Multi-account setup

If you have a multi-account setup, you might want to run the bucketAV solution in a single AWS account (account a) while scanning buckets that live in accounts b and c.

However, we recommend running bucketAV in the same account as your S3 buckets to minimize the configuration overhead and keep the account isolation boundaries intact.

Prepare AWS account a

Whitelist accounts b and c by modifying the AWSAccountRestriction configuration parameter in your bucketAV stack in account a.

Prepare AWS accounts b and c

Add the following bucket policy statements to each S3 bucket in accounts b and c to allow bucketAV running in account a to access those buckets.

  • Replace ROLE_ARN with the ScanRoleArn output of the bucketAV CloudFormation stack in account a.
  • Replace BUCKET_NAME with the name of the S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "bucketAVRequired1",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:ListBucket*",
    "Resource": "arn:aws:s3:::BUCKET_NAME"
  }, {
    "Sid": "bucketAVRequired2",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:GetObject*",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }, {
    "Sid": "bucketAVOnlyIfYouDeleteInfectedFiles",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": "s3:DeleteObject*",
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }, {
    "Sid": "bucketAVOnlyIfYouTagFilesWithScanResult",
    "Effect": "Allow",
    "Principal": {
      "AWS": "ROLE_ARN"
    },
    "Action": [
      "s3:GetObjectTagging",
      "s3:GetObjectVersionTagging",
      "s3:PutObjectTagging",
      "s3:PutObjectVersionTagging"
    ],
    "Resource": "arn:aws:s3:::BUCKET_NAME/*"
  }]
}
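To verify that a bucket in account b or c actually carries the statements above for the scan role, here is an added example (not part of bucketAV or this guide) that checks an exported bucket policy document: it confirms the two required statements are present for the given role ARN and bucket, reports which optional statements (delete, tagging) are granted, and flags any Allow statement open to every principal. The role ARN and bucket name in the sample policy are constructed placeholders, and matching is literal against the statement shape used in this guide rather than a full IAM policy evaluation.

```python
import json

# Actions and resource patterns from the bucket policy statements in this guide.
REQUIRED = {"s3:ListBucket*": "arn:aws:s3:::{b}", "s3:GetObject*": "arn:aws:s3:::{b}/*"}
OPTIONAL = {"s3:DeleteObject*": "arn:aws:s3:::{b}/*",
            "s3:PutObjectTagging": "arn:aws:s3:::{b}/*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)  # covers the bare "Principal": "*" form

def _grants(statement, role_arn, action, resource):
    # Literal match against the statement shape used in this guide, not full IAM evaluation.
    return (statement.get("Effect") == "Allow"
            and role_arn in _principals(statement)
            and action in _as_list(statement.get("Action", []))
            and resource in _as_list(statement.get("Resource", [])))

def check_bucket_policy(policy_json, bucket, role_arn):
    """Report which bucketAV statements are present for role_arn on bucket."""
    statements = json.loads(policy_json).get("Statement", [])
    missing = [a for a, r in REQUIRED.items()
               if not any(_grants(s, role_arn, a, r.format(b=bucket)) for s in statements)]
    optional = [a for a, r in OPTIONAL.items()
                if any(_grants(s, role_arn, a, r.format(b=bucket)) for s in statements)]
    # An Allow statement open to every principal grants far more than the scan role needs.
    wildcard = [s.get("Sid", "<no Sid>") for s in statements
                if s.get("Effect") == "Allow" and "*" in _principals(s)]
    return {"missing": missing, "optional": optional, "wildcard_principals": wildcard}

# Constructed sample: the guide's two required statements with placeholder values filled in,
# plus a stray public-read statement that the check should flag.
SAMPLE_ROLE = "arn:aws:iam::111111111111:role/bucketav-ScanRole-EXAMPLE"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "bucketAVRequired1", "Effect": "Allow", "Principal": {"AWS": SAMPLE_ROLE},
     "Action": "s3:ListBucket*", "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "bucketAVRequired2", "Effect": "Allow", "Principal": {"AWS": SAMPLE_ROLE},
     "Action": "s3:GetObject*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "LegacyPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(check_bucket_policy(SAMPLE_POLICY, "example-bucket", SAMPLE_ROLE))
```

Feed it the output of `aws s3api get-bucket-policy --query Policy --output text` for a real bucket; an empty `missing` list means the required statements are in place for that scan role.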

If you use SSE-KMS to encrypt your buckets, you must ensure that the KMS key policy allows access from the ScanRoleArn. If you use AWS-managed KMS CMKs, you cannot edit the key policy. Therefore, only customer-managed CMKs are supported.

One special case applies when you configure the S3 bucket event notification according to the Setup Guide. Instead of selecting the SQS queue from the drop-down, select Add SQS queue ARN and enter the ScanQueueArn output of the bucketAV CloudFormation stack in account a.
