Antivirus for S3 Buckets

Michael Wittig – 18 Apr 2016

Many of our AWS consultancy clients ask me:

“How can we make sure that the files that we store on S3 are virus free?”

As always, our clients are looking for simple and cheap solutions. That’s why I developed S3 VirusScan. Every file that is added to an S3 bucket is automatically scanned.

The S3 VirusScan with additional integrations is available in the AWS Marketplace.

Features

  • Uses ClamAV to scan newly added files on S3 buckets
  • Updates ClamAV database every 3 hours automatically
  • Scales EC2 instance workers to distribute workload
  • Publishes a message to SNS in case of a finding
  • Can optionally delete compromised files automatically
  • Logs to CloudWatch Logs

Commercial Features

  • CloudWatch Integration (Metrics and Dashboard)
  • Security Hub Integration
  • SSM OpsCenter Integration

How does it work

A picture is worth a thousand words:

Architecture

  1. S3 VirusScan uses an SQS queue to decouple scan jobs from the ClamAV workers. Each S3 bucket can send an event to that queue whenever a new object is created; this S3 feature is called S3 Event Notifications.
  2. The SQS queue is consumed by a fleet of EC2 instances running in an Auto Scaling Group. If the number of outstanding scan jobs reaches a threshold, a new ClamAV worker is added automatically; if the queue is mostly empty, workers are removed.
  3. The ClamAV workers run a simple Ruby script that executes the clamscan command. In the background, the virus database is updated every three hours.
  4. If clamscan finds a virus, the file is deleted immediately (this is configurable) and an SNS notification is published.
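
Steps 1 to 4 as one runnable worker. This is an added example written for this page, not the S3 VirusScan project's own Ruby script: it talks to AWS through the `aws` CLI (assumed to be on PATH and authorised by the instance role), expects `clamscan` on PATH, and takes its queue URL and topic ARN from environment variables whose names (`S3SCAN_QUEUE_URL`, `S3SCAN_TOPIC_ARN`, `S3SCAN_DELETE`) are assumptions of the example. The scanner and the AWS calls are injectable so the decision logic can be exercised offline against a constructed S3 event notification.

```ruby
#!/usr/bin/env ruby
# Added example, not the S3 VirusScan project's own worker script: a minimal
# SQS -> ClamAV worker. AWS access goes through the `aws` CLI (assumed on PATH,
# authorised by the instance role); scanner and AWS calls are injectable.
require 'json'
require 'cgi'
require 'open3'
require 'tmpdir'
CLAMSCAN_CLEAN, CLAMSCAN_INFECTED = 0, 1 # clamscan(1) exit codes; 2 = error, never "clean"

# (bucket, key, version_id) for every ObjectCreated record in one SQS message.
# S3 URL-encodes keys in notifications (a space arrives as '+'), so decode first.
# The s3:TestEvent S3 sends when a bucket is wired up has no Records and yields [].
def parse_s3_events(sqs_body)
  JSON.parse(sqs_body).fetch('Records', []).select do |r|
    r['eventSource'] == 'aws:s3' && r['eventName'].to_s.start_with?('ObjectCreated:')
  end.map do |r|
    { bucket: r['s3']['bucket']['name'],
      key: CGI.unescape(r['s3']['object']['key']),
      version_id: r['s3']['object']['versionId'] }
  end
end

# Scan one local file: [:clean, nil], [:infected, signature] or [:error, output].
def scan_file(path, clamscan: 'clamscan')
  out, status = Open3.capture2e(clamscan, '--no-summary', '--stdout', path)
  case status.exitstatus
  when CLAMSCAN_CLEAN    then [:clean, nil]
  when CLAMSCAN_INFECTED then [:infected, out[/: (\S+) FOUND/, 1]]
  else [:error, out]
  end
end

# Thin wrappers around real AWS CLI commands.
def aws(*args)
  out, status = Open3.capture2('aws', *args)
  raise "aws #{args.first(2).join(' ')} failed" unless status.success?
  out
end
def get_object(bucket, key, version_id, dest)
  args = ['s3api', 'get-object', '--bucket', bucket, '--key', key]
  args += ['--version-id', version_id] if version_id
  aws(*args, dest)
end
# Delete the scanned version explicitly: on a versioned bucket a plain delete
# only adds a delete marker and leaves the infected version retrievable.
def delete_object(bucket, key, version_id)
  args = ['s3api', 'delete-object', '--bucket', bucket, '--key', key]
  args += ['--version-id', version_id] if version_id
  aws(*args)
end
def publish(topic_arn, subject, message)
  aws('sns', 'publish', '--topic-arn', topic_arn, '--subject', subject, '--message', message)
end

# Process one SQS message body; returns one result hash per object.
# `delete: false` mirrors the "optionally delete compromised files" setting.
def handle_message(sqs_body, topic_arn:, delete: true, fetch: method(:get_object),
                   scan: method(:scan_file), remove: method(:delete_object), notify: method(:publish))
  parse_s3_events(sqs_body).map do |ev|
    Dir.mktmpdir('s3scan') do |dir|
      local = File.join(dir, 'object')
      begin
        fetch.call(ev[:bucket], ev[:key], ev[:version_id], local)
      rescue RuntimeError, SystemCallError
        next ev.merge(verdict: :missing, detail: nil) # overwritten or removed before we got to it
      end
      verdict, detail = scan.call(local)
      if verdict == :infected
        remove.call(ev[:bucket], ev[:key], ev[:version_id]) if delete
        notify.call(topic_arn, "Virus found in s3://#{ev[:bucket]}/#{ev[:key]}"[0, 100], # SNS subject limit
                    JSON.generate(ev.merge(signature: detail, deleted: delete)))
      end
      ev.merge(verdict: verdict, detail: detail)
    end
  end
end

# Long-poll loop for one worker. A message is acknowledged only if no object ended
# in :error; otherwise it reappears after the visibility timeout and is retried
# (give the queue a dead-letter queue so a poison message cannot loop forever).
def run(queue_url, topic_arn, delete: true)
  loop do
    out = aws('sqs', 'receive-message', '--queue-url', queue_url,
              '--wait-time-seconds', '20', '--max-number-of-messages', '1')
    messages = out.strip.empty? ? [] : JSON.parse(out).fetch('Messages', [])
    messages.each do |msg|
      results = handle_message(msg['Body'], topic_arn: topic_arn, delete: delete)
      results.each { |r| puts JSON.generate(r) } # one JSON line per object for CloudWatch Logs
      next if results.any? { |r| r[:verdict] == :error }
      aws('sqs', 'delete-message', '--queue-url', queue_url, '--receipt-handle', msg['ReceiptHandle'])
    end
  end
end

if __FILE__ == $PROGRAM_NAME && ENV['S3SCAN_QUEUE_URL'] # env var names are assumptions of this example
  run(ENV['S3SCAN_QUEUE_URL'], ENV.fetch('S3SCAN_TOPIC_ARN'), delete: ENV['S3SCAN_DELETE'] != 'false')
end
```

Two properties of this design are worth keeping in mind. The scan runs after the object has already been written, so between the upload and the worker's delete the file is readable by anyone with access to the bucket; consumers that must never see an unscanned object need a separate gate (for example a quarantine bucket or prefix that the worker copies clean files out of). And only exit code 0 from clamscan means clean: a stale signature database or an unreadable file exits with 2, and treating that as a pass would silently turn the scanner off.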

Installation & Configuration

Read more about S3 VirusScan and learn how to install and configure our solution in minutes.
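
Wiring a bucket to the scan queue (step 1 of the architecture) needs two pieces of configuration that the page does not spell out: a policy on the SQS queue that allows S3 to send to it, and the bucket's notification configuration. The following is an added example, not the project's own template or installer; bucket, queue, account and environment variable names are placeholders, and the AWS CLI is assumed to be installed and authorised.

```ruby
# Added example, not the S3 VirusScan project's own template: wire one bucket to
# the scan queue with the AWS CLI. All names are placeholders taken from the
# environment when run stand-alone.
require 'json'

# Queue policy that lets S3 deliver notifications. The Condition block is the
# security-relevant part: without aws:SourceArn/aws:SourceAccount, S3 acting on
# behalf of any bucket in any AWS account could push jobs into this queue.
def scan_queue_policy(queue_arn, bucket, account_id)
  { 'Version' => '2012-10-17',
    'Statement' => [{
      'Sid' => 'AllowS3EventNotifications',
      'Effect' => 'Allow',
      'Principal' => { 'Service' => 's3.amazonaws.com' },
      'Action' => 'sqs:SendMessage',
      'Resource' => queue_arn,
      'Condition' => {
        'ArnLike' => { 'aws:SourceArn' => "arn:aws:s3:*:*:#{bucket}" },
        'StringEquals' => { 'aws:SourceAccount' => account_id } } }] }
end

# Notification configuration: every object-creation event type (Put, Post,
# Copy, CompleteMultipartUpload) goes to the queue, optionally only under a prefix.
def scan_notification_config(queue_arn, prefix: nil)
  cfg = { 'Id' => 'NewObjectsToVirusScan', 'QueueArn' => queue_arn, 'Events' => ['s3:ObjectCreated:*'] }
  cfg['Filter'] = { 'Key' => { 'FilterRules' => [{ 'Name' => 'prefix', 'Value' => prefix }] } } if prefix
  { 'QueueConfigurations' => [cfg] }
end

# Apply both with the AWS CLI. The queue policy must exist first: S3 delivers an
# s3:TestEvent to the queue when the bucket configuration is saved and rejects
# the configuration if that delivery is denied.
def wire_bucket(bucket, queue_url, queue_arn, account_id, prefix: nil)
  system('aws', 'sqs', 'set-queue-attributes', '--queue-url', queue_url, '--attributes',
         JSON.generate('Policy' => JSON.generate(scan_queue_policy(queue_arn, bucket, account_id))),
         exception: true)
  system('aws', 's3api', 'put-bucket-notification-configuration', '--bucket', bucket,
         '--notification-configuration', JSON.generate(scan_notification_config(queue_arn, prefix: prefix)),
         exception: true)
end

if __FILE__ == $PROGRAM_NAME && ENV['S3SCAN_BUCKET'] # env var names are assumptions of this example
  wire_bucket(ENV['S3SCAN_BUCKET'], ENV.fetch('S3SCAN_QUEUE_URL'), ENV.fetch('S3SCAN_QUEUE_ARN'),
              ENV.fetch('AWS_ACCOUNT_ID'), prefix: ENV['S3SCAN_PREFIX'])
end
```

The worker's instance role additionally needs `sqs:ReceiveMessage` and `sqs:DeleteMessage` on the queue, `s3:GetObject` (and `s3:DeleteObject` plus the `*Version` variants if deletion is enabled) on the scanned buckets, and `sns:Publish` on the findings topic; nothing else.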

Tags: aws security s3
Michael Wittig

I’m the author of Amazon Web Services in Action. I work as a software engineer, and independent consultant focused on AWS and DevOps.

You can contact me via Email, Twitter, and LinkedIn.
