On-access file scan

This feature is only available for bucketAV for Amazon S3!

Scan files before they are downloaded, powered by S3 Object Lambda, for maximum protection against the latest threats.

Setup

Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.15.0, or bucketAV for Amazon S3 powered by Sophos® version >= 2.5.0.
To update to the latest version, follow the Update Guide.

The ReportCleanFiles configuration parameter must be set to true.

Install Add-On (requires a running bucketAV installation)

  1. Set the Stack name to bucketav-scan-on-access.
  2. Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
  3. Set the BucketName parameter to the name of the S3 bucket that needs on-access file scanning.
  4. Select I acknowledge that AWS CloudFormation might create IAM resources.
  5. Click on the Create stack button to save.
  6. Fetch the value from the S3ObjectLambdaAccessPointAlias output and use it as the bucket name.

Instead of the bucket name:

aws s3 cp s3://YOUR_BUCKET_NAME/report.pdf .

Use the S3 Object Lambda Access Point Alias for on-access file scanning:

aws s3 cp s3://S3_OBJECT_LAMBDA_ACCESS_POINT_ALIAS/report.pdf .

Multi-account setup

Multi-account support requires version >= 2.3.0 of this Add-On. To update to the latest version, follow the update instructions.

If the bucket is created in a different AWS account, you can still use on-access file scanning.

  1. In AWS account a (the AWS account where bucketAV is running), follow the setup instructions from above.
    1. Set the BucketAccountId parameter to AWS account b (the AWS account where the bucket is created).
  2. In AWS account b, add a bucket policy to the bucket (replace YOUR_BUCKET_NAME with the name of your bucket and YOUR_ACCOUNT_A_ID with the AWS account ID of AWS account a):
{
  "Version": "2012-10-17",
  "Statement": [{
     "Effect": "Allow",
     "Principal": {
         "AWS": "*"
     },
     "Action": [
         "s3:GetObject",
         "s3:ListBucket"
     ],
     "Resource": [
         "arn:aws:s3:::YOUR_BUCKET_NAME",
         "arn:aws:s3:::YOUR_BUCKET_NAME/*"
     ],
     "Condition": {
         "StringEquals": {
             "s3:DataAccessPointAccount": "YOUR_ACCOUNT_A_ID"
         }
     }
  }]
}
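The policy above grants access to Principal "*" and relies entirely on the s3:DataAccessPointAccount condition to restrict it to access points in account a. The following is an added example (not part of the bucketAV documentation or its code) that audits a bucket policy for Allow statements with a wildcard principal that are not pinned to the expected account; the policy string and the account ID placeholders are constructed sample input.

```python
import json

# Constructed sample: the cross-account bucket policy from the docs, with placeholders.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
     "Effect": "Allow",
     "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME", "arn:aws:s3:::YOUR_BUCKET_NAME/*"],
     "Condition": {"StringEquals": {"s3:DataAccessPointAccount": "YOUR_ACCOUNT_A_ID"}}
  }]
}"""


def _as_list(value):
    # IAM policy grammar allows a single string or a list in most positions.
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def unscoped_wildcard_statements(policy_json, expected_account):
    """Return indices of Allow statements that open the bucket to Principal "*"
    without a StringEquals condition pinning s3:DataAccessPointAccount to
    exactly expected_account (the account where bucketAV runs)."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        accounts = _as_list(equals.get("s3:DataAccessPointAccount", []))
        if accounts != [expected_account]:
            findings.append(idx)
    return findings


if __name__ == "__main__":
    print(unscoped_wildcard_statements(SAMPLE_POLICY, "YOUR_ACCOUNT_A_ID"))  # []
```

Run it against the real policy (aws s3api get-bucket-policy) after replacing the placeholders; a non-empty result means a wildcard grant is not limited to access points in account a.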

Recommendations

  • Use bucketAV powered by Sophos®.
  • Use a separate bucketAV stack for scan-on-access workloads to avoid delays caused by real-time or scheduled scans.
  • Increase the InstanceType parameter of your bucketAV stack (e.g., m5.xlarge).
  • Increase the VolumeThroughput parameter of your bucketAV stack (e.g., 250).

CloudFormation snippet

# [...]
Resources:
  # [...]
  ScanOnAccess:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
        BucketName: 'YOUR_BUCKET_NAME' # TODO replace bucket name placeholder
      TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.4.0/bucketav-add-on-scan-on-access.yaml'

Terraform snippet

resource "aws_cloudformation_stack" "bucketav_add_on_scan_on_access" {
  name         = "bucketav-scan-on-access"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.4.0/bucketav-add-on-scan-on-access.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
    BucketName        = "YOUR_BUCKET_NAME" # TODO replace bucket name placeholder
  }
}

Update

Which version am I using?

  1. To update this Add-On to version v2.4.0, go to the AWS CloudFormation Management Console.
  2. Double-check the region at the top right.
  3. Search for bucketav-scan-on-access (or for the stack name you specified, if you changed it).
  4. Select the stack and click on Update.
  5. Select Replace current template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.4.0/bucketav-add-on-scan-on-access.yaml
  6. Click on Next.
  7. Scroll to the bottom of the page and click on Next.
  8. Scroll to the bottom of the page and click on Next.
  9. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
  10. While the update runs, the stack status is UPDATE_IN_PROGRESS. Reload the table from time to time and …
  11. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.

Architecture

The following AWS services are used:

  • DynamoDB Table to store scan results temporarily.
  • SNS Subscription to connect to the Findings Topic.
  • Lambda Function to store the scan results in DynamoDB and to implement the S3 Object Lambda.
  • S3 Object Lambda Access Point to implement the S3 Object Lambda.
  • S3 Access Point as the supporting access point for the S3 Object Lambda Access Point.
  • CloudWatch Alarms to monitor the used AWS services.
  • CloudWatch Logs to store logs.

Limitations

  • Parallel byte-range fetches are supported using the Range header or query parameter. We do not support the partNumber query parameter. We need to scan the whole file even if we return just a portion. We recommend turning on caching.
  • S3 Object Lambda timeout is 60 seconds (not fixable).
    • The scan result timeout is 55 seconds.
  • S3 Object Lambda does not allow anonymous or public access (not fixable).
  • Object size restriction is around 10 GB (Lambda memory limitation because of missing stream support in AWS SDK v3).
  • Please research S3 Object Lambda pricing and understand the performance impact of S3 Object Lambda.

Release Notes

Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.

v2.4.0

Changes:

  • Reserved Concurrent Execution for Lambda functions

Release date: 2024-11-19

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.4.0/bucketav-add-on-scan-on-access.yaml

v2.3.0

Changes:

  • Multi-account support
  • Bug fixes

Release date: 2024-09-25

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.3.0/bucketav-add-on-scan-on-access.yaml

v2.2.1

Changes:

  • Bug fixes

Release date: 2024-07-09

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.2.1/bucketav-add-on-scan-on-access.yaml

v2.2.0

Changes:

  • Update Lambda runtime to Node.js 20

Release date: 2024-02-14

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.2.0/bucketav-add-on-scan-on-access.yaml

v2.1.0

Changes:

  • Add Service Discovery

Release date: 2023-12-07

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.1.0/bucketav-add-on-scan-on-access.yaml

v2.0.1

Changes:

  • Bug fixes

Release date: 2023-10-16

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.1/bucketav-add-on-scan-on-access.yaml

v2.0.0

Changes:

  • Initial release

Release date: 2023-07-31

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.0/bucketav-add-on-scan-on-access.yaml

