On-access file scan
This feature is only available for bucketAV for Amazon S3!
Scan files before downloading for maximum protection against the latest threats powered by S3 Object Lambda.
Setup
Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.15.0, or bucketAV for Amazon S3 powered by Sophos® version >= 2.5.0.
To update to the latest version, follow the Update Guide.
The ReportCleanFiles configuration parameter must be set to
true.
Install Add-On (requires a running bucketAV installation)
- Set the Stack name to
bucketav-scan-on-access. - Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is
bucketav). - Set the BucketName parameter to the name of the S3 bucket that needs on-access file scanning.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
- Fetch the value from the S3ObjectLambdaAccessPointAlias output and use it as the bucket name.
Instead of the bucket name:
aws s3 cp s3://YOUR_BUCKET_NAME/report.pdf .
Use the S3 Object Lambda Access Point Alias for on-access file scanning:
aws s3 cp s3://S3_OBJECT_LAMBDA_ACCESS_POINT_ALIAS/report.pdf .
Run Lambda in a VPC
By default, the add-on deploys Lambda functions with access to the Internet. In case you want to deploy the Lambda functions into a VPC, configure the LambdaVpc and LambdaSubnets parameters.
The add-on requires access to the following endpoints (replace REGION with the AWS region like eu-west-1):
https://s3.REGION.amazonaws.com
https://sqs.REGION.amazonaws.com
https://dynamodb.REGION.amazonaws.com
Ensure that the subnets configured in the LambdaSubnets parameter have access to these endpoints via a NAT Gateway or VPC Endpoints.
Multi-account setup
Multi-account support requires version >= 2.3.0 of this Add-On. To update to the latest version, follow the update instructions.
If the bucket is created in a different AWS account, you can still use on-access file scanning.
- In AWS account a (the AWS account where bucketAV is running), follow the setup instructions from above.
- Set the BucketAccountId parameter to AWS account b (the AWS account where the bucket is created).
- In AWS account b, add a bucket policy to the bucket (replace
YOUR_BUCKET_NAMEwith the name of your bucket andYOUR_ACCOUNT_A_IDwith the AWS account ID of AWS account a):
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME",
"arn:aws:s3:::YOUR_BUCKET_NAME/*"
],
"Condition": {
"StringEquals": {
"s3:DataAccessPointAccount": "YOUR_ACCOUNT_A_ID"
}
}
}]
}
Recommendations
- Use bucketAV powered by Sophos®.
- Use a separate bucketAV stack for scan-on-access workloads to avoid delays caused by real-time or scheduled scans.
- Increase the InstanceType parameter of your bucketAV stack (e.g.,
m5.xlarge). - Increase the VolumeThroughput parameter of your bucketAV stack (e.g.,
250).
CloudFormation snippet
# [...]
Resources:
# [...]
ScanOnAccess:
Type: 'AWS::CloudFormation::Stack'
Properties:
Parameters:
BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
BucketName: 'YOUR_BUCKET_NAME' # TODO replace bucket name placeholder
TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.5.0/bucketav-add-on-scan-on-access.yaml'
Terraform snippet
resource "aws_cloudformation_stack" "bucketav_add_on_scan_on_access" {
name = "bucketav-scan-on-access"
template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.5.0/bucketav-add-on-scan-on-access.yaml"
capabilities = ["CAPABILITY_IAM"]
parameters = {
BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
BucketName = "YOUR_BUCKET_NAME" # TODO replace bucket name placeholder
}
}
Update
- To update this Add-On to version v2.5.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for
bucketav-scan-on-access, otherwise search for the name you specified. - Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to
https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.5.0/bucketav-add-on-scan-on-access.yamlCopy - Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
- … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- DynamoDB Table to store scan results temporarily.
- SNS Subscription to connect to the Findings Topic.
- Lambda Function to store the scan results in DynampDB and to implement the S3 Object Lambda.
- S3 Object Lambda Access Point to implement the S3 Object Lambda.
- S3 Access Point as the supporting access point for the S3 Object Lambda Access Point.
- CloudWatch Alarms to monitor the used AWS services.
- CloudWatch Logs to store logs.
Limitations
- Parallel byte-range fetches are supported using the
Rangeheader or query parameter. We do not support thepartNumberquery parameter. We need to scan the whole file even if we return just a portion. We recommend turning on caching. - S3 Object Lambda timeout is 60 seconds (not fixable).
- The scan result timeout is 55 seconds.
- S3 Object Lambda does not allow anonymous or public access (not fixable).
- Object size restriction is around 10 GB (Lambda memory limitation because of missing stream support in AWS SDK v3).
- Please research S3 Object Lambda pricing and understand the performance impact of S3 Object Lambda.
Run Lambda in a VPC
By default, the add-on deploys Lambda functions with access to the Internet. In case you want to deploy the Lambda functions into a VPC, configure the LambdaVpc and LambdaSubnets parameters.
The add-on requires access to the following endpoints (replace REGION with the AWS region like eu-west-1):
https://s3.REGION.amazonaws.com
https://sqs.REGION.amazonaws.com
https://dynamodb.REGION.amazonaws.com
Ensure that the subnets configured in the LambdaSubnets parameter have access to these endpoints via a NAT Gateway or VPC Endpoints.
Release Notes
Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.
v2.5.0
Changes:
- Update Lambda Node.js runtime to version 22
Release date:2025-02-28
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.5.0/bucketav-add-on-scan-on-access.yaml
v2.4.0
Changes:
- Reserved Concurrent Execution for Lambda functions
Release date:2024-11-19
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.4.0/bucketav-add-on-scan-on-access.yaml
v2.3.0
Changes:
- Multi-account support
- Bug fixes
Release date:2024-09-25
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.3.0/bucketav-add-on-scan-on-access.yaml
v2.2.1
Changes:
- Bug fixes
Release date:2024-07-09
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.2.1/bucketav-add-on-scan-on-access.yaml
v2.2.0
Changes:
- Update Lambda runtime to Node.js 20
Release date:2024-02-14
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.2.0/bucketav-add-on-scan-on-access.yaml
v2.1.0
Changes:
- Add Service Discovery
Release date:2023-12-07
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.1.0/bucketav-add-on-scan-on-access.yaml
v2.0.1
Changes:
- Bug fixes
Release date:2023-10-16
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.1/bucketav-add-on-scan-on-access.yaml
v2.0.0
Changes:
- Initial release
Release date:2023-07-31
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.0/bucketav-add-on-scan-on-access.yaml