Move infected (quarantine)
An Add-On implements the quarantine action. By default, the Add-On does not quarantine unscannable files. You can change this via the QuarantineUnscannableFiles configuration parameter.
Setup
The DeleteInfectedFiles configuration parameter of the bucketAV stack must be set to
false.
Install Add-On (requires a running bucketAV installation)
- Set the Stack name to
bucketav-quarantine. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav). - Set the QuarantineBucketName parameter to an existing S3 bucket where quarantined files are stored.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
The DeleteInfectedFiles configuration parameter of the bucketAV stack must be set to
false.
Install Add-On (requires a running bucketAV installation)
- Set the Stack name to
bucketav-quarantine. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav). - Set the QuarantineBucketName parameter to an existing R2 bucket where quarantined files are stored.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
Multi-account setup
This plugin supports a multi-account setup.
IAM role-based access requires version >= 2.8.0 of this Add-On.
In case you are using the recommended IAM role-based access, the add-on works out of the box across AWS accounts. Only when the source bucket does not belong to the same AWS account than the target/quarantine bucket, you need to configure a bucket policy. See IAM role-based access for add-ons.
In case you are using S3 bucket-policy-based access, the add-on requires a bucket policy on the target/quarantine bucket. See S3 bucket-policy-based access for add-ons.
CloudFormation snippet
# [...]
Resources:
# [...]
Quarantine:
Type: 'AWS::CloudFormation::Stack'
Properties:
Parameters:
BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
QuarantineBucketName: 'YOUR_QUARANTINE_BUCKET_NAME' # TODO replace bucket name placeholder
TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.14.0/bucketav-add-on-quarantine.yaml'
# [...]
Resources:
# [...]
Quarantine:
Type: 'AWS::CloudFormation::Stack'
Properties:
Parameters:
BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
QuarantineBucketName: 'YOUR_QUARANTINE_BUCKET_NAME' # TODO replace bucket name placeholder
TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.14.0/bucketav-add-on-quarantine-cloudflare.yaml'
Terraform snippet
resource "aws_cloudformation_stack" "bucketav_add_on_quarantine" {
name = "bucketav-quarantine"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.14.0/bucketav-add-on-quarantine.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
QuarantineBucketName = "YOUR_QUARANTINE_BUCKET_NAME" # TODO replace bucket name placeholder
}
}
resource "aws_cloudformation_stack" "bucketav_add_on_quarantine" {
name = "bucketav-quarantine"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.14.0/bucketav-add-on-quarantine-cloudflare.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
QuarantineBucketName = "YOUR_QUARANTINE_BUCKET_NAME" # TODO replace bucket name placeholder
}
}
Update
- To update this Add-On to version v2.14.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-quarantine, otherwise search for the name you specified. - Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.14.0/bucketav-add-on-quarantine.yamlCopy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
- To update this Add-On to version v2.14.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-quarantine, otherwise search for the name you specified. - Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.14.0/bucketav-add-on-quarantine-cloudflare.yamlCopy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- SNS Subscription to connect to the Findings Topic.
- Lambda Function to move the infected files into the quarantine bucket.
- CloudWatch Alarms to monitor the used AWS services.
- CloudWatch Logs to store logs.
Limitations
- S3 object ACLs are not preserved. Instead, we set the ACL bucket-owner-full-control.
Run Lambda in a VPC
By default, the add-on deploys Lambda functions with access to the Internet. In case you want to deploy the Lambda functions into a VPC, configure the LambdaVpc and LambdaSubnets parameters.
The add-on requires access to the following endpoints (replace REGION with the AWS region like eu-west-1):
https://s3.REGION.amazonaws.com
https://states.REGION.amazonaws.com
https://dynamodb.REGION.amazonaws.com (only if AWS account connections are used)
https://ssmmessages.REGION.amazonaws.com (only if AWS account connections are used)
https://secretsmanager.REGION.amazonaws.com (only when scanning Cloudflare R2 buckets)
Ensure that the subnets configured in the LambdaSubnets parameter have access to these endpoints via a NAT Gateway or VPC Endpoints.
Release Notes
Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.
v2.14.0
Changes:
- Optionally run Lambda functions in a VPC
Release date:2025-04-15
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.14.0/bucketav-add-on-quarantine.yaml
v2.13.0
Changes:
- Comply with SecurityHub Control [StepFunctions.1] Step Functions state machines should have logging turned on
- Update Lambda Node.js runtime to version 22
Release date:2025-02-28
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.13.0/bucketav-add-on-quarantine.yaml
v2.12.0
Changes:
- Reserved Concurrent Execution for Lambda functions
Release date:2024-11-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.12.0/bucketav-add-on-quarantine.yaml
v2.11.1
Changes:
- Bug fixes
Release date:2024-10-02
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.11.1/bucketav-add-on-quarantine.yaml
v2.11.0
Changes:
- Add CloudFormation output LambdaDeadLetterQueueName
Release date:2024-09-24
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.11.0/bucketav-add-on-quarantine.yaml
v2.10.0
Changes:
- Add Lambda DLQs for async invoked functions
- Bug fixes
Release date:2024-07-09
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.10.0/bucketav-add-on-quarantine.yaml
v2.9.0
Changes:
- Support for files up to 5 TB in size
Release date:2024-04-05
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.9.0/bucketav-add-on-quarantine.yaml
v2.8.1
Changes:
- Multi-account with S3 bucket policies was broken
Release date:2024-04-05
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.8.1/bucketav-add-on-quarantine.yaml
v2.8.0
Changes:
- Multi-account with IAM roles
Release date:2024-03-15
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.8.0/bucketav-add-on-quarantine.yaml
v2.7.0
Changes:
- Update Lambda runtime to Node.js 20
Release date:2024-02-14
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.7.0/bucketav-add-on-quarantine.yaml
v2.6.0
Changes:
- Add Service Discovery
Release date:2023-12-07
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.6.0/bucketav-add-on-quarantine.yaml
v2.5.0
Changes:
- Update Lambda runtime to Node.js 18
- Performance improvements
Release date:2023-08-31
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.5.0/bucketav-add-on-quarantine.yaml
v2.4.0
Changes:
- Update Lambda runtime to Node.js 16
Release date:2022-06-08
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.4.0/bucketav-add-on-quarantine.yaml
v2.3.0
Changes:
- Adding support for customer-managed KMS keys
Release date:2022-04-14
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.3.0/bucketav-add-on-quarantine.yaml
v2.2.1
Changes:
- Bug fixes
Release date:2022-03-01
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.2.1/bucketav-add-on-quarantine.yaml
v2.2.0
Changes:
- Adding regex to ignore objects
Release date:2022-02-16
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.2.0/bucketav-add-on-quarantine.yaml
v2.1.2
Changes:
- Improve Lambda config
Release date:2021-10-22
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.1.2/bucketav-add-on-quarantine.yaml
v2.1.1
Changes:
- Improve S3 policy
Release date:2021-10-20
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.1.1/bucketav-add-on-quarantine.yaml
v2.1.0
Changes:
- Support for QuarantineUnscannableFiles
Release date:2021-10-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.1.0/bucketav-add-on-quarantine.yaml
v2.0.0
Changes:
- Initial release
Release date:2021-06-06
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.0.0/bucketav-add-on-quarantine.yaml
Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.
v2.14.0
Changes:
- Optionally run Lambda functions in a VPC
Release date:2025-04-15
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.14.0/bucketav-add-on-quarantine-cloudflare.yaml
v2.13.0
Changes:
- Comply with SecurityHub Control [StepFunctions.1] Step Functions state machines should have logging turned on
- Update Lambda Node.js runtime to version 22
Release date:2025-02-28
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.13.0/bucketav-add-on-quarantine-cloudflare.yaml
v2.12.0
Changes:
- Reserved Concurrent Execution for Lambda functions
Release date:2024-11-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.12.0/bucketav-add-on-quarantine-cloudflare.yaml
v2.11.1
Changes:
- Bug fixes
Release date:2024-10-02
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.11.1/bucketav-add-on-quarantine-cloudflare.yaml
v2.11.0
Changes:
- Add CloudFormation output LambdaDeadLetterQueueName
Release date:2024-09-24
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.11.0/bucketav-add-on-quarantine-cloudflare.yaml
v2.10.0
Changes:
- Add Lambda DLQs for async invoked functions
- Bug fixes
Release date:2024-07-09
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.10.0/bucketav-add-on-quarantine-cloudflare.yaml