are interested in this information, you need to follow a fan-out approach. Instead of configuring S3 to send events to SQS, you can create an SNS topic and configure S3 to publish events to the SNS topic. You can add as many subscribers to this topic as you wish. Each subscriber will get a copy of the events published from S3.

If you already have your SNS topic created, you can skip this step. Otherwise, create an SNS topic in the same AWS account and region as your S3 bucket.

  1. Visit the Amazon SNS Console
  2. Ensure that you are in the correct region.
  3. Navigate to Topics.
  4. Click on Create topic.
  5. Set a Name.
  6. Open the Access policy box and click on Advanced and enter the following policy:
  • Replace REGION with AWS Region (e.g., us-east-1; get the value from the top right).
  • Replace ACCOUNT_ID with your AWS account id.
  • Replace TOPIC_NAME with the name of the topic that you set before.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_NAME",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "ACCOUNT_ID"
        }
      }
    }
  ]
}

  7. Click on Create topic to save.
  8. In the AWS S3 Management Console, click on the bucket you want to connect to S3 VirusScan. Make sure the bucket's region matches the S3 VirusScan region.
  9. Click on the Properties tab.
  10. Scroll down to the Advanced Settings and click on Events.
  11. Click on Add notification.
  12. Set a Name (e.g., s3-virusscan), select the All objects create events, and set Send to SNS Topic. Select the SNS topic you created before. Click on Save.

To connect S3 VirusScan to your SNS topic:

  1. Visit the Amazon SNS Console
  2. Ensure that you are in the correct region.
  3. Navigate to Topics.
  4. Click on the SNS topic.
  5. Click on Create subscription.
  6. Set the Protocol to Amazon SQS.
  7. Set the Endpoint to:
    1. Visit the AWS CloudFormation Console
    2. Ensure that you are in the correct region.
    3. Navigate to Stacks.
    4. Click on the S3 VirusScan stack (if you followed our docs, the name is s3-virusscan)
    5. Click on the Outputs tab
    6. Use the value next to the output key ScanQueueArn
  8. Click on Create subscription to save.
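The fan-out setup above can also be scripted. The following is an added example written for this FAQ, not the project's own code: it creates the SNS topic with the publish policy from the page, adds an "all object create events" rule for the topic to the bucket's notification configuration without dropping rules the bucket already has, and subscribes the stack's ScanQueueArn output to the topic. The bucket name my-upload-bucket, the topic name s3-events and the stack name s3-virusscan are assumed placeholders.

```python
"""Fan-out wiring for S3 VirusScan via SNS (added example; not the project's own code).

Automates the three FAQ steps with boto3: create the SNS topic with the publish
policy, point the bucket's object-create notification at the topic, and
subscribe the stack's ScanQueueArn to the topic. Names such as my-upload-bucket,
s3-events and s3-virusscan are assumed placeholders.
"""
import json
from typing import List, Optional


def sns_topic_policy(region: str, account_id: str, topic_name: str) -> dict:
    """The topic policy from the FAQ: any principal may publish, but only when the
    publishing service (here S3) acts for this account, enforced by aws:SourceAccount."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "SNS:Publish",
            "Resource": f"arn:aws:sns:{region}:{account_id}:{topic_name}",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def s3_notification_config(topic_arn: str, existing: Optional[dict] = None) -> dict:
    """Build the NotificationConfiguration for put_bucket_notification_configuration.

    S3 replaces the whole configuration on every put, so every rule the bucket
    already has is kept (dropping them would silently disconnect other consumers)
    and exactly one rule sending all object-create events to the topic is added
    or refreshed.
    """
    config = {k: v for k, v in (existing or {}).items() if k != "ResponseMetadata"}
    topics = [t for t in config.get("TopicConfigurations", []) if t.get("TopicArn") != topic_arn]
    topics.append({"Id": "s3-virusscan", "TopicArn": topic_arn, "Events": ["s3:ObjectCreated:*"]})
    config["TopicConfigurations"] = topics
    return config


def scan_queue_arn_from_outputs(outputs: List[dict]) -> str:
    """Pick the ScanQueueArn output from a describe_stacks Outputs list."""
    for out in outputs:
        if out.get("OutputKey") == "ScanQueueArn":
            return out["OutputValue"]
    raise KeyError("stack has no ScanQueueArn output")


def setup_fanout(sns, s3, cfn, *, region: str, account_id: str, bucket: str,
                 topic_name: str, stack_name: str = "s3-virusscan") -> str:
    """Apply the three steps; sns, s3 and cfn are boto3 clients. Returns the topic ARN."""
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]  # returns the existing topic if present
    # The policy must be in place before S3 validates the notification target.
    sns.set_topic_attributes(
        TopicArn=topic_arn, AttributeName="Policy",
        AttributeValue=json.dumps(sns_topic_policy(region, account_id, topic_name)))
    current = s3.get_bucket_notification_configuration(Bucket=bucket)
    s3.put_bucket_notification_configuration(
        Bucket=bucket, NotificationConfiguration=s3_notification_config(topic_arn, current))
    outputs = cfn.describe_stacks(StackName=stack_name)["Stacks"][0].get("Outputs", [])
    sns.subscribe(TopicArn=topic_arn, Protocol="sqs",
                  Endpoint=scan_queue_arn_from_outputs(outputs))
    return topic_arn


if __name__ == "__main__":
    import boto3  # only needed to apply; the builder functions above run offline

    session = boto3.session.Session()
    account = session.client("sts").get_caller_identity()["Account"]
    print(setup_fanout(session.client("sns"), session.client("s3"),
                       session.client("cloudformation"), region=session.region_name,
                       account_id=account, bucket="my-upload-bucket", topic_name="s3-events"))
```

Run it with credentials for the account that owns the bucket and the stack; the bucket, topic and stack must be in the session's region. Re-running is safe: the topic is reused, the policy is overwritten with the same document, the notification rule is replaced rather than duplicated, and a repeated SQS subscription to the same endpoint returns the existing subscription.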

How can I change the instance type?

By default, the InstanceType parameter is set to m5.large. In small environments or development environments, you can reduce costs by switching to the t3 or t3a family.

Keep in mind that a larger instance is not the only option to increase the system's throughput. You can also increase the maximum number of instances scanning your files by increasing the AutoScalingMaxSize parameter!

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the VirusScan for Amazon S3 stack (if you followed our docs, the name is s3-virusscan)
  5. At the top right, click on Update
  6. In the next step, just click Next
  7. Change the InstanceType parameter
  8. Click Next
  9. In the next step, just click Next
  10. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

How can I receive an email for every infected file?

  1. Visit the Amazon SNS Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Topics.
  4. Search for the FindingsTopic and click on the found topic.
  5. Click on the Create Subscription button.


  1. Set Protocol to Email.
  2. Set Endpoint to your email address.
  3. Set Subscription filter policy to:
    {"status": ["infected", "no"]}
  4. Click on the Create subscription button to save.

You will receive an email (AWS Notification - Subscription Confirmation) with a confirmation link that you have to visit.

If the volume of emails is too high, consider: How can I receive an email if infected files are found?

How can I receive an email if infected files are found?

Sometimes, it is enough to be notified if infected files are found without sending an email for every infected file. Our Alarm Add-On helps you with the setup.

How can I quarantine infected files?

You can move infected files into a quarantine bucket with our Quarantine infected files Add-On.

How can I scan files before users can download them?

The easiest way to ensure that users can only download clean files is to use two buckets: one for uploads and one for downloads. Our Move Clean Files Add-On moves files once they are scanned.


The other, more challenging approach is a bucket policy that only allows public downloads of files tagged with s3-virusscan=clean.

  • Replace BUCKET_NAME with the name of the S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VirusScanAllowClean",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/s3-virusscan": "clean"
        }
      }
    }
  ]
}

How can I keep infected files?

By default, infected files are deleted. You can keep and tag them as infected if you want.

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the VirusScan for Amazon S3 stack (if you followed our docs, the name is s3-virusscan)
  5. At the top right, click on Update
  6. In the next step, just click Next
  7. Set the DeleteInfectedFiles parameter to false
  8. Click Next
  9. In the next step, just click Next
  10. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

Which version am I using?

To find out the running version of VirusScan for Amazon S3:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the VirusScan for Amazon S3 stack (if you followed our docs, the name is s3-virusscan)
  5. Click on the Outputs tab
  6. Check the value next to the output key Version

What's my configuration?

To find out the configuration of VirusScan for Amazon S3:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the VirusScan for Amazon S3 stack (if you followed our docs, the name is s3-virusscan)
  5. Click on the Parameters tab

Now, you can see the parameters and values that are used.

How can I edit configuration?

To edit the configuration of VirusScan for Amazon S3:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the VirusScan for Amazon S3 stack (if you followed our docs, the name is s3-virusscan)
  5. At the top right, click on Update
  6. In the next step, just click Next
  7. Now, you can change the configuration parameters.
  8. Click Next
  9. In the next step, just click Next
  10. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

It can take up to two minutes to deploy new configuration values!

How can I receive SNS messages for infected files only?

By default, the ReportCleanFiles parameter is set to true. If you subscribe to the findings SNS topic, you will receive messages for status: infected, clean, and no.

Option 1 (recommended):
In your SNS subscription, add a subscription filter policy so that you only receive messages whose status attribute is infected (you might also want no, which means the scan was skipped, e.g., because the file was too big).

{"status": ["infected", "no"]}

Option 2:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the VirusScan for Amazon S3 stack (if you followed our docs, the name is s3-virusscan)
  5. At the top right, click on Update
  6. In the next step, just click Next
  7. Change the ReportCleanFiles parameter to false
  8. Click Next
  9. In the next step, just click Next
  10. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.
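The console walkthroughs for AutoScalingMaxSize, InstanceType, DeleteInfectedFiles, ReportCleanFiles and the generic "How can I edit configuration?" entry are all the same stack update with one parameter changed. The following is an added example, not the project's own code, that performs that update with boto3 and keeps every untouched parameter on UsePreviousValue. The two sanity checks only encode advice from this page (the maximum size must not drop below the minimum, and t3/t3a instances are not recommended when scaling out); the names check_overrides and update_parameters are this example's own, and the stack name s3-virusscan is the one the docs assume.

```python
"""Parameter-only update of the s3-virusscan stack (added example; not the project's code).

Replaces the repeated console procedure on this page: the changed parameters get
new values, every other parameter is sent with UsePreviousValue, and the update
is acknowledged with CAPABILITY_IAM (the console's "I acknowledge ..." checkbox).
"""
from typing import Dict, List, Tuple

BOOL_PARAMS = {"DeleteInfectedFiles", "ReportCleanFiles"}
BURSTABLE_FAMILIES = ("t3.", "t3a.")  # the FAQ advises m5.* / m5a.* before scaling out


def update_parameters(current: List[dict], overrides: Dict[str, str]) -> List[dict]:
    """Parameters list for update_stack: new values for overridden keys, UsePreviousValue for the rest.

    Sending only the changed key is not enough: a parameter omitted from an update
    falls back to its template default, so a change to AutoScalingMaxSize could
    silently undo an earlier InstanceType or DeleteInfectedFiles change.
    """
    known = {p["ParameterKey"] for p in current}
    unknown = sorted(set(overrides) - known)
    if unknown:
        raise KeyError(f"not parameters of this stack: {unknown}")
    return [
        {"ParameterKey": p["ParameterKey"], "ParameterValue": overrides[p["ParameterKey"]]}
        if p["ParameterKey"] in overrides
        else {"ParameterKey": p["ParameterKey"], "UsePreviousValue": True}
        for p in current
    ]


def check_overrides(current: List[dict], overrides: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the parameter set that would result from the override."""
    effective = {p["ParameterKey"]: p.get("ParameterValue", "") for p in current}
    effective.update(overrides)
    errors, warnings = [], []
    for key in ("AutoScalingMinSize", "AutoScalingMaxSize"):
        if key in effective and not effective[key].isdigit():
            errors.append(f"{key} must be a non-negative integer, got {effective[key]!r}")
    for key in sorted(BOOL_PARAMS & set(effective)):
        if effective[key] not in ("true", "false"):
            errors.append(f"{key} must be 'true' or 'false', got {effective[key]!r}")
    if not errors and {"AutoScalingMinSize", "AutoScalingMaxSize"} <= set(effective):
        lo, hi = int(effective["AutoScalingMinSize"]), int(effective["AutoScalingMaxSize"])
        if hi < lo:
            errors.append(f"AutoScalingMaxSize ({hi}) is below AutoScalingMinSize ({lo})")
        elif hi > 1 and effective.get("InstanceType", "").startswith(BURSTABLE_FAMILIES):
            warnings.append(f"scaling out to {hi} workers on {effective['InstanceType']}; "
                            "the FAQ recommends m5.* or m5a.* before increasing AutoScalingMaxSize")
    return errors, warnings


def apply(cfn, stack_name: str, overrides: Dict[str, str], wait: bool = True) -> List[dict]:
    """Validate, update the stack in place and (optionally) wait for UPDATE_COMPLETE."""
    current = cfn.describe_stacks(StackName=stack_name)["Stacks"][0].get("Parameters", [])
    errors, warnings = check_overrides(current, overrides)
    if errors:
        raise ValueError("; ".join(errors))
    for warning in warnings:
        print("warning:", warning)
    params = update_parameters(current, overrides)
    cfn.update_stack(StackName=stack_name, UsePreviousTemplate=True,
                     Parameters=params, Capabilities=["CAPABILITY_IAM"])
    if wait:  # the FAQ notes that new values take up to two minutes to deploy
        cfn.get_waiter("stack_update_complete").wait(StackName=stack_name)
    return params


if __name__ == "__main__":
    import boto3  # only needed to apply; the functions above run offline

    apply(boto3.client("cloudformation"), "s3-virusscan", {"AutoScalingMaxSize": "4"})
```

Run it in the region where the stack lives. If no parameter actually changes, CloudFormation rejects the call with "No updates are to be performed", which is expected and harmless.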

Does the solution work in cross / Multi-Account setups?

Yes. In a multi-account setup, you can run the VirusScan for Amazon S3 solution in a single AWS account (account a) and scan buckets that live in accounts b and c.

We recommend running the VirusScan for Amazon S3 solution in the same account as your S3 buckets to keep the configuration overhead to a minimum.

Whitelist accounts b and c by modifying the AWSAccountRestriction parameter in your s3-virusscan stack in account a.
Add the following bucket policy statements to each S3 bucket in accounts b and c to allow S3 VirusScan from account a to access the buckets.

  • Replace ROLE_ARN with the ScanQueueArn output of the CloudFormation s3-virusscan stack from account a.
  • Replace BUCKET_NAME with the name of the S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VirusScanRequired1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    },
    {
      "Sid": "VirusScanRequired2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:GetObject*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "VirusScanOnlyIfYouDeleteInfectedFiles",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:DeleteObject*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "VirusScanOnlyIfYouTagFilesWithScanResult",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": [
        "s3:GetObjectTagging",
        "s3:GetObjectVersionTagging",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    }
  ]
}

One special case needs to be taken into account when you configure the S3 Bucket Event Notification according to the Setup Guide: instead of selecting the SQS queue from the drop-down, select Add SQS queue ARN and enter the ScanQueueArn output of the CloudFormation s3-virusscan stack from account a.
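Both bucket policies on this page, the clean-only download policy from "How can I scan files before users can download them?" and the cross-account policy above, are easy to hand-edit wrongly. The following is an added example written for this FAQ, not the project's own code: it builds both documents from the bucket name and role ARN, includes the two "OnlyIfYou..." statements only when asked for, merges statements into an existing bucket policy by Sid so the script can be re-run, and evaluates locally what the clean-only condition decides for a given object tag set. The switches delete_infected and tag_results are this example's own names, not stack parameters.

```python
"""Bucket policy builders for S3 VirusScan (added example; not the project's code).

Covers the two policies on this page: public downloads only for objects tagged
s3-virusscan=clean, and the cross-account policy that lets the scanner in
account a read (and optionally delete or tag) objects in a bucket owned by
account b or c. delete_infected / tag_results mirror the "OnlyIfYou..." Sids.
"""
import json
from typing import Dict, List


def _allow(sid: str, principal, action, resource: str, condition: dict = None) -> dict:
    statement = {"Sid": sid, "Effect": "Allow", "Principal": principal,
                 "Action": action, "Resource": resource}
    if condition:
        statement["Condition"] = condition
    return statement


def clean_only_download_policy(bucket: str) -> dict:
    """FAQ policy: anyone may GetObject, but only if the object already carries the
    tag s3-virusscan=clean. Objects that were never scanned have no such tag."""
    return {"Version": "2012-10-17", "Statement": [
        _allow("VirusScanAllowClean", "*", "s3:GetObject*", f"arn:aws:s3:::{bucket}/*",
               {"StringEquals": {"s3:ExistingObjectTag/s3-virusscan": "clean"}})]}


def object_is_publicly_downloadable(tags: Dict[str, str]) -> bool:
    """What the clean-only policy decides for one object, given its tag set."""
    return tags.get("s3-virusscan") == "clean"


def cross_account_scan_policy(bucket: str, role_arn: str, *,
                              delete_infected: bool, tag_results: bool) -> dict:
    """FAQ cross-account statements. List and Get are always required; Delete only
    if the stack deletes infected files; tagging only if scan results are tagged."""
    principal = {"AWS": role_arn}
    objects = f"arn:aws:s3:::{bucket}/*"
    statements = [
        _allow("VirusScanRequired1", principal, "s3:ListBucket*", f"arn:aws:s3:::{bucket}"),
        _allow("VirusScanRequired2", principal, "s3:GetObject*", objects),
    ]
    if delete_infected:
        statements.append(_allow("VirusScanOnlyIfYouDeleteInfectedFiles", principal,
                                 "s3:DeleteObject*", objects))
    if tag_results:
        statements.append(_allow("VirusScanOnlyIfYouTagFilesWithScanResult", principal,
                                 ["s3:GetObjectTagging", "s3:GetObjectVersionTagging",
                                  "s3:PutObjectTagging", "s3:PutObjectVersionTagging"], objects))
    return {"Version": "2012-10-17", "Statement": statements}


def merge_statements(existing: dict, new_statements: List[dict]) -> dict:
    """Add statements to a policy, replacing any existing statement with the same Sid
    (so re-running is idempotent) and leaving unrelated statements untouched."""
    replaced = {s["Sid"] for s in new_statements if "Sid" in s}
    kept = [s for s in existing.get("Statement", []) if s.get("Sid") not in replaced]
    return {"Version": "2012-10-17", "Statement": kept + list(new_statements)}


def apply_statements(s3, bucket: str, new_statements: List[dict]) -> dict:
    """Merge the statements into the bucket's current policy (or create one) via boto3."""
    from botocore.exceptions import ClientError  # boto3 is only needed when applying
    try:
        existing = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        existing = {}
    merged = merge_statements(existing, new_statements)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(merged))
    return merged


if __name__ == "__main__":
    import boto3

    # Placeholders: the scanner role ARN comes from the stack in account a.
    policy = cross_account_scan_policy("example-bucket-in-account-b", "ROLE_ARN",
                                       delete_infected=True, tag_results=True)
    apply_statements(boto3.client("s3"), "example-bucket-in-account-b", policy["Statement"])
```

Merging by Sid rather than overwriting the whole policy matters in practice: buckets usually already carry statements for other consumers (a CDN origin, log delivery), and a blind put_bucket_policy would remove them.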

How can I be notified if a new release becomes available?

You can subscribe to our Atom release feed.

What's the SNS message format for findings?

Scan results are published to the FindingsTopic. The topic name is prefixed by the CloudFormation stack name you defined during setup (if you followed our docs, the prefix is s3-virusscan).

The following message attributes are part of every message:

  • bucket: The bucket name (string)
  • key: The object key (string)
  • version: The object version if versioning is turned on (string, optional)
  • status: The scan result (string: clean, infected, no)
  • action: The action that was taken (string: delete, tag, no)
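The attribute list above is what a subscriber sees in the MessageAttributes of each notification, and it is also what the subscription filter policy {"status": ["infected", "no"]} from "How can I receive SNS messages for infected files only?" matches against. The following is an added example, not the project's own code: it parses the attributes into a typed Finding, models the exact-string subset of SNS filter-policy semantics that this policy uses, and applies the filter locally to a set of constructed sample messages (bucket, keys and version id are placeholders). Such a local filter is useful for replaying a backlog from the queue or for unit-testing a consumer.

```python
"""Consuming FindingsTopic messages (added example; not the project's code).

Models the message-attribute layout documented on this page, the subscription
filter policy from the FAQ, and a parser to a typed Finding. The sample messages
are constructed for this example; bucket, keys and version id are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

STATUSES = {"clean", "infected", "no"}   # "no" means the scan was skipped
ACTIONS = {"delete", "tag", "no"}
FILTER_INFECTED_AND_SKIPPED = {"status": ["infected", "no"]}  # the FAQ's filter policy


@dataclass(frozen=True)
class Finding:
    bucket: str
    key: str
    status: str             # clean | infected | no
    action: str             # delete | tag | no
    version: Optional[str]  # only present when the bucket is versioned


def _attr(attributes: Dict[str, dict], name: str) -> Optional[str]:
    entry = attributes.get(name)
    return None if entry is None else entry.get("Value")


def parse_finding(attributes: Dict[str, dict]) -> Finding:
    """Turn SNS MessageAttributes ({name: {"Type": ..., "Value": ...}}) into a Finding,
    rejecting messages that lack a required attribute or carry an unknown status/action."""
    bucket, key = _attr(attributes, "bucket"), _attr(attributes, "key")
    status, action = _attr(attributes, "status"), _attr(attributes, "action")
    if None in (bucket, key, status, action):
        raise ValueError("finding lacks one of bucket/key/status/action")
    if status not in STATUSES or action not in ACTIONS:
        raise ValueError(f"unexpected status/action {status!r}/{action!r}")
    return Finding(bucket, key, status, action, _attr(attributes, "version"))


def matches_filter_policy(policy: Dict[str, List[str]], attributes: Dict[str, dict]) -> bool:
    """Exact-string subset of SNS filter-policy semantics, enough for the FAQ policy:
    every key in the policy must exist as a String attribute with one of the listed values.
    A missing attribute never matches, so a message of unexpected shape is dropped, not passed."""
    for name, allowed in policy.items():
        entry = attributes.get(name)
        if entry is None or entry.get("Type") != "String" or entry.get("Value") not in allowed:
            return False
    return True


def select_findings(messages: List[dict], policy: Dict[str, List[str]]) -> List[Finding]:
    """Apply the filter locally (e.g. when replaying a backlog) and parse what passes."""
    return [parse_finding(m["MessageAttributes"]) for m in messages
            if matches_filter_policy(policy, m["MessageAttributes"])]


def _message(**attrs: str) -> dict:
    """Constructed SNS notification envelope carrying String attributes only."""
    return {"Type": "Notification", "Message": "",
            "MessageAttributes": {k: {"Type": "String", "Value": v} for k, v in attrs.items()}}


SAMPLE_MESSAGES = [  # constructed for this example
    _message(bucket="example-uploads", key="report.pdf", status="clean", action="tag"),
    _message(bucket="example-uploads", key="invoice.exe", status="infected", action="delete"),
    _message(bucket="example-uploads", key="backup.tar", status="no", action="no",
             version="example-version-id"),
]

if __name__ == "__main__":
    for finding in select_findings(SAMPLE_MESSAGES, FILTER_INFECTED_AND_SKIPPED):
        print(finding)
```

With the FAQ's policy the clean report.pdf message is dropped and the infected and skipped ones pass, which is exactly the set worth alerting on. The strict parse_finding is deliberate: a consumer that quarantines or deletes based on these attributes should refuse a message it does not fully understand rather than act on a partial one.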

Known issues

RAR files are not supported and not flagged as infected.
