Move unscannable

An Add-On implements the move action.

Setup

Install Add-On

  1. Set the Stack name to bucketav-move-no.
  2. Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
  3. Set the TargetBucketName parameter to an existing S3 bucket where unscannable files are stored.
  4. Select I acknowledge that AWS CloudFormation might create IAM resources.
  5. Click on the Create stack button to save.

Target bucket in different AWS account

If you have a multi-account setup, you might run the bucketAV in AWS account a while your target bucket is created in AWS account b.

Add the following bucket policy statements to your target S3 bucket in account b to grant bucketAV from account a access.

  • Replace ROLE_ARN with the MoveRoleArn output of the CloudFormation bucketav-move-no stack from account a.
  • Replace BUCKET_NAME with the name of the target S3 bucket from account b.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "bucketAVRequired1",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:ListBucket*",
    "Resource": "arn:aws:s3:::BUCKET_NAME"
  }, {
    "Sid": "bucketAVRequired2",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:PutObject*",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }]
}

When using KMS to encrypt the S3 bucket or objects, please note that a customer-managed KMS key is necessary for cross-account access. Use a KMS key policy and the add-on parameter KMSKeyRestriction to control access.

Source bucket in different AWS account

If you have a multi-account setup, you might run the bucketAV in AWS account a while the source bucket is created in AWS account b.

Add the following bucket policy statements to your source S3 bucket in account b to grant bucketAV from account a access.

  • Replace ROLE_ARN with the MoveRoleArn output of the CloudFormation bucketav-move-no stack from account a.
  • Replace BUCKET_NAME with the name of the source S3 bucket from account b.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "ROLE_ARN"
      },
      "Action": [
        "s3:GetObject*",
        "s3:DeleteObject*"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    }
  ]
}

When using KMS to encrypt the S3 bucket or objects, please note that a customer-managed KMS key is necessary for cross-account access. Use a KMS key policy and the add-on parameter KMSKeyRestriction to control access.

Terraform

resource "aws_cloudformation_stack" "bucketav_add_on_move_no" {
  name         = "bucketav-move-no"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.1.0/bucketav-add-on-move-no.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
    TargetBucketName = "YOUR_BUCKET_NAME_FOR_UNSCANNABLE_FILES" # TODO replace bucket name placeholder
  }
}

Update

Which version am I using?

  1. To update this add-on to version v2.1.0, go to the AWS CloudFormation Management Console.
  2. Double-check the region at the top right.
  3. Search for bucketav-move-no, otherwise search for the name you specified.
  4. Select the stack and click on Update.
  5. Select Replace current template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.1.0/bucketav-add-on-move-no.yaml Copy
  6. Click on Next.
  7. Scroll to the bottom of the page and click on Next.
  8. Scroll to the bottom of the page and click on Next.
  9. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
  10. While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
  11. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.

Architecture

The following AWS services are used:

  • SNS Subscription to connect to the Findings Topic.
  • Lambda Function to move the unscannable files into the target S3 bucket.
  • CloudWatch Alarms to monitor the used AWS services.

Limitations

  • Only files up to 5 GB are moved.
  • S3 object ACLs are not preserved. Instead, we set the ACL bucket-owner-full-control.

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email