All files are scanned on EC2 instances (virtual machines) that run in your AWS account. All infrastructure runs in your AWS account. Only the virus database is fetched from our servers. We don’t have access to your data and infrastructure.
We configure bucketAV in a way to protect your data. The following describes what we do to protect your data on the network (in transit) and when data is persisted (at rest).
All network communication is TLS encrypted except for the Amazon Linux 2 yum repo, which might be accessed over HTTP.
- EBS volumes are encrypted with KMS using the AWS-managed key
- SQS Scan Queue and Dead Letter Queue are encrypted using an AWS-managed key (SSE-SQS).
- SNS Findings Topic and the topic for infrastructure alerts are not encrypted. The payloads are metadata only. No sensitive information is stored.
- CloudWatch Logs log groups are encrypted using an AWS-managed key.