Real-time file scan
Malware can be introduced into an S3 bucket by uploading infected files. Real-time malware scanning helps to detect and prevent this kind of threat promptly.
There are two options to connect your S3 buckets with bucketAV for real-time file scanning:
S3 Event Notification
- In the AWS S3 Management Console, click on the bucket you want to connect to bucketAV. Make sure the bucket’s region matches the bucketAV region.
- Click on the Properties tab.
- Scroll down to the Event notifications box and click on Create event notification.
- Set the Event Name (e.g., bucketav).
- Select the All objects create events event type.
- Select the destination SQS Queue and choose the SQS Queue with ScanQueue in the name. Don’t select the queue with DeadLetterQueue in the name!
- Click on Save changes.
From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.
EventBridge
Requires bucketAV version >= 2.9.0. To update to the latest version, follow the Update Guide.
- Enable Amazon EventBridge on the bucket. Make sure the bucket’s region matches the bucketAV region.
- Visit the Amazon EventBridge Console.
- Ensure that you are in the correct region.
- Navigate to Rules.
- Click on Create rule.
- Set a Name (e.g., bucketav-BUCKET_NAME; replace BUCKET_NAME with the name of your bucket).
- Click on Next.
- Scroll down to the Event pattern box.
- Click on Custom patterns (JSON editor).
- Enter the following JSON (replace BUCKET_NAME with the name of your bucket, or remove the detail block entirely to match all buckets):
{
  "source": ["aws.s3"],
  "detail-type": ["Object Created"],
  "detail": {
    "bucket": {
      "name": ["BUCKET_NAME"]
    }
  }
}
- Click on Next.
- Set Select a target to SQS queue.
- Select the queue with ScanQueue in the name. Don’t select the queue with DeadLetterQueue in the name!
- Click on Next.
- Again, click on Next.
- Click on Create rule.
From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.
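The event pattern above is what decides which uploads reach the Scan Queue, and the queue choice is the step most often got wrong. The following is an added example, not bucketAV's own code: it builds the pattern from the guide for a list of buckets, runs constructed S3 "Object Created" / "Object Deleted" events through a simplified EventBridge-style matcher (exact-value lists only, which is all this rule needs), and checks that a target queue ARN names the ScanQueue rather than the DeadLetterQueue. The bucket names, object keys and ARNs are constructed sample values.

```python
"""Added example (not bucketAV code): offline check of the EventBridge rule from the guide."""
import json


def build_pattern(bucket_names=None):
    """Return the event pattern from the guide.

    With no bucket names the detail block is omitted, so the rule matches
    'Object Created' events from every bucket in the region.
    """
    pattern = {"source": ["aws.s3"], "detail-type": ["Object Created"]}
    if bucket_names:
        pattern["detail"] = {"bucket": {"name": list(bucket_names)}}
    return pattern


def matches(pattern, event):
    """Simplified EventBridge matching: every key in the pattern must exist in
    the event; nested dicts recurse; a leaf list means 'value is one of these'.
    Prefix/anything-but matchers are not implemented because the rule does not use them.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError("pattern leaves must be lists of allowed values")
    return True


def target_is_scan_queue(queue_arn):
    """Guard against the mistake the guide warns about: the rule target must be
    the ScanQueue and never the DeadLetterQueue (scan requests sent to the DLQ
    are never processed, so uploads would silently go unscanned)."""
    queue_name = queue_arn.rsplit(":", 1)[-1]
    return "ScanQueue" in queue_name and "DeadLetterQueue" not in queue_name


# Constructed sample events, shaped like the S3 -> EventBridge notifications.
SAMPLE_EVENTS = [
    {"source": "aws.s3", "detail-type": "Object Created",
     "detail": {"bucket": {"name": "name-of-bucket1"}, "object": {"key": "upload.bin"}}},
    {"source": "aws.s3", "detail-type": "Object Created",
     "detail": {"bucket": {"name": "unrelated-bucket"}, "object": {"key": "a.txt"}}},
    {"source": "aws.s3", "detail-type": "Object Deleted",
     "detail": {"bucket": {"name": "name-of-bucket1"}, "object": {"key": "upload.bin"}}},
]


def forwarded_objects(pattern, events):
    """Return the (bucket, key) pairs the rule would forward to the target queue."""
    return [(e["detail"]["bucket"]["name"], e["detail"]["object"]["key"])
            for e in events if matches(pattern, e)]


if __name__ == "__main__":
    specific = build_pattern(["name-of-bucket1", "name-of-bucket2"])
    print(json.dumps(specific, indent=2))
    print("specific buckets:", forwarded_objects(specific, SAMPLE_EVENTS))
    print("all buckets:    ", forwarded_objects(build_pattern(), SAMPLE_EVENTS))
    # Constructed ARNs; real queue names are generated by the bucketAV stack.
    for arn in ("arn:aws:sqs:eu-west-1:123456789012:bucketav-ScanQueue-ABC",
                "arn:aws:sqs:eu-west-1:123456789012:bucketav-ScanQueueDeadLetterQueue-ABC"):
        print(arn, "->", "ok" if target_is_scan_queue(arn) else "WRONG QUEUE")
```

Only "Object Created" events for the listed buckets are forwarded; deletes and other buckets are dropped by the pattern, which is the behaviour to confirm before trusting the rule in production.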
CloudFormation snippets
Enable Amazon EventBridge on the bucket:
# [...]
Resources:
  # [...]
  Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      # [...]
      NotificationConfiguration:
        EventBridgeConfiguration:
          EventBridgeEnabled: true
Create the EventBridge rule to forward events for all buckets to bucketAV’s Scan Queue:
# [...]
Resources:
  # [...]
  S32BucketAV:
    Type: 'AWS::Events::Rule'
    Properties:
      Description: 'S3 EventBridge to bucketAV.'
      EventPattern:
        source:
          - 'aws.s3'
        'detail-type':
          - 'Object Created'
      State: ENABLED
      Targets:
        - Arn: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
          Id: bucketav
Create the EventBridge rule to forward events for specific buckets to bucketAV’s Scan Queue:
# [...]
Resources:
  # [...]
  S32BucketAV:
    Type: 'AWS::Events::Rule'
    Properties:
      Description: 'S3 EventBridge to bucketAV.'
      EventPattern:
        source:
          - 'aws.s3'
        'detail-type':
          - 'Object Created'
        detail:
          bucket:
            name:
              - 'name-of-bucket1'
              - 'name-of-bucket2'
              - 'name-of-bucket3'
      State: ENABLED
      Targets:
        - Arn: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
          Id: bucketav
Terraform snippets
Enable Amazon EventBridge on the bucket:
resource "aws_s3_bucket" "bucket" {
  # [...]
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket      = aws_s3_bucket.bucket.id
  eventbridge = true
}
Create the EventBridge rule to forward events for all buckets to bucketAV’s Scan Queue when the CloudFormation stack is deployed with Terraform as well:
resource "aws_cloudwatch_event_rule" "s3_to_bucketav" {
  description   = "S3 EventBridge to bucketAV."
  event_pattern = <<JSON
{
  "source": [
    "aws.s3"
  ],
  "detail-type": [
    "Object Created"
  ]
}
JSON
}

resource "aws_cloudwatch_event_target" "s3_to_bucketav" {
  rule      = aws_cloudwatch_event_rule.s3_to_bucketav.name
  target_id = "bucketav"
  arn       = aws_cloudformation_stack.bucketav.outputs.ScanQueueArn # You can also hard-code the value if the CloudFormation stack is not managed by
}

resource "aws_cloudformation_stack" "bucketav" {
  # from https://bucketav.com/help/faq/#terraform
}
Create the EventBridge rule to forward events for specific buckets to bucketAV’s Scan Queue when the CloudFormation stack is deployed outside of Terraform:
resource "aws_cloudwatch_event_rule" "s3_to_bucketav" {
  description   = "S3 EventBridge to bucketAV."
  event_pattern = <<JSON
{
  "source": [
    "aws.s3"
  ],
  "detail-type": [
    "Object Created"
  ],
  "detail": {
    "bucket": {
      "name": ["name-of-bucket1", "name-of-bucket2", "name-of-bucket3"]
    }
  }
}
JSON
}

resource "aws_cloudwatch_event_target" "s3_to_bucketav" {
  rule      = aws_cloudwatch_event_rule.s3_to_bucketav.name
  target_id = "bucketav"
  arn       = data.aws_cloudformation_export.scan_queue_arn.value
}

data "aws_cloudformation_export" "scan_queue_arn" {
  name = "bucketav-ScanQueueArn" # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
}