Real-time file scan

Malware can be introduced into an S3 bucket by uploading infected files. Real-time malware scanning helps to detect and prevent this kind of threat promptly.

There are three options to connect your S3 buckets with bucketAV for real-time file scanning:

Quick Setup (recommended)

Requires bucketAV powered by ClamAV® version >= 2.15.0 or bucketAV powered by Sophos® version >= 2.5.0. To update to the latest version, follow the Update Guide.

For multi-account setups, please create the S3 Event Notification manually.

  1. Visit the AWS CloudWatch Management Console.
  2. Navigate to Dashboards.
  3. Select the dashboard whose name starts with bucketav followed by the name of the AWS region, for example bucketav-eu-west-1.
  4. Find the Buckets tile and click the Enable button next to each bucket you want scanned in real time.

From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.

S3 Event Notification

  1. In the AWS S3 Management Console, click on the bucket you want to connect to bucketAV. Make sure the bucket’s region matches the bucketAV region.
  2. Click on the Properties tab.
  3. Scroll down to the Event notifications box and click on Create event notification.
  4. Set the Event Name (e.g., bucketav).
  5. Select the All object create events event type.
  6. Set the destination to SQS Queue and choose the SQS queue with ScanQueue in the name.

Don’t select the queue with DeadLetterQueue in the name!

  7. Click on Save changes.

From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.

CloudFormation snippet

# [...]
Resources:
  # [...]
  YourExistingBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      # [...]
      NotificationConfiguration:
        # [...]
        QueueConfigurations:
        - Event: 's3:ObjectCreated:*'
          Queue: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.

Terraform snippet

resource "aws_s3_bucket" "your_existing_bucket" {
  # [...]
}

# you can only have one aws_s3_bucket_notification per bucket!
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket      = aws_s3_bucket.your_existing_bucket.id
  # [...]
  queue {
    events    = ["s3:ObjectCreated:*"]
    queue_arn = aws_cloudformation_stack.bucketav.outputs.ScanQueueArn # You can also hard-code the value if the CloudFormation stack is not managed by 
  }
}
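The console steps, the CloudFormation snippet and the Terraform snippet above all express the same thing: one S3 notification configuration per bucket, with an s3:ObjectCreated:* entry pointing at the ScanQueue (never the DeadLetterQueue) in the same region. The following added example (not bucketAV's own code) builds that configuration programmatically while carrying over whatever notifications the bucket already has; the function names and the sample configuration are assumptions.

```python
# Added example (not bucketAV's own code): merge an s3:ObjectCreated:* -> ScanQueue
# entry into a bucket's existing NotificationConfiguration. S3 holds one configuration
# per bucket and a put replaces it whole, so existing entries must be carried over.
# Function names and the sample configuration below are assumptions.
import copy
import re

_SQS_ARN = re.compile(r"^arn:aws:sqs:(?P<region>[a-z0-9-]+):\d{12}:(?P<name>[^:]+)$")

def check_scan_queue_arn(queue_arn, bucket_region):
    """Return queue_arn if it names a ScanQueue in the bucket's region, else raise."""
    m = _SQS_ARN.match(queue_arn)
    if not m:
        raise ValueError(f"not an SQS queue ARN: {queue_arn}")
    if "DeadLetterQueue" in m["name"] or "ScanQueue" not in m["name"]:
        raise ValueError("select the queue with ScanQueue, not DeadLetterQueue, in its name")
    if m["region"] != bucket_region:
        raise ValueError(f"queue region {m['region']} differs from bucket region {bucket_region}")
    return queue_arn

def with_bucketav_notification(existing, queue_arn, bucket_region):
    """Copy of `existing` (shape of get_bucket_notification_configuration) plus bucketAV."""
    check_scan_queue_arn(queue_arn, bucket_region)
    config = copy.deepcopy(existing)
    config.pop("ResponseMetadata", None)  # boto3 response noise, not part of the config
    queues = config.setdefault("QueueConfigurations", [])
    for q in queues:  # idempotent: re-running does not add a duplicate entry
        if q.get("QueueArn") == queue_arn and "s3:ObjectCreated:*" in q.get("Events", []):
            return config
    queues.append({"Id": "bucketav", "QueueArn": queue_arn, "Events": ["s3:ObjectCreated:*"]})
    return config

def connect_bucket(bucket, queue_arn):
    """Apply the merged configuration to a real bucket (needs boto3 and AWS credentials)."""
    import boto3
    s3 = boto3.client("s3")
    region = s3.get_bucket_location(Bucket=bucket)["LocationConstraint"] or "us-east-1"
    current = s3.get_bucket_notification_configuration(Bucket=bucket)
    merged = with_bucketav_notification(current, queue_arn, region)
    s3.put_bucket_notification_configuration(Bucket=bucket, NotificationConfiguration=merged)

# Constructed sample: a bucket that already triggers a Lambda function on uploads.
EXISTING = {"LambdaFunctionConfigurations": [{"Id": "thumbnails", "Events": ["s3:ObjectCreated:Put"],
            "LambdaFunctionArn": "arn:aws:lambda:eu-west-1:123456789012:function:thumbs"}],
            "ResponseMetadata": {"HTTPStatusCode": 200}}
SCAN_QUEUE = "arn:aws:sqs:eu-west-1:123456789012:bucketav-ScanQueue-1ABC"
DLQ = "arn:aws:sqs:eu-west-1:123456789012:bucketav-DeadLetterQueue-1ABC"
```

Calling connect_bucket("my-bucket", SCAN_QUEUE) with credentials that can read and write the bucket's notification configuration applies the merged result; the pure functions can be checked offline against EXISTING.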

Bucket in different AWS account

If you have a multi-account setup, you might want to scan buckets created in additional AWS accounts.

EventBridge

Requires bucketAV powered by ClamAV® version >= 2.9.0 or bucketAV powered by Sophos® version >= 2.0.0. To update to the latest version, follow the Update Guide.

Enabling EventBridge events for S3 incurs costs. Usually, that’s $1.00/million events (see EventBridge pricing).

  1. Enable Amazon EventBridge on the bucket. Make sure the bucket’s region matches the bucketAV region.
  2. Visit the Amazon EventBridge Console.
  3. Ensure that you are in the correct region.
  4. Navigate to Rules.
  5. Click on Create rule.
  6. Set a Name (e.g., bucketav-BUCKET_NAME; replace BUCKET_NAME with the name of your bucket).
  7. Click on Next.
  8. Scroll down to the Event pattern box.
  9. Click on Custom patterns (JSON editor).
  10. Enter the following JSON (replace BUCKET_NAME with the name of your bucket, or remove the detail block entirely to match all buckets):
{
  "source": ["aws.s3"],
  "detail-type": ["Object Created"],
  "detail": {
    "bucket": {
      "name": ["BUCKET_NAME"]
    }
  }
}
  11. Click on Next.
  12. Set Select a target to SQS queue.
  13. Select the queue with ScanQueue in the name.

Don’t select the queue with DeadLetterQueue in the name!

  14. Click on Next.
  15. Again, click on Next.
  16. Click on Create rule.

From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.

CloudFormation snippets

Enable Amazon EventBridge on the bucket:

# [...]
Resources:
  # [...]
  YourExistingBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      # [...]
      NotificationConfiguration:
        EventBridgeConfiguration:
          EventBridgeEnabled: true

Create the EventBridge rule to forward events for all buckets to bucketAV’s Scan Queue:

# [...]
Resources:
  # [...]
  S32BucketAV:
    Type: 'AWS::Events::Rule'
    Properties:
      Description: 'S3 EventBridge to bucketAV.'
      EventPattern:
        source:
        - 'aws.s3'
        'detail-type':
        - 'Object Created'
      State: ENABLED
      Targets:
      - Arn: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
        Id: bucketav

Create the EventBridge rule to forward events for specific buckets to bucketAV’s Scan Queue:

# [...]
Resources:
  # [...]
  S32BucketAV:
    Type: 'AWS::Events::Rule'
    Properties:
      Description: 'S3 EventBridge to bucketAV.'
      EventPattern:
        source:
        - 'aws.s3'
        'detail-type':
        - 'Object Created'
        detail:
          bucket:
            name:
            - 'name-of-bucket1'
            - 'name-of-bucket2'
            - 'name-of-bucket3'
      State: ENABLED
      Targets:
      - Arn: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
        Id: bucketav

Terraform snippets

Enable Amazon EventBridge on the bucket:

resource "aws_s3_bucket" "your_existing_bucket" {
  # [...]
}

# you can only have one aws_s3_bucket_notification per bucket!
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket      = aws_s3_bucket.your_existing_bucket.id
  eventbridge = true

  # your existing configuration
  # lambda_function {
  # [...]
  # }
  # queue {
  # [...]
  # }
  # topic {
  # [...]
  # }
}

Create the EventBridge rule to forward events for all buckets to bucketAV’s Scan Queue when the CloudFormation stack is deployed with Terraform as well:

resource "aws_cloudwatch_event_rule" "s3_to_bucketav" {
  description   = "S3 EventBridge to bucketAV."
  event_pattern = <<JSON
{
  "source": [ 
    "aws.s3"
  ],
  "detail-type": [
    "Object Created"
  ]
}
JSON
}

resource "aws_cloudwatch_event_target" "s3_to_bucketav" {
  rule      = aws_cloudwatch_event_rule.s3_to_bucketav.name
  target_id = "bucketav"
  arn       = aws_cloudformation_stack.bucketav.outputs.ScanQueueArn # You can also hard-code the value if the CloudFormation stack is not managed by 
}

resource "aws_cloudformation_stack" "bucketav" {
  # from https://bucketav.com/help/faq/#terraform
}

Create the EventBridge rule to forward events for specific buckets to bucketAV’s Scan Queue when the CloudFormation stack is deployed outside of Terraform:

resource "aws_cloudwatch_event_rule" "s3_to_bucketav" {
  description   = "S3 EventBridge to bucketAV."
  event_pattern = <<JSON
{
  "source": [ 
    "aws.s3"
  ],
  "detail-type": [
    "Object Created"
  ],
  "detail": {
    "bucket": {
      "name": ["name-of-bucket1", "name-of-bucket2", "name-of-bucket3"]
    }
  }
}
JSON
}

resource "aws_cloudwatch_event_target" "s3_to_bucketav" {
  rule      = aws_cloudwatch_event_rule.s3_to_bucketav.name
  target_id = "bucketav"
  arn       = data.aws_cloudformation_export.scan_queue_arn.value
}

data "aws_cloudformation_export" "scan_queue_arn" {
  name = "bucketav-ScanQueueArn" # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
}
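The event pattern entered in the console steps and the CloudFormation and Terraform rules above decide which S3 events reach the ScanQueue: dropping the detail block forwards every bucket, while a list of bucket names forwards only those. The following added example (not bucketAV's own code) is a small matcher for that pattern subset, run over constructed S3 events, so the effect of each variant can be checked before deploying the rule; the function names and sample events are assumptions.

```python
# Added example (not bucketAV's own code): a small matcher for the EventBridge
# patterns on this page, used to check which S3 "Object Created" events a rule
# would forward to the ScanQueue. It implements only exact-value matching (a leaf
# list means "any of these"), not EventBridge's full pattern language. The
# function names and the sample events are assumptions.
import json

# The rule pattern from the console steps; the detail block restricts it to named buckets.
PATTERN_JSON = """{
  "source": ["aws.s3"],
  "detail-type": ["Object Created"],
  "detail": {"bucket": {"name": ["uploads"]}}
}"""
PAGE_PATTERN = json.loads(PATTERN_JSON)

def matches(pattern, event):
    """True when every key of pattern is present in event with an allowed value."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:  # leaf: list of allowed literal values
            return False
    return True

def bucketav_pattern(bucket_names=None):
    """Pattern of the rule: omit bucket_names to forward events for all buckets."""
    pattern = {"source": ["aws.s3"], "detail-type": ["Object Created"]}
    if bucket_names:
        pattern["detail"] = {"bucket": {"name": list(bucket_names)}}
    return pattern

def s3_event(bucket, key, detail_type="Object Created"):
    """Constructed S3-to-EventBridge event, trimmed to the fields the rule inspects."""
    return {"version": "0", "source": "aws.s3", "detail-type": detail_type,
            "detail": {"bucket": {"name": bucket}, "object": {"key": key, "size": 1024},
                       "reason": "PutObject"}}

def forwarded(pattern, events):
    """bucket/key of every event the rule would deliver to the ScanQueue."""
    return [f"{e['detail']['bucket']['name']}/{e['detail']['object']['key']}"
            for e in events if matches(pattern, e)]

# Constructed traffic: two uploads to different buckets and one deletion.
EVENTS = [s3_event("uploads", "invoice.pdf"), s3_event("logs", "2024/app.log"),
          s3_event("uploads", "old.zip", detail_type="Object Deleted")]
```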
