What's new? 2025-04 - ISO 27001 - Run Lambda in VPC

We are shipping new versions of all bucketAV product variants as well as for almost all the add-ons this month. We highly encourage you to follow our update guide to roll out the latest versions.

What’s new? 2025-04

ISO 27001 certification

We monitor and improve our security posture continuously. We are thrilled to announce that we have achieved ISO 27001 certification, proving that we have implemented a robust information security management system (ISMS).

  • Check for and fix vulnerabilities in the software artifacts that we ship to our customers.
  • Monitor the security posture of our infrastructure and fix vulnerabilities in a timely manner.
  • Implement a security incident response process and train to handle security incidents.
  • Review who has access to our infrastructure and ensure that access is granted only to those who need it regularly.
  • Ensure endpoint security on all devices used by our employees and contractors.

For more details, please visit our trust center.

Outbound port 80 no longer required

Previously, bucketAV required outbound access to port 80 because Amazon Linux 2 used HTTP to download packages. With the switch to Amazon Linux 2023, this is no longer required, so we are removing the requirement for outbound access on TCP port 80. If you are using the fulfillment option Dedicated public VPC or Dedicated private VPC, the security group rules and Network Access Control Lists (NACLs) will be updated automatically when updating to the latest version of bucketAV. For those using the Existing VPC option, only the security group rules will be updated automatically. Don’t forget to update NACLs and the rest of your networking configuration manually.
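For the Existing VPC option, one way to find NACL entries that still allow outbound TCP port 80 is to scan the JSON returned by `aws ec2 describe-network-acls`. This is an added example, not bucketAV's own tooling; the function name, the "dedicated"/"broad" labels and the sample ACL IDs are constructed for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-network-acls` output.
SAMPLE = json.loads("""
{"NetworkAcls": [
 {"NetworkAclId": "acl-0example1", "Entries": [
  {"RuleNumber": 100, "Egress": true, "Protocol": "6", "RuleAction": "allow",
   "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
  {"RuleNumber": 110, "Egress": true, "Protocol": "6", "RuleAction": "allow",
   "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
  {"RuleNumber": 120, "Egress": false, "Protocol": "6", "RuleAction": "allow",
   "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
  {"RuleNumber": 32767, "Egress": true, "Protocol": "-1", "RuleAction": "deny",
   "CidrBlock": "0.0.0.0/0"}]},
 {"NetworkAclId": "acl-0example2", "Entries": [
  {"RuleNumber": 105, "Egress": true, "Protocol": "6", "RuleAction": "allow",
   "Ipv6CidrBlock": "::/0", "PortRange": {"From": 80, "To": 80}},
  {"RuleNumber": 100, "Egress": true, "Protocol": "-1", "RuleAction": "allow",
   "CidrBlock": "0.0.0.0/0"},
  {"RuleNumber": 90, "Egress": true, "Protocol": "17", "RuleAction": "allow",
   "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}}]}
]}
""")

def egress_port80_rules(doc, port=80):
    """Return (acl_id, rule_number, kind, cidr) per egress allow entry covering TCP `port`."""
    findings = []
    for acl in doc.get("NetworkAcls", []):
        for e in sorted(acl.get("Entries", []), key=lambda e: e["RuleNumber"]):
            if not e.get("Egress") or e.get("RuleAction") != "allow":
                continue  # inbound and deny entries are out of scope
            proto = e.get("Protocol")
            if proto not in ("6", "-1"):  # "6" = TCP, "-1" = all protocols
                continue
            rng = e.get("PortRange")
            # Protocol -1 (and entries without a PortRange) cover every port.
            lo, hi = (0, 65535) if proto == "-1" or rng is None else (rng["From"], rng["To"])
            if not lo <= port <= hi:
                continue
            # "dedicated": allows only this port; "broad": port sits inside a wider range.
            kind = "dedicated" if (lo, hi) == (port, port) else "broad"
            cidr = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
            findings.append((acl["NetworkAclId"], e["RuleNumber"], kind, cidr))
    return findings

if __name__ == "__main__":
    for finding in egress_port80_rules(SAMPLE):
        print(*finding)
```

Review each "dedicated" finding before deleting it, since other workloads in the same subnets may still rely on outbound HTTP.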

Run Lambda in VPC

The core of bucketAV that scans files from S3 or R2 runs on EC2 instances within a VPC. However, for some additional features, we use Lambda functions. By default, a Lambda function runs in a network managed by AWS, with unrestricted access to the Internet and therefore all AWS APIs.

bucketAV uses Lambda functions with unrestricted Internet access by default.

However, in highly regulated environments, it is necessary to run Lambda functions in a VPC as well. We are happy to announce that it is now possible to run all Lambda functions deployed by bucketAV in a VPC.

Now, bucketAV lets you configure Lambda functions to run in a VPC.

Running Lambda functions in a VPC is only possible when using the fulfillment option Existing VPC (see network topology). Use the configuration parameter LambdaSubnets to configure the subnets for the Lambda functions. Ensure that the subnets have access to the endpoints specified in the Existing VPC Network Guide.

Remember that many add-ons use Lambda functions as well. Therefore, we added the configuration parameters LambdaVpc and LambdaSubnets to the add-ons too. Please note that each add-on requires access to AWS API endpoints, so be sure to check the documentation for each add-on.

Feedback

Do you have any questions? Are you missing any features? Please let us know! hello@bucketav.com


Published on April 17, 2025 | Written by Andreas
