Configuration
bucketAV is configured via AWS CloudFormation.
View configuration parameters
To view the current configuration:
- Visit the AWS CloudFormation Console.
- Ensure that you are in the correct region.
- Navigate to Stacks.
- Click on the bucketAV stack (if you followed the docs, the name is bucketav).
- Click on the Parameters tab.
Now, you can see the configuration parameters.
Change configuration parameters
To change the configuration parameters of bucketAV:
- Visit the AWS CloudFormation Console.
- Ensure that you are in the correct region.
- Navigate to Stacks.
- Click on the bucketAV stack (if you followed the docs, the name is bucketav).
- At the top right, click on Update.
- In the next step, just click Next.
- Now, you can change the configuration parameters.
- Click Next.
- In the next step, just click Next.
- At the bottom, check “I acknowledge that AWS CloudFormation might create IAM resources.” and click Submit.
It can take several minutes for an update to finish!
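The two console procedures above have a scriptable equivalent, useful when several bucketAV stacks must be reviewed or changed the same way. The script below is an added example and not part of the bucketAV documentation; it assumes the stack is named bucketav (the name the docs use) and that the AWS CLI is already configured for the stack's account and region. The function names, the BUCKETAV_STACK_NAME variable and the KEY=VALUE override syntax are this example's own conventions. It keeps every parameter you do not name at its previous value, so an update never silently resets a parameter to its template default, and it rejects a misspelled parameter name before CloudFormation is called.

```shell
#!/bin/sh
# Added example, not part of the bucketAV documentation: view and change
# bucketAV configuration parameters with the AWS CLI instead of the
# CloudFormation console. Assumes the stack is named "bucketav" (the name
# used in the docs) and that the AWS CLI is configured for the account and
# region the stack lives in. BUCKETAV_STACK_NAME is this script's own knob.

STACK_NAME="${BUCKETAV_STACK_NAME:-bucketav}"

# "View configuration parameters": print every parameter and its value.
show_parameters() {
  aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
    --query 'Stacks[0].Parameters[].[ParameterKey,ParameterValue]' \
    --output table
}

# Names of all parameters the stack currently has, one per line.
list_parameter_keys() {
  aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
    --query 'Stacks[0].Parameters[].ParameterKey' --output text | tr '\t' '\n'
}

# Existing keys on stdin, KEY=VALUE overrides as arguments: print the
# override keys that do not exist in the stack (a typo would otherwise
# surface only as an update-stack error after the call).
unknown_overrides() {
  keys=$(cat)
  for override in "$@"; do
    key="${override%%=*}"
    if ! printf '%s\n' "$keys" | grep -qx -- "$key"; then
      printf '%s\n' "$key"
    fi
  done
}

# Existing keys on stdin, KEY=VALUE overrides as arguments: emit one
# --parameters entry per existing key, the new value for overridden keys
# and UsePreviousValue=true for all others.
build_parameter_args() {
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    entry="ParameterKey=$key,UsePreviousValue=true"
    for override in "$@"; do
      if [ "${override%%=*}" = "$key" ]; then
        entry="ParameterKey=$key,ParameterValue=${override#*=}"
      fi
    done
    printf '%s\n' "$entry"
  done
}

# "Change configuration parameters": same template, changed values only.
# --capabilities CAPABILITY_IAM is the CLI form of the console checkbox
# "I acknowledge that AWS CloudFormation might create IAM resources."
update_parameters() {
  keys=$(list_parameter_keys)
  bad=$(printf '%s\n' "$keys" | unknown_overrides "$@")
  if [ -n "$bad" ]; then
    echo "unknown parameter(s): $bad" >&2
    return 1
  fi
  entries=$(printf '%s\n' "$keys" | build_parameter_args "$@")
  # Turn the entries into one argument each (values may contain spaces).
  set --
  while IFS= read -r entry; do set -- "$@" "$entry"; done <<EOF
$entries
EOF
  aws cloudformation update-stack --stack-name "$STACK_NAME" \
    --use-previous-template --capabilities CAPABILITY_IAM \
    --parameters "$@"
  # Updates can take several minutes; block until CloudFormation is done.
  aws cloudformation wait stack-update-complete --stack-name "$STACK_NAME"
}

case "${1:-}" in
  show)   show_parameters ;;
  update) shift; update_parameters "$@" ;;
  *)      echo "usage: $0 show | update KEY=VALUE [KEY=VALUE ...]" ;;
esac
```

Run it as `./bucketav-params.sh show` to list the current values, or `./bucketav-params.sh update DeleteInfectedFiles=true AutoScalingMaxSize=2` to change only those two parameters. Values that themselves contain commas (the allowlist parameters such as S3BucketRestriction or ManagedPolicyArns) need each comma escaped as `\,` for the CLI's shorthand `--parameters` syntax, or the parameters can be passed as a JSON file instead.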
List of all configuration parameters
Sophos engine with Amazon S3:

Parameter | Description | Default | Allowed values | Delivery Methods
---|---|---|---|---
Admin | | | |
InfrastructureAlarmsEmail | Optional but strongly recommended email address that receives infrastructure alarms (for more than one email address, subscribe to the Infrastructure Alarms SNS topic after stack creation). | | | all
Auto Scaling Group | | | |
AutoScalingMaxSize | Maximum number of EC2 instances scanning files (in production, we recommend at least 2 for high availability). | 1 | Must be >= 1 | all
AutoScalingMinSize | Minimum number of EC2 instances scanning files (in production, we recommend 2 for high availability). | 1 | Must be >= 0 | all
CapacityStrategy | Take advantage of unused EC2 capacity in the AWS cloud by launching spot instances that are up to 90% cheaper than on-demand prices. Keep in mind that spot instances can be interrupted at any time and are replaced automatically! | SpotWithoutAlternativeInstanceTypeWithOnDemandFallback | One of SpotWithOnDemandFallback, OnDemandOnly, SpotOnly, SpotOnlyWithoutAlternativeInstanceType, or SpotWithoutAlternativeInstanceTypeWithOnDemandFallback | all
EC2 | | | |
InstanceType | Specifies the instance type of the EC2 instances (t3a.small and t3.small offer low performance). | m5.large | One of t3a.small, t3a.medium, t3a.large, t3a.xlarge, t3a.2xlarge, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge, m5a.large, m5a.xlarge, m5a.2xlarge, m5a.4xlarge, m5a.8xlarge, m5a.12xlarge, m5a.16xlarge, m5a.24xlarge, m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.8xlarge, m5.12xlarge, m5.16xlarge, m5.24xlarge, m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge, m4.16xlarge | all
KeyName | Name of the EC2 key pair used to log in via SSH (username: ec2-user). | | Must be a valid EC2 key pair name | all
LogsRetentionInDays | Specifies the number of days you want to retain log events. | 14 | One of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 | all
Subnets | Subnets used for the scanners. | | Valid subnet IDs | shared-vpc
SystemsManagerAccess | Enable AWS Systems Manager Session Manager to connect to the EC2 instances. To fully enable SSM, also add arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore to the ManagedPolicyArns configuration parameter. | false | One of true, false | all
VolumeIops | The provisioned I/O operations per second (IOPS). | 3000 | 3000-16000 | all
VolumeSize | The size of the EBS volume, in gibibytes (GiB). You can only scan files smaller than VolumeSize minus 16 GiB. The maximum S3 object size is 5120 GiB. | 32 | 32-5136 | all
VolumeThroughput | The provisioned throughput, in MiB per second. | 125 | 125-1000 | all
VPC | The EC2 instances that scan the files are launched into this VPC. | | Valid VPC ID | shared-vpc
Lambda | | | |
AccountConnectionLambdaFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
AutoScalingGroupCalculatorFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
DashboardLambdaFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
GovernanceLambdaFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
RefreshBucketCacheFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
RefreshServiceDiscoveryLambdaFunctionFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
StateMachineNameGeneratorFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
Permissions | | | |
AWSAccountRestriction | Optional allowlist of the AWS accounts that send S3 notifications (e.g., 111111111111,222222222222,333333333333; only required in multi-account setups). | | | all
AWSOrganizationRestriction | Optional allowlist of the AWS organizations that send S3 notifications (e.g., o-1111111111,o-2222222222,o-3333333333; only required in multi-account setups). | | | all
KMSKeyRestriction | Restrict access to specific KMS keys (e.g., arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab,arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321, or * to allow access to all KMS keys). | * | | all
ManagedPolicyArns | Optional comma-delimited list of IAM managed policy ARNs to attach to the IAM role of the EC2 instances. | | | all
PermissionsBoundary | Optional IAM policy ARN used as the permissions boundary for all roles. | | | all
S3BucketRestriction | Restrict access to specific S3 buckets (e.g., arn:aws:s3:::bucket-a,arn:aws:s3:::bucket-b, or * to allow access to all S3 buckets). | * | | all
S3ObjectRestriction | Restrict access to specific S3 objects (e.g., arn:aws:s3:::bucket-a/*,arn:aws:s3:::bucket-b/*, or * to allow access to all S3 objects). | * | | all
Scan | | | |
DeleteInfectedFiles | Automatically delete infected files. | true | One of true, false | all
Governance | Enable governance checks. | true | One of true, false | all
ReportCleanFiles | Report clean files to the SNS topic (recommended for better visibility). | true | One of true, false | all
ReportEventBridge | Report scan results to EventBridge. | false | One of true, false | all
ScanDelayInSeconds | Delay the scanning of objects by 0-900 seconds. | 0 | 0-900 | all
SophosLiveProtectionCloudLookups | Live Protection cloud lookups use Sophos' SXL technology and infrastructure to let the antivirus engine determine whether a suspicious file is malicious or clean by querying Sophos' extensive database of both malware and clean files. SXL improves detection rates and lowers false positives. The file hash is shared with Sophos if you enable this feature! | false | One of true, false | all
TagFiles | Tag the S3 object after a successful scan with the value clean, infected, or no (infected is only possible if DeleteInfectedFiles != true), using the tag key specified by TagKey. | true | One of true, false | all
TagKey | S3 object tag key that carries the value clean, infected, or no. | bucketav | | all
VPC | | | |
AssociatePublicIpAddress | Specifies whether to assign a public IP address to the group's instances (set to true in public subnets, false in private subnets). | true | One of true, false | shared-vpc
FlowLogRetentionInDays | Specifies the number of days you want to retain VPC Flow Log events (set to 0 to disable). | 14 | One of 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 | dedicated-public-vpc, dedicated-private-vpc
HttpsProxy | Forward proxy for outbound HTTPS communication to https://metering.marketplace.REGION.amazonaws.com and https://REGION.savmirror.bucketav.com. You must add a security group in parameter SecurityGroupIds that allows outbound communication with your proxy. | | | shared-vpc
SecurityGroupIds | Optional comma-delimited list of security group IDs to attach to the EC2 instances. | | | shared-vpc
SSHIngressCidrIp | Optional ingress rule that allows SSH access from this IP address range (e.g., access from anywhere: 0.0.0.0/0; from a single public IP address: 91.45.138.21/32). | | | all
SSHIngressSecurityGroupId | Optional ingress rule that allows SSH access from this security group. | | | shared-vpc
VpcCidrBlock | The IPv4 network range for the VPC, in CIDR notation (e.g., 10.0.0.0/16). | 10.0.0.0/16 | | dedicated-public-vpc, dedicated-private-vpc
VpcSubnetCidrBits | The number of subnet bits for the CIDR (e.g., a value of 8 creates subnets with a /24 mask). | 12 | 6-14 | dedicated-public-vpc, dedicated-private-vpc
ClamAV engine with Amazon S3:

Parameter | Description | Default | Allowed values | Delivery Methods
---|---|---|---|---
Admin | | | |
InfrastructureAlarmsEmail | Optional but strongly recommended email address that receives infrastructure alarms (for more than one email address, subscribe to the Infrastructure Alarms SNS topic after stack creation). | | | all
Auto Scaling Group | | | |
AutoScalingMaxSize | Maximum number of EC2 instances scanning files (in production, we recommend at least 2 for high availability). | 1 | Must be >= 1 | all
AutoScalingMinSize | Minimum number of EC2 instances scanning files (in production, we recommend 2 for high availability). | 1 | Must be >= 0 | all
CapacityStrategy | Take advantage of unused EC2 capacity in the AWS cloud by launching spot instances that are up to 90% cheaper than on-demand prices. Keep in mind that spot instances can be interrupted at any time and are replaced automatically! | SpotWithoutAlternativeInstanceTypeWithOnDemandFallback | One of SpotWithOnDemandFallback, OnDemandOnly, SpotOnly, SpotOnlyWithoutAlternativeInstanceType, or SpotWithoutAlternativeInstanceTypeWithOnDemandFallback | all
Deprecated | | | |
CloudWatchIntegration | Deprecated, will be removed in v3; this is now on by default. | false | One of true, false | all
OpsCenterIntegration | Deprecated, will be removed in v3; please use the OpsCenter integration Add-On instead (https://bucketav.com/add-ons/ops-center/). | false | One of true, false | all
SecurityHubIntegration | Deprecated, will be removed in v3; please use the Security Hub integration Add-On instead (https://bucketav.com/add-ons/security-hub/). | false | One of true, false | all
EC2 | | | |
InstanceType | Specifies the instance type of the EC2 instances (t3a.small and t3.small offer low performance). | m5.large | One of t3a.small, t3a.medium, t3a.large, t3a.xlarge, t3a.2xlarge, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge, m5a.large, m5a.xlarge, m5a.2xlarge, m5a.4xlarge, m5a.8xlarge, m5a.12xlarge, m5a.16xlarge, m5a.24xlarge, m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.8xlarge, m5.12xlarge, m5.16xlarge, m5.24xlarge, m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge, m4.16xlarge | all
KeyName | Name of the EC2 key pair used to log in via SSH (username: ec2-user). | | Must be a valid EC2 key pair name | all
LogsRetentionInDays | Specifies the number of days you want to retain log events. | 14 | One of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 | all
Subnets | Subnets used for the scanners. | | Valid subnet IDs | shared-vpc
SystemsManagerAccess | Enable AWS Systems Manager Session Manager to connect to the EC2 instances. To fully enable SSM, also add arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore to the ManagedPolicyArns configuration parameter. | false | One of true, false | all
VPC | The EC2 instances that scan the files are launched into this VPC. | | Valid VPC ID | shared-vpc
Lambda | | | |
AccountConnectionLambdaFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
AutoScalingGroupCalculatorFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
DashboardLambdaFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
GovernanceLambdaFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
RefreshBucketCacheFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
RefreshServiceDiscoveryLambdaFunctionFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
StateMachineNameGeneratorFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
Permissions | | | |
AWSAccountRestriction | Optional allowlist of the AWS accounts that send S3 notifications (e.g., 111111111111,222222222222,333333333333; only required in multi-account setups). | | | all
AWSOrganizationRestriction | Optional allowlist of the AWS organizations that send S3 notifications (e.g., o-1111111111,o-2222222222,o-3333333333; only required in multi-account setups). | | | all
KMSKeyRestriction | Restrict access to specific KMS keys (e.g., arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab,arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321, or * to allow access to all KMS keys). | * | | all
ManagedPolicyArns | Optional comma-delimited list of IAM managed policy ARNs to attach to the IAM role of the EC2 instances. | | | all
PermissionsBoundary | Optional IAM policy ARN used as the permissions boundary for all roles. | | | all
S3BucketRestriction | Restrict access to specific S3 buckets (e.g., arn:aws:s3:::bucket-a,arn:aws:s3:::bucket-b, or * to allow access to all S3 buckets). | * | | all
S3ObjectRestriction | Restrict access to specific S3 objects (e.g., arn:aws:s3:::bucket-a/*,arn:aws:s3:::bucket-b/*, or * to allow access to all S3 objects). | * | | all
Scan | | | |
AdditionalDatabaseUrls | Optional comma-delimited list of ClamAV database files available via http(s). | | | all
DeleteInfectedFiles | Automatically delete infected files. | true | One of true, false | all
EnableCache | Enable cache checks for hash sums of scanned files (disable only during performance tests). | true | One of true, false | all
Governance | Enable governance checks. | true | One of true, false | all
ReportCleanFiles | Report clean files to the SNS topic (recommended for better visibility). | true | One of true, false | all
ReportEventBridge | Report scan results to EventBridge. | false | One of true, false | all
ScanDelayInSeconds | Delay the scanning of objects by 0-900 seconds. | 0 | 0-900 | all
TagFiles | Tag the S3 object after a successful scan with the value clean, infected, or no (infected is only possible if DeleteInfectedFiles != true), using the tag key specified by TagKey. | true | One of true, false | all
TagKey | S3 object tag key that carries the value clean, infected, or no. | bucketav | | all
VPC | | | |
AssociatePublicIpAddress | Specifies whether to assign a public IP address to the group's instances (set to true in public subnets, false in private subnets). | true | One of true, false | shared-vpc
FlowLogRetentionInDays | Specifies the number of days you want to retain VPC Flow Log events (set to 0 to disable). | 14 | One of 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 | dedicated-public-vpc, dedicated-private-vpc
HttpsProxy | Forward proxy for outbound HTTPS communication to https://metering.marketplace.REGION.amazonaws.com and https://REGION.savmirror.bucketav.com. You must add a security group in parameter SecurityGroupIds that allows outbound communication with your proxy. | | | shared-vpc
SecurityGroupIds | Optional comma-delimited list of security group IDs to attach to the EC2 instances. | | | shared-vpc
SSHIngressCidrIp | Optional ingress rule that allows SSH access from this IP address range (e.g., access from anywhere: 0.0.0.0/0; from a single public IP address: 91.45.138.21/32). | | | all
SSHIngressSecurityGroupId | Optional ingress rule that allows SSH access from this security group. | | | shared-vpc
VpcCidrBlock | The IPv4 network range for the VPC, in CIDR notation (e.g., 10.0.0.0/16). | 10.0.0.0/16 | | dedicated-public-vpc, dedicated-private-vpc
VpcSubnetCidrBits | The number of subnet bits for the CIDR (e.g., a value of 8 creates subnets with a /24 mask). | 12 | 6-14 | dedicated-public-vpc, dedicated-private-vpc
Sophos engine with Cloudflare:

Parameter | Description | Default | Allowed values | Delivery Methods
---|---|---|---|---
Admin | | | |
InfrastructureAlarmsEmail | Optional but strongly recommended email address that receives infrastructure alarms (for more than one email address, subscribe to the Infrastructure Alarms SNS topic after stack creation). | | | all
Auto Scaling Group | | | |
AutoScalingMaxSize | Maximum number of EC2 instances scanning files (in production, we recommend at least 2 for high availability). | 1 | Must be >= 1 | all
AutoScalingMinSize | Minimum number of EC2 instances scanning files (in production, we recommend 2 for high availability). | 1 | Must be >= 0 | all
CapacityStrategy | Take advantage of unused EC2 capacity in the AWS cloud by launching spot instances that are up to 90% cheaper than on-demand prices. Keep in mind that spot instances can be interrupted at any time and are replaced automatically! | SpotWithoutAlternativeInstanceTypeWithOnDemandFallback | One of SpotWithOnDemandFallback, OnDemandOnly, SpotOnly, SpotOnlyWithoutAlternativeInstanceType, or SpotWithoutAlternativeInstanceTypeWithOnDemandFallback | all
Cloudflare | | | |
CloudflareAccessKeyId | Cloudflare access key ID. | | | all
CloudflareAccessKeySecret | Cloudflare access key secret. | | | all
CloudflareAccountId | Cloudflare account ID. | | | all
CloudflareApiToken | Cloudflare API token. | | | all
EC2 | | | |
InstanceType | Specifies the instance type of the EC2 instances (t3a.small and t3.small offer low performance). | m5.large | One of t3a.small, t3a.medium, t3a.large, t3a.xlarge, t3a.2xlarge, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge, m5a.large, m5a.xlarge, m5a.2xlarge, m5a.4xlarge, m5a.8xlarge, m5a.12xlarge, m5a.16xlarge, m5a.24xlarge, m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.8xlarge, m5.12xlarge, m5.16xlarge, m5.24xlarge, m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge, m4.16xlarge | all
KeyName | Name of the EC2 key pair used to log in via SSH (username: ec2-user). | | Must be a valid EC2 key pair name | all
LogsRetentionInDays | Specifies the number of days you want to retain log events. | 14 | One of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 | all
Subnets | Subnets used for the scanners. | | Valid subnet IDs | shared-vpc
SystemsManagerAccess | Enable AWS Systems Manager Session Manager to connect to the EC2 instances. To fully enable SSM, also add arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore to the ManagedPolicyArns configuration parameter. | false | One of true, false | all
VolumeIops | The provisioned I/O operations per second (IOPS). | 3000 | 3000-16000 | all
VolumeSize | The size of the EBS volume, in gibibytes (GiB). You can only scan files smaller than VolumeSize minus 16 GiB. The maximum S3 object size is 5120 GiB. | 32 | 32-5136 | all
VolumeThroughput | The provisioned throughput, in MiB per second. | 125 | 125-1000 | all
VPC | The EC2 instances that scan the files are launched into this VPC. | | Valid VPC ID | shared-vpc
Lambda | | | |
AutoScalingGroupCalculatorFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
CloudflareQueueFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
DashboardLambdaFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
Permissions | | | |
ManagedPolicyArns | Optional comma-delimited list of IAM managed policy ARNs to attach to the IAM role of the EC2 instances. | | | all
Scan | | | |
DeleteInfectedFiles | Automatically delete infected files. | true | One of true, false | all
ReportEventBridge | Report scan results to EventBridge. | false | One of true, false | all
ScanDelayInSeconds | Delay the scanning of objects by 0-900 seconds. | 0 | 0-900 | all
SophosLiveProtectionCloudLookups | Live Protection cloud lookups use Sophos' SXL technology and infrastructure to let the antivirus engine determine whether a suspicious file is malicious or clean by querying Sophos' extensive database of both malware and clean files. SXL improves detection rates and lowers false positives. The file hash is shared with Sophos if you enable this feature! | false | One of true, false | all
VPC | | | |
AssociatePublicIpAddress | Specifies whether to assign a public IP address to the group's instances (set to true in public subnets, false in private subnets). | true | One of true, false | shared-vpc
FlowLogRetentionInDays | Specifies the number of days you want to retain VPC Flow Log events (set to 0 to disable). | 14 | One of 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 | dedicated-public-vpc, dedicated-private-vpc
HttpsProxy | Forward proxy for outbound HTTPS communication to https://metering.marketplace.REGION.amazonaws.com and https://REGION.savmirror.bucketav.com. You must add a security group in parameter SecurityGroupIds that allows outbound communication with your proxy. | | | shared-vpc
SecurityGroupIds | Optional comma-delimited list of security group IDs to attach to the EC2 instances. | | | shared-vpc
SSHIngressCidrIp | Optional ingress rule that allows SSH access from this IP address range (e.g., access from anywhere: 0.0.0.0/0; from a single public IP address: 91.45.138.21/32). | | | all
SSHIngressSecurityGroupId | Optional ingress rule that allows SSH access from this security group. | | | shared-vpc
VpcCidrBlock | The IPv4 network range for the VPC, in CIDR notation (e.g., 10.0.0.0/16). | 10.0.0.0/16 | | dedicated-public-vpc, dedicated-private-vpc
VpcSubnetCidrBits | The number of subnet bits for the CIDR (e.g., a value of 8 creates subnets with a /24 mask). | 12 | 6-14 | dedicated-public-vpc, dedicated-private-vpc
ClamAV engine with Cloudflare:

Parameter | Description | Default | Allowed values | Delivery Methods
---|---|---|---|---
Admin | | | |
InfrastructureAlarmsEmail | Optional but strongly recommended email address that receives infrastructure alarms (for more than one email address, subscribe to the Infrastructure Alarms SNS topic after stack creation). | | | all
Auto Scaling Group | | | |
AutoScalingMaxSize | Maximum number of EC2 instances scanning files (in production, we recommend at least 2 for high availability). | 1 | Must be >= 1 | all
AutoScalingMinSize | Minimum number of EC2 instances scanning files (in production, we recommend 2 for high availability). | 1 | Must be >= 0 | all
CapacityStrategy | Take advantage of unused EC2 capacity in the AWS cloud by launching spot instances that are up to 90% cheaper than on-demand prices. Keep in mind that spot instances can be interrupted at any time and are replaced automatically! | SpotWithoutAlternativeInstanceTypeWithOnDemandFallback | One of SpotWithOnDemandFallback, OnDemandOnly, SpotOnly, SpotOnlyWithoutAlternativeInstanceType, or SpotWithoutAlternativeInstanceTypeWithOnDemandFallback | all
Cloudflare | | | |
CloudflareAccessKeyId | Cloudflare access key ID. | | | all
CloudflareAccessKeySecret | Cloudflare access key secret. | | | all
CloudflareAccountId | Cloudflare account ID. | | | all
CloudflareApiToken | Cloudflare API token. | | | all
EC2 | | | |
InstanceType | Specifies the instance type of the EC2 instances (t3a.small and t3.small offer low performance). | m5.large | One of t3a.small, t3a.medium, t3a.large, t3a.xlarge, t3a.2xlarge, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge, m5a.large, m5a.xlarge, m5a.2xlarge, m5a.4xlarge, m5a.8xlarge, m5a.12xlarge, m5a.16xlarge, m5a.24xlarge, m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.8xlarge, m5.12xlarge, m5.16xlarge, m5.24xlarge, m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge, m4.16xlarge | all
KeyName | Name of the EC2 key pair used to log in via SSH (username: ec2-user). | | Must be a valid EC2 key pair name | all
LogsRetentionInDays | Specifies the number of days you want to retain log events. | 14 | One of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 | all
Subnets | Subnets used for the scanners. | | Valid subnet IDs | shared-vpc
SystemsManagerAccess | Enable AWS Systems Manager Session Manager to connect to the EC2 instances. To fully enable SSM, also add arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore to the ManagedPolicyArns configuration parameter. | false | One of true, false | all
VPC | The EC2 instances that scan the files are launched into this VPC. | | Valid VPC ID | shared-vpc
Lambda | | | |
AutoScalingGroupCalculatorFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
CloudflareQueueFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
DashboardLambdaFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check the CloudWatch metric ConcurrentExecutions for the past maximum of concurrent invocations). | 0 | | all
Permissions | | | |
ManagedPolicyArns | Optional comma-delimited list of IAM managed policy ARNs to attach to the IAM role of the EC2 instances. | | | all
Scan | | | |
AdditionalDatabaseUrls | Optional comma-delimited list of ClamAV database files available via http(s). | | | all
DeleteInfectedFiles | Automatically delete infected files. | true | One of true, false | all
EnableCache | Enable cache checks for hash sums of scanned files (disable only during performance tests). | true | One of true, false | all
ReportEventBridge | Report scan results to EventBridge. | false | One of true, false | all
ScanDelayInSeconds | Delay the scanning of objects by 0-900 seconds. | 0 | 0-900 | all
VPC | | | |
AssociatePublicIpAddress | Specifies whether to assign a public IP address to the group's instances (set to true in public subnets, false in private subnets). | true | One of true, false | shared-vpc
FlowLogRetentionInDays | Specifies the number of days you want to retain VPC Flow Log events (set to 0 to disable). | 14 | One of 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 | dedicated-public-vpc, dedicated-private-vpc
HttpsProxy | Forward proxy for outbound HTTPS communication to https://metering.marketplace.REGION.amazonaws.com and https://REGION.savmirror.bucketav.com. You must add a security group in parameter SecurityGroupIds that allows outbound communication with your proxy. | | | shared-vpc
SecurityGroupIds | Optional comma-delimited list of security group IDs to attach to the EC2 instances. | | | shared-vpc
SSHIngressCidrIp | Optional ingress rule that allows SSH access from this IP address range (e.g., access from anywhere: 0.0.0.0/0; from a single public IP address: 91.45.138.21/32). | | | all
SSHIngressSecurityGroupId | Optional ingress rule that allows SSH access from this security group. | | | shared-vpc
VpcCidrBlock | The IPv4 network range for the VPC, in CIDR notation (e.g., 10.0.0.0/16). | 10.0.0.0/16 | | dedicated-public-vpc, dedicated-private-vpc
VpcSubnetCidrBits | The number of subnet bits for the CIDR (e.g., a value of 8 creates subnets with a /24 mask). | 12 | 6-14 | dedicated-public-vpc, dedicated-private-vpc
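Several rows in the tables above carry a security consequence that is easy to miss when a stack is left at its defaults: the three Restriction parameters default to `*`, which lets the scanner role reach every bucket, object and KMS key; `SSHIngressCidrIp` accepts `0.0.0.0/0`; and an infected file that is neither deleted (`DeleteInfectedFiles`) nor tagged (`TagFiles`) is indistinguishable from a clean one. The audit below is an added example and not part of the bucketAV documentation or product. It reads the parameter list in the shape `aws cloudformation describe-stacks --query 'Stacks[0].Parameters'` returns and checks it against the allowed values and recommendations in the tables; function names, severities and the two sample stacks are constructed for this example.

```python
"""Audit bucketAV CloudFormation parameters for invalid or risky values.

Added example, not part of the bucketAV documentation. Input is the list
that `aws cloudformation describe-stacks --query 'Stacks[0].Parameters'`
returns ({"ParameterKey": ..., "ParameterValue": ...} dicts); the checks
encode the allowed values and recommendations from the parameter tables.
Both stacks at the bottom are constructed samples, not real deployments.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, parameter, message)

LOG_RETENTION_DAYS = {"1", "3", "5", "7", "14", "30", "60", "90", "120", "150",
                      "180", "365", "400", "545", "731", "1827", "3653"}
ACCOUNT_ID = re.compile(r"^\d{12}$")         # 12-digit AWS account ID
ORG_ID = re.compile(r"^o-[a-z0-9]{10,32}$")  # AWS Organizations ID
# Restriction parameters and the ARN prefix their entries must carry.
RESTRICTIONS = {"S3BucketRestriction": "arn:aws:s3:::",
                "S3ObjectRestriction": "arn:aws:s3:::",
                "KMSKeyRestriction": "arn:aws:kms:"}


def as_dict(parameters: List[Dict[str, str]]) -> Dict[str, str]:
    return {p["ParameterKey"]: p.get("ParameterValue", "") for p in parameters}


def split_list(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_parameters(parameters: List[Dict[str, str]]) -> List[Finding]:
    p = as_dict(parameters)
    out: List[Finding] = []

    # Scope of the scanner role: '*' (the template default) is everything.
    for key, prefix in RESTRICTIONS.items():
        value = p.get(key, "*")
        if value == "*":
            out.append(("HIGH", key, "wildcard grants the scanners access to every "
                        "resource of this type; list only the ARNs bucketAV must scan"))
            continue
        for arn in split_list(value):
            if not arn.startswith(prefix):
                out.append(("ERROR", key, f"{arn!r} is not an ARN of the expected type"))
            elif key == "S3ObjectRestriction" and "/" not in arn[len(prefix):]:
                out.append(("ERROR", key, f"{arn!r} is a bucket ARN; object ARNs look "
                            "like arn:aws:s3:::bucket/*"))

    # SSH exposure of the scanner instances.
    cidr = p.get("SSHIngressCidrIp", "")
    if cidr:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            out.append(("ERROR", "SSHIngressCidrIp", f"{cidr!r} is not a valid CIDR range"))
        else:
            if net.prefixlen == 0:
                out.append(("HIGH", "SSHIngressCidrIp", "SSH is open to any address; narrow "
                            "the range or use SystemsManagerAccess instead"))

    # Infected objects must be removed or at least marked.
    if p.get("DeleteInfectedFiles", "true") != "true" and p.get("TagFiles", "true") != "true":
        out.append(("HIGH", "DeleteInfectedFiles", "infected files are neither deleted nor "
                    "tagged, so consumers cannot tell them from clean objects"))

    # Capacity and operations hygiene.
    try:
        min_size, max_size = int(p.get("AutoScalingMinSize", "1")), int(p.get("AutoScalingMaxSize", "1"))
    except ValueError:
        out.append(("ERROR", "AutoScalingMaxSize", "auto scaling sizes must be integers"))
    else:
        if min_size > max_size:
            out.append(("ERROR", "AutoScalingMinSize", "minimum size exceeds maximum size"))
        if max_size < 2:
            out.append(("WARN", "AutoScalingMaxSize", "below the 2 instances recommended for high availability"))
    if not p.get("InfrastructureAlarmsEmail", ""):
        out.append(("WARN", "InfrastructureAlarmsEmail", "no recipient for infrastructure alarms"))
    if p.get("LogsRetentionInDays", "14") not in LOG_RETENTION_DAYS:
        out.append(("ERROR", "LogsRetentionInDays", "not one of the allowed retention periods"))
    if p.get("FlowLogRetentionInDays", "14") == "0":
        out.append(("WARN", "FlowLogRetentionInDays", "VPC Flow Logs are disabled"))
    delay = p.get("ScanDelayInSeconds", "0")
    if not delay.isdigit() or int(delay) > 900:
        out.append(("ERROR", "ScanDelayInSeconds", "must be an integer between 0 and 900"))
    if p.get("SophosLiveProtectionCloudLookups") == "true":
        out.append(("INFO", "SophosLiveProtectionCloudLookups", "file hashes are shared with Sophos"))
    for key, pattern in (("AWSAccountRestriction", ACCOUNT_ID), ("AWSOrganizationRestriction", ORG_ID)):
        for entry in split_list(p.get(key, "")):
            if not pattern.match(entry):
                out.append(("ERROR", key, f"{entry!r} is not a well-formed ID"))
    return out


# Constructed sample: a stack left close to the template defaults.
WEAK_STACK = [
    {"ParameterKey": "AutoScalingMinSize", "ParameterValue": "0"},
    {"ParameterKey": "AutoScalingMaxSize", "ParameterValue": "1"},
    {"ParameterKey": "InfrastructureAlarmsEmail", "ParameterValue": ""},
    {"ParameterKey": "S3BucketRestriction", "ParameterValue": "arn:aws:s3:::example-uploads"},
    {"ParameterKey": "S3ObjectRestriction", "ParameterValue": "arn:aws:s3:::example-uploads"},
    {"ParameterKey": "KMSKeyRestriction", "ParameterValue": "*"},
    {"ParameterKey": "SSHIngressCidrIp", "ParameterValue": "0.0.0.0/0"},
    {"ParameterKey": "DeleteInfectedFiles", "ParameterValue": "false"},
    {"ParameterKey": "TagFiles", "ParameterValue": "false"},
    {"ParameterKey": "FlowLogRetentionInDays", "ParameterValue": "0"},
    {"ParameterKey": "AWSAccountRestriction", "ParameterValue": "111111111111,22222"},
]
# Constructed sample: the same stack with each finding addressed.
HARDENED_STACK = [
    {"ParameterKey": "AutoScalingMinSize", "ParameterValue": "2"},
    {"ParameterKey": "AutoScalingMaxSize", "ParameterValue": "4"},
    {"ParameterKey": "InfrastructureAlarmsEmail", "ParameterValue": "secops@example.com"},
    {"ParameterKey": "S3BucketRestriction", "ParameterValue": "arn:aws:s3:::example-uploads"},
    {"ParameterKey": "S3ObjectRestriction", "ParameterValue": "arn:aws:s3:::example-uploads/*"},
    {"ParameterKey": "KMSKeyRestriction", "ParameterValue":
     "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"ParameterKey": "SSHIngressCidrIp", "ParameterValue": ""},
    {"ParameterKey": "SystemsManagerAccess", "ParameterValue": "true"},
    {"ParameterKey": "DeleteInfectedFiles", "ParameterValue": "true"},
    {"ParameterKey": "LogsRetentionInDays", "ParameterValue": "90"},
    {"ParameterKey": "FlowLogRetentionInDays", "ParameterValue": "90"},
    {"ParameterKey": "AWSAccountRestriction", "ParameterValue": "111111111111,222222222222"},
]

if __name__ == "__main__":
    for name, stack in (("weak", WEAK_STACK), ("hardened", HARDENED_STACK)):
        print(f"== {name}: {len(audit_parameters(stack))} finding(s)")
        for severity, key, message in audit_parameters(stack):
            print(f"{severity:5} {key}: {message}")
```

Feed it the real stack with `aws cloudformation describe-stacks --stack-name bucketav --query 'Stacks[0].Parameters' --output json` and `json.load`; the audit only reads the parameter list, so it needs no AWS credentials of its own and can run in a CI job against the exported parameters before an update is submitted.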