On-access file scan
This feature is only available for bucketAV for Amazon S3!
Scan files before downloading for maximum protection against the latest threats powered by S3 Object Lambda.
Setup
Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.15.0, or bucketAV for Amazon S3 powered by Sophos® version >= 2.5.0.
To update to the latest version, follow the Update Guide.
The ReportCleanFiles configuration parameter must be set to true.
Install Add-On (requires a running bucketAV installation)
- Set the Stack name to bucketav-scan-on-access.
- Set the BucketAVStackName parameter to the stack name of bucketAV (if you followed the docs, the name is bucketav).
- Set the BucketName parameter to the name of the S3 bucket that needs on-access file scanning.
- Select I acknowledge that AWS CloudFormation might create IAM resources.
- Click on the Create stack button to save.
- Fetch the value from the S3ObjectLambdaAccessPointAlias output and use it as the bucket name.
Instead of the bucket name:
aws s3 cp s3://YOUR_BUCKET_NAME/report.pdf .
Use the S3 Object Lambda Access Point Alias for on-access file scanning:
aws s3 cp s3://S3_OBJECT_LAMBDA_ACCESS_POINT_ALIAS/report.pdf .
Multi-account setup
Multi-account support requires version >= 2.3.0 of this Add-On. To update to the latest version, follow the update instructions.
If the bucket is created in a different AWS account, you can still use on-access file scanning.
- In AWS account a (the AWS account where bucketAV is running), follow the setup instructions from above.
- Set the BucketAccountId parameter to AWS account b (the AWS account where the bucket is created).
- In AWS account b, add a bucket policy to the bucket (replace YOUR_BUCKET_NAME with the name of your bucket and YOUR_ACCOUNT_A_ID with the AWS account ID of AWS account a):
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": [
      "s3:GetObject",
      "s3:ListBucket"
    ],
    "Resource": [
      "arn:aws:s3:::YOUR_BUCKET_NAME",
      "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    ],
    "Condition": {
      "StringEquals": {
        "s3:DataAccessPointAccount": "YOUR_ACCOUNT_A_ID"
      }
    }
  }]
}
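The policy above grants to a wildcard principal and relies entirely on the s3:DataAccessPointAccount condition to keep the bucket from becoming public. As an added check that is not part of bucketAV's documentation or code, this Python snippet renders the policy with constructed values (the account ID and bucket name are assumptions) and flags any wildcard-principal Allow statement that is not pinned to access points owned by account A.

```python
import json

# Constructed sample values (not real accounts or buckets).
EXPECTED_ACCOUNT_A = "111111111111"  # assumed ID of the account running bucketAV


def render_bucket_policy(bucket: str, account_a=None) -> str:
    """The bucket policy from the docs, with placeholders filled in. Passing
    account_a=None drops the Condition, which turns it into a public bucket."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }
    if account_a is not None:
        statement["Condition"] = {"StringEquals": {"s3:DataAccessPointAccount": account_a}}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]}, indent=2)


def _is_wildcard_principal(principal) -> bool:
    """True if the statement grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def unscoped_wildcard_statements(policy_json: str, expected_account: str) -> list:
    """Indices of Allow statements with a wildcard principal that are not
    pinned to S3 access points owned by expected_account. An empty list means
    only access points in that account (the bucketAV account) can read."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        accounts = cond.get("s3:DataAccessPointAccount")
        if isinstance(accounts, str):
            accounts = [accounts]
        if accounts != [expected_account]:  # missing, wrong, or wider than account A
            findings.append(i)
    return findings
```

Run the check against the policy you actually attached in account b; a non-empty result means the bucket is readable by any principal, not just through the Object Lambda access point.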
Recommendations
- Use bucketAV powered by Sophos®.
- Use a separate bucketAV stack for scan-on-access workloads to avoid delays caused by real-time or scheduled scans.
- Increase the InstanceType parameter of your bucketAV stack (e.g., m5.xlarge).
- Increase the VolumeThroughput parameter of your bucketAV stack (e.g., 250).
CloudFormation snippet
# [...]
Resources:
  # [...]
  ScanOnAccess:
    Type: 'AWS::CloudFormation::Stack'
    Properties:
      Parameters:
        BucketAVStackName: 'bucketav' # if you followed the docs, the name is bucketav
        BucketName: 'YOUR_BUCKET_NAME' # TODO replace bucket name placeholder
      TemplateURL: 'https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.3.0/bucketav-add-on-scan-on-access.yaml'
Terraform snippet
resource "aws_cloudformation_stack" "bucketav_add_on_scan_on_access" {
  name         = "bucketav-scan-on-access"
  template_url = "https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.3.0/bucketav-add-on-scan-on-access.yaml"
  capabilities = ["CAPABILITY_IAM"]
  parameters = {
    BucketAVStackName = "bucketav"         # if you followed the docs, the name is bucketav
    BucketName        = "YOUR_BUCKET_NAME" # TODO replace bucket name placeholder
  }
}
Update
- To update this Add-On to version v2.3.0, go to the AWS CloudFormation Management Console.
- Double-check the region at the top right.
- Search for bucketav-scan-on-access, otherwise search for the name you specified.
- Select the stack and click on Update.
- Select Replace current template and set the Amazon S3 URL to https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.3.0/bucketav-add-on-scan-on-access.yaml
- Click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page and click on Next.
- Scroll to the bottom of the page, enable I acknowledge that AWS CloudFormation might create IAM resources, and click on Update stack.
- While the update runs, the stack status is UPDATE_IN_PROGRESS. Reload the table from time to time and wait until the CloudFormation stack status switches to UPDATE_COMPLETE.
Architecture
The following AWS services are used:
- DynamoDB Table to store scan results temporarily.
- SNS Subscription to connect to the Findings Topic.
- Lambda Function to store the scan results in DynamoDB and to implement the S3 Object Lambda.
- S3 Object Lambda Access Point to implement the S3 Object Lambda.
- S3 Access Point as the supporting access point for the S3 Object Lambda Access Point.
- CloudWatch Alarms to monitor the used AWS services.
- CloudWatch Logs to store logs.
Limitations
- Parallel byte-range fetches are supported using the Range header or query parameter. We do not support the partNumber query parameter. We need to scan the whole file even if we return just a portion. We recommend turning on caching.
- S3 Object Lambda timeout is 60 seconds (not fixable).
- The scan result timeout is 55 seconds.
- S3 Object Lambda does not allow anonymous or public access (not fixable).
- Object size restriction is around 10 GB (Lambda memory limitation because of missing stream support in AWS SDK v3).
- Please research S3 Object Lambda pricing and understand the performance impact of S3 Object Lambda.
Release Notes
Subscribe to our Atom feed or newsletter to stay up-to-date! We also publish a machine-readable JSON file.
v2.3.0
Changes:
- Multi-account support
- Bug fixes
Release date: 2024-09-25
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.3.0/bucketav-add-on-scan-on-access.yaml
v2.2.1
Changes:
- Bug fixes
Release date: 2024-07-09
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.2.1/bucketav-add-on-scan-on-access.yaml
v2.2.0
Changes:
- Update Lambda runtime to Node.js 20
Release date: 2024-02-14
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.2.0/bucketav-add-on-scan-on-access.yaml
v2.1.0
Changes:
- Add Service Discovery
Release date: 2023-12-07
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.1.0/bucketav-add-on-scan-on-access.yaml
v2.0.1
Changes:
- Bug fixes
Release date: 2023-10-16
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.1/bucketav-add-on-scan-on-access.yaml
v2.0.0
Changes:
- Initial release
Release date: 2023-07-31
Template: https://bucketav-add-ons.s3.eu-west-1.amazonaws.com/scan-on-access/v2.0.0/bucketav-add-on-scan-on-access.yaml