Antivirus for S3 buckets

Available in the AWS Marketplace

FAQ

Receive SNS messages for infected files only

By default, the ReportCleanFiles parameter is set to true. If you subscribe to the findings SNS topic, you will therefore receive messages for all three status values: infected, clean, and no.

Option 1 (recommended):
In your SNS subscription, add a subscription filter policy so that you only receive messages whose status attribute is infected. You may also want to receive messages with status no, which means the scan was skipped (for example because the file was too big):

{"status": ["infected", "no"]}

Option 2:

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region
  3. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  4. At the top right, click on Update
  5. In the next step, just click Next
  6. Change the ReportCleanFiles parameter to false
  7. Click Next
  8. In the next step, just click Next
  9. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

SQS scan queue contains many messages and/or is growing steadily

By default, the AutoScalingMinSize and AutoScalingMaxSize parameters are set to 1. Therefore, you will only have one worker running to scan files. If you increase AutoScalingMaxSize, the solution will scale out if the queue grows and scales in if the queue is empty. The defaults are low to protect your AWS bill.

  1. Visit the AWS CloudFormation Console
  2. Ensure that you are in the correct region
  3. Click on the S3 VirusScan stack (if you followed our docs the name is s3-virusscan)
  4. At the top right, click on Update
  5. In the next step, just click Next
  6. Increase the AutoScalingMaxSize parameter
  7. Click Next
  8. In the next step, just click Next
  9. At the bottom, check "I acknowledge that AWS CloudFormation might create IAM resources." and click Update Stack.

Cross / Multi-Account setups

If you have a multi-account setup, you might want to run the S3 VirusScan solution in a single AWS account (account a) while scanning buckets that are created in accounts b and c.

We recommend running the S3 VirusScan solution in the same account as your S3 buckets to keep the configuration overhead to a minimum.

Add the following bucket policy statements to each S3 bucket in accounts b and c to allow S3 VirusScan from account a to access the buckets.

  • Replace ROLE_ARN with the ScanQueueArn output of the CloudFormation s3-virusscan stack from account a.
  • Replace BUCKET_NAME with the name of the S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VirusScanRequired1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    },
    {
      "Sid": "VirusScanRequired2",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:GetObject*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "VirusScanOnlyIfYouDeleteInfectedFiles",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:DeleteObject*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "VirusScanOnlyIfYouTagFilesWithScanResult",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": [
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*",
      "Condition": {
        "ForAllValues:StringLike": {
          "s3:RequestObjectTagKeys": "s3-virusscan"
        }
      }
    }
  ]
}
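As an added example (not part of this FAQ or the S3 VirusScan project), the following Python renders the policy above for one bucket and checks a rendered policy before you attach it: the two optional statements are only emitted when you actually delete infected files or tag files with the scan result, and the checker flags leftover placeholders, actions the scanner does not need, and a tagging grant that lacks the s3-virusscan tag-key condition. The role ARN and bucket name are constructed sample values.

```python
import json

# Every action the FAQ's bucket policy grants; anything else is a finding.
ALLOWED_ACTIONS = {"s3:ListBucket*", "s3:GetObject*", "s3:DeleteObject*",
                   "s3:PutObjectTagging", "s3:PutObjectVersionTagging"}


def build_scan_bucket_policy(role_arn, bucket, delete_infected=False, tag_results=False):
    """Render the FAQ's cross-account bucket policy for one bucket.

    The delete and tagging statements are emitted only when the matching
    S3 VirusScan behaviour is enabled, so account a never holds rights it does not use.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    principal = {"AWS": role_arn}
    statements = [
        {"Sid": "VirusScanRequired1", "Effect": "Allow", "Principal": principal,
         "Action": "s3:ListBucket*", "Resource": bucket_arn},
        {"Sid": "VirusScanRequired2", "Effect": "Allow", "Principal": principal,
         "Action": "s3:GetObject*", "Resource": f"{bucket_arn}/*"},
    ]
    if delete_infected:
        statements.append({"Sid": "VirusScanOnlyIfYouDeleteInfectedFiles", "Effect": "Allow",
                           "Principal": principal, "Action": "s3:DeleteObject*",
                           "Resource": f"{bucket_arn}/*"})
    if tag_results:
        statements.append({"Sid": "VirusScanOnlyIfYouTagFilesWithScanResult", "Effect": "Allow",
                           "Principal": principal,
                           "Action": ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
                           "Resource": f"{bucket_arn}/*",
                           # Only the scanner's own tag key may be written.
                           "Condition": {"ForAllValues:StringLike":
                                         {"s3:RequestObjectTagKeys": "s3-virusscan"}}})
    return {"Version": "2012-10-17", "Statement": statements}


def check_scan_bucket_policy(policy, role_arn):
    """Return a list of findings for a rendered policy; an empty list means it looks as expected."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Principal") != {"AWS": role_arn}:
            findings.append(f"{stmt['Sid']}: unexpected principal {stmt.get('Principal')}")
        for action in actions:
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{stmt['Sid']}: action {action} is not needed by S3 VirusScan")
        if any(a.startswith("s3:PutObject") for a in actions) and "Condition" not in stmt:
            findings.append(f"{stmt['Sid']}: tagging grant is not restricted to the s3-virusscan tag key")
    rendered = json.dumps(policy)
    for placeholder in ("ROLE_ARN", "BUCKET_NAME"):
        if placeholder in rendered:
            findings.append(f"placeholder {placeholder} was not replaced")
    return findings
```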

One detail needs to be taken into account when you configure the S3 Bucket Event Notification according to the Setup Guide. Instead of selecting the SQS queue from the drop-down, select Add SQS queue ARN and enter the ScanQueueArn output of the CloudFormation s3-virusscan stack from account a.

Need help? Send us an email