Guides

Move infected (quarantine)

An Add-On implements the quarantine action. By default, the Add-On does not quarantine unscannable files. You can change this via the QuarantineUnscannableFiles configuration parameter.

Setup

The DeleteInfectedFiles configuration parameter of the bucketAV stack must be set to false.

Install Add-On (requires a running bucketAV installation)

  1. Set the Stack name to bucketav-quarantine.
  2. Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
  3. Set the QuarantineBucketName parameter to an existing S3 bucket where quarantined files are stored.
  4. Select I acknowledge that AWS CloudFormation might create IAM resources.
  5. Click on the Create stack button to save.

The DeleteInfectedFiles configuration parameter of the bucketAV stack must be set to false.

Install Add-On (requires a running bucketAV installation)

  1. Set the Stack name to bucketav-quarantine.
  2. Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
  3. Set the QuarantineBucketName parameter to an existing R2 bucket where quarantined files are stored.
  4. Select I acknowledge that AWS CloudFormation might create IAM resources.
  5. Click on the Create stack button to save.

Multi-account setup

If you have a multi-account setup, you might want to scan buckets created in additional AWS accounts.

IAM role-based access requires version >= 2.8.0 of this Add-On. To update to the latest version, follow the update instructions.

Not available. Please contact us if you have a use case for it!

CloudFormation snippet

# [...]
Resources:
  # [...]
  Quarantine:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
        QuarantineBucketName: 'YOUR_QUARANTINE_BUCKET_NAME' # TODO replace bucket name placeholder
      TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.13.0/bucketav-add-on-quarantine.yaml'

# [...]
Resources:
  # [...]
  Quarantine:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
        QuarantineBucketName: 'YOUR_QUARANTINE_BUCKET_NAME' # TODO replace bucket name placeholder
      TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.13.0/bucketav-add-on-quarantine-cloudflare.yaml'

Terraform snippet

resource "aws_cloudformation_stack" "bucketav_add_on_quarantine" {
  name         = "bucketav-quarantine"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.13.0/bucketav-add-on-quarantine.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName    = "bucketav" # if you followed the docs, the name is bucketav
    QuarantineBucketName = "YOUR_QUARANTINE_BUCKET_NAME" # TODO replace bucket name placeholder
  }
}

resource "aws_cloudformation_stack" "bucketav_add_on_quarantine" {
  name         = "bucketav-quarantine"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.13.0/bucketav-add-on-quarantine-cloudflare.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName    = "bucketav" # if you followed the docs, the name is bucketav
    QuarantineBucketName = "YOUR_QUARANTINE_BUCKET_NAME" # TODO replace bucket name placeholder
  }
}

Update

Which version am I using?

  1. To update this Add-On to version v2.13.0, go to the AWS CloudFormation Management Console.
  2. Double-check the region at the top right.
  3. Search for bucketav-quarantine, otherwise search for the name you specified.
  4. Select the stack and click on Update.
  5. Select Replace current template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.13.0/bucketav-add-on-quarantine.yaml Copy
  6. Click on Next.
  7. Scroll to the bottom of the page and click on Next.
  8. Scroll to the bottom of the page and click on Next.
  9. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
  10. While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
  11. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
  1. To update this Add-On to version v2.13.0, go to the AWS CloudFormation Management Console.
  2. Double-check the region at the top right.
  3. Search for bucketav-quarantine, otherwise search for the name you specified.
  4. Select the stack and click on Update.
  5. Select Replace current template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.13.0/bucketav-add-on-quarantine-cloudflare.yaml Copy
  6. Click on Next.
  7. Scroll to the bottom of the page and click on Next.
  8. Scroll to the bottom of the page and click on Next.
  9. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
  10. While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
  11. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.

Architecture

The following AWS services are used:

  • SNS Subscription to connect to the Findings Topic.
  • Lambda Function to move the infected files into the quarantine bucket.
  • CloudWatch Alarms to monitor the used AWS services.
  • CloudWatch Logs to store logs.

Limitations

  • S3 object ACLs are not preserved. Instead, we set the ACL bucket-owner-full-control.

Release Notes

Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.

v2.13.0

Changes:

  • Comply with SecurityHub Control [StepFunctions.1] Step Functions state machines should have logging turned on
  • Update Lambda Node.js runtime to version 22

Release date:2025-02-28

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.13.0/bucketav-add-on-quarantine.yaml

v2.12.0

Changes:

  • Reserved Concurrent Execution for Lambda functions

Release date:2024-11-19

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.12.0/bucketav-add-on-quarantine.yaml

v2.11.1

Changes:

  • Bug fixes

Release date:2024-10-02

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.11.1/bucketav-add-on-quarantine.yaml

v2.11.0

Changes:

  • Add CloudFormation output LambdaDeadLetterQueueName

Release date:2024-09-24

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.11.0/bucketav-add-on-quarantine.yaml

v2.10.0

Changes:

  • Add Lambda DLQs for async invoked functions
  • Bug fixes

Release date:2024-07-09

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.10.0/bucketav-add-on-quarantine.yaml

v2.9.0

Changes:

  • Support for files up to 5 TB in size

Release date:2024-04-05

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.9.0/bucketav-add-on-quarantine.yaml

v2.8.1

Changes:

  • Multi-account with S3 bucket policies was broken

Release date:2024-04-05

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.8.1/bucketav-add-on-quarantine.yaml

v2.8.0

Changes:

  • Multi-account with IAM roles

Release date:2024-03-15

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.8.0/bucketav-add-on-quarantine.yaml

v2.7.0

Changes:

  • Update Lambda runtime to Node.js 20

Release date:2024-02-14

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.7.0/bucketav-add-on-quarantine.yaml

v2.6.0

Changes:

  • Add Service Discovery

Release date:2023-12-07

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.6.0/bucketav-add-on-quarantine.yaml

v2.5.0

Changes:

  • Update Lambda runtime to Node.js 18
  • Performance improvements

Release date:2023-08-31

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.5.0/bucketav-add-on-quarantine.yaml

v2.4.0

Changes:

  • Update Lambda runtime to Node.js 16

Release date:2022-06-08

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.4.0/bucketav-add-on-quarantine.yaml

v2.3.0

Changes:

  • Adding support for customer-managed KMS keys

Release date:2022-04-14

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.3.0/bucketav-add-on-quarantine.yaml

v2.2.1

Changes:

  • Bug fixes

Release date:2022-03-01

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.2.1/bucketav-add-on-quarantine.yaml

v2.2.0

Changes:

  • Adding regex to ignore objects

Release date:2022-02-16

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.2.0/bucketav-add-on-quarantine.yaml

v2.1.2

Changes:

  • Improve Lambda config

Release date:2021-10-22

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.1.2/bucketav-add-on-quarantine.yaml

v2.1.1

Changes:

  • Improve S3 policy

Release date:2021-10-20

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.1.1/bucketav-add-on-quarantine.yaml

v2.1.0

Changes:

  • Support for QuarantineUnscannableFiles

Release date:2021-10-19

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.1.0/bucketav-add-on-quarantine.yaml

v2.0.0

Changes:

  • Initial release

Release date:2021-06-06

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/v2.0.0/bucketav-add-on-quarantine.yaml

Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.

v2.13.0

Changes:

  • Comply with SecurityHub Control [StepFunctions.1] Step Functions state machines should have logging turned on
  • Update Lambda Node.js runtime to version 22

Release date:2025-02-28

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.13.0/bucketav-add-on-quarantine-cloudflare.yaml

v2.12.0

Changes:

  • Reserved Concurrent Execution for Lambda functions

Release date:2024-11-19

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.12.0/bucketav-add-on-quarantine-cloudflare.yaml

v2.11.1

Changes:

  • Bug fixes

Release date:2024-10-02

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.11.1/bucketav-add-on-quarantine-cloudflare.yaml

v2.11.0

Changes:

  • Add CloudFormation output LambdaDeadLetterQueueName

Release date:2024-09-24

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.11.0/bucketav-add-on-quarantine-cloudflare.yaml

v2.10.0

Changes:

  • Add Lambda DLQs for async invoked functions
  • Bug fixes

Release date:2024-07-09

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/quarantine/cloudflare/v2.10.0/bucketav-add-on-quarantine-cloudflare.yaml

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email