Delete infected files

An Add-On implements the delete action. By default, the Add-On deletes all infected files. You can exclude files from deletion based on the finding (e.g., potentially unwanted applications) via the IgnoreFindings configuration parameter, or based on the object key via the IgnoreObjectsExpression configuration parameter.

If the infected S3 object is versioned, the object version is deleted, not the object itself. In other words, no delete marker is added.

Before bucketAV v3.5.0, deleting infected files was implemented by the bucketAV stack itself, controlled by the DeleteInfectedFiles configuration parameter (default true). The parameter is deprecated and defaults to false since v3.5.0. To migrate an existing installation, deploy this Add-On first, and set the DeleteInfectedFiles configuration parameter to false afterwards.

Do not combine this Add-On with the Quarantine infected files Add-On for the same source buckets. Both Add-Ons react to infected files.

Setup

The DeleteInfectedFiles configuration parameter of the bucketAV stack must be set to false (the default since bucketAV v3.5.0).

(requires a running bucketAV installation)

  1. Set the Stack name to bucketav-delete-infected.
  2. Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
  3. Select I acknowledge that AWS CloudFormation might create IAM resources.
  4. Click on the Create stack button to save.

The DeleteInfectedFiles configuration parameter of the bucketAV stack must be set to false (the default since bucketAV v3.5.0).

(requires a running bucketAV installation)

  1. Set the Stack name to bucketav-delete-infected.
  2. Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
  3. Select I acknowledge that AWS CloudFormation might create IAM resources.
  4. Click on the Create stack button to save.

Multi-account setup

This plugin supports a multi-account setup.

In case you are using the recommended IAM role-based access, the add-on works out of the box across AWS accounts.

In case you are using S3 bucket-policy-based access, the add-on requires a bucket policy on the source bucket. See S3 bucket-policy-based access for add-ons.

Not available. Please contact us if you have a use case for it!

CloudFormation snippet

# [...]
Resources:
  # [...]
  DeleteInfected:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
      TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/delete-infected/v1.0.0/bucketav-add-on-delete-infected.yaml'
# [...]
Resources:
  # [...]
  DeleteInfected:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
      TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/delete-infected/cloudflare/v1.0.0/bucketav-add-on-delete-infected-cloudflare.yaml'

Terraform snippet

resource "aws_cloudformation_stack" "bucketav_add_on_delete_infected" {
  name         = "bucketav-delete-infected"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/delete-infected/v1.0.0/bucketav-add-on-delete-infected.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
  }
}
resource "aws_cloudformation_stack" "bucketav_add_on_delete_infected" {
  name         = "bucketav-delete-infected"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/delete-infected/cloudflare/v1.0.0/bucketav-add-on-delete-infected-cloudflare.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
  }
}

Update

Which version am I using?

  1. To update this Add-On to version v1.0.0, go to the AWS CloudFormation Management Console.
  2. Double-check the region at the top right.
  3. Search for bucketav-delete-infected, otherwise search for the name you specified.
  4. Select the stack and press the Update stack button; press Make a direct update.
  5. Select Replace existing template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/delete-infected/v1.0.0/bucketav-add-on-delete-infected.yaml Copy
  6. Click on Next.
  7. Scroll to the bottom of the page and click on Next.
  8. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Next.
  9. Scroll to the bottom of the page and click on Submit.
  10. While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
  11. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
  1. To update this Add-On to version v1.0.0, go to the AWS CloudFormation Management Console.
  2. Double-check the region at the top right.
  3. Search for bucketav-delete-infected, otherwise search for the name you specified.
  4. Select the stack and press the Update stack button; press Make a direct update.
  5. Select Replace existing template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/delete-infected/cloudflare/v1.0.0/bucketav-add-on-delete-infected-cloudflare.yaml Copy
  6. Click on Next.
  7. Scroll to the bottom of the page and click on Next.
  8. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Next.
  9. Scroll to the bottom of the page and click on Submit.
  10. While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
  11. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.

Architecture

The following AWS services are used:

  • SNS Subscription to connect to the Findings Topic.
  • Lambda Function to delete the infected files.
  • CloudWatch Alarms to monitor the used AWS services.
  • CloudWatch Logs to store logs.

Run Lambda in a VPC

By default, the add-on deploys Lambda functions with access to the Internet. In case you want to deploy the Lambda functions into a VPC, configure the LambdaVpc and LambdaSubnets parameters.

The add-on requires access to the following endpoints (replace REGION with the AWS region like eu-west-1):

https://s3.REGION.amazonaws.com
https://ssm.REGION.amazonaws.com (only if AWS account connections are used or when scanning Cloudflare R2 buckets)
https://dynamodb.REGION.amazonaws.com (only if AWS account connections are used)
https://secretsmanager.REGION.amazonaws.com (only when scanning Cloudflare R2 buckets)

Ensure that the subnets configured in the LambdaSubnets parameter have access to these endpoints via a NAT Gateway or VPC Endpoints.

Release Notes

Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.

v1.0.0

Changes:

  • Initial release

Release date:2026-07-07

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/delete-infected/v1.0.0/bucketav-add-on-delete-infected.yaml

Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.

v1.0.0

Changes:

  • Initial release

Release date:2026-07-07

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/delete-infected/cloudflare/v1.0.0/bucketav-add-on-delete-infected-cloudflare.yaml

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email