Move unscannable
An Add-On implements the move action.
Setup
Install Add-On (requires a running bucketAV installation)
- Set the Stack name to
bucketav-move-no. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav). - Set the TargetBucketName parameter to an existing S3 bucket where unscannable files are stored.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
Install Add-On (requires a running bucketAV installation)
- Set the Stack name to
bucketav-move-no. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav). - Set the TargetBucketName parameter to an existing S3 bucket where unscannable files are stored.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
Multi-account setup
This plugin supports a multi-account setup.
IAM role-based access requires version >= 2.4.0 of this Add-On.
In case you are using the recommended IAM role-based access, the add-on works out of the box across AWS accounts. Only when the source bucket does not belong to the same AWS account than the target/quarantine bucket, you need to configure a bucket policy. See IAM role-based access for add-ons.
In case you are using S3 bucket-policy-based access, the add-on requires a bucket policy on the target/quarantine bucket. See S3 bucket-policy-based access for add-ons.
CloudFormation snippet
# [...]
Resources:
# [...]
MoveNo:
Type: 'AWS::CloudFormation::Stack'
Properties:
Parameters:
BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
TargetBucketName: 'YOUR_BUCKET_NAME_FOR_UNSCANNABLE_FILES' # TODO replace bucket name placeholder
TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.10.0/bucketav-add-on-move-no.yaml'
# [...]
Resources:
# [...]
MoveNo:
Type: 'AWS::CloudFormation::Stack'
Properties:
Parameters:
BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
TargetBucketName: 'YOUR_BUCKET_NAME_FOR_UNSCANNABLE_FILES' # TODO replace bucket name placeholder
TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/cloudflare/v2.10.0/bucketav-add-on-move-no-cloudflare.yaml'
Terraform snippet
resource "aws_cloudformation_stack" "bucketav_add_on_move_no" {
name = "bucketav-move-no"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.10.0/bucketav-add-on-move-no.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
TargetBucketName = "YOUR_BUCKET_NAME_FOR_UNSCANNABLE_FILES" # TODO replace bucket name placeholder
}
}
resource "aws_cloudformation_stack" "bucketav_add_on_move_no" {
name = "bucketav-move-no"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/cloudflare/v2.10.0/bucketav-add-on-move-no-cloudflare.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
TargetBucketName = "YOUR_BUCKET_NAME_FOR_UNSCANNABLE_FILES" # TODO replace bucket name placeholder
}
}
Update
- To update this Add-On to version v2.10.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-move-no, otherwise search for the name you specified. - Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.10.0/bucketav-add-on-move-no.yamlCopy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
- To update this Add-On to version v2.10.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-move-no, otherwise search for the name you specified. - Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/cloudflare/v2.10.0/bucketav-add-on-move-no-cloudflare.yamlCopy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- SNS Subscription to connect to the Findings Topic.
- Lambda Function to move the unscannable files into the target bucket.
- CloudWatch Alarms to monitor the used AWS services.
- CloudWatch Logs to store logs.
Limitations
- S3 object ACLs are not preserved. Instead, we set the ACL bucket-owner-full-control.
Run Lambda in a VPC
By default, the add-on deploys Lambda functions with access to the Internet. In case you want to deploy the Lambda functions into a VPC, configure the LambdaVpc and LambdaSubnets parameters.
The add-on requires access to the following endpoints (replace REGION with the AWS region like eu-west-1):
https://s3.REGION.amazonaws.com
https://states.REGION.amazonaws.com
https://dynamodb.REGION.amazonaws.com (only if AWS account connections are used)
https://ssmmessages.REGION.amazonaws.com (only if AWS account connections are used)
https://secretsmanager.REGION.amazonaws.com (only when scanning Cloudflare R2 buckets)
Ensure that the subnets configured in the LambdaSubnets parameter have access to these endpoints via a NAT Gateway or VPC Endpoints.
Release Notes
Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.
v2.10.0
Changes:
- Optionally run Lambda functions in a VPC
Release date:2025-04-15
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.10.0/bucketav-add-on-move-no.yaml
v2.9.0
Changes:
- Comply with SecurityHub Control [StepFunctions.1] Step Functions state machines should have logging turned on
- Update Lambda Node.js runtime to version 22
Release date:2025-02-28
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.9.0/bucketav-add-on-move-no.yaml
v2.8.0
Changes:
- Reserved Concurrent Execution for Lambda functions
Release date:2024-11-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.8.0/bucketav-add-on-move-no.yaml
v2.7.1
Changes:
- Bug fixes
Release date:2024-10-02
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.7.1/bucketav-add-on-move-no.yaml
v2.7.0
Changes:
- Add CloudFormation output LambdaDeadLetterQueueName
Release date:2024-09-24
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.7.0/bucketav-add-on-move-no.yaml
v2.6.0
Changes:
- Add Lambda DLQs for async invoked functions
- Bug fixes
Release date:2024-07-09
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.6.0/bucketav-add-on-move-no.yaml
v2.5.0
Changes:
- Support for files up to 5 TB in size
Release date:2024-04-05
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.5.0/bucketav-add-on-move-no.yaml
v2.4.1
Changes:
- Multi-account with S3 bucket policies was broken
Release date:2024-04-05
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.4.1/bucketav-add-on-move-no.yaml
v2.4.0
Changes:
- Multi-account with IAM roles
Release date:2024-03-15
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.4.0/bucketav-add-on-move-no.yaml
v2.3.0
Changes:
- Update Lambda runtime to Node.js 20
Release date:2024-02-14
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.3.0/bucketav-add-on-move-no.yaml
v2.2.0
Changes:
- Add Service Discovery
Release date:2023-12-07
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.2.0/bucketav-add-on-move-no.yaml
v2.1.0
Changes:
- Update Lambda runtime to Node.js 18
Release date:2023-08-31
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.1.0/bucketav-add-on-move-no.yaml
v2.0.0
Changes:
- Initial release
Release date:2022-11-01
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/v2.0.0/bucketav-add-on-move-no.yaml
Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.
v2.10.0
Changes:
- Optionally run Lambda functions in a VPC
Release date:2025-04-15
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/cloudflare/v2.10.0/bucketav-add-on-move-no-cloudflare.yaml
v2.9.0
Changes:
- Comply with SecurityHub Control [StepFunctions.1] Step Functions state machines should have logging turned on
- Update Lambda Node.js runtime to version 22
Release date:2025-02-28
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/cloudflare/v2.9.0/bucketav-add-on-move-no-cloudflare.yaml
v2.8.0
Changes:
- Reserved Concurrent Execution for Lambda functions
Release date:2024-11-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/cloudflare/v2.8.0/bucketav-add-on-move-no-cloudflare.yaml
v2.7.1
Changes:
- Bug fixes
Release date:2024-10-02
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/cloudflare/v2.7.1/bucketav-add-on-move-no-cloudflare.yaml
v2.7.0
Changes:
- Add CloudFormation output LambdaDeadLetterQueueName
Release date:2024-09-24
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/cloudflare/v2.7.0/bucketav-add-on-move-no-cloudflare.yaml
v2.6.0
Changes:
- Add Lambda DLQs for async invoked functions
- Bug fixes
Release date:2024-07-09
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/move-no/cloudflare/v2.6.0/bucketav-add-on-move-no-cloudflare.yaml