Real-time file scan
Malware can be introduced into an S3 bucket by uploading infected files. Real-time malware scanning helps to detect and prevent this kind of threat promptly.
There are three options to connect your S3 buckets with bucketAV for real-time file scanning:
Quick Configuration (recommended)
Requires bucketAV powered by ClamAV® version >= 2.15.0 or bucketAV powered by Sophos® version >= 2.5.0. To update to the latest version, follow the Update Guide.
- Visit the AWS CloudWatch Management Console.
- Navigate to Dashboards.
- Select the dashboard starting with the name
bucketavfollowed by the name of the AWS region—for example,bucketav-eu-west-1.
- Find the Bucket tile. Enable real-time file scanning for each bucket you want by clicking the Enable button.
From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.
S3 Event Notification
- In the AWS S3 Management Console, click on the bucket you want to connect to bucketAV. Make sure the bucket’s region matches the bucketAV region.
- Click on the Properties tab.
- Scroll down to the Event notifications box and click on Create event notification.
- Set the Event Name (e.g.,
bucketav). - Select the All objects create events event type.
- Select the destination SQS Queue and choose the SQS Queue with
ScanQueuein the name.
Don’t select the queue with
DeadLetterQueuein the name!
- Click on Save changes.
From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.
EventBridge
Requires bucketAV powered by ClamAV® version >= 2.9.0 or bucketAV powered by Sophos® version >= 2.0.0. To update to the latest version, follow the Update Guide.
- Enable Amazon EventBridge on the bucket. Make sure the bucket’s region matches the bucketAV region.
- Visit the Amazon EventBridge Console.
- Ensure that you are in the correct region.
- Navigate to Rules.
- Click on Create rule.
- Set a Name (e.g.,
bucketav-BUCKET_NAME; replaceBUCKET_NAMEwith the name of your bucket). - Click on Next.
- Scroll down to the Event pattern box.
- Click on Custom patterns (JSON editor).
- Enter the following JSON (replace
BUCKET_NAMEwith the name of your bucket or remove the detail block entirely to match all buckets):
{
"source": ["aws.s3"],
"detail-type": ["Object Created"],
"detail": {
"bucket": {
"name": ["BUCKET_NAME"]
}
}
}
- Click on Next.
- Set Select a target to
SQS queue. - Select the queue with
ScanQueuein the name.
Don’t select the queue with
DeadLetterQueuein the name!
- Click on Next.
- Again, click on Next.
- Click on Create rule.
From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.
CloudFormation snippets
Enable Amazon EventBridge on the bucket:
# [...]
Resources:
# [...]
Bucket:
Type: 'AWS::S3::Bucket'
Properties:
# [...]
NotificationConfiguration:
EventBridgeConfiguration:
EventBridgeEnabled: true
Create the EventBridge rule to forward events for all buckets to bucketAV’s Scan Queue:
# [...]
Resources:
# [...]
S32BucketAV:
Type: 'AWS::Events::Rule'
Properties:
Description: 'S3 EventBridge to bucketAV.'
EventPattern:
source:
- 'aws.s3'
'detail-type':
- 'Object Created'
State: ENABLED
Targets:
- Arn: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
Id: bucketav
Create the EventBridge rule to forward events for specific buckets to bucketAV’s Scan Queue:
# [...]
Resources:
# [...]
S32BucketAV:
Type: 'AWS::Events::Rule'
Properties:
Description: 'S3 EventBridge to bucketAV.'
EventPattern:
source:
- 'aws.s3'
'detail-type':
- 'Object Created'
detail:
bucket:
name:
- 'name-of-bucket1'
- 'name-of-bucket2'
- 'name-of-bucket3'
State: ENABLED
Targets:
- Arn: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
Id: bucketav
Terraform snippets
Enable Amazon EventBridge on the bucket:
resource "aws_s3_bucket" "bucket" {
# [...]
}
# you can only have one aws_s3_bucket_notification per bucket!
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.bucket.id
eventbridge = true
# your existing configuration
# lambda_function {
# [...]
# }
# queue {
# [...]
# }
# topic {
# [...]
# }
}
Create the EventBridge rule to forward events for all buckets to bucketAV’s Scan Queue when the CloudFormation stack is deployed with Terraform as well:
resource "aws_cloudwatch_event_rule" "s3_to_bucketav" {
description = "S3 EventBridge to bucketAV."
event_pattern = <<JSON
{
"source": [
"aws.s3"
],
"detail-type": [
"Object Created"
]
}
JSON
}
resource "aws_cloudwatch_event_target" "s3_to_bucketav" {
rule = aws_cloudwatch_event_rule.s3_to_bucketav.name
target_id = "bucketav"
arn = aws_cloudformation_stack.bucketav.outputs.ScanQueueArn # You can also hard-code the value if the CloudFormation stack is not managed by
}
resource "aws_cloudformation_stack" "bucketav" {
# from https://bucketav.com/help/faq/#terraform
}
Create the EventBridge rule to forward events for specific buckets to bucketAV’s Scan Queue when the CloudFormation stack is deployed outside of Terraform:
resource "aws_cloudwatch_event_rule" "s3_to_bucketav" {
description = "S3 EventBridge to bucketAV."
event_pattern = <<JSON
{
"source": [
"aws.s3"
],
"detail-type": [
"Object Created"
],
"detail": {
"bucket": {
"name": ["name-of-bucket1", "name-of-bucket2", "name-of-bucket3"]
}
}
}
JSON
}
resource "aws_cloudwatch_event_target" "s3_to_bucketav" {
rule = aws_cloudwatch_event_rule.s3_to_bucketav.name
target_id = "bucketav"
arn = data.aws_cloudformation_export.scan_queue_arn.value
}
data "aws_cloudformation_export" "scan_queue_arn" {
name = "bucketav-ScanQueueArn" # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
}