Multi-account setup

In a multi-account setup you may want to run bucketAV in a single AWS account (account a) and have it scan buckets that live in other accounts (accounts b and c). This page describes what has to be configured on each side.

We recommend running bucketAV in the same account as your S3 buckets: it keeps the configuration overhead low and leaves the account boundary intact as an isolation boundary. With the cross-account setup below, every bucket in accounts b and c explicitly trusts one IAM role in account a, so that role becomes a read (and, depending on the statements you add, delete and tag) path into all of those buckets; treat access to account a accordingly.

Prepare AWS account a

Allow-list accounts b and c in the bucketAV stack in account a, either by adding their account IDs to the AWSAccountRestriction configuration parameter or, if they belong to the same AWS Organization, by using the AWSOrganizationRestriction configuration parameter. This is what authorizes S3 in accounts b and c to deliver event notifications to the scan queue in account a; without it, the bucket event notification configured below cannot be saved.

Prepare AWS accounts b and c

Add the following bucket policy statements to each S3 bucket in accounts b and c so that the bucketAV scan role from account a can access them. The first two statements (bucketAVRequired1 and bucketAVRequired2) are always required; the delete and tagging statements are only needed if you have enabled deleting infected files or tagging files with the scan result, so leave them out otherwise and the role gets read-only access.

  • Replace ROLE_ARN with the ScanRoleArn output of the CloudFormation bucketav stack from account a. The role must exist when you save the policy, because S3 rejects a policy whose principal it cannot resolve. If the bucketAV stack in account a is ever deleted and recreated, the role gets a new unique ID and the saved bucket policies stop matching it, so re-apply them in that case.
  • Replace BUCKET_NAME with the name of the S3 bucket.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "bucketAVRequired1",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:ListBucket*",
    "Resource": "arn:aws:s3:::BUCKET_NAME"
  }, {
    "Sid": "bucketAVRequired2",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:GetObject*",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }, {
    "Sid": "bucketAVOnlyIfYouDeleteInfectedFiles",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:DeleteObject*",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }, {
    "Sid": "bucketAVOnlyIfYouTagFilesWithScanResult",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": [
      "s3:GetObjectTagging",
      "s3:GetObjectVersionTagging",
      "s3:PutObjectTagging",
      "s3:PutObjectVersionTagging"
    ],
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }]
}

If your buckets use SSE-KMS, the key policy of the KMS key in account b or c must also allow the ScanRoleArn to use the key (at least kms:Decrypt, so the scan role can read the objects); a bucket policy alone is not enough for encrypted objects. AWS-managed keys (such as aws/s3) have a fixed key policy that you cannot edit, so cross-account scanning only works with customer-managed keys.

One step differs from the S3 Bucket Event Notification configuration in the Setup Guide. The console only lists SQS queues in the current account, so instead of selecting the queue from the drop-down, select Add SQS queue ARN and enter the ScanQueueArn output of the CloudFormation bucketav stack from account a. S3 validates the destination when you save the notification, so saving fails unless account b or c has been allow-listed in account a first.
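The account-b/c side of the steps above, scripted with the AWS CLI, as an added example that is not part of bucketAV or its documentation. It assumes the AWS CLI is configured with credentials for the account that owns the bucket, and that the Setup Guide's notification event is s3:ObjectCreated:*; the function names, the "bucketav" notification id and the yes/no switches for the optional statements are ours.

```shell
#!/bin/sh
# Added example, not bucketAV's own code: apply the cross-account bucket
# policy and the scan-queue notification to one bucket in account b or c.
set -eu

# One Allow statement for the scan role. ACTION is a JSON value, so it may be
# a quoted string or a JSON array of actions.
policy_stmt() {  # policy_stmt SID ROLE_ARN ACTION_JSON RESOURCE_ARN
  printf '    {"Sid": "%s", "Effect": "Allow", "Principal": {"AWS": "%s"},\n     "Action": %s, "Resource": "%s"}' \
    "$1" "$2" "$3" "$4"
}

# Render the bucket policy. DELETE / TAG (yes|no, default no) control the two
# optional statements, so a bucket that does not use those bucketAV features
# never grants the role more than read access.
render_bucket_policy() {  # render_bucket_policy ROLE_ARN BUCKET [DELETE] [TAG]
  role_arn="$1"; bucket="$2"; delete="${3:-no}"; tag="${4:-no}"
  stmts="$(policy_stmt bucketAVRequired1 "$role_arn" '"s3:ListBucket*"' "arn:aws:s3:::$bucket")"
  stmts="$stmts,
$(policy_stmt bucketAVRequired2 "$role_arn" '"s3:GetObject*"' "arn:aws:s3:::$bucket/*")"
  if [ "$delete" = yes ]; then
    stmts="$stmts,
$(policy_stmt bucketAVOnlyIfYouDeleteInfectedFiles "$role_arn" '"s3:DeleteObject*"' "arn:aws:s3:::$bucket/*")"
  fi
  if [ "$tag" = yes ]; then
    stmts="$stmts,
$(policy_stmt bucketAVOnlyIfYouTagFilesWithScanResult "$role_arn" \
  '["s3:GetObjectTagging", "s3:GetObjectVersionTagging", "s3:PutObjectTagging", "s3:PutObjectVersionTagging"]' \
  "arn:aws:s3:::$bucket/*")"
  fi
  printf '{\n  "Version": "2012-10-17",\n  "Statement": [\n%s\n  ]\n}\n' "$stmts"
}

# Notification that sends new-object events to the scan queue in account a.
# The event type s3:ObjectCreated:* is an assumption taken from the Setup Guide.
render_notification_config() {  # render_notification_config SCAN_QUEUE_ARN
  printf '{"QueueConfigurations": [{"Id": "bucketav", "QueueArn": "%s", "Events": ["s3:ObjectCreated:*"]}]}\n' "$1"
}

apply_bucket() {  # apply_bucket BUCKET ROLE_ARN SCAN_QUEUE_ARN [DELETE] [TAG]
  bucket="$1"; role_arn="$2"; scan_queue_arn="$3"
  aws s3api put-bucket-policy --bucket "$bucket" \
    --policy "$(render_bucket_policy "$role_arn" "$bucket" "${4:-no}" "${5:-no}")"
  # Caveat: this call REPLACES the bucket's entire notification configuration;
  # merge any existing notifications into the JSON before running it.
  # S3 also validates the destination here, so it fails until this account is
  # allow-listed in the bucketAV stack in account a.
  aws s3api put-bucket-notification-configuration --bucket "$bucket" \
    --notification-configuration "$(render_notification_config "$scan_queue_arn")"
}

# Usage: sh multi-account-bucket.sh BUCKET ROLE_ARN SCAN_QUEUE_ARN [yes|no] [yes|no]
# Without arguments, only print the read-only policy for the placeholders.
if [ "$#" -ge 3 ]; then
  apply_bucket "$@"
else
  render_bucket_policy ROLE_ARN BUCKET_NAME
fi
```

Run it once per bucket in accounts b and c, passing yes for the fourth or fifth argument only on buckets where bucketAV is configured to delete infected files or tag files with the scan result.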

Access Findings Topic from accounts b and c

The Findings Topic is created in account a. To receive scan results in accounts b and c, subscribe an SQS queue in each of those accounts to it (shown here for account b):

  1. In account a, get the SNS Findings Topic ARN.
  2. In account b, create a SQS standard queue with a queue policy like the one below (replace ACCOUNT_B_ID, ACCOUNT_B_SQS_QUEUE_ARN, ACCOUNT_A_SNS_FINDINGS_TOPIC_ARN). The second statement grants sqs:SendMessage to any principal, so the aws:SourceArn condition is the only thing limiting it to the bucketAV Findings Topic; do not drop or loosen it.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "ACCOUNT_B_ID"
    },
    "Action": "sqs:*",
    "Resource": "ACCOUNT_B_SQS_QUEUE_ARN"
  }, {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "sqs:SendMessage",
    "Resource": "ACCOUNT_B_SQS_QUEUE_ARN",
    "Condition": {
      "ArnEquals": {
        "aws:SourceArn": "ACCOUNT_A_SNS_FINDINGS_TOPIC_ARN"
      }
    }
  }]
}
  3. Copy the SQS queue ARN.
  4. In account a, open the SNS Findings Topic and create a subscription:
    1. Set Protocol to SQS.
    2. Set Endpoint to ACCOUNT_B_SQS_QUEUE_ARN.
  5. In account b, open the newly created SQS queue, click the Send and receive messages button, and Poll for messages. One SubscriptionConfirmation message is waiting in the queue. Check that its TopicArn is the Findings Topic ARN from account a, then extract the SubscribeURL attribute and open the URL in your browser. You see an XML document with a root element named ConfirmSubscriptionResponse.
  6. In account a, double-check that the SNS subscription status is Confirmed. A subscription that still shows PendingConfirmation delivers nothing.
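The same subscription procedure scripted with the AWS CLI, as an added example that is not part of bucketAV or its documentation. It assumes two CLI profiles, account-a (topic owner) and account-b (queue owner), and the function names, queue name and sample confirmation message below are ours; the message body is constructed to look like what SNS delivers and is used only to exercise the check.

```shell
#!/bin/sh
# Added example, not bucketAV's own code: create the findings queue in
# account b, subscribe it from account a, and confirm the subscription only
# after verifying the confirmation message really came from the expected topic.
set -eu

# Queue policy from the guide. The wildcard-principal SendMessage statement
# is safe only because aws:SourceArn pins it to the Findings Topic.
render_findings_queue_policy() {  # ACCOUNT_B_ID QUEUE_ARN TOPIC_ARN
  printf '{\n  "Version": "2012-10-17",\n  "Statement": [\n'
  printf '    {"Effect": "Allow", "Principal": {"AWS": "%s"}, "Action": "sqs:*", "Resource": "%s"},\n' "$1" "$2"
  printf '    {"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage", "Resource": "%s",\n' "$2"
  printf '     "Condition": {"ArnEquals": {"aws:SourceArn": "%s"}}}\n  ]\n}\n' "$3"
}

# Encode a string as a JSON string literal (the Policy attribute is a JSON
# document nested inside the attributes JSON map, so it must be escaped).
json_string() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g' | tr '\n' ' ')"
}

# Print the SubscribeURL of a polled message body, but only if the body is a
# SubscriptionConfirmation for the topic we expect; return 1 otherwise, so a
# stray or spoofed message is never "confirmed" blindly.
subscribe_url_from_body() {  # BODY EXPECTED_TOPIC_ARN
  body="$1"; expected="$2"
  printf '%s' "$body" | grep -q '"Type" *: *"SubscriptionConfirmation"' || return 1
  printf '%s' "$body" | grep -q "\"TopicArn\" *: *\"$expected\"" || return 1
  printf '%s' "$body" | sed -n 's/.*"SubscribeURL" *: *"\([^"]*\)".*/\1/p'
}

subscribe_findings_queue() {  # QUEUE_NAME ACCOUNT_B_ID FINDINGS_TOPIC_ARN
  name="$1"; account_b="$2"; topic_arn="$3"
  queue_url="$(aws --profile account-b sqs create-queue --queue-name "$name" \
    --query QueueUrl --output text)"
  queue_arn="$(aws --profile account-b sqs get-queue-attributes --queue-url "$queue_url" \
    --attribute-names QueueArn --query Attributes.QueueArn --output text)"
  aws --profile account-b sqs set-queue-attributes --queue-url "$queue_url" \
    --attributes "{\"Policy\": $(json_string "$(render_findings_queue_policy "$account_b" "$queue_arn" "$topic_arn")")}"
  # The subscription is created by the topic owner (account a); because the
  # endpoint belongs to another account, SNS requires confirmation.
  aws --profile account-a sns subscribe --topic-arn "$topic_arn" --protocol sqs \
    --notification-endpoint "$queue_arn" >/dev/null
  body="$(aws --profile account-b sqs receive-message --queue-url "$queue_url" \
    --wait-time-seconds 20 --query 'Messages[0].Body' --output text)"
  url="$(subscribe_url_from_body "$body" "$topic_arn")"
  # Opening SubscribeURL is exactly what the browser step does.
  curl -fsS "$url" | grep -q ConfirmSubscriptionResponse
  # Prints the subscription ARN; "PendingConfirmation" means it did not work.
  aws --profile account-a sns list-subscriptions-by-topic --topic-arn "$topic_arn" \
    --query "Subscriptions[?Endpoint=='$queue_arn'].SubscriptionArn" --output text
}

# Constructed sample of an SNS confirmation body (not a real message).
SAMPLE_TOPIC_ARN='arn:aws:sns:eu-west-1:111111111111:bucketav-FindingsTopic'
SAMPLE_CONFIRMATION='{"Type": "SubscriptionConfirmation", "TopicArn": "arn:aws:sns:eu-west-1:111111111111:bucketav-FindingsTopic", "SubscribeURL": "https://sns.eu-west-1.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:eu-west-1:111111111111:bucketav-FindingsTopic&Token=abc123"}'

# Usage: sh findings-queue.sh QUEUE_NAME ACCOUNT_B_ID FINDINGS_TOPIC_ARN
# Without arguments, only exercise the message check on the sample body.
if [ "$#" -ge 3 ]; then
  subscribe_findings_queue "$@"
else
  subscribe_url_from_body "$SAMPLE_CONFIRMATION" "$SAMPLE_TOPIC_ARN"
fi
```

Repeat for account c with its own profile and account ID. The TopicArn check in subscribe_url_from_body is the scripted form of the manual "is this really our topic?" look before opening the URL.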
