Move infected (quarantine)
An Add-On implements the quarantine action. By default, the Add-On does not quarantine unscannable files. You can change this via the QuarantineUnscannableFiles configuration parameter. You can also exclude files from quarantine based on the finding (e.g., potentially unwanted applications) via the IgnoreFindings configuration parameter (requires version >= 2.17.0 of this Add-On).
Setup
Do not combine this Add-On with the Delete infected files Add-On for the same source buckets. Both Add-Ons react to infected files.
(requires a running bucketAV installation)The DeleteInfectedFiles configuration parameter of the bucketAV stack must be set to
false(the default since bucketAV v3.5.0).
- Set the Stack name to
bucketav-quarantine. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav). - Set the QuarantineBucketName parameter to an existing S3 bucket where quarantined files are stored.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
(requires a running bucketAV installation)The DeleteInfectedFiles configuration parameter of the bucketAV stack must be set to
false(the default since bucketAV v3.5.0).
- Set the Stack name to
bucketav-quarantine. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav). - Set the QuarantineBucketName parameter to an existing R2 bucket where quarantined files are stored.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
Multi-account setup
This plugin supports a multi-account setup.
IAM role-based access requires version >= 2.8.0 of this Add-On.
In case you are using the recommended IAM role-based access, the add-on works out of the box across AWS accounts. Only when the source bucket does not belong to the same AWS account than the target/quarantine bucket, you need to configure a bucket policy. See IAM role-based access for add-ons.
In case you are using S3 bucket-policy-based access, the add-on requires a bucket policy on the target/quarantine bucket. See S3 bucket-policy-based access for add-ons.
CloudFormation snippet
# [...]
Resources:
# [...]
Quarantine:
Type: 'AWS::CloudFormation::Stack'
Properties:
Parameters:
BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
QuarantineBucketName: 'YOUR_QUARANTINE_BUCKET_NAME' # TODO replace bucket name placeholder
TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.16.0/bucketav-add-on-quarantine.yaml'
# [...]
Resources:
# [...]
Quarantine:
Type: 'AWS::CloudFormation::Stack'
Properties:
Parameters:
BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
QuarantineBucketName: 'YOUR_QUARANTINE_BUCKET_NAME' # TODO replace bucket name placeholder
TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.16.0/bucketav-add-on-quarantine-cloudflare.yaml'
Terraform snippet
resource "aws_cloudformation_stack" "bucketav_add_on_quarantine" {
name = "bucketav-quarantine"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.16.0/bucketav-add-on-quarantine.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
QuarantineBucketName = "YOUR_QUARANTINE_BUCKET_NAME" # TODO replace bucket name placeholder
}
}
resource "aws_cloudformation_stack" "bucketav_add_on_quarantine" {
name = "bucketav-quarantine"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.16.0/bucketav-add-on-quarantine-cloudflare.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
QuarantineBucketName = "YOUR_QUARANTINE_BUCKET_NAME" # TODO replace bucket name placeholder
}
}
Update
- To update this Add-On to version v2.16.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-quarantine, otherwise search for the name you specified. - Select the stack and press the Update stack button; press Make a direct update.
- Select Replace existing template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.16.0/bucketav-add-on-quarantine.yamlCopy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Next.
- Scroll to the bottom of the page and click on Submit.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
- To update this Add-On to version v2.16.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-quarantine, otherwise search for the name you specified. - Select the stack and press the Update stack button; press Make a direct update.
- Select Replace existing template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.16.0/bucketav-add-on-quarantine-cloudflare.yamlCopy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Next.
- Scroll to the bottom of the page and click on Submit.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- SNS Subscription to connect to the Findings Topic.
- Lambda Function to move the infected files into the quarantine bucket.
- CloudWatch Alarms to monitor the used AWS services.
- CloudWatch Logs to store logs.
Limitations
- S3 object ACLs are not preserved. Instead, we set the ACL bucket-owner-full-control.
Run Lambda in a VPC
By default, the add-on deploys Lambda functions with access to the Internet. In case you want to deploy the Lambda functions into a VPC, configure the LambdaVpc and LambdaSubnets parameters.
The add-on requires access to the following endpoints (replace REGION with the AWS region like eu-west-1):
https://s3.REGION.amazonaws.com
https://states.REGION.amazonaws.com
https://dynamodb.REGION.amazonaws.com (only if AWS account connections are used)
https://ssmmessages.REGION.amazonaws.com (only if AWS account connections are used)
https://secretsmanager.REGION.amazonaws.com (only when scanning Cloudflare R2 buckets)
Ensure that the subnets configured in the LambdaSubnets parameter have access to these endpoints via a NAT Gateway or VPC Endpoints.
Release Notes
Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.
v2.16.0
Changes:
- Add missing Lambda async DLQs
- Bug Fixes
Release date:2025-07-28
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.16.0/bucketav-add-on-quarantine.yaml
v2.15.0
Changes:
- Fix VPC config for Lambda function StateMachineNameGeneratorFunction
Release date:2025-05-22
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.15.0/bucketav-add-on-quarantine.yaml
v2.14.0
Changes:
- Optionally run Lambda functions in a VPC
Release date:2025-04-15
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.14.0/bucketav-add-on-quarantine.yaml
v2.13.0
Changes:
- Comply with SecurityHub Control [StepFunctions.1] Step Functions state machines should have logging turned on
- Update Lambda Node.js runtime to version 22
Release date:2025-02-28
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.13.0/bucketav-add-on-quarantine.yaml
v2.12.0
Changes:
- Reserved Concurrent Execution for Lambda functions
Release date:2024-11-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.12.0/bucketav-add-on-quarantine.yaml
v2.11.1
Changes:
- Bug fixes
Release date:2024-10-02
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.11.1/bucketav-add-on-quarantine.yaml
v2.11.0
Changes:
- Add CloudFormation output LambdaDeadLetterQueueName
Release date:2024-09-24
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.11.0/bucketav-add-on-quarantine.yaml
v2.10.0
Changes:
- Add Lambda DLQs for async invoked functions
- Bug fixes
Release date:2024-07-09
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.10.0/bucketav-add-on-quarantine.yaml
v2.9.0
Changes:
- Support for files up to 5 TB in size
Release date:2024-04-05
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.9.0/bucketav-add-on-quarantine.yaml
v2.8.1
Changes:
- Multi-account with S3 bucket policies was broken
Release date:2024-04-05
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.8.1/bucketav-add-on-quarantine.yaml
v2.8.0
Changes:
- Multi-account with IAM roles
Release date:2024-03-15
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.8.0/bucketav-add-on-quarantine.yaml
v2.7.0
Changes:
- Update Lambda runtime to Node.js 20
Release date:2024-02-14
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.7.0/bucketav-add-on-quarantine.yaml
v2.6.0
Changes:
- Add Service Discovery
Release date:2023-12-07
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.6.0/bucketav-add-on-quarantine.yaml
v2.5.0
Changes:
- Update Lambda runtime to Node.js 18
- Performance improvements
Release date:2023-08-31
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.5.0/bucketav-add-on-quarantine.yaml
v2.4.0
Changes:
- Update Lambda runtime to Node.js 16
Release date:2022-06-08
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.4.0/bucketav-add-on-quarantine.yaml
v2.3.0
Changes:
- Adding support for customer-managed KMS keys
Release date:2022-04-14
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.3.0/bucketav-add-on-quarantine.yaml
v2.2.1
Changes:
- Bug fixes
Release date:2022-03-01
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.2.1/bucketav-add-on-quarantine.yaml
v2.2.0
Changes:
- Adding regex to ignore objects
Release date:2022-02-16
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.2.0/bucketav-add-on-quarantine.yaml
v2.1.2
Changes:
- Improve Lambda config
Release date:2021-10-22
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.1.2/bucketav-add-on-quarantine.yaml
v2.1.1
Changes:
- Improve S3 policy
Release date:2021-10-20
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.1.1/bucketav-add-on-quarantine.yaml
v2.1.0
Changes:
- Support for QuarantineUnscannableFiles
Release date:2021-10-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.1.0/bucketav-add-on-quarantine.yaml
v2.0.0
Changes:
- Initial release
Release date:2021-06-06
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.0.0/bucketav-add-on-quarantine.yaml
Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.
v2.16.0
Changes:
- Add missing Lambda async DLQs
- Bug Fixes
Release date:2025-07-28
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.16.0/bucketav-add-on-quarantine-cloudflare.yaml
v2.15.0
Changes:
- Fix VPC config for Lambda function StateMachineNameGeneratorFunction
Release date:2025-05-22
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.15.0/bucketav-add-on-quarantine-cloudflare.yaml
v2.14.0
Changes:
- Optionally run Lambda functions in a VPC
Release date:2025-04-15
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.14.0/bucketav-add-on-quarantine-cloudflare.yaml
v2.13.0
Changes:
- Comply with SecurityHub Control [StepFunctions.1] Step Functions state machines should have logging turned on
- Update Lambda Node.js runtime to version 22
Release date:2025-02-28
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.13.0/bucketav-add-on-quarantine-cloudflare.yaml
v2.12.0
Changes:
- Reserved Concurrent Execution for Lambda functions
Release date:2024-11-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.12.0/bucketav-add-on-quarantine-cloudflare.yaml
v2.11.1
Changes:
- Bug fixes
Release date:2024-10-02
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.11.1/bucketav-add-on-quarantine-cloudflare.yaml
v2.11.0
Changes:
- Add CloudFormation output LambdaDeadLetterQueueName
Release date:2024-09-24
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.11.0/bucketav-add-on-quarantine-cloudflare.yaml
v2.10.0
Changes:
- Add Lambda DLQs for async invoked functions
- Bug fixes
Release date:2024-07-09
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.10.0/bucketav-add-on-quarantine-cloudflare.yaml