Quarantine infected files Add-On
This add-on moves infected files into a quarantine bucket for further investigation.
The DeleteInfectedFiles parameter of the bucketAV stack must be set to false (defaults to true). Learn how to configure bucketAV.
Table of Contents
Setup
- Set the Stack name to
bucketav-quarantine. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed our docs, the name is
bucketav, ors3-virusscanfor older installations). - Set the QuarantineBucketName parameter to an existing S3 bucket where quarantined files are stored.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
Quarantine bucket in different AWS Account
If you have a multi-account setup, you might run the bucketAV in AWS account a while your quarantine bucket is created in AWS account b.
Add the following bucket policy statements to your quarantine S3 bucket in account b to grant bucketAV from account a access.
- Replace
ROLE_ARNwith the QuarantineRoleArn output of the CloudFormationbucketav-quarantinestack from account a. - Replace
BUCKET_NAMEwith the name of the quarantine S3 bucket from account b.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "bucketAVRequired1",
"Effect": "Allow",
"Principal": {
"AWS": "ROLE_ARN"
},
"Action": "s3:ListBucket*",
"Resource": "arn:aws:s3:::BUCKET_NAME"
}, {
"Sid": "bucketAVRequired2",
"Effect": "Allow",
"Principal": {
"AWS": "ROLE_ARN"
},
"Action": "s3:PutObject*",
"Resource": "arn:aws:s3:::BUCKET_NAME/*"
}]
}
Source bucket in different AWS Account
If you have a multi-account setup, you might run the bucketAV in AWS account a while the source bucket is created in AWS account b.
Add the following bucket policy statements to your source S3 bucket in account b to grant bucketAV from account a access.
- Replace
ROLE_ARNwith the QuarantineRoleArn output of the CloudFormationbucketav-quarantinestack from account a. - Replace
BUCKET_NAMEwith the name of the source S3 bucket from account b.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "ROLE_ARN"
},
"Action": "s3:ListBucket*",
"Resource": "arn:aws:s3:::BUCKET_NAME"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "ROLE_ARN"
},
"Action": [
"s3:GetObject*",
"s3:DeleteObject*"
],
"Resource": "arn:aws:s3:::BUCKET_NAME/*"
}
]
}
When using KMS to encrypt the S3 bucket or objects, please note that a customer-managed KMS key is necessary for cross-account access. Use a KMS key policy and the add-on parameter
KMSKeyRestrictionto control access.
Update
- To update this add-on to version v2.4.0, go to the AWS CloudFormation Management Console .
- Double-check the region at the top right.
- Search for
bucketav-quarantine(ors3-virusscan-quarantinefor older installations), otherwise search for the name you specified. - Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.4.0/bucketav-add-on-quarantine.yamlCopy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- SNS Subscription to connect to the Findings Topic.
- Lambda Function to move the infected files into the quarantine S3 bucket.
- CloudWatch Alarms to monitor the used AWS services.
Limitations
- If you set
QuarantineUnscannableFilestotrue, only files up to 5 GB are moved.