Configuration

bucketAV is configured via AWS CloudFormation.

View configuration parameters (#)

To view the current configuration:

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the bucketAV stack (if you followed the docs, the name is bucketav).
  5. Click on the Parameters tab.

Now, you can see the configuration parameters.

Change configuration parameters (#)

To change the configuration parameters of bucketAV:

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the bucketAV stack (if you followed the docs, the name is bucketav).
  5. At the top right, click on Update.
  6. In the next step, just click Next.
  7. Now, you can change the configuration parameters.
  8. Click Next.
  9. In the next step, just click Next.
  10. At the bottom, check “I acknowledge that AWS CloudFormation might create IAM resources.” and click Submit.

It can take several minutes for an update to finish!

List of all configuration parameters (#)

ParameterDescriptionDefaultAllowed valuesEnginesDelivery Methods
Admin
InfrastructureAlarmsEmailOptional but strongly recommended email address receiving infrastructure alarms (for more than one email address, please subscribe to the Infrastructure Alarms SNS topic after stack creation).allall
Auto Scaling Group
AutoScalingMaxSizeMaximum number of EC2 instances scanning files (in production, we recommend at least 2 for high availability).1Must be >= 1allall
AutoScalingMinSizeMinimum number of EC2 instances scanning files (in production, we recommend 2 for high availability).1Must be >= 0allall
CapacityStrategyTake advantage of unused EC2 capacity in the AWS cloud by launching spot instances that are up to 90% cheaper than on-demand prices. Keep in mind that spot instances can be interrupted at any time and are replaced automatically!SpotWithoutAlternativeInstanceTypeWithOnDemandFallbackOne of SpotWithOnDemandFallback, OnDemandOnly, SpotOnly, SpotOnlyWithoutAlternativeInstanceType, or SpotWithoutAlternativeInstanceTypeWithOnDemandFallbackallall
Deprecated
CloudWatchIntegrationDeprecated, will be removed in v3; this is now on by default.falseOne of true, falseclamavall
OpsCenterIntegrationDeprecated, will be removed in v3; please use the OpsCenter integration Add-On instead (https://bucketav.com/add-ons/ops-center/).falseOne of true, falseclamavall
SecurityHubIntegrationDeprecated, will be removed in v3; please use the Security Hub integration Add-On instead (https://bucketav.com/add-ons/security-hub/).falseOne of true, falseclamavall
EC2
InstanceTypeSpecifies the instance type of the EC2 instance (low performance for t3a.small and t3.small)m5.largeOne of t3a.small, t3a.medium, t3a.large, t3a.xlarge, t3a.2xlarge, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge, m5a.large, m5a.xlarge, m5a.2xlarge, m5a.4xlarge, m5a.8xlarge, m5a.12xlarge, m5a.16xlarge, m5a.24xlarge, m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.8xlarge, m5.12xlarge, m5.16xlarge, m5.24xlarge, m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge, m4.16xlargeallall
KeyNameName of the EC2 key pair to log in via SSH (username: ec2-user).Must be a valid EC2 key pair nameallall
LogsRetentionInDaysSpecifies the number of days you want to retain log events.14One of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653allall
SubnetsSubnets used for scanners.Valid subnet IDsallshared-vpc
SystemsManagerAccessEnable AWS Systems Manager Session Manager to connect to the EC2 instances. To fully enable SSM, add arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore to the ManagedPolicyArns configuration parameter as well.falseOne of true, falseallall
VolumeIopsThe provisioned I/O operations per second (IOPS).30003000-16000sophosall
VolumeSizeThe size of the EBS volume, in gibibytes (GiB). You can only scan files that are smaller than VolumeSize-16. Max S3 file size 5120 GiB.3232-5136sophosall
VolumeThroughputThe provisioned throughput per second in MiB.125125-1000sophosall
VPCEC2 instances that scan the files are launched into this VPC.Valid VPC IDallshared-vpc
Permissions
AWSAccountRestrictionOptional allowlist of all the AWS accounts that send S3 Notifications (e.g., 111111111111,222222222222,333333333333; only required in Multi-Account setups).allall
AWSOrganizationRestrictionOptional allowlist of all the AWS organizations that send S3 Notifications (e.g., o-1111111111,o-2222222222,o-3333333333; only required in Multi-Account setups).allall
KMSKeyRestrictionRestrict access to specific KMS keys (e.g. arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab,arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321 or * to allow access to all KMS keys).*allall
ManagedPolicyArnsOptional comma-delimited list of IAM managed policy ARNs to attach to the IAM role of the EC2 instances.allall
PermissionsBoundaryOptional IAM policy ARN that will be used as the permissions boundary for all roles.allall
S3BucketRestrictionRestrict access to specific S3 buckets (e.g. arn:aws:s3:::bucket-a,arn:aws:s3:::bucket-b or * to allow access to all S3 buckets).*allall
S3ObjectRestrictionRestrict access to specific S3 objects (e.g. arn:aws:s3:::bucket-a/*,arn:aws:s3:::bucket-b/* or * to allow access to all S3 objects).*allall
Scan
AdditionalDatabaseUrlsOptional comma-delimited list of ClamAV database files available via http(s).clamavall
DeleteInfectedFilesAutomatically delete infected files.trueOne of true, falseallall
EnableCacheEnable cache checks for hash sums of scanned files (disable only during performance tests).trueOne of true, falseclamavall
GovernanceEnable governance checks.trueOne of true, falseallall
ReportCleanFilesReport clean files to the SNS topic (recommended for better visibility).trueOne of true, falseallall
ScanDelayInSecondsDelay the scanning of objects by 0-900 seconds.00-900allall
TagFilesTag S3 object upon successful scan accordingly with values of clean, infected, or no (infected only works if DeleteInfectedFiles != true) using the tag key specified by TagKey.trueOne of true, falseallall
TagKeyS3 object tag key used to specify values of clean, infected, or no.bucketavallall
VPC
AssociatePublicIpAddressSpecifies whether to assign a public IP address to the group's instances (set to true in public subnets, false in private subnets).trueOne of true, falseallshared-vpc
FlowLogRetentionInDaysSpecifies the number of days you want to retain VPC Flow Log events (set to 0 to disable).14One of 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653allall
HttpsProxyForward proxy for outbound HTTPS communication to https://metering.marketplace.REGION.amazonaws.com and https://REGION.savmirror.bucketav.com. You must add a security group in parameter SecurityGroupIds to allow outbound communication with your reverse proxy.sophosshared-vpc
SecurityGroupIdsOptional comma-delimited list of security group IDs to attach to the EC2 instances.allshared-vpc
SSHIngressCidrIpOptional ingress rule allows SSH access from this IP address range (e.g., access from anywhere: 0.0.0.0/0, from single public IP address 91.45.138.21/32).allall
SSHIngressSecurityGroupIdOptional ingress rule allows SSH access from this security group.allshared-vpc
VpcCidrBlockThe IPv4 network range for the VPC, in CIDR notation (e.g., 10.0.0.0/16).10.0.0.0/16alldedicated-public-vpc, dedicated-private-vpc
VpcSubnetCidrBitsThe number of subnet bits for the CIDR (e.g., a value 8 will create a CIDR with a mask of /24).1256-14alldedicated-public-vpc, dedicated-private-vpc

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email