Multi-account setup
If you have a multi-account setup, you might want to run the bucketAV solution in a single AWS account (account a) and scan buckets that live in accounts b and c.
We recommend running bucketAV in the same account as your S3 buckets to minimize the configuration overhead and keep the isolation boundaries in effect.
Prepare AWS account a
Whitelist accounts b and c by modifying the AWSAccountRestriction configuration parameter in your bucketAV stack in account a.
Prepare AWS accounts b and c
Add the following bucket policy statements to each S3 bucket in accounts b and c to allow bucketAV in account a to access those buckets.
- Replace ROLE_ARN with the ScanRoleArn output of the CloudFormation bucketav stack from account a.
- Replace BUCKET_NAME with the name of the S3 bucket.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "bucketAVRequired1",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:ListBucket*",
    "Resource": "arn:aws:s3:::BUCKET_NAME"
  }, {
    "Sid": "bucketAVRequired2",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:GetObject*",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }, {
    "Sid": "bucketAVOnlyIfYouDeleteInfectedFiles",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:DeleteObject*",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }, {
    "Sid": "bucketAVOnlyIfYouTagFilesWithScanResult",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": [
      "s3:GetObjectTagging",
      "s3:GetObjectVersionTagging",
      "s3:PutObjectTagging",
      "s3:PutObjectVersionTagging"
    ],
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }]
}
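The two trailing statements grant write access (delete, tag) that the scan role only needs if you actually enable those bucketAV features. The following Python, added here as an example and not part of bucketAV or this guide, builds the policy above for one bucket with the optional statements switched on per feature, and audits an existing policy for the scan role's grants so you can spot a missing read permission or an unneeded write grant. ROLE_ARN and BUCKET are constructed placeholders, not real resources.

```python
import fnmatch
import json

# Constructed placeholder values; take the real ones from the ScanRoleArn
# stack output in account a and the bucket name in account b or c.
ROLE_ARN = "arn:aws:iam::111111111111:role/bucketav-ScanRole-EXAMPLE"
BUCKET = "example-bucket-in-account-b"


def bucketav_bucket_policy(bucket, role_arn, delete_infected=False, tag_results=False):
    """Build the cross-account bucket policy from the guide, adding the two
    optional statements only when the matching bucketAV feature is used."""
    def allow(sid, actions, resource):
        return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": role_arn},
                "Action": actions, "Resource": resource}
    objects = f"arn:aws:s3:::{bucket}/*"
    statements = [
        allow("bucketAVRequired1", "s3:ListBucket*", f"arn:aws:s3:::{bucket}"),
        allow("bucketAVRequired2", "s3:GetObject*", objects),
    ]
    if delete_infected:
        statements.append(allow("bucketAVOnlyIfYouDeleteInfectedFiles", "s3:DeleteObject*", objects))
    if tag_results:
        statements.append(allow("bucketAVOnlyIfYouTagFilesWithScanResult",
                                ["s3:GetObjectTagging", "s3:GetObjectVersionTagging",
                                 "s3:PutObjectTagging", "s3:PutObjectVersionTagging"], objects))
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_scan_role_grants(policy, role_arn):
    """Audit a bucket policy for the scan role. Returns (missing, write_grants):
    required read actions the role is not allowed, and optional write actions
    it has been allowed. Only Allow statements naming the role as an AWS
    principal count; Resource ARNs are not inspected here."""
    granted = []  # action patterns explicitly allowed to the scan role
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if role_arn not in _as_list(principal.get("AWS", [])):
            continue
        granted.extend(_as_list(stmt.get("Action", [])))

    def has(action):  # IAM-style wildcard match, e.g. "s3:GetObject*"
        return any(fnmatch.fnmatchcase(action, pattern) for pattern in granted)

    missing = [a for a in ("s3:ListBucket", "s3:GetObject") if not has(a)]
    write_grants = [a for a in ("s3:DeleteObject", "s3:PutObjectTagging") if has(a)]
    return missing, write_grants


if __name__ == "__main__":
    policy = bucketav_bucket_policy(BUCKET, ROLE_ARN, delete_infected=True)
    print(json.dumps(policy, indent=2))
    print(check_scan_role_grants(policy, ROLE_ARN))
```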
If you use SSE-KMS to encrypt your buckets, you must ensure that the KMS key policy allows access from the ScanRoleArn. If you use AWS-managed KMS CMKs, you cannot edit the key policy; therefore, only customer-managed CMKs are supported.
One special case needs to be considered when you configure the S3 bucket event notification according to the Setup Guide. Instead of selecting the SQS queue from the drop-down, select Add SQS queue ARN and enter the ScanQueueArn output of the CloudFormation bucketav stack from account a.