Real-time file scan

Malware can be introduced into an S3 bucket by uploading infected files. Real-time malware scanning helps to detect and prevent this kind of threat promptly.

There are two options to connect your S3 buckets with bucketAV for real-time file scanning:

S3 Event Notification

  1. In the AWS S3 Management Console, click on the bucket you want to connect to bucketAV. Make sure the bucket’s region matches the bucketAV region. Step 1
  2. Click on the Properties tab. Step 2
  3. Scroll down to the Event notifications box and click on Create event notification. Step 3
  4. Set the Event Name (e.g., bucketav).
  5. Select the All objects create events event type.
  6. Select the destination SQS Queue and choose the SQS Queue with ScanQueue in the name.

Don’t select the queue with DeadLetterQueue in the name!

  1. Click on Save changes. Step 4

From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.

EventBridge

Requires bucketAV version >= 2.9.0. To update to the latest version, follow the Update Guide.

  1. Enable Amazon EventBridge on the bucket. Make sure the bucket’s region matches the bucketAV region.
  2. Visit the Amazon EventBridge Console.
  3. Ensure that you are in the correct region.
  4. Navigate to Rules.
  5. Click on Create rule.
  6. Set a Name (e.g., bucketav-BUCKET_NAME; replace BUCKET_NAME with the name of your bucket).
  7. Click on Next. Step 1
  8. Scroll down to the Event pattern box.
  9. Click on Custom patterns (JSON editor).
  10. Enter the following JSON (replace BUCKET_NAME with the name of your bucket or remove the detail block entirely to match all buckets):
{
  "source": ["aws.s3"],
  "detail-type": ["Object Created"],
  "detail": {
    "bucket": {
      "name": ["BUCKET_NAME"]
    }
  }
}
  1. Click on Next. Step 2
  2. Set Select a target to SQS queue.
  3. Select the queue with ScanQueue in the name.

Don’t select the queue with DeadLetterQueue in the name!

  1. Click on Next. Step 3
  2. Again, click on Next.
  3. Click on Create rule.

From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.

CloudFormation snippets

Enable Amazon EventBridge on the bucket:

# [...]
Resources:
  # [...]
  Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      # [...]
      NotificationConfiguration:
        EventBridgeConfiguration:
          EventBridgeEnabled: true

Create the EventBridge rule to forward events for all buckets to bucketAV’s Scan Queue:

# [...]
Resources:
  # [...]
  S32BucketAV:
    Type: 'AWS::Events::Rule'
    Properties:
      Description: 'S3 EventBridge to bucketAV.'
      EventPattern:
        source:
        - 'aws.s3'
        'detail-type':
        - 'Object Created'
      State: ENABLED
      Targets:
      - Arn: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
        Id: bucketav

Create the EventBridge rule to forward events for specific buckets to bucketAV’s Scan Queue:

# [...]
Resources:
  # [...]
  S32BucketAV:
    Type: 'AWS::Events::Rule'
    Properties:
      Description: 'S3 EventBridge to bucketAV.'
      EventPattern:
        source:
        - 'aws.s3'
        'detail-type':
        - 'Object Created'
        detail:
          bucket:
            name:
            - 'name-of-bucket1'
            - 'name-of-bucket2'
            - 'name-of-bucket3'
      State: ENABLED
      Targets:
      - Arn: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
        Id: bucketav

Terraform snippets

Enable Amazon EventBridge on the bucket:

resource "aws_s3_bucket" "bucket" {
  # [...]
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket      = aws_s3_bucket.bucket.id
  eventbridge = true
}

Create the EventBridge rule to forward events for all buckets to bucketAV’s Scan Queue when the CloudFormation stack is deployed with Terraform as well:

resource "aws_cloudwatch_event_rule" "s3_to_bucketav" {
  description   = "S3 EventBridge to bucketAV."
  event_pattern = <<JSON
{
  "source": [ 
    "aws.s3"
  ],
  "detail-type": [
    "Object Created"
  ]
}
JSON
}

resource "aws_cloudwatch_event_target" "s3_to_bucketav" {
  rule      = aws_cloudwatch_event_rule.s3_to_bucketav.name
  target_id = "bucketav"
  arn       = aws_cloudformation_stack.bucketav.outputs.ScanQueueArn # You can also hard-code the value if the CloudFormation stack is not managed by 
}

resource "aws_cloudformation_stack" "bucketav" {
  # from https://bucketav.com/help/faq/#terraform
}

Create the EventBridge rule to forward events for specific buckets to bucketAV’s Scan Queue when the CloudFormation stack is deployed outside of Terraform:

resource "aws_cloudwatch_event_rule" "s3_to_bucketav" {
  description   = "S3 EventBridge to bucketAV."
  event_pattern = <<JSON
{
  "source": [ 
    "aws.s3"
  ],
  "detail-type": [
    "Object Created"
  ],
  "detail": {
    "bucket": {
      "name": ["name-of-bucket1", "name-of-bucket2", "name-of-bucket3"]
    }
  }
}
JSON
}

resource "aws_cloudwatch_event_target" "s3_to_bucketav" {
  rule      = aws_cloudwatch_event_rule.s3_to_bucketav.name
  target_id = "bucketav"
  arn       = data.aws_cloudformation_export.scan_queue_arn.value
}

data "aws_cloudformation_export" "scan_queue_arn" {
  name = "bucketav-ScanQueueArn" # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
}

Need more help?

Write us, and we'll get back to you as soon as we can.

Send us an email