On-access file scan
Scan files before downloading for maximum protection against the latest threats, powered by S3 Object Lambda.
Setup
- Set the Stack name to bucketav-scan-on-access.
- Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
- Set the BucketName parameter to the name of the S3 bucket that needs on-access file scanning.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
- Fetch the value of the S3ObjectLambdaAccessPointAlias output and use it in place of the bucket name.
Instead of the bucket name:
aws s3 cp s3://YOUR_BUCKET_NAME/report.pdf .
Use the S3 Object Lambda Access Point Alias for on-access file scanning:
aws s3 cp s3://S3_OBJECT_LAMBDA_ACCESS_POINT_ALIAS/report.pdf .
Recommendations
- Use a separate bucketAV stack for scan-on-access workloads to avoid delays caused by real-time or scheduled scans.
- Increase the InstanceType parameter of your bucketAV stack (e.g., m5.xlarge).
- Increase the VolumeThroughput parameter of your bucketAV stack (e.g., 250).
Terraform
resource "aws_cloudformation_stack" "bucketav_add_on_scan_on_access" {
  name         = "bucketav-scan-on-access"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.0/bucketav-add-on-scan-on-access.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName = "bucketav"         # if you followed the docs, the name is bucketav
    BucketName        = "YOUR_BUCKET_NAME" # TODO replace bucket name placeholder
  }
}
Update
- To update this add-on to version v2.0.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for bucketav-scan-on-access, otherwise search for the name you specified.
- Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.0/bucketav-add-on-scan-on-access.yaml
- Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRESS. Reload the table from time to time and wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- DynamoDB Table to store scan results temporarily.
- SNS Subscription to connect to the Findings Topic.
- Lambda Function to store the scan results in DynamoDB and to implement the S3 Object Lambda.
- S3 Object Lambda Access Point to implement the S3 Object Lambda.
- S3 Access Point as the supporting access point for the S3 Object Lambda Access Point.
- CloudWatch Alarms to monitor the used AWS services.
Limitations
- Parallel byte-range fetches are supported using the Range header or query parameter. We do not support the partNumber query parameter. We need to scan the whole file even if we return just a portion, so we recommend turning on caching.
- S3 Object Lambda timeout is 60 seconds (not fixable).
- The scan result timeout is 55 seconds.
- S3 Object Lambda does not allow anonymous or public access (not fixable).
- Object size restriction is around 10 GB (Lambda memory limitation because of missing stream support in AWS SDK v3).
- Requires (unreleased) bucketAV powered by ClamAV® version >= 2.15.0 or bucketAV powered by Sophos® version >= 2.5.0 to pass through the errors NoSuchBucket, NoSuchKey and NoSuchVersion. With an older version, requests for objects that do not exist will run into the timeout.
- Please research S3 Object Lambda pricing and understand the performance impact of S3 Object Lambda.
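As an added example (not bucketAV's code, which this page does not show), the following Python sketches the request-handling decisions that the Architecture and Limitations sections imply: the handler needs the whole object, waits at most the 55-second scan result timeout for a verdict, refuses partNumber, and cuts out a Range only once the full object is known to be clean. The `lookup` callable standing in for the DynamoDB scan-result table and the HTTP status and error codes are this example's own assumptions.

```python
# Added example, not bucketAV's code: decision logic of an S3 Object Lambda GetObject handler
# in front of a bucketAV-scanned bucket, driven by a scan-result store fed from the Findings Topic.
import re
import time
from urllib.parse import parse_qs, urlparse

SCAN_RESULT_TIMEOUT = 55  # seconds; the add-on's documented scan result timeout

def parse_range(range_header, size):
    """Resolve a single HTTP Range header to an inclusive (start, end) pair."""
    m = re.fullmatch(r"bytes=(\d*)-(\d*)", range_header.strip())
    if not m or m.group(1) == m.group(2) == "":
        raise ValueError("unsupported Range: %r" % range_header)
    first, last = m.groups()
    start = max(size - int(last), 0) if first == "" else int(first)  # empty first = suffix range
    end = size - 1 if (first == "" or last == "") else min(int(last), size - 1)
    if start > end:
        raise ValueError("Range not satisfiable for %d-byte object" % size)
    return start, end

def wait_for_verdict(lookup, clock=time.monotonic, sleep=time.sleep, poll=1.0):
    """Poll lookup (hypothetical: 'clean'/'infected'/None while pending) until a verdict or the 55 s budget is spent."""
    deadline = clock() + SCAN_RESULT_TIMEOUT
    while (verdict := lookup()) is None:
        if clock() >= deadline:
            return "timeout"
        sleep(poll)
    return verdict

def _error(status, code, message):
    return {"StatusCode": status, "ErrorCode": code, "ErrorMessage": message}

def build_response(body, verdict, request_url, headers):
    """Map verdict + user request to s3.write_get_object_response kwargs (codes are this example's)."""
    query = parse_qs(urlparse(request_url).query)
    if "partNumber" in query:  # documented as unsupported; only Range is honoured
        return _error(400, "InvalidRequest", "partNumber is not supported, use Range instead")
    if verdict == "infected":
        return _error(403, "AccessDenied", "object blocked by malware scan")
    if verdict != "clean":  # pending or timeout: fail closed rather than serve unscanned bytes
        return _error(503, "SlowDown", "no scan result within %d seconds" % SCAN_RESULT_TIMEOUT)
    rng = {k.lower(): v for k, v in headers.items()}.get("range") or (query.get("Range") or [None])[0]
    if not rng:
        return {"StatusCode": 200, "Body": body}
    try:  # the whole object was scanned above; only now is the requested slice cut out
        start, end = parse_range(rng, len(body))
    except ValueError as exc:
        return _error(416, "InvalidRange", str(exc))
    return {"StatusCode": 206, "Body": body[start:end + 1],
            "ContentRange": "bytes %d-%d/%d" % (start, end, len(body))}
```

In a real Lambda, body would be the full GET of the event's inputS3Url and the returned dict would be passed to s3.write_get_object_response together with the event's outputRoute and outputToken.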