Proactive Notifications

The Dashboard is a great resource to monitor your environment while you are using the console. For all the times you are not in front of the console, it is critically important you are made aware of any problem files Antivirus for Amazon S3 discovers. With this in mind, a Notifications SNS Topic is provided where Antivirus for Amazon S3 publishes useful messages. You can simply subscribe to the Topic with the protocol (HTTP, HTTPS, Email, Email-JSON, Amazon SQS, AWS Lambda, Platform Application Endpoint, SMS) of your choice.

Every notification message we generate carries a Notification Type attribute and may carry secondary attributes. The attribute name is notificationType, and it currently supports the value scanResult. A secondary attribute, scanResult, has also been added with four possible values: Infected, Error, Unscannable and Clean. The notification type will become more useful as more notifications are added. Because every message contains these attributes, it is easy to create filters on the messages so you are notified the way you want to be.

Example

You may want your Support/IR team to be informed of infected files only, so you set up a subscription that filters down to scanResult = Infected and delivers to their email addresses or distribution list.

Scan results of Error and Unscannable may instead get filtered down and sent to your infrastructure team, since both of those results typically relate to access issues (either KMS related or cross-account permissions).

You may want yet another subscription that captures either all scanResult messages or just the Clean ones, so you keep your own audit log of those files. The endpoint could be a mailbox that nobody replies to or an application that gathers all this data.

Follow the steps below to set up your Topic Subscription.

Setup Steps

  1. Log in to the AWS console and navigate to the region where the console is deployed
    If you are unsure of which region the console is deployed in, you can view the Console Settings page to find it.
  2. Navigate to the Simple Notification Service (SNS) service
    You can search for the service or find it under Application Integration
    You'll land at the SNS Dashboard. You may have different numbers of existing Topics and Subscriptions.
  3. Click on Topics as indicated above and then click on the Notifications Topic
    The Topic will be named CloudStorageSecNotifications-<appID>. You can find your appID in the Console Settings as the value after the - of the Service Name.
    Note: I have more than one deployment in my account so I see more than one standard topic and more than one notifications topic.
    You will land on the details page for the Topic.
  4. Click the Create Subscription button to be taken to the Create Subscription page
  5. Pick a Protocol of your choice
    We'll use Email for this example
  6. Pick a Protocol of your choice
    We'll use Email for this example

    Note

    You will have to confirm your subscription as AWS indicates. Go to the email address you specified and click the link within it after you finish creating the subscription.

  7. Set up a Filter Policy (optional)
    You can be done at this point, but without a filter policy you will get notified of every scan result. Look back at the Example section above for scenarios where filtering makes sense.

    {
        "notificationType" : ["scanResult"],
        "scanResult" : ["Infected", "Error", "Unscannable", "Clean"],
        "bucket" : ["your_bucket_name(s)"]
    }
    

    Note

    You can copy and paste that JSON directly into the filter and it will work. Remember to pick which scan results you are filtering on and remove the others from the list.

    Copy the JSON above, paste it into the filter policy JSON editor, and edit it as you see fit.

    You can read more about SNS Topic Subscription attribute matching in the AWS Documentation on the subject.

  8. Click the Create Subscription button and you are done!
    Technically, you will now need to go confirm your subscription.
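The three subscriptions from the Example section, written as filter policies in the step 7 format and checked offline against sample message attributes. This is an added example, not code from the product; the subscription names, bucket names and sample messages are constructed, and `matches` models only the exact-string matching of SNS attribute filtering (all policy keys must match, any listed value may match, comparison is case-sensitive).

```python
import json

# Policies for the subscriptions in the Example section, in the step 7 format.
# Subscription names and the bucket name are constructed for illustration.
POLICIES = {
    "ir-team": {"notificationType": ["scanResult"], "scanResult": ["Infected"]},
    "infra-team": {"notificationType": ["scanResult"],
                   "scanResult": ["Error", "Unscannable"]},
    "audit-log": {"notificationType": ["scanResult"]},
    "prod-only": {"notificationType": ["scanResult"], "scanResult": ["Infected"],
                  "bucket": ["example-prod-uploads"]},
    # Mistake to catch: matching is case-sensitive, so "infected" never fires.
    "ir-team-typo": {"notificationType": ["scanResult"], "scanResult": ["infected"]},
}
SCAN_RESULTS = ["Infected", "Error", "Unscannable", "Clean"]

# Constructed message attributes, not captured from a real deployment.
SAMPLE_MESSAGES = [
    {"notificationType": "scanResult", "scanResult": "Infected",
     "bucket": "example-prod-uploads"},
    {"notificationType": "scanResult", "scanResult": "Unscannable",
     "bucket": "example-dev-scratch"},
    {"notificationType": "scanResult", "scanResult": "Clean",
     "bucket": "example-prod-uploads"},
    {"notificationType": "bucketsDiscovered"},
]


def matches(policy, attributes):
    """Exact-string subset of SNS filtering: every policy key must be present
    on the message (AND) and equal one of the listed values (OR)."""
    return all(attributes.get(key) in allowed for key, allowed in policy.items())


def route(attributes, policies=POLICIES):
    """Sorted names of the subscriptions that would receive this message."""
    return sorted(n for n, p in policies.items() if matches(p, attributes))


def coverage_gaps(policies):
    """Scan results that no subscription in `policies` would ever be sent."""
    probe = {"notificationType": "scanResult"}
    return [r for r in SCAN_RESULTS if not route({**probe, "scanResult": r}, policies)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(json.dumps(msg), "->", route(msg))
    print("gaps with only the typo policy:",
          coverage_gaps({"ir": POLICIES["ir-team-typo"]}))
```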

Sample Messages

Once you have confirmed your subscription, notification messages will arrive in your inbox as objects get scanned.

The email received for an infected file carries the details of that scan result.

Message Types

All possible message information:

Key Name            Description
notificationType    Top level identifier for messages added to this queue.
                    Possible values:
                      • scanResult
                      • bucketsDiscovered
                      • bucketProtection
                      • bucketCrawling
                      • bucketsPublicAccess
                      • updatesAvailable
                      • trialExpiring
scanResult          Secondary attribute to identify the scan results.
                    Possible values:
                      • Infected
                      • Error
                      • Unscannable
                      • Clean
bucket              Secondary attribute to identify which bucket the scan result came from. You could provide more than 1 bucket name if desired in a comma-separated list like the scanResult leverages.
                    Possible values: your_bucket_name(s)
accountID           Can be used with scanResult, bucketsDiscovered, bucketProtection, bucketCrawling, bucketPublicAccess

Last update: October 16, 2020