On-access file scan

Scan files before downloading for maximum protection against the latest threats powered by S3 Object Lambda.

Setup

Install Add-On

  1. Set the Stack name to bucketav-scan-on-access.
  2. Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
  3. Set the BucketName parameter to the name of the S3 bucket that needs on-access file scanning.
  4. Select I acknowledge that AWS CloudFormation might create IAM resources.
  5. Click on the Create stack button to save.
  6. Fetch the value from the S3ObjectLambdaAccessPointAlias output and use it as the bucket name.

Instead of the bucket name:

aws s3 cp s3://YOUR_BUCKET_NAME/report.pdf .

Use the S3 Object Lambda Access Point Alias for on-access file scanning:

aws s3 cp s3://S3_OBJECT_LAMBDA_ACCESS_POINT_ALIAS/report.pdf .

Recommendations

  • Use a separate bucketAV stack for scan-on-access workloads to avoid delays caused by real-time or scheduled scans.
  • Increase the InstanceType parameter of your bucketAV stack (e.g., m5.xlarge).
  • Increase the VolumeThroughput parameter of your bucketAV stack (e.g., 250).

Terraform

resource "aws_cloudformation_stack" "bucketav_add_on_scan_on_access" {
  name         = "bucketav-scan-on-access"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.0/bucketav-add-on-scan-on-access.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
    BucketName = "YOUR_BUCKET_NAME" # TODO replace bucket name placeholder
  }
}

Update

Which version am I using?

  1. To update this add-on to version v2.0.0, go to the AWS CloudFormation Management Console.
  2. Double-check the region at the top right.
  3. Search for bucketav-scan-on-access, otherwise search for the name you specified.
  4. Select the stack and click on Update.
  5. Select Replace current template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.0/bucketav-add-on-scan-on-access.yaml Copy
  6. Click on Next.
  7. Scroll to the bottom of the page and click on Next.
  8. Scroll to the bottom of the page and click on Next.
  9. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
  10. While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
  11. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.

Architecture

The following AWS services are used:

  • DynamoDB Table to store scan results temporarily.
  • SNS Subscription to connect to the Findings Topic.
  • Lambda Function to store the scan results in DynampDB and to implement the S3 Object Lambda.
  • S3 Object Lambda Access Point to implement the S3 Object Lambda.
  • S3 Access Point as the supporting access point for the S3 Object Lambda Access Point.
  • CloudWatch Alarms to monitor the used AWS services.

Limitations

  • Parallel byte-range fetches are supported using the Range header or query parameter. We do not support the partNumber query parameter. We need to scan the whole file even if we return just a portion. We recommend turning on caching.
  • S3 Object Lambda timeout is 60 seconds (not fixable).
    • The scan result timeout is 55 seconds.
  • S3 Object Lambda does not allow anonymous or public access (not fixable).
  • Object size restriction is around 10 GB (Lambda memory limitation because of missing stream support in AWS SDK v3).
  • Requires (unreleased) bucketAV powered by ClamAV® version >= 2.15.0 or bucketAV powered by Sophos® version >= 2.5.0 to pass through the errors NoSuchBucket, NoSuchKey, NoSuchVersion. When using an older version, not found objects will cause a timeout.
  • Please research S3 Object Lambda pricing and understand the performance impact of S3 Object Lambda.

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email