Real-time file scan
Malware can be introduced into an Amazon S3 bucket or Cloudflare R2 bucket by uploading infected files. Real-time malware scanning helps to detect and prevent this kind of threat promptly.
There are three options to connect your Amazon S3 and Cloudflare R2 buckets with bucketAV for real-time file scanning:
Quick Setup (recommended) (#)
Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.15.0, or bucketAV for Amazon S3 powered by Sophos® version >= 2.5.0.
To update to the latest version, follow the Update Guide.
- Visit the AWS CloudWatch Management Console.
- Navigate to Dashboards.
- Select the dashboard starting with the name
bucketav
followed by the name of the AWS region—for example,bucketav-eu-west-1
. - Find the Buckets tile. Enable real-time file scanning for each bucket you want by clicking the Enable button.
From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.
- Visit the AWS CloudWatch Management Console.
- Navigate to Dashboards.
- Select the dashboard starting with the name
bucketav
followed by the name of the AWS region—for example,bucketav-eu-west-1
. - Find the Buckets tile. Enable real-time file scanning for each bucket you want by clicking the Enable button.
From now on, each file uploaded to your R2 bucket will be scanned for trojans, viruses, and malware.
S3 Event Notification (#)
- In the AWS S3 Management Console, click on the bucket you want to connect to bucketAV. Make sure the bucket’s region matches the bucketAV region.
- Click on the Properties tab.
- Scroll down to the Event notifications box and click on Create event notification.
- Set the Event Name (e.g.,
bucketav
). - Select the All objects create events event type.
- Select the destination SQS Queue and choose the SQS Queue with
ScanQueue
in the name.
Don’t select the queue with
DeadLetterQueue
in the name!
- Click on Save changes.
From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.
CloudFormation snippet (#)
# [...]
Resources:
# [...]
YourExistingBucket:
Type: 'AWS::S3::Bucket'
Properties:
# [...]
NotificationConfiguration:
# [...]
QueueConfigurations:
- Event: 's3:ObjectCreated:*'
Queue: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
Terraform snippet (#)
resource "aws_s3_bucket" "your_existing_bucket" {
# [...]
}
# you can only have one aws_s3_bucket_notification per bucket!
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.your_existing_bucket.id
# [...]
queue {
events = ["s3:ObjectCreated:*"]
queue_arn = aws_cloudformation_stack.bucketav.outputs.ScanQueueArn # You can also hard-code the value if the CloudFormation stack is not managed by
}
}
Bucket in different AWS account (#)
If you have a multi-account setup, you might want to scan buckets created in additional AWS accounts.
EventBridge (#)
Requires bucketAV for Amazon S3 powered by ClamAV® version >= 2.9.0, or bucketAV for Amazon S3 powered by Sophos® version >= 2.0.0.
To update to the latest version, follow the Update Guide.
Enabling EventBridge events for S3 incurs costs. Usually, that’s $1.00/million events (see EventBridge pricing).
- Enable Amazon EventBridge on the bucket. Make sure the bucket’s region matches the bucketAV region.
- Visit the Amazon EventBridge Console.
- Ensure that you are in the correct region.
- Navigate to Rules.
- Click on Create rule.
- Set a Name (e.g.,
bucketav-BUCKET_NAME
; replaceBUCKET_NAME
with the name of your bucket). - Click on Next.
- Scroll down to the Event pattern box.
- Click on Custom patterns (JSON editor).
- Enter the following JSON (replace
BUCKET_NAME
with the name of your bucket or remove the detail block entirely to match all buckets):
{
"source": ["aws.s3"],
"detail-type": ["Object Created"],
"detail": {
"bucket": {
"name": ["BUCKET_NAME"]
}
}
}
- Click on Next.
- Set Select a target to
SQS queue
. - Select the queue with
ScanQueue
in the name.
Don’t select the queue with
DeadLetterQueue
in the name!
- Click on Next.
- Again, click on Next.
- Click on Create rule.
From now on, each file uploaded to your S3 bucket will be scanned for trojans, viruses, and malware.
CloudFormation snippets (#)
Enable Amazon EventBridge on the bucket:
# [...]
Resources:
# [...]
YourExistingBucket:
Type: 'AWS::S3::Bucket'
Properties:
# [...]
NotificationConfiguration:
EventBridgeConfiguration:
EventBridgeEnabled: true
Create the EventBridge rule to forward events for all buckets to bucketAV’s Scan Queue:
# [...]
Resources:
# [...]
S32BucketAV:
Type: 'AWS::Events::Rule'
Properties:
Description: 'S3 EventBridge to bucketAV.'
EventPattern:
source:
- 'aws.s3'
'detail-type':
- 'Object Created'
State: ENABLED
Targets:
- Arn: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
Id: bucketav
Create the EventBridge rule to forward events for specific buckets to bucketAV’s Scan Queue:
# [...]
Resources:
# [...]
S32BucketAV:
Type: 'AWS::Events::Rule'
Properties:
Description: 'S3 EventBridge to bucketAV.'
EventPattern:
source:
- 'aws.s3'
'detail-type':
- 'Object Created'
detail:
bucket:
name:
- 'name-of-bucket1'
- 'name-of-bucket2'
- 'name-of-bucket3'
State: ENABLED
Targets:
- Arn: !ImportValue 'bucketav-ScanQueueArn' # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
Id: bucketav
Terraform snippets (#)
Enable Amazon EventBridge on the bucket:
resource "aws_s3_bucket" "your_existing_bucket" {
# [...]
}
# you can only have one aws_s3_bucket_notification per bucket!
resource "aws_s3_bucket_notification" "bucket_notification" {
bucket = aws_s3_bucket.your_existing_bucket.id
eventbridge = true
# your existing configuration
# lambda_function {
# [...]
# }
# queue {
# [...]
# }
# topic {
# [...]
# }
}
Create the EventBridge rule to forward events for all buckets to bucketAV’s Scan Queue when the CloudFormation stack is deployed with Terraform as well:
resource "aws_cloudwatch_event_rule" "s3_to_bucketav" {
description = "S3 EventBridge to bucketAV."
event_pattern = <<JSON
{
"source": [
"aws.s3"
],
"detail-type": [
"Object Created"
]
}
JSON
}
resource "aws_cloudwatch_event_target" "s3_to_bucketav" {
rule = aws_cloudwatch_event_rule.s3_to_bucketav.name
target_id = "bucketav"
arn = aws_cloudformation_stack.bucketav.outputs.ScanQueueArn # You can also hard-code the value if the CloudFormation stack is not managed by
}
resource "aws_cloudformation_stack" "bucketav" {
# from https://bucketav.com/help/faq/#terraform
}
Create the EventBridge rule to forward events for specific buckets to bucketAV’s Scan Queue when the CloudFormation stack is deployed outside of Terraform:
resource "aws_cloudwatch_event_rule" "s3_to_bucketav" {
description = "S3 EventBridge to bucketAV."
event_pattern = <<JSON
{
"source": [
"aws.s3"
],
"detail-type": [
"Object Created"
],
"detail": {
"bucket": {
"name": ["name-of-bucket1", "name-of-bucket2", "name-of-bucket3"]
}
}
}
JSON
}
resource "aws_cloudwatch_event_target" "s3_to_bucketav" {
rule = aws_cloudwatch_event_rule.s3_to_bucketav.name
target_id = "bucketav"
arn = data.aws_cloudformation_export.scan_queue_arn.value
}
data "aws_cloudformation_export" "scan_queue_arn" {
name = "bucketav-ScanQueueArn" # If your bucketAV CloudFormation stack name is not bucketav (the default), replace bucketav with your stack name.
}
Bucket in different AWS account (#)
If you have a multi-account setup, you might want to scan buckets created in additional AWS accounts.