On-access file scan

Scan files before downloading for maximum protection against the latest threats powered by S3 Object Lambda.

Setup (#)

Requires bucketAV powered by ClamAV® version >= 2.15.0 or bucketAV powered by Sophos® version >= 2.5.0. To update to the latest version, follow the Update Guide.

The ReportCleanFiles configuration parameter must be set to true.

Install Add-On (requires a running bucketAV installation)

  1. Set the Stack name to bucketav-scan-on-access.
  2. Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
  3. Set the BucketName parameter to the name of the S3 bucket that needs on-access file scanning.
  4. Select I acknowledge that AWS CloudFormation might create IAM resources.
  5. Click on the Create stack button to save.
  6. Fetch the value from the S3ObjectLambdaAccessPointAlias output and use it as the bucket name.

Instead of the bucket name:

aws s3 cp s3://YOUR_BUCKET_NAME/report.pdf .

Use the S3 Object Lambda Access Point Alias for on-access file scanning:

aws s3 cp s3://S3_OBJECT_LAMBDA_ACCESS_POINT_ALIAS/report.pdf .

Recommendations (#)

  • Use bucketAV powered by Sophos®.
  • Use a separate bucketAV stack for scan-on-access workloads to avoid delays caused by real-time or scheduled scans.
  • Increase the InstanceType parameter of your bucketAV stack (e.g., m5.xlarge).
  • Increase the VolumeThroughput parameter of your bucketAV stack (e.g., 250).

CloudFormation snippet (#)

# [...]
  # [...]
    Type: 'AWS::CloudFormation::Stack'
        BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
        BucketName: 'YOUR_BUCKET_NAME' # TODO replace bucket name placeholder
      TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.2.0/bucketav-add-on-scan-on-access.yaml'

Terraform snippet (#)

resource "aws_cloudformation_stack" "bucketav_add_on_scan_on_access" {
  name         = "bucketav-scan-on-access"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.2.0/bucketav-add-on-scan-on-access.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName = "bucketav" # if you followed the docs, the name is bucketav
    BucketName        = "YOUR_BUCKET_NAME" # TODO replace bucket name placeholder

Update (#)

Which version am I using?

  1. To update this Add-On to version v2.2.0, go to the AWS CloudFormation Management Console.
  2. Double-check the region at the top right.
  3. Search for bucketav-scan-on-access, otherwise search for the name you specified.
  4. Select the stack and click on Update.
  5. Select Replace current template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.2.0/bucketav-add-on-scan-on-access.yaml Copy
  6. Click on Next.
  7. Scroll to the bottom of the page and click on Next.
  8. Scroll to the bottom of the page and click on Next.
  9. Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
  10. While the update runs, the stack status is UPDATE_IN_PROGRES. Reload the table from time to time and …
  11. … wait until the CloudFormation stack status switches to UPDATE_COMPLETE.

Architecture (#)

The following AWS services are used:

  • DynamoDB Table to store scan results temporarily.
  • SNS Subscription to connect to the Findings Topic.
  • Lambda Function to store the scan results in DynampDB and to implement the S3 Object Lambda.
  • S3 Object Lambda Access Point to implement the S3 Object Lambda.
  • S3 Access Point as the supporting access point for the S3 Object Lambda Access Point.
  • CloudWatch Alarms to monitor the used AWS services.
  • CloudWatch Logs to store logs.

Limitations (#)

  • Multi-account setup is not possible at the moment. Only S3 buckets created in the same AWS account as bucketAV can be scanned. Please contact us if you would like to see multi-account support!
  • Parallel byte-range fetches are supported using the Range header or query parameter. We do not support the partNumber query parameter. We need to scan the whole file even if we return just a portion. We recommend turning on caching.
  • S3 Object Lambda timeout is 60 seconds (not fixable).
    • The scan result timeout is 55 seconds.
  • S3 Object Lambda does not allow anonymous or public access (not fixable).
  • Object size restriction is around 10 GB (Lambda memory limitation because of missing stream support in AWS SDK v3).
  • Please research S3 Object Lambda pricing and understand the performance impact of S3 Object Lambda.

Release Notes (#)

Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.



  • Update Lambda runtime to Node.js 20

Release date:2024-02-14

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.2.0/bucketav-add-on-scan-on-access.yaml



  • Add Service Discovery

Release date:2023-12-07

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.1.0/bucketav-add-on-scan-on-access.yaml



  • Bug fixes

Release date:2023-10-16

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.1/bucketav-add-on-scan-on-access.yaml



  • Initial release

Release date:2023-07-31

Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.0/bucketav-add-on-scan-on-access.yaml

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email