Move unscannable
An Add-On implements the move action.
Setup
- Set the Stack name to
bucketav-move-no
. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav
). - Set the TargetBucketName parameter to an existing S3 bucket where unscannable files are stored.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
Target bucket in different AWS account
If you have a multi-account setup, you might run the bucketAV in AWS account a while your target bucket is created in AWS account b.
Add the following bucket policy statements to your target S3 bucket in account b to grant bucketAV from account a access.
- Replace
ROLE_ARN
with the MoveRoleArn output of the CloudFormationbucketav-move-no
stack from account a. - Replace
BUCKET_NAME
with the name of the target S3 bucket from account b.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "bucketAVRequired1",
"Effect": "Allow",
"Principal": {
"AWS": "ROLE_ARN"
},
"Action": "s3:ListBucket*",
"Resource": "arn:aws:s3:::BUCKET_NAME"
}, {
"Sid": "bucketAVRequired2",
"Effect": "Allow",
"Principal": {
"AWS": "ROLE_ARN"
},
"Action": "s3:PutObject*",
"Resource": "arn:aws:s3:::BUCKET_NAME/*"
}]
}
When using KMS to encrypt the S3 bucket or objects, please note that a customer-managed KMS key is necessary for cross-account access. Use a KMS key policy and the add-on parameter
KMSKeyRestriction
to control access.
Source bucket in different AWS account
If you have a multi-account setup, you might run the bucketAV in AWS account a while the source bucket is created in AWS account b.
Add the following bucket policy statements to your source S3 bucket in account b to grant bucketAV from account a access.
- Replace
ROLE_ARN
with the MoveRoleArn output of the CloudFormationbucketav-move-no
stack from account a. - Replace
BUCKET_NAME
with the name of the source S3 bucket from account b.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "ROLE_ARN"
},
"Action": "s3:ListBucket*",
"Resource": "arn:aws:s3:::BUCKET_NAME"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "ROLE_ARN"
},
"Action": [
"s3:GetObject*",
"s3:DeleteObject*"
],
"Resource": "arn:aws:s3:::BUCKET_NAME/*"
}
]
}
When using KMS to encrypt the S3 bucket or objects, please note that a customer-managed KMS key is necessary for cross-account access. Use a KMS key policy and the add-on parameter
KMSKeyRestriction
to control access.
Terraform
resource "aws_cloudformation_stack" "bucketav_add_on_move_no" {
name = "bucketav-move-no"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.1.0/bucketav-add-on-move-no.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
TargetBucketName = "YOUR_BUCKET_NAME_FOR_UNSCANNABLE_FILES" # TODO replace bucket name placeholder
}
}
Update
- To update this add-on to version v2.1.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-move-no
, otherwise search for the name you specified. - Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.1.0/bucketav-add-on-move-no.yaml
Copy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- SNS Subscription to connect to the Findings Topic.
- Lambda Function to move the unscannable files into the target S3 bucket.
- CloudWatch Alarms to monitor the used AWS services.
Limitations
- Only files up to 5 GB are moved.
- S3 object ACLs are not preserved. Instead, we set the ACL bucket-owner-full-control.