# Proactive Notifications

{% tabs %}
{% tab title="Antivirus for Amazon S3" %}

#### Proactive Notifications

![Proactive Notifications Dashboard](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FMNVpjeDawkpdPHAYpvYD%2Fproactive-notifications-table.png?alt=media)

The Dashboard is a great resource for monitoring your environment while you are using the console. For all the times you are not in front of the console, it is critically important that you are made aware of system notifications such as `problem file` scan results. Scan results, which can identify infected or unscannable files, are the most critical, but other system messages may be important enough for you to follow as well. The other types of information we notify on are: public / private status of buckets, newly discovered buckets, protection turned on / off for buckets, availability of system updates, trial expiration and low prepaid data counts. With this in mind, a Notifications SNS Topic is provided where Antivirus for Amazon S3 publishes these messages. You can subscribe to the Topic with the protocol (HTTP, HTTPS, Email, Email-JSON, Amazon SQS, AWS Lambda, Platform Application Endpoint, SMS) of your choice.

All notification messages we generate will have a `Notification Type` attribute as well as possible secondary attributes. These attributes and their values can be used to filter the messages. Along with the notification type attribute, there are other message attributes such as `scanResult`, `bucket` and `account`. AWS SNS subscription filtering combines different attributes with ***and***. ***Or*** is supported among the values of a single attribute, but as soon as a filter names more than one attribute, those attributes are combined with ***and***. This is critical to be aware of, because you can build combinations that will never occur and therefore never receive the messages you are expecting.

We have built our wizard so that you cannot create these unusable combinations. The filtering that is allowed:

* **notificationType** - on its own this is the highest level (generic) filter
  * You can get all scan results by just setting this attribute to `scanResult`, but you may not actually want all scan results, just `infected`
  * Possible values - \[scanResult, largeFileScan, bucketsDiscovered, bucketProtection, bucketCrawling, bucketsPublicAccess, bucketAutoProtectionFailed, updatesAvailable, lowPrepaidData, trialExpiring]
* **scanResult** - allows you to filter by the result itself
  * You can filter by one or more values - \[Clean, Infected, Unscannable, Error, InfectedAllowed]
* **bucket** - filter by a particular bucket name
  * Useful if you want different subscriptions/notifications for different buckets to have different outcomes or go to different teams
* **account** - filter by account number
  * For multi-account environments this allows you to filter at the account level
  * Similar to bucket, you could have different processes or teams responsible at the account level and so need separate subscriptions to notify those particular teams

#### Message Types

All possible message information:

<table><thead><tr><th width="174">Key Name</th><th>Description</th></tr></thead><tbody><tr><td>notificationType</td><td><p>You can get all scan results by just setting this attribute to <code>scanResult</code>, but you may not actually want all scan results, just <code>Infected</code><br>Possible values:<br></p><ul><li>scanResult</li><li>largeFileScan</li><li>bucketsDiscovered</li><li>bucketProtection</li><li>bucketCrawling</li><li>bucketsPublicAccess</li><li>bucketAutoProtectionFailed</li><li>updatesAvailable</li><li>lowPrepaidData</li><li>trialExpiring</li></ul></td></tr><tr><td>scanResult</td><td><p>Secondary attribute to allow filtering by the scan result itself<br>Possible values:<br></p><ul><li>Infected</li><li>Error</li><li>Unscannable</li><li>Clean</li><li>InfectedAllowed</li></ul></td></tr><tr><td>bucket</td><td>Secondary attribute to provide filtering by bucket name. Useful if you want different subscriptions/notifications for different buckets to have different outcomes or go to different teams. You can provide more than one bucket name, if desired, in a comma-separated list.<br><br>Possible values: <code>your_bucket_name(s)</code></td></tr><tr><td>accountID</td><td>For multi-account environments this allows you to filter at the account level. Similar to bucket, you could have different processes or teams responsible at the account level and so need separate subscriptions to notify those particular teams. Can be used with scanResult, bucketsDiscovered, bucketProtection, bucketCrawling, bucketsPublicAccess</td></tr></tbody></table>

**Proper Combinations**

Proper combinations can be:

* **notificationType**
* **notificationType**\['scanResult'] + **scanResult**\['Infected', 'Clean', 'Unscannable', 'Error', 'InfectedAllowed']
  * **notificationType** + **scanResult** + **bucket**\['< bucket-name(s) >']
  * **notificationType** + **scanResult** + **account**\['< account-number(s) >']
* **notificationType**\['scanResult'] + **bucket**\['< bucket-name(s) >']
* **notificationType**\[any but updatesAvailable|lowPrepaidData|trialExpiring] + **account**\['< account-number(s) >']
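
To make the ***and*** / ***or*** behaviour concrete, the following is an added example (not AWS or Cloud Storage Security code) that evaluates a filter policy the way described above, for exact-string and `prefix` matchers only. The attribute sets, account number and object key are constructed, and it is an assumption that an `updatesAvailable` message carries no `scanResult` attribute.

```python
"""Evaluate an SNS subscription filter policy against message attributes.

Covers exact string values and {"prefix": "..."} matchers only.
Added illustration; sample attributes below are constructed.
"""


def _value_matches(rule, value):
    # A rule is either a literal string or a {"prefix": "..."} object.
    if isinstance(rule, dict):
        if set(rule) != {"prefix"}:
            raise ValueError(f"unsupported matcher: {rule!r}")
        return value.startswith(rule["prefix"])
    return rule == value


def first_unmatched_key(policy, attributes):
    """Return the first policy key the message fails on, or None if delivered.

    Keys are ANDed: every key in the policy must be present and match.
    Values are ORed: any one of the listed values for a key is enough.
    """
    for key, rules in policy.items():
        attr = attributes.get(key)
        if attr is None:
            return key  # attribute absent from the message fails the AND
        if not any(_value_matches(rule, attr["Value"]) for rule in rules):
            return key
    return None


def delivered(policy, attributes):
    return first_unmatched_key(policy, attributes) is None


def _attrs(**values):
    # Build a MessageAttributes mapping in the shape SNS delivers.
    return {name: {"Type": "String", "Value": v} for name, v in values.items()}


# Constructed attribute sets, modelled on the sample message on this page.
INFECTED = _attrs(
    notificationType="scanResult",
    scanResult="Infected",
    bucket="css-protect-versioning",
    accountId="111122223333",          # constructed placeholder
    key="invoices/infected_bill.pdf",  # constructed object key
)
# Assumption: system messages carry no scanResult attribute.
UPDATE = _attrs(notificationType="updatesAvailable")

IR_TEAM = {"notificationType": ["scanResult"], "scanResult": ["Infected"]}
INFRA_TEAM = {"notificationType": ["scanResult"],
              "scanResult": ["Error", "Unscannable"]}
BY_FOLDER = {"notificationType": ["scanResult"],
             "key": [{"prefix": "invoices/"}]}
# Valid JSON, but no message can satisfy both keys at once.
NEVER_MATCHES = {"notificationType": ["updatesAvailable"],
                 "scanResult": ["Infected"]}

if __name__ == "__main__":
    for name, policy in [("IR_TEAM", IR_TEAM), ("INFRA_TEAM", INFRA_TEAM),
                         ("BY_FOLDER", BY_FOLDER),
                         ("NEVER_MATCHES", NEVER_MATCHES)]:
        for label, attrs in [("infected", INFECTED), ("update", UPDATE)]:
            failed = first_unmatched_key(policy, attrs)
            verdict = "delivered" if failed is None else f"dropped on {failed}"
            print(f"{name:14} {label:9} {verdict}")
```

Filter keys are compared with attribute names exactly as they appear under `MessageAttributes`, so a key that is not present on the message drops it in the same way a non-matching value does.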

{% hint style="info" %}

#### Example

You may want your Support/IR team to be informed of infected files only, so you set up a subscription that filters down to `scanResult = Infected` and is sent to their emails or distribution list.

Classification results of `Error` and `Unscannable`, on the other hand, may get filtered down and sent to your infrastructure team, since both of those results typically relate to access issues (either KMS related, password protection, file extension reading software, etc).

You may want yet another subscription that captures either all scanResult messages or just the Clean ones, so you keep your own audit log of those files. The endpoint could be an email address that nobody responds to or an application that gathers all this data.
{% endhint %}

Here is a sample message so you can see the format that gets sent. More samples for the other notification types below.

```json
{
    "Type" : "Notification",
    "MessageId" : "45927ed5-6884-542e-96c6-27777317db99",
    "TopicArn" : "arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh",
    "Subject" : "AV-for-S3: Infected object found",
    "Message" : "{\"guid\":\"a59f0da2-0fdd-4667-b272-618d79cd520d\",\"dateScanned\":\"2021-08-26T22:44:34.5595461Z\",\"bucketName\":\"css-protect-versioning\",\"key\":\"infected_bill.pdf\",\"versionId\":\"ohjRhn8aiPIjVTU1T6xOKWoJBR8i0v0w\",\"result\":1,\"scanResults\":[{\"result\":\"Infected\",\"virusName\":[\"Win.Ransomware.WannaCry-6313787-0\"],\"message\":[],\"dateScanned\":\"2021-08-26T22:44:34.5595461Z\",\"engine\":\"ClamAV\",\"engineVersion\":\"0.103.3\",\"virusDbVersion\":\"26275\",\"scanType\":\"GoFwd\"},{\"result\":\"Infected\",\"virusName\":[\"Troj/PDFJs-AIA\"],\"message\":[\"infected_bill.pdf\"],\"dateScanned\":\"2021-08-26T22:44:33.3838187Z\",\"engine\":\"Sophos\",\"engineVersion\":\"3.82.1\",\"virusDbVersion\":\"5.86\",\"scanType\":\"GoFwd\"}],\"actionTaken\":\"Move\",\"virusUploadedBy\":\"AWS:AIDA2T7AZ3IMGHBWXMN4W\",\"fileExists\":true,\"movedTo\":\"cloudstoragesecquarantine-pxlhbmh-<account-number>-us-east-1\",\"region\":\"us-east-1\",\"accountId\":\"<account-number>\",\"allowOnceExemptionAdded\":false,\"permanentlyAllowed\":false}",
    "Timestamp" : "2021-08-26T22:44:35.049Z",
    "SignatureVersion" : "1",
    "Signature" : "or+H3m1RpSvHe3GlccGjnckSj13iz+mFYaEMjwKWuE3uFhytHUkc6cIxk4E3lI7GwtOmuxTCQgc9ms7c/yp+487Chh0IM3nLGCD7WWNaW3W/8BnpFg1wkWQoSAPIh4EuhYLEWMzqF1ldENp6SNGZpG60vYyS/vNx9GnA5nrRDwLfQ76HDlRq/PQpbnzBPleaW61TOsRRhKpVpNZ1dKTRECqCtP9Tgno12XURZ8Li4PQP/w3IJ6EPZOKrva7A2vaaOe4hRyx4lWSagHtigqZ9RMIsTBOFXrCwG3iXopUhnylDgtaeODyepXTUEMHzw931hRMmcjGT+h1epJ10mraA8Q==",
    "SigningCertURL" : "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem",
    "UnsubscribeURL" : "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh:32f7008b-bf69-48c0-84fd-872b708f0037",
    "MessageAttributes" : {
        "bucket" : {"Type":"String","Value":"css-protect-versioning"},
        "accountId" : {"Type":"String","Value":"<account-number>"},
        "notificationType" : {"Type":"String","Value":"scanResult"},
        "scanType" : {"Type":"String","Value":"Api"},
        "scanResult" : {"Type":"String","Value":"Infected"},
        "scanResultKind" : {"Type":"String","Value":"NotApplicable"},
        "key" : {"Type":"String","Value":"filename.ext"}
    }
}
```
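
A consumer of this format has two things to handle: the envelope fields that should be checked before a delivery is trusted, and the scan details, which arrive as a JSON string inside `Message`. The following added example (not Cloud Storage Security or AWS code) does both; the envelope is constructed in the shape of the samples on this page with placeholder IDs, and the RSA verification of `Signature` over the canonical string is left to a crypto library.

```python
import json
import re
from urllib.parse import urlparse

# SNS serves signing certificates from sns.<region>.amazonaws.com over HTTPS.
_SNS_CERT_HOST = re.compile(r"sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?")


def envelope_problems(envelope, expected_topic_arn):
    """Checks to run before trusting a delivery; returns reasons to reject."""
    problems = []
    if envelope.get("Type") != "Notification":
        problems.append("not a Notification")
    if envelope.get("TopicArn") != expected_topic_arn:
        problems.append("unexpected TopicArn")
    if envelope.get("SignatureVersion") not in ("1", "2"):
        problems.append("unknown SignatureVersion")
    cert = urlparse(envelope.get("SigningCertURL", ""))
    if (cert.scheme != "https"
            or not _SNS_CERT_HOST.fullmatch(cert.hostname or "")
            or not cert.path.endswith(".pem")):
        problems.append("SigningCertURL is not an SNS certificate URL")
    return problems


def string_to_sign(envelope):
    """Canonical text the Signature covers for a Notification.

    Each field name and value is followed by a newline; Subject is
    included only when the message has one.
    """
    fields = ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"]
    return "".join(f"{n}\n{envelope[n]}\n" for n in fields if n in envelope)


def summarize_scan(envelope):
    """Decode the JSON string held in "Message" and pull out triage fields."""
    body = json.loads(envelope["Message"])
    results = body.get("scanResults", [])
    verdicts = {r["engine"]: r["result"] for r in results}
    return {
        "object": f's3://{body["bucketName"]}/{body["key"]}',
        "versionId": body.get("versionId"),
        "scanResult": envelope["MessageAttributes"]["scanResult"]["Value"],
        "verdicts": verdicts,
        # True when the engines returned different results for the object.
        "engines_disagree": len(set(verdicts.values())) > 1,
        "detections": sorted({v for r in results for v in r.get("virusName", [])}),
        "actionTaken": body.get("actionTaken"),
        "movedTo": body.get("movedTo"),
    }


# Constructed envelope; account number, IDs and Signature are placeholders.
TOPIC = "arn:aws:sns:eu-west-1:111122223333:CloudStorageSecNotificationsTopic-example"
SAMPLE = {
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": TOPIC,
    "Subject": "AV-for-S3: Infected object found",
    "Message": json.dumps({
        "bucketName": "css-protect-versioning",
        "key": "halock-av.pdf",
        "versionId": "example-version-id",
        "result": 1,
        "scanResults": [
            {"result": "Clean", "virusName": [], "engine": "ClamAV"},
            {"result": "Infected", "engine": "Sophos",
             "virusName": ["EICAR-AV-Test", "EICAR-AV-Test"]},
        ],
        "actionTaken": "Move",
        "movedTo": "cloudstoragesecquarantine-example",
    }),
    "Timestamp": "2021-08-26T22:44:32.905Z",
    "SignatureVersion": "1",
    "Signature": "constructed-placeholder",
    "SigningCertURL": "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-example.pem",
    "MessageAttributes": {
        "notificationType": {"Type": "String", "Value": "scanResult"},
        "scanResult": {"Type": "String", "Value": "Infected"},
    },
}

if __name__ == "__main__":
    print(envelope_problems(SAMPLE, TOPIC))
    print(json.dumps(summarize_scan(SAMPLE), indent=2))
```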

Follow the steps below to set up your Topic Subscription utilizing an AWS provided protocol like email.

#### Create Subscription - Email Example

Subscribing to the real-time notifications sent out via our Notifications SNS Topic has been simplified by the wizard provided. You can still [manually set this up](#manual-setup-email) if desired; the manual steps follow these instructions. Creating a subscription through the form still requires you to **confirm** the subscription.

1. Click the `Add Subscription` button

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FgQbDBLHhwAJ6QGL0DkgU%2Fproactive-notifications-addsub.png?alt=media" alt=""><figcaption></figcaption></figure>
2. The `Add Proactive Notifications Subscription` popup will appear

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FVLsMv2uU1OIIv1RPUiW5%2Fproactive-notifications-addsub-popup1.png?alt=media" alt=""><figcaption></figcaption></figure>
3. Specify the `Notification Type` of choice - for our example we will choose `ScanResu`

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2Fd5gOVKPRLQHND9AYrTBT%2Fproactive-notifications-addsub-scanresult.png?alt=media" alt=""><figcaption><p><mark style="background-color:blue;"><strong>Note</strong>:</mark> After selecting the <code>Notification Type</code> you will be presented other fields to populate. At a minimum, you must specify a <code>Protocol</code> and <code>Endpoint</code>. The other fields can be populated as described above.</p></figcaption></figure>
4. Choose `Email` as the protocol and enter your email address

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FImfoz54Du5nfd92bDaRH%2Fproactive-notifications-addsub-emailadded.png?alt=media" alt=""><figcaption><p><mark style="background-color:blue;"><strong>Note:</strong></mark> If you left it as seen here, every scan result (clean, infected, unscannable, error and infectedAllowed) would be sent to your email. Generally, you may want to limit down to <code>infected</code> and <code>unscannable</code> to limit the number of emails received. This is up to your requirements, so do as you see fit. As described above, you can filter the results by result, bucket or account and proper combinations of those.</p></figcaption></figure>
5. Specify `Scan Results` values to limit emails sent

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FxkEXUOwWdGSUh7ZQGCUQ%2Fproactive-notifications-addsub-limitedresults.png?alt=media" alt=""><figcaption></figcaption></figure>
6. Click the `Add Subscription` button

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2Fwr2gOPP0kK9En2xMICDZ%2Fproactive-notifications-addsub-create.png?alt=media" alt=""><figcaption></figcaption></figure>
7. You will now see a new entry in the table list showing as `Pending` under status

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FXPEcNbJBxuqxZtr7KncE%2Fproactive-notifications-addsub-pending.png?alt=media" alt=""><figcaption></figcaption></figure>
8. Check your email so you can **confirm** the subscription

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FAAWFipmXDUHcVpOuaISj%2Fproactive-notifications-addsub-confirmationemail.png?alt=media" alt=""><figcaption></figcaption></figure>
9. Open the email and click the `Confirm subscription` link

   <div align="left"><figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2Fy3laM5IzI6yyGrGfMN2C%2Fproactive-notifications-addsub-confirm.png?alt=media" alt=""><figcaption></figcaption></figure></div>
10. This action will open a browser window showing subscription confirmation

    <div align="left"><figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FCXXBie55HX5Vbm4wvMUo%2Fproactive-notifications-addsub-confirmresult.png?alt=media" alt=""><figcaption></figcaption></figure></div>
11. Refresh the page list by clicking the little `Refresh` button and you will see your new subscription confirmed

    <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FxAZxRO1kpGSfmuVxHDnb%2Fproactive-notifications-addsub-confirmed.png?alt=media" alt=""><figcaption></figcaption></figure>

You are all set now! Feel free to create more as needed for the different notifications needed.

{% hint style="warning" %}

#### Warning

AWS does not allow the same email address to be used for multiple subscriptions to the same topic. So you can leverage multiple addresses or you can use the "+" option most modern email providers (Gmail, O365, Exchange) support.

For example, instead of using `support@cloudstoragesec.com` as I did in the example steps I could do the following:

* *<support+scanresult@cloudstoragesec.com>* for all scan results
* *<support+updates@cloudstoragesec.com>* for system upgrade updates
* *<support+config@cloudstoragesec.com>* for notifications regarding new buckets or public buckets found
* etc.
  {% endhint %}

If you'd like to perform these steps manually or see what is going on behind the scenes on the AWS side, expand the section below and read on. If the GUI was enough for you, then skip it.

<details>

<summary><strong>Manual Setup - Email</strong></summary>

1. Log in to the AWS console and navigate to the region where the console is deployed\
   *If you are unsure of which region the console is deployed in, you can view the* [*Console Settings*](https://help.cloudstoragesec.com/console-overview/configuration/console-settings) *page to find it.*

<img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FTjWoGvFi0W5HT5XKuAOv%2F1.jpg?alt=media&#x26;token=33573b97-4735-44fc-802b-2e7289c4a2b9" alt="" data-size="original">

2. Navigate to the Simple Notification Service (SNS) service\
   *You can search for the service or find it under Application Integration*

![](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2F7fjBwRaW5JLDbGJMym3M%2F2.jpg?alt=media\&token=3db01a74-6a73-42f5-b536-034d207023a8)

*You'll land at the SNS Dashboard. You may have different numbers of existing Topics and Subscriptions*

![](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FHu9fQjTZlhVBhWmu9k5y%2F2-1.jpg?alt=media\&token=97327051-87f9-444e-8e22-a097e7cc8b27)

3. Click on Topics as indicated above and then click on the Notifications Topic\
   *The Topic will be named `CloudStorageSecNotifications-<appID>`. You can find your `appID` in the* [*Console Settings*](https://help.cloudstoragesec.com/console-overview/configuration/console-settings) *as the value after the `-` of the Service Name.*\
   ***Note**: I have more than one deployment in my account so I see more than one standard topic and more than one notifications topic.*

![](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FA5N8U9GZq9v8pgAo6J6O%2F3.jpg?alt=media\&token=235d55cd-fc34-41c0-8282-4a80a43675c6)

*You will land on the details page for the Topic*

![](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FvpvH1ONUnXgVTbDIsaDy%2F3-1.jpg?alt=media\&token=163e4e24-d404-4bbd-80d8-4b6fda27617e)

4. Click the `Create Subscription` button to be taken to the Create Subscription page

![](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FpboyorNzkQPYxsRFpRrM%2F4.jpg?alt=media\&token=4668abc8-e4b5-4af9-ae40-b4ee19f91289)

5. Pick a Protocol of your choice\
   *We'll use `Email` for this example*

![](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2Fp6O9no1XAuuOhHf7gXOo%2F5.jpg?alt=media\&token=49dec9dc-88f8-487e-a463-5138fdc2ee79)

6. Pick a Protocol of your choice\
   *We'll use `Email` for this example*

![](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FgjdZo8v4ADEuXcXaoCJc%2F6.jpg?alt=media\&token=2568d808-870e-4859-bf99-3d0a118b2164)

<mark style="background-color:blue;">**Note:**</mark>  You will have to confirm your subscription as AWS indicates. Go to the email address you specified and click the link within it **after** you finish creating the subscription.

7. Set up a Filter Policy (optional)\
   *You can be done at this point, but without a filter policy you will get notified of every scan result. Look back above for scenarios where filtering makes sense*

```json
{
    "notificationType" : ["scanResult"],
    "scanResult" : ["Infected", "Error", "Unscannable", "Clean"],
    "bucket" : ["your_bucket_name(s)"],
    "key" : [{"prefix": "folder_name/path(s)"}]
}
```

:pencil2: **Note**

You can copy and paste that JSON directly into the filter and it will work. **Remember** to pick which scan results you are filtering on and remove the others from the list.

*Copy the JSON and paste it into the filter policy JSON editor as seen below and edit as you see fit*

![](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FtAuRgKzjaA4H2hey30Uz%2F7.jpg?alt=media\&token=275aceb7-e96d-4652-822e-9c73f7e781af)

*You can read more about SNS Topic Subscription attribute matching in the* [*AWS Documentation*](https://docs.aws.amazon.com/sns/latest/dg/sns-subscription-filter-policies.html#string-value-matching) *on the subject.*

8. Click the `Create Subscription` button and you are done!\
   *Technically, you will now need to go confirm your subscription.*

![](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FIxLk0cXDc1JSF0ckV6d6%2F8.jpg?alt=media\&token=aba06ea7-c14e-45e5-ab6a-9a6c734eed0d)

</details>

<details>

<summary><strong>Manual Setup - SQS</strong></summary>

**This is how you subscribe an SQS queue to an SNS topic from a linked account (SQS-LinkedAccount) -> (SNS-Primary)**

The SQS-SNS link has to be created from the SNS side, by subscribing the SQS queue from the SNS topic, and not the other way around. For some unknown reason, this is the only way it works with AWS.

1. Add the `sqs:GetQueueAttributes` and `sqs:SetQueueAttributes` permissions to the **CloudStorageSecConsolePolicy** in the Primary account
2. Create an SQS queue in the Linked account with the following **SQS Access policy**:

```json
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<PRIMARY_ACCOUNT_ID>:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:<region>:<LINKED_ACCOUNT_ID>:<SQS-Queue-Name>"
    },
    {
      "Sid": "topic-subscription-arn:aws:sns:us-east-1:<PRIMARY_ACCOUNT_ID>:<CloudStorageSecNotificationsTopic-app-id>",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:<region>:<LINKED_ACCOUNT_ID>:<SQS-Queue-Name>",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:sns:<region>:<PRIMARY_ACCOUNT_ID>:<CloudStorageSecNotificationsTopic-app-id>"
        }
      }
    }
  ]
}
```

3. Create an **SNS subscription** to an Amazon SQS in the CSSNotificationsTopic (Primary) with the filter policy:

```json
{
"notificationType": [
"scanResult"
],
"scanResult": [
"Infected", "Clean"
]
}
```

4. Go to the **SQS queue** in the Linked account and hit **Send and Receive Messages**. You will see one message available. Hit **Poll for messages**, and you will see:

![](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FK8MwFBDzrgTeMb4SOcvh%2Fimage.png?alt=media\&token=6a9aa336-ccd1-49b6-8d16-6f2c722b12a5)

Open the message and copy the **SubscribeURL** value.

5. Go to the **SNS Topic** in the **Primary account**, choose the subscription, hit Confirm Subscription and paste the **SubscribeURL** value.
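
The second statement of the SQS access policy in step 2 allows `SQS:SendMessage` from any principal and relies on the `aws:SourceArn` condition to limit senders to the notifications topic. The following added example (not Cloud Storage Security or AWS code) checks a queue policy for that condition; the account IDs, region, queue name and topic name are constructed placeholders, and requiring the exact topic ARN with no wildcards is a deliberately strict assumption of this check.

```python
import copy


def _is_any_principal(principal):
    """True for "Principal": "*" and for {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _source_arns(condition):
    """Collect aws:SourceArn values from ArnEquals / ArnLike blocks."""
    found = []
    for operator in ("ArnEquals", "ArnLike"):
        for key, value in condition.get(operator, {}).items():
            if key.lower() == "aws:sourcearn":
                found.extend([value] if isinstance(value, str) else value)
    return found


def open_statements(policy, topic_arn):
    """Sids of Allow statements open to any principal and not pinned to topic_arn."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if not _is_any_principal(st.get("Principal")):
            continue
        # Strict: the only accepted source is the one expected topic.
        if _source_arns(st.get("Condition", {})) != [topic_arn]:
            findings.append(st.get("Sid", f"statement[{index}]"))
    return findings


# Constructed placeholders standing in for the values in step 2.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:CloudStorageSecNotificationsTopic-example"
QUEUE_ARN = "arn:aws:sqs:us-east-1:222222222222:css-notifications"

PAGE_POLICY = {
    "Version": "2008-10-17",
    "Id": "__default_policy_ID",
    "Statement": [
        {
            "Sid": "__owner_statement",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "SQS:*",
            "Resource": QUEUE_ARN,
        },
        {
            "Sid": "topic-subscription",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "SQS:SendMessage",
            "Resource": QUEUE_ARN,
            "Condition": {"ArnLike": {"aws:SourceArn": TOPIC_ARN}},
        },
    ],
}

# Weak variant 1: the condition was dropped, so anyone may send to the queue.
NO_CONDITION = copy.deepcopy(PAGE_POLICY)
del NO_CONDITION["Statement"][1]["Condition"]

# Weak variant 2: the condition is present but accepts every SNS topic.
ANY_TOPIC = copy.deepcopy(PAGE_POLICY)
ANY_TOPIC["Statement"][1]["Condition"]["ArnLike"]["aws:SourceArn"] = "arn:aws:sns:*:*:*"

if __name__ == "__main__":
    for name, policy in [("page policy", PAGE_POLICY),
                         ("no condition", NO_CONDITION),
                         ("any topic", ANY_TOPIC)]:
        print(f"{name:13} -> {open_statements(policy, TOPIC_ARN) or 'ok'}")
```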

</details>

Managing an existing subscription is easy. Simply click the action button (![Manage Subscription button](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2F4I4L6yuiOAX0g9uLagsp%2Fproactive-notifications-manage-sub-button.png?alt=media)) to either `Edit` or `Delete` the subscription. Editing will allow you to make changes as are permitted to the subscription. Deleting will remove the subscription.

![Manage Subscription](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FjhB9DvNBtzVP38P6v3i0%2Fproactive-notifications-manage-subscription.png?alt=media)

#### Sample Email Protocol Messages

Once you have confirmed your subscription, you will see messages like the following in your Inbox as objects get scanned.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FVQlzZn9FM5tRv58lL0My%2Fnotifications-email-inbox.png?alt=media" alt=""><figcaption></figcaption></figure>

And here are the details of an email message received for an infected object.

<div align="left"><figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FTUyw0R6KWpXgkGCShvje%2Fnotifications-email-message.png?alt=media" alt=""><figcaption></figcaption></figure></div>

#### EventBridge Notifications

To send notifications to EventBridge, just go to **Configuration > Console Settings > AWS EventBridge Proactive Notifications**. Enable the toggle, specify an Event Bus (or leave the default) and click Save.

**Send ScanResults notifications to CloudWatch logs:**

1. **Setup Event Bus**

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FbmFaEhqpiey9zj8a5TxY%2Fimage.png?alt=media&#x26;token=31d163ec-9492-4c89-8d06-42755e5a0b18" alt=""><figcaption><p>Setup the Event Bus</p></figcaption></figure>

2. **Go to AWS EventBridge and Create a Rule for the Event Bus**

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FCiMLoLKQ2tmhJAikAl90%2Fimage.png?alt=media&#x26;token=ae41e6f6-6461-4cea-82fe-8ab40541402e" alt=""><figcaption><p>Create Rule</p></figcaption></figure>
3. **Create Rule:**

**Step 1. Define rule detail**

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FN5Wx2GCqzo1Fz8McD2xG%2Fimage.png?alt=media&#x26;token=de1c9fab-1da3-4abb-b66f-49db83e09d56" alt=""><figcaption><p>Create Rule: Step 1 Details</p></figcaption></figure>

**Step 2. Build Event Pattern**

Leave the first options as they are and scroll down to the Event Pattern:

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2F6QTt2UFq8sE0fonm2hUh%2Fimage.png?alt=media&#x26;token=d5ba3bf0-3d02-4ffc-85aa-df63d0370dc2" alt=""><figcaption><p>Step2. Build Event Pattern</p></figcaption></figure>

```json
{
  "source": ["cloud-storage-security"],
  "detail-type": ["ScanResult"],
  "detail": {
    "MessageAttributes": {
      "scanResult": {
        "StringValue": ["Clean"]
      }
    }
  }
}
```

**Step 3. Select target(s)**

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FWCr6uDj9BtZgTrILahuz%2Fimage.png?alt=media&#x26;token=bd6dd210-5bb7-4bc7-addf-a91ee5946c7e" alt=""><figcaption><p>Step 3. Select target(s)</p></figcaption></figure>

**Step 4. Configure tags - optional**

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FJfhneLw4ShyFbOaAXpOv%2Fimage.png?alt=media&#x26;token=4d44c05e-c2eb-4abf-90f5-daad69a6209e" alt=""><figcaption><p>Step 4. Configure tags</p></figcaption></figure>

**Step 5. Review and update**

Just review that everything is set up as expected, and submit the rule.

4. If you have already set up a Scan Result notification, you are good to go; otherwise set up a subscription for it as explained at the beginning of this page.
5. Scan a file, and check the EventBridge log set up in CloudWatch:

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FuRrrig3Rega6NxS4OpCx%2Fimage.png?alt=media&#x26;token=d0d5e288-22c6-42a0-a73e-6d2dbdf166e7" alt=""><figcaption><p>CloudWatch logs</p></figcaption></figure>

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FE90qbm36Xnct7622znwF%2Fimage.png?alt=media&#x26;token=fcb13e7b-83a3-4814-9a21-af06749a02e6" alt=""><figcaption><p>CloudWatch Log Event Example</p></figcaption></figure>

#### Slack Integration Setup

It is a simple process (that may sound more complicated than it is) that took under 10 minutes to set up. Simply follow the process laid out in the AWS blog post on leveraging webhooks: [AWS SNS + Slack / Teams / Chime setup](https://aws.amazon.com/premiumsupport/knowledge-center/sns-lambda-webhooks-chime-slack-teams/)

This is what it looks like in Slack. You can modify the format with [Slack Message Layouts](https://api.slack.com/messaging/composing/layouts).

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FU8ECPVmx1N9aS7qH6Es0%2Fscan-results-slack-integration.png?alt=media" alt=""><figcaption></figcaption></figure>

### Sample Messages - JSON

<details>

<summary>Scan Result - Clean</summary>

```json
{
    "Type" : "Notification",
    "MessageId" : "bd433133-294e-52d9-9503-689132de2d6e",
    "TopicArn" : "arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh",
    "Subject" : "AV-for-S3: Clean object found",
    "Message" : "{\"guid\":\"5fe98fc2-685c-4f64-b9a0-8eedea8f42a4\",\"dateScanned\":\"2021-08-26T22:44:32.6856159Z\",\"bucketName\":\"css-protect-versioning\",\"key\":\"PCI Mandate Compliance Report Template_1586376538835.pdf\",\"versionId\":\"k751iw8YoEIGtZReV8JIsopfkjsFZ_Kf\",\"result\":0,\"scanResults\":[{\"result\":\"Clean\",\"virusName\":[],\"message\":[],\"dateScanned\":\"2021-08-26T22:44:32.6856159Z\",\"engine\":\"ClamAV\",\"engineVersion\":\"0.103.3\",\"virusDbVersion\":\"26275\",\"scanType\":\"GoFwd\"},{\"result\":\"Clean\",\"virusName\":[],\"message\":[],\"dateScanned\":\"2021-08-26T22:44:32.6158696Z\",\"engine\":\"Sophos\",\"engineVersion\":\"3.82.1\",\"virusDbVersion\":\"5.86\",\"scanType\":\"GoFwd\"}],\"actionTaken\":\"None\",\"virusUploadedBy\":\"\",\"fileExists\":true,\"movedTo\":\"\",\"region\":\"us-east-1\",\"accountId\":\"<account-number>\",\"allowOnceExemptionAdded\":false,\"permanentlyAllowed\":false}",
    "Timestamp" : "2021-08-26T22:44:32.986Z",
    "SignatureVersion" : "1",
    "Signature" : "vy0J32/9v0w813bdr7soNpn76V3f/AUw5uWwtgNK3k0wP9i7Usa/7atx1aeaLIcWYLe/LEJMfkYnXQTkq/5mjf0N8FJ9jXn9fkdUAGHf5iIovNKluf8xPDs6jrUo7rxg9Leskk2+EeNEi9wtQvXCtWeDEL20QA+1KsqcsQNGKPvUxF/m04BTr/jDO7YHK4FAHOc1DfY546dUA+z+t0DUYvSJqLHsUXQqHEqNpL7WHlzSvxIV+F1T0M525FbcZPZp3iLw5Qc3LlFZp/Yhy3V+2q6+JCJipzgLPGdN45EhwAYpvM5jNvqgjheKdiJkBONFByw1Hn4fIfIqc6olQr7u+w==",
    "SigningCertURL" : "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem",
    "UnsubscribeURL" : "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh:32f7008b-bf69-48c0-84fd-872b708f0037",
    "MessageAttributes" : {
        "bucket" : {"Type":"String","Value":"css-protect-versioning"},
        "accountId" : {"Type":"String","Value":"<account-number>"},
        "notificationType" : {"Type":"String","Value":"scanResult"},
        "scanResult" : {"Type":"String","Value":"Clean"}
    }
}
```

</details>

<details>

<summary>Scan Result - Infected</summary>

```json
{
    "Type" : "Notification",
    "MessageId" : "45927ed5-6884-542e-96c6-27777317db99",
    "TopicArn" : "arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh",
    "Subject" : "AV-for-S3: Infected object found",
    "Message" : "{\"guid\":\"a59f0da2-0fdd-4667-b272-618d79cd520d\",\"dateScanned\":\"2021-08-26T22:44:34.5595461Z\",\"bucketName\":\"css-protect-versioning\",\"key\":\"infected_bill.pdf\",\"versionId\":\"ohjRhn8aiPIjVTU1T6xOKWoJBR8i0v0w\",\"result\":1,\"scanResults\":[{\"result\":\"Infected\",\"virusName\":[\"Win.Ransomware.WannaCry-6313787-0\"],\"message\":[],\"dateScanned\":\"2021-08-26T22:44:34.5595461Z\",\"engine\":\"ClamAV\",\"engineVersion\":\"0.103.3\",\"virusDbVersion\":\"26275\",\"scanType\":\"GoFwd\"},{\"result\":\"Infected\",\"virusName\":[\"Troj/PDFJs-AIA\"],\"message\":[\"infected_bill.pdf\"],\"dateScanned\":\"2021-08-26T22:44:33.3838187Z\",\"engine\":\"Sophos\",\"engineVersion\":\"3.82.1\",\"virusDbVersion\":\"5.86\",\"scanType\":\"GoFwd\"}],\"actionTaken\":\"Move\",\"virusUploadedBy\":\"AWS:AIDA2T7AZ3IMGHBWXMN4W\",\"fileExists\":true,\"movedTo\":\"cloudstoragesecquarantine-pxlhbmh-<account-number>-us-east-1\",\"region\":\"us-east-1\",\"accountId\":\"<account-number>\",\"allowOnceExemptionAdded\":false,\"permanentlyAllowed\":false}",
    "Timestamp" : "2021-08-26T22:44:35.049Z",
    "SignatureVersion" : "1",
    "Signature" : "or+H3m1RpSvHe3GlccGjnckSj13iz+mFYaEMjwKWuE3uFhytHUkc6cIxk4E3lI7GwtOmuxTCQgc9ms7c/yp+487Chh0IM3nLGCD7WWNaW3W/8BnpFg1wkWQoSAPIh4EuhYLEWMzqF1ldENp6SNGZpG60vYyS/vNx9GnA5nrRDwLfQ76HDlRq/PQpbnzBPleaW61TOsRRhKpVpNZ1dKTRECqCtP9Tgno12XURZ8Li4PQP/w3IJ6EPZOKrva7A2vaaOe4hRyx4lWSagHtigqZ9RMIsTBOFXrCwG3iXopUhnylDgtaeODyepXTUEMHzw931hRMmcjGT+h1epJ10mraA8Q==",
    "SigningCertURL" : "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem",
    "UnsubscribeURL" : "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh:32f7008b-bf69-48c0-84fd-872b708f0037",
    "MessageAttributes" : {
        "bucket" : {"Type":"String","Value":"css-protect-versioning"},
        "accountId" : {"Type":"String","Value":"<account-number>"},
        "notificationType" : {"Type":"String","Value":"scanResult"},
        "scanResult" : {"Type":"String","Value":"Infected"}
    }
}
```

</details>

<details>

<summary>Scan Result - Infected with Mixed Result</summary>

```json
{
    "Type" : "Notification",
    "MessageId" : "52e1b014-a19d-5d32-8717-e9b6ba0d2df0",
    "TopicArn" : "arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh",
    "Subject" : "AV-for-S3: Infected object found",
    "Message" : "{\"guid\":\"9c2d3aca-7d9a-4d85-98bb-0954227c851b\",\"dateScanned\":\"2021-08-26T22:44:32.1855327Z\",\"bucketName\":\"css-protect-versioning\",\"key\":\"halock-av.pdf\",\"versionId\":\"cpThl8wDuSj2Ie4_CU0bR_x1ULCIXVhf\",\"result\":1,\"scanResults\":[{\"result\":\"Clean\",\"virusName\":[],\"message\":[],\"dateScanned\":\"2021-08-26T22:44:32.1855327Z\",\"engine\":\"ClamAV\",\"engineVersion\":\"0.103.3\",\"virusDbVersion\":\"26275\",\"scanType\":\"GoFwd\"},{\"result\":\"Infected\",\"virusName\":[\"EICAR-AV-Test\",\"EICAR-AV-Test\"],\"message\":[\"halock-av.pdf\",\"halock-av.pdf\"],\"dateScanned\":\"2021-08-26T22:44:32.1874844Z\",\"engine\":\"Sophos\",\"engineVersion\":\"3.82.1\",\"virusDbVersion\":\"5.86\",\"scanType\":\"GoFwd\"}],\"actionTaken\":\"Move\",\"virusUploadedBy\":\"AWS:AIDA2T7AZ3IMGHBWXMN4W\",\"fileExists\":true,\"movedTo\":\"cloudstoragesecquarantine-pxlhbmh-<account-number>-us-east-1\",\"region\":\"us-east-1\",\"accountId\":\"<account-number>\",\"allowOnceExemptionAdded\":false,\"permanentlyAllowed\":false}",
    "Timestamp" : "2021-08-26T22:44:32.905Z",
    "SignatureVersion" : "1",
    "Signature" : "SNSOWiex1hSWk6ooFjp3TI9OnO2S3LGSDRbUHqR6mzXptAcgiSIpdzKe9hbJZvttx0cNUBP3qajUWpuTPI2Toy0vPYo800HSnXBkW9pI7CIuTW8uVw+dN4OgsJJLN+Fh8LAY2uz1gsrofi7DMMRge9tyaerPIofyLCPTdEghQNpHWomfYF/fI5KLvIEetP5ROqlvL9rmzgvWY8AADKGGy+tki/4itzCfQBjBP5WpsyWWW0kQvw+TCXxZzogc+2h9YzBHKddQCdCUiMZNyiH/mJ+RjWJgfsZYws0MjkUgIb27Nv571TCQNpym3Z8d8ChTv7tb1jepkf5oBWuLph4uqA==",
    "SigningCertURL" : "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem",
    "UnsubscribeURL" : "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh:32f7008b-bf69-48c0-84fd-872b708f0037",
    "MessageAttributes" : {
        "bucket" : {"Type":"String","Value":"css-protect-versioning"},
        "accountId" : {"Type":"String","Value":"<account-number>"},
        "notificationType" : {"Type":"String","Value":"scanResult"},
        "scanResult" : {"Type":"String","Value":"Infected"}
    }
}
```

</details>

<details>

<summary>New Bucket Found</summary>

```json
{
    "Type" : "Notification",
    "MessageId" : "32373388-32b3-5303-a28e-6b3394954bc4",
    "TopicArn" : "arn:aws:sns:us-east-1:<account-number>:CloudStorageSecNotificationsTopic-y6uajej",
    "Subject" : "Discovered 1 new Buckets in Account 'Primary'",
    "Message" : "The following bucket(s) were discovered and are likely unprotected: css-webinar-new-bucket",
    "Timestamp" : "2021-03-05T03:22:14.713Z",
    "SignatureVersion" : "1",
    "Signature" : "UWQDpcdt82PEQw5B95rCh74gau0Nie8PITkDowLveGflTn7/LshJQ/854jL3gNKY9gpHVWh1deSWxHduI773gQdi4AbRMkJ68tum6PDg7/eYjcCS85RiJ4EeK7HH2xEsEdjTBFsXIs9W5rnXcnOB8wweYZ0IdaKrG4npYng0Qhnr6APFwq5uM4RoSOrwBhhS9iF6gHK++Ir8UNotq52K3RRIHBndYMXQIJL9t0vtcHpf3aAYgcjg+/+3PcjOH/fY974i1TD0h/EabmmKgxAnsggQ4rhGEintKrm/6vV1zFfGM+ehlRwRA5WG5KssyBYY2RxMLHbWCpfeakefmU0gjA==",
    "SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem",
    "UnsubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:<account-number>:CloudStorageSecNotificationsTopic-y6uajej:1c22fb20-0d29-42a9-b7dd-1964d77dd99d",
    "MessageAttributes" : {
        "accountId" : {"Type":"String","Value":"<account-number>"},
        "notificationType" : {"Type":"String","Value":"bucketsDiscovered"}
    }
}
```

</details>

<details>

<summary>Public Bucket Found</summary>

```json
{
    "Type" : "Notification",
    "MessageId" : "861b8ed9-116c-5eef-b906-d662b742f907",
    "TopicArn" : "arn:aws:sns:us-east-1:<account-number>:CloudStorageSecNotificationsTopic-y6uajej",
    "Subject" : "Discovered PUBLIC bucket 'css-demo-eu-north-1' in account 'Primary'",
    "Message" : "The console has discovered bucket 'css-demo-eu-north-1' with public access. ",
    "Timestamp" : "2021-03-05T03:22:22.053Z",
    "SignatureVersion" : "1",
    "Signature" : "b1pYOKS3FJKl3DSelsVoL6ORzcDoPUfuMu72MIrK05sbGZB6eP5xkeZc3QScLSkAMjAzUum5bQAYtq30CbOxgrl9uClvKhvrOwst9Ia0fJ0sCXE4gj59Etnx3j7jrx3x1mR87UhiOjvqNTDJvcJyMKcALCpyf4JUPs7GNzmA5TjMh2xRSsntPuATdMlSlgIi5ApBr4tZUZBAUfxfSI9eGPt9oi44ix0rB8ghlbMNo1ZA5L9ynuC4fyMbPjritTNF7o8hQzQyC4397GC5kBuAn4kdiGMTRLy+UIO/SBGr8iKsb6+3PiUN1g6qyooWilIeAKQ8eJMjo8OVlvLU0+LzVg==",
    "SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem",
    "UnsubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:<account-number>:CloudStorageSecNotificationsTopic-y6uajej:1c22fb20-0d29-42a9-b7dd-1964d77dd99d",
    "MessageAttributes" : {
        "accountId" : {"Type":"String","Value":"<account-number>"},
        "notificationType" : {"Type":"String","Value":"bucketsPublicAccess"}
    }
}
```

</details>

<details>

<summary>Bucket Protection Turned Off</summary>

```json
{
    "Type" : "Notification",
    "MessageId" : "2c547302-6e33-563d-b986-2aa07c26762a",
    "TopicArn" : "arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh",
    "Subject" : "Protection turned OFF for 1 buckets in account 'Primary'",
    "Message" : "Protection has been turned OFF for the following buckets: css-apsoutheast1-01",
    "Timestamp" : "2021-08-26T22:04:05.844Z",
    "SignatureVersion" : "1",
    "Signature" : "eF0dA/AGVgMp+S85UugidY+9FZ0UryqCGluWRHTtLEHXWM2L+o8AXO+2ipV5u0Jykd9fKEs0SAapDoNAM08X01aakpATR/Bg+1xglY1YGiB4xhhtD64gAGikfYxPDk3BbPS5qamfssXyu8YqJHRpn3xjc+VoYaJajOB1UAm3r0wkcjmapVzEVdvQF8fMx/hfA4sne3IJC5Szm/6g5KTQZ7RYHgrv3O1wB4GPAfNHM061Z5RbdSnKvjuUM8umEfcwOVa40fHIVz68Y1f8lNdPxDWUuY7fQwed8sx8DdRj3iqi1tSbLwYG72JDAiUPDTwEQDPldrQGac17M7aFlms0qA==",
    "SigningCertURL" : "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem",
    "UnsubscribeURL" : "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh:32f7008b-bf69-48c0-84fd-872b708f0037",
    "MessageAttributes" : {
        "accountId" : {"Type":"String","Value":"<account-number>"},
        "notificationType" : {"Type":"String","Value":"bucketProtection"}
    }
}
```

</details>

<details>

<summary>Product Upgrade Available</summary>

```json
{
    "Type" : "Notification",
    "MessageId" : "7b11beaf-0ca6-5c7c-b7d1-e73fbad71b86",
    "TopicArn" : "arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh",
    "Subject" : "Antivirus for Amazon S3 - Update(s) are available",
    "Message" : "Update(s) are available for the Antivirus of Amazon S3 product. Visit the console to apply them from the updates menu in the upper right of the page.",
    "Timestamp" : "2021-08-13T18:04:33.826Z",
    "SignatureVersion" : "1",
    "Signature" : "urNgfMcXt76qCsFrSMMhzeXQ3rEA6I3FYWBw+kOeDLgOdGW1vFcFFgii9XIytsdgI71fnCqkOdPe+sBcx1CpnDmdpG5F8oS6S5+bSVgnwp4f3srpghdR34gSMl8xeWZjqWCjcQd4zlcv7HcT4Jg1l1xDB3xD5KPUBhkEzwuvcQIVtpbXXhOJPbVjbUAMUqaI/lkq0x55Mh2D5ALN+1s9loQOC5R1/z/WFE043S037sQjea72rIs1zRouUUo1u+n4Jqo+GHARX51fJcDArcsEAA5INnxxVB5H6xoMAsYYv2LinpLIYRN8Vk/xlL7lfZXH2bYMsX/dJhlZ8crO1axZDA==",
    "SigningCertURL" : "https://sns.eu-west-1.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem",
    "UnsubscribeURL" : "https://sns.eu-west-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-1:<account-number>:CloudStorageSecNotificationsTopic-pxlhbmh:32f7008b-bf69-48c0-84fd-872b708f0037",
    "MessageAttributes" : {
        "notificationType" : {"Type":"String","Value":"updatesAvailable"}
    }
}
```

</details>

{% tabs %}
{% tab title="Antivirus for Amazon S3" %}

{% endtab %}

{% tab title="Classification for Amazon S3" %}

#### Proactive Notifications

![Proactive Notifications Dashboard](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2F5mibCKyQNzQXseam7fnw%2Fproactive-notifications-addsub-pending-dc.png?alt=media)

The Dashboard is a great resource to monitor your environment while you are using the console. For all the times you are not in front of the console, it is critically important that you are made aware of system notifications such as `matching` classification results. Classification Results, which could identify classified data, are the most critical, but other system messages may be important enough for you to follow as well. The other types of information we notify on are: public / private status of buckets, newly discovered buckets, protection turned on / off for buckets, availability of system updates, trial expiration and low prepaid data counts. With this in mind, a Notifications SNS Topic is provided where Classification for Amazon S3 publishes these useful messages. You can simply subscribe to the Topic with the protocol (HTTP, HTTPS, Email, Email-JSON, Amazon SQS, AWS Lambda, Platform Application Endpoint, SMS) of your choice.

All notification messages we generate will have a `Notification Type` attribute as well as possible secondary attributes. These attributes along with their values can be leveraged for filtering the messages down. Along with the notification type attribute, there are other message attributes such as `classificationResult`, `bucket` and `account`. AWS SNS subscription filtering works in an ***and*** fashion with additional attributes. ***Or*** functionality is supported within attribute values, but as soon as you have more than one attribute those behave as ***and***. This is critical to be aware of as you may add combinations that will never occur and therefore never receive the messages you are expecting.

We have made our wizard so you cannot make these unusable combinations. The filtering that is allowed:

* **NotificationType** - on its own this is the highest level (generic) filter
  * You can get all classification results by just setting this attribute to `ClassificationResult`, but you may truly not want all classification results, just `matching`
  * Possible values - \[ClassificationResult, BucketsDiscovered, BucketsPublicAccess, LowPrepaidData, TrialExpiring, UpdatesAvailable]
* **ClassificationResult** - allows you to filter by the result itself
  * You can filter by one or more values - \[Matching, NonMatching, Unclassifiable, Error]
* **Buckets** - filter by a particular bucket name
  * Useful if you want different subscriptions/notifications for different buckets to have different outcomes or go to different teams
* **Accounts** - filter by account number
  * For multi-account environments this allows you to filter at the account level
  * Similar to bucket, you could have different processes or teams responsible at the account level and so need separate subscriptions to notify those particular teams

#### Message Types

All possible message information:

<table><thead><tr><th width="200">Key Name</th><th>Description</th></tr></thead><tbody><tr><td>NotificationType</td><td><p>You can get all classification results by just setting this attribute to <code>ClassificationResult</code>, but you may truly not want all classification results, just <code>matching</code><br>Possible values:<br></p><ul><li>BucketsDiscovered</li><li>BucketProtection</li><li>BucketsPublicAccess</li><li>BucketAutoProtectionFailed</li><li>LowPrepaidData</li><li>TrialExpiring</li><li>UpdatesAvailable</li></ul></td></tr><tr><td>ClassificationResult</td><td><p>Secondary attribute to allow filtering by the scan result itself<br>Possible values:<br></p><ul><li>Matching</li><li>NonMatching</li><li>Unclassifiable</li><li>Error</li></ul></td></tr><tr><td>Buckets</td><td>Secondary attribute to provide filtering by bucket name. Useful if you want different subscriptions/notifications for different buckets to have different outcomes or go to different teams. You can provide more than 1 bucket name if desired in a comma-separated list.<br><br>Possible values: <code>your_bucket_name(s)</code></td></tr><tr><td>Accounts</td><td>For multi-account environments this allows you to filter at the account level. Similar to bucket, you could have different processes or teams responsible at the account level and so need separate subscriptions to notify those particular teams. Can be used with ClassificationResults, BucketsDiscovered, BucketProtection, BucketCrawling, BucketPublicAccess</td></tr></tbody></table>

**Proper Combinations**

Proper combinations can be:

* **notificationType**,
* **notificationType**\['classificationResult'] + **classificationResult**\['Matching', 'NonMatching', 'Unclassifiable', 'Error'],
  * **notificationType** + **classificationResult** + **bucket**\[' < bucket-name(s) >'],
  * **notificationType** + **classificationResult** + **account**\['< account-number(s) >'],
* **notificationType**\['classificationResult'] + **bucket**\['< bucket-name(s) >'],
* **notificationType**\[any but updatesAvailable|lowPrepaidData|trialExpiring] + **account**\['< account-number(s) >'],
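The AND/OR rule and the combinations listed above can be checked mechanically before a filter policy is written by hand in SNS. This added Python example (not the product's code) models only SNS exact-string matching; the `CARRIES` table is transcribed from the Proper Combinations list, and the flattened attribute dictionaries and the attribute names `bucket` and `account` are assumptions to confirm against a message you actually receive.

```python
# Which secondary attributes each notification type can carry, transcribed
# from the "Proper Combinations" list (assumption: attribute names as written
# there; the Antivirus samples on this page name the account "accountId").
CARRIES = {
    "classificationResult": {"classificationResult", "bucket", "account"},
    "bucketsDiscovered": {"account"},
    "bucketsPublicAccess": {"account"},
    "bucketProtection": {"account"},
    "updatesAvailable": set(),
    "lowPrepaidData": set(),
    "trialExpiring": set(),
}


def matches(policy, attributes):
    """Exact-match SNS semantics: every key in the policy must be present on
    the message (AND) with a value equal to one of those listed (OR)."""
    return all(attributes.get(name) in allowed
               for name, allowed in policy.items())


def reachable_types(policy):
    """Notification types that could ever satisfy this policy."""
    wanted = policy.get("notificationType", sorted(CARRIES))
    extra = set(policy) - {"notificationType"}
    return [t for t in wanted if extra <= CARRIES.get(t, set())]


def dropped_types(policy):
    """Types named in the policy that it can never deliver."""
    reachable = reachable_types(policy)
    return [t for t in policy.get("notificationType", []) if t not in reachable]


# Constructed message attributes, flattened to name -> value. Bucket and
# account values are taken from the sample classification message on this page.
MATCHING_MSG = {
    "notificationType": "classificationResult",
    "classificationResult": "Matching",
    "bucket": "class-trigger-bucket-3",
    "account": "351727022968",
}
UPDATE_MSG = {"notificationType": "updatesAvailable"}

# A usable combination: one type, narrowed by result and bucket.
TEAM_POLICY = {
    "notificationType": ["classificationResult"],
    "classificationResult": ["Matching", "Error"],
    "bucket": ["class-trigger-bucket-3"],
}
# Looks like "matching results OR update notices", but the second attribute
# is ANDed, and update notices carry no classificationResult attribute.
COMBINED = {
    "notificationType": ["classificationResult", "updatesAvailable"],
    "classificationResult": ["Matching"],
}
# An unusable combination: update notices never carry a bucket attribute.
DEAD = {
    "notificationType": ["updatesAvailable"],
    "bucket": ["class-trigger-bucket-3"],
}

if __name__ == "__main__":
    for name, policy in [("TEAM_POLICY", TEAM_POLICY),
                         ("COMBINED", COMBINED), ("DEAD", DEAD)]:
        print(name, "delivers", reachable_types(policy),
              "silently drops", dropped_types(policy))
```
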

{% hint style="info" %}

#### Example

You may want your Support/IR team to be informed of infected files only, so you set up a subscription that filters down to `classificationResult = Matching` and gets sent to their emails or distribution list.

Scan results of `Error` and `Unclassifiable`, meanwhile, may get filtered down and sent to your infrastructure team, since both of those results typically relate to access issues (KMS related, password protection, file extension reading software, and non-text files).

You may want yet another subscription that either captures all classificationResult messages or just the NonMatching ones so you capture your own audit log of those files. So the endpoint could be an email not responded to or an application that gathers all this data.
{% endhint %}

Here is a sample message so you can see the format that gets sent. More samples for the other notification types below.

```json
2022-05-20 16:08:50.7409|INFO|MatchingClassificationResults|{
    "date": "2022-05-20",
    "guid": "60ea309d-b0f5-4b14-a0a2-76ff49bd210f",
    "dateTime": "2022-05-20T16:08:50.716198Z",
    "accountId": "351727022968",
    "region": "us-east-1",
    "container": "class-trigger-bucket-3",
    "objectPath": "Employee List.xlsx",
    "innerFilePath": null,
    "textMatchingSet": [
        {
            "cclName": "SocialsecuritynumbersUSA",
            "score": 1,
            "triggered": true,
            "matchesCount": 1
        }
    ],
    "error": null,
    "resultType": 1
}
```

Follow the steps below to set up your Topic Subscription utilizing an AWS provided protocol like email.

#### Create Subscription - Email Example

1. Click the `Add Subscription` button

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FgQbDBLHhwAJ6QGL0DkgU%2Fproactive-notifications-addsub.png?alt=media" alt=""><figcaption></figcaption></figure>
2. The `Add Proactive Notifications Subscription` popup will appear

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FVLsMv2uU1OIIv1RPUiW5%2Fproactive-notifications-addsub-popup1.png?alt=media" alt=""><figcaption></figcaption></figure>
3. Specify the `Notification Type` of choice - for our example we will choose `ClassificationResult`

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FbSS9qASMl1w3eqbdgTyy%2Fproactive-notifications-addsub-scanresult-dc.png?alt=media" alt=""><figcaption><p><mark style="background-color:blue;">Note:</mark> After selecting the <code>Notification Type</code> you will be presented other fields to populate. At a minimum, you must specify a <code>Protocol</code> and <code>Endpoint</code>. The other fields can be populated as described above.</p></figcaption></figure>
4. Choose `Email` as the protocol and enter your email address<br>

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FURLcah9ToPFnraPNJcsy%2Fproactive-notifications-addsub-emailadded-dc.png?alt=media" alt=""><figcaption><p><mark style="background-color:blue;">Note:</mark> If you left it as seen here, every scan result (clean, infected, unscannable, error and infectedAllowed) would be sent to your email. Generally, you may want to limit down to <code>infected</code> and <code>unscannable</code> to limit the number of emails received. This is up to your requirements, so do as you see fit. As described above, you can filter the results by result, bucket or account and proper combinations of those.</p></figcaption></figure>
5. Specify `Classification Results` values to limit emails sent\
   ![Add Subscription Popup - Limited Results](https://github.com/cloudstoragesec/HelpDocs/blob/main/docs/img/proactive-notifications-addsub-limitedresults-dc.png)
6. Click the `Add Subscription` button

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FJY97yq8rSC9a7Orw1WOD%2Fproactive-notifications-addsub-create-dc.png?alt=media" alt=""><figcaption></figcaption></figure>
7. You will now see a new entry in the table list showing as `Pending` under status

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2F5mibCKyQNzQXseam7fnw%2Fproactive-notifications-addsub-pending-dc.png?alt=media" alt=""><figcaption></figcaption></figure>
8. Check your email so you can **confirm** the subscription

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FAAWFipmXDUHcVpOuaISj%2Fproactive-notifications-addsub-confirmationemail.png?alt=media" alt=""><figcaption></figcaption></figure>
9. Open the email and click the `Confirm subscription` link\
   \
   This action will open a browser window showing subscription confirmation

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2Fy3laM5IzI6yyGrGfMN2C%2Fproactive-notifications-addsub-confirm.png?alt=media" alt=""><figcaption></figcaption></figure>

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FCXXBie55HX5Vbm4wvMUo%2Fproactive-notifications-addsub-confirmresult.png?alt=media" alt=""><figcaption></figcaption></figure>
10. Refresh the page list by clicking the little `Refresh` button and you will see your new subscription confirmed

    <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FSLvsdTcgKI9BYO06tJue%2Fproactive-notifications-addsub-confirmed-dc.png?alt=media" alt=""><figcaption></figcaption></figure>

You are all set now! Feel free to create more as needed for the different notifications needed.

{% hint style="warning" %}

#### Warning

AWS does not allow the same email address to be used for multiple subscriptions to the same topic. So you can leverage multiple addresses or you can use the "+" option most modern email providers (Gmail, O365, Exchange) support.

For example, instead of using `support@cloudstoragesec.com` as I did in the example steps I could do the following:

* *<support+scanresult@cloudstoragesec.com>* for all scan results
* *<support+updates@cloudstoragesec.com>* for system upgrade updates
* *<support+config@cloudstoragesec.com>* for notifications regarding new buckets or public buckets found
* etc.
{% endhint %}

If you'd like to perform these steps manually or see what is going on behind the scenes on the AWS side, expand the section below and read on. If the GUI was enough for you, then skip it.

<details>

<summary><strong>Manual Setup - Email</strong></summary>

1. Login to the AWS console and navigate to the region where the console is deployed\
   *If you are unsure of which region the console is deployed in, you can view the* [*Console Settings*](https://help.cloudstoragesec.com/console-overview/configuration/console-settings) *page to find it.*<br>

   <figure><img src="https://help.cloudstoragesec.com/img/notifications-consoleinfo.png" alt=""><figcaption></figcaption></figure>
2. Navigate to the Simple Notification Service (SNS) service\
   *You can search for the service or find it under Application Integration*

   <figure><img src="https://help.cloudstoragesec.com/img/notifications-sns-service.png" alt=""><figcaption><p><em>You'll land at the SNS Dashboard. You may have different numbers of existing Topics and Subscriptions</em></p></figcaption></figure>

   <figure><img src="https://help.cloudstoragesec.com/img/notifications-sns-dashboard.png" alt=""><figcaption></figcaption></figure>
3. Click on Topics as indicated above and then click on the Notifications Topic\
   *The Topic will be named `CloudStorageSecNotifications-<appID>`. You can find your `appID` in the* [*Console Settings*](https://help.cloudstoragesec.com/console-overview/configuration/console-settings) *as the value after the `-` of the Service Name.*\
   ***Note**: I have more than one deployment in my account so I see more than one standard topic and more than one notifications topic.*

   <figure><img src="https://help.cloudstoragesec.com/img/notifications-sns-topic.png" alt=""><figcaption><p><em>You will land on the details page for the Topic</em></p></figcaption></figure>

   <figure><img src="https://help.cloudstoragesec.com/img/notifications-sns-topic-details.png" alt=""><figcaption></figcaption></figure>
4. Click the `Create Subscription` button to be taken to the Create Subscription page

   <figure><img src="https://help.cloudstoragesec.com/img/notifications-sns-sub-create.png" alt=""><figcaption></figcaption></figure>
5. Pick a Protocol of your choice\
   *We'll use `Email` for this example*<br>

   <div align="left"><figure><img src="https://help.cloudstoragesec.com/img/notifications-sns-sub-protocol.png" alt=""><figcaption></figcaption></figure></div>
6. Pick a Protocol of your choice\
   *We'll use `Email` for this example*<br>

   <figure><img src="https://help.cloudstoragesec.com/img/notifications-sns-sub-email.png" alt=""><figcaption><p><mark style="background-color:blue;"><strong>Note:</strong></mark>  You will have to confirm your subscription as AWS indicates. Go to the email address you specified and click the link within it <strong>after</strong> you finish creating the subscription.</p></figcaption></figure>
7. Setup a Filter Policy (optional)\
   *You can be done at this point, but without a filter policy you will get notified of every scan result. Look back above for scenarios where filtering makes sense*<br>

   ```json
   {
       "notificationType" : ["classificationResult"],
       "classificationResult" : ["Matching", "Error", "Unclassifiable", "NonMatching"],
       "bucket" : ["your_bucket_name(s)"]
   }
   ```

   <figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FWM7mD1EWXNFGaQMgBOP9%2FScreenshot%202023-01-23%20135508.jpg?alt=media&#x26;token=c16081bb-432b-476b-84cb-f3cd33d640e0" alt=""><figcaption></figcaption></figure>
8. Click the `Create Subscription` button and you are done!\
   *Technically, you will now need to go confirm your subscription.*

:pencil2: **Note**

You can copy and paste that JSON directly into the filter and it will work. **Remember** to pick which scan results you are filtering on and remove the others from the list.

*Copy the JSON and paste it into the filter policy JSON editor as seen below and edit as you see fit*

</details>

#### Manage Subscription

Managing an existing subscription is easy. Simply click the action button (![Manage Subscription button](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2F4I4L6yuiOAX0g9uLagsp%2Fproactive-notifications-manage-sub-button.png?alt=media)) to either `Edit` or `Delete` the subscription. Editing will allow you to make changes as are permitted to the subscription. Deleting will remove the subscription.

<br>

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FjRrSxdh0lkkhiIElpkN7%2Fproactive-notifications-edit-subscription-dc.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FjeR1qQolsA5bWznuJqU3%2Fproactive-notifications-manage-subscription-dc.png?alt=media" alt=""><figcaption></figcaption></figure>

#### Sample Email Protocol Messages

Once you have confirmed your subscription, as objects get scanned you will see messages in your Inbox as follows:

![Notifications Email Inbox](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FynTOhJbG0jInfjwDvKpy%2Fnotifications-email-inbox-dc.png?alt=media)

And here are the details of an email notification reporting that content in an object is Matching what the chosen Classification rules searched for.

![Notifications Email Inbox](https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2Fx4H1GuCEocKAOi3p9hlM%2Fnotifications-email-message-dc.png?alt=media)

#### Slack Integration Setup

It is a simple process (it may sound more complicated than it is) that took under 10 minutes to set up. Simply follow the process laid out in the AWS blog post on how to leverage webhooks: [AWS SNS + Slack / Teams / Chime setup](https://aws.amazon.com/premiumsupport/knowledge-center/sns-lambda-webhooks-chime-slack-teams/)

Here is what it looks like in Slack. You can modify the format with [Slack Message Layouts](https://api.slack.com/messaging/composing/layouts).

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FU8ECPVmx1N9aS7qH6Es0%2Fscan-results-slack-integration.png?alt=media" alt=""><figcaption></figcaption></figure>

<details>

<summary>Sample Messages - JSON</summary>

```json
{
    "date": "2022-05-20",
    "guid": "60ea309d-b0f5-4b14-a0a2-76ff49bd210f",
    "dateTime": "2022-05-20T16:08:50.716198Z",
    "accountId": "351727022968",
    "region": "us-east-1",
    "container": "class-trigger-bucket-3",
    "objectPath": "Employee List.xlsx",
    "innerFilePath": null,
    "textMatchingSet": [
        {
            "cclName": "SocialsecuritynumbersUSA",
            "score": 1,
            "triggered": true,
            "matchesCount": 1
        }
    ],
    "error": null,
    "resultType": 1
}
```

</details>
{% endtab %}
{% endtabs %}

### Email Reports

For customers who want a daily summary of Anti-Virus scanning sent to their inboxes, we offer the ability to send daily email reports detailing recently found threats. We show a brief report including types of problem files found, malware detected, and threats found in the last week.

Enable this feature in the Email Reports tab on the Configuration > Proactive Notifications page. Enter a comma-separated list of email recipients and click 'Save'. Daily Email Reports will now be sent to those addresses.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FMQ9wxGKlYaocOq1DFfHn%2Fimage.png?alt=media&#x26;token=4b105a0b-bbcf-4fa0-af18-8b4f921ef8aa" alt=""><figcaption><p>Configure Email Report</p></figcaption></figure>

Here's an example of a daily Email Report.

<figure><img src="https://905555942-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlGcQw8I2CHyi1loKBlfi%2Fuploads%2FadZ3rjE7xW0kQ9HAgiD7%2Fimage.png?alt=media&#x26;token=1ff9a8c5-0ba7-4666-9c54-6a31b5934b6f" alt=""><figcaption><p>Email Report </p></figcaption></figure>
{% endtab %}
{% endtabs %}
