🎉 We are launching a new weekly show: Hot off the Cloud

🎉 We are launching a new weekly show

Antivirus for S3 Buckets

Michael Wittig – 18 Apr 2016

Many of our AWS consultancy clients ask me:

“How can we make sure that the files that we store on S3 are virus free?”

As always, our clients are looking for simple and cheap solutions. That’s why we developed Antivirus for Amazon S3. Every file that is added to an S3 bucket is automatically scanned.

bucketAV - Antivirus for Amazon S3 with additional features is available at AWS Marketplace.

Features

  • Uses ClamAV to scan newly added files on S3 buckets
  • Updates ClamAV database every 3 hours automatically
  • Scales EC2 instance workers to distribute the workload
  • Publishes a message to SNS in case of a finding
  • Can optionally delete compromised files automatically
  • Logs to CloudWatch Logs

Additional Commercial Features by bucketAV

  • Reporting capabilities
  • Dashboard
  • Scan buckets at regular intervals / initial bucket scan
  • Quarantine infected files
  • Enhanced security features (e.g., IMDSv2)
  • Regular Security updates
  • Multi-Account support
  • AWS Integrations:
    • CloudWatch Integration (Metrics and Dashboard)
    • Security Hub Integration
    • SSM OpsCenter Integration
  • S3 -> SNS fan-out support
  • Support

bucketAV - Antivirus for Amazon S3 with additional features is available at AWS Marketplace.

How does it work

A picture is worth a thousand words:

S3 Security Guide

Protect your S3 buckets!

Follow four simple rules to avoid data leaking from S3. Download our S3 Security Guide!

Architecture

  1. A SQS queue is used to decouple scan jobs from the ClamAV workers. Each S3 bucket can fire events to that SQS queue in case of new objects. This feature of S3 is called S3 Event Notifications.
  2. The SQS queue is consumed by a fleet of EC2 instances running in an Auto Scaling Group. If the number of outstanding scan jobs reaches a threshold a new ClamAV worker is automatically added. If the queue is mostly empty workers are removed.
  3. The ClamAV workers run a simple ruby script that executes the clamscan command. In the background the virus db is updated every three hours.
  4. If clamscan finds a virus the file is directly deleted (you can configure that) and a SNS notification is published.

Installation Guide

Visit the template’s repository for installation instructions: aws-s3-virusscan

Become a cloudonaut supporter

Michael Wittig

Michael Wittig ( Email, Twitter, or LinkedIn )

We launched the cloudonaut blog in 2015. Since then, we have published 360 articles, 49 podcast episodes, and 48 videos. It's all free and means a lot of work in our spare time. We enjoy sharing our AWS knowledge with you.

Please support us

Have you learned something new by reading, listening, or watching our content? With your help, we can spend enough time to keep publishing great content in the future. Learn more

$
Amount must be a multriply of 5. E.g, 5, 10, 15.

Thanks to Alan Leech, Alex DeBrie, ANTHONY RAITI, Christopher Hipwell, Jaap-Jan Frans, Jason Yorty, Jeff Finley, Jens Gehring, jhoadley, Johannes Grumböck, Johannes Konings, John Culkin, Jonas Mellquist, Juraj Martinka, Kamil Oboril, Ken Snyder, Markus Ellers, Ross Mohan, Ross Mohan, sam onaga, Satyendra Sharma, Shawn Tolidano, Simon Devlin, Thorsten Hoeger, Todd Valentine, Victor Grenu, and all anonymous supporters for your help! We also want to thank all supporters who purchased a cloudonaut t-shirt.