Move clean
An Add-On implements the move action. By default, unscannable files are not moved by the Add-On. You can change this via the `MoveUnscannableFiles` configuration parameter.
With this add-on, you can ensure that files are scanned before users can download them.
Setup
The `ReportCleanFiles` configuration parameter of the bucketAV stack must be set to `true`.
- Set the Stack name to `bucketav-move-clean`.
- Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is `bucketav`).
- Set the TargetBucketName parameter to an existing S3 bucket where clean files are stored.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
Target bucket in different AWS account
If you have a multi-account setup, you might run bucketAV in AWS account a while your target bucket is created in AWS account b.
Add the following bucket policy statements to your target S3 bucket in account b to grant the bucketAV move role from account a access.
- Replace `ROLE_ARN` with the MoveRoleArn output of the CloudFormation `bucketav-move-clean` stack from account a.
- Replace `BUCKET_NAME` with the name of the target S3 bucket from account b.
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "bucketAVRequired1",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:ListBucket*",
    "Resource": "arn:aws:s3:::BUCKET_NAME"
  }, {
    "Sid": "bucketAVRequired2",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:PutObject*",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }]
}
```
When using KMS to encrypt the S3 bucket or objects, please note that a customer-managed KMS key is necessary for cross-account access. Use a KMS key policy and the add-on parameter `KMSKeyRestriction` to control access.
Source bucket in different AWS account
If you have a multi-account setup, you might run bucketAV in AWS account a while the source bucket is created in AWS account b.
Add the following bucket policy statements to your source S3 bucket in account b to grant the bucketAV move role from account a access.
- Replace `ROLE_ARN` with the MoveRoleArn output of the CloudFormation `bucketav-move-clean` stack from account a.
- Replace `BUCKET_NAME` with the name of the source S3 bucket from account b.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": [
        "s3:GetObject*",
        "s3:DeleteObject*"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    }
  ]
}
```
When using KMS to encrypt the S3 bucket or objects, please note that a customer-managed KMS key is necessary for cross-account access. Use a KMS key policy and the add-on parameter `KMSKeyRestriction` to control access.
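The two cross-account bucket policies above grant the move role exactly the S3 actions it needs on the target bucket (list, put) and on the source bucket (list, get, delete). The following Python is an added example, not part of the bucketAV docs: it generates the policy for either bucket from a role ARN and bucket name, and checks an existing policy document for grants the role still lacks and for Allow statements opened to any principal. The role ARN and bucket names in it are constructed placeholders; use the MoveRoleArn stack output and your own bucket names.

```python
import json

# Grants the bucketAV move role needs per bucket kind, taken from the policies above:
# "bucket" = arn:aws:s3:::BUCKET_NAME, "objects" = arn:aws:s3:::BUCKET_NAME/*.
REQUIRED = {
    "target": [("s3:ListBucket*", "bucket"), ("s3:PutObject*", "objects")],
    "source": [("s3:ListBucket*", "bucket"), ("s3:GetObject*", "objects"),
               ("s3:DeleteObject*", "objects")],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(stmt):
    """Normalise Principal to a list of AWS principal strings ('*' means anyone)."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))

def _arns(bucket_name):
    return {"bucket": f"arn:aws:s3:::{bucket_name}", "objects": f"arn:aws:s3:::{bucket_name}/*"}

def build_policy(role_arn, bucket_name, kind):
    """Build the cross-account bucket policy for kind 'source' or 'target', one Sid per grant."""
    arns = _arns(bucket_name)
    statements = [{"Sid": f"bucketAVRequired{i}", "Effect": "Allow", "Principal": {"AWS": role_arn},
                   "Action": action, "Resource": arns[scope]}
                  for i, (action, scope) in enumerate(REQUIRED[kind], start=1)]
    return {"Version": "2012-10-17", "Statement": statements}

def check_policy(policy, role_arn, bucket_name, kind):
    """Return findings for an existing policy: grants the role still lacks, plus Allow
    statements open to any principal (the role must be named explicitly, never '*')."""
    arns, findings = _arns(bucket_name), []
    statements = _as_list(policy.get("Statement", []))
    for action, scope in REQUIRED[kind]:
        granted = any(s.get("Effect") == "Allow" and role_arn in _aws_principals(s)
                      and action in _as_list(s.get("Action", []))
                      and arns[scope] in _as_list(s.get("Resource", [])) for s in statements)
        if not granted:
            findings.append(f"missing: {action} on {arns[scope]} for {role_arn}")
    for s in statements:
        if s.get("Effect") == "Allow" and "*" in _aws_principals(s):
            findings.append(f"over-broad: statement {s.get('Sid', '<no Sid>')} allows any principal")
    return findings

if __name__ == "__main__":
    # Constructed placeholder values; use the MoveRoleArn output and your real bucket name.
    role = "arn:aws:iam::111111111111:role/EXAMPLE-bucketav-move-role"
    print(json.dumps(build_policy(role, "example-clean-files", "target"), indent=2))
    print(check_policy(build_policy(role, "example-clean-files", "target"), role, "example-clean-files", "source"))
```

Running the check with kind `source` against a target-bucket policy reports the missing get and delete grants, which is the mismatch you get when the two policies are applied to the wrong buckets.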
Terraform
```hcl
resource "aws_cloudformation_stack" "bucketav_add_on_move_clean" {
  name         = "bucketav-move-clean"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-clean/v2.5.0/bucketav-add-on-move-clean.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName = "bucketav"                           # if you followed the docs, the name is `bucketav`
    TargetBucketName  = "YOUR_BUCKET_NAME_FOR_CLEAN_FILES"   # TODO replace bucket name placeholder
  }
}
```
Update
- To update this add-on to version v2.5.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for `bucketav-move-clean`, otherwise search for the name you specified.
- Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to `https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-clean/v2.5.0/bucketav-add-on-move-clean.yaml`.
- Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRESS. Reload the table from time to time and wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- SNS Subscription to connect to the Findings Topic.
- Lambda Function to move the clean files into the target S3 bucket.
- CloudWatch Alarms to monitor the used AWS services.
Limitations
- If you set `MoveUnscannableFiles` to `true`, only files up to 5 GB are moved.
- S3 object ACLs are not preserved. Instead, we set the ACL bucket-owner-full-control.