There is very little to configure to get the product up and scanning your data. The only activity you truly have to do post deployment is enable buckets for scanning.
Currently this page just shows a list of all the buckets that your deployment of Classification for Amazon S3 has access to. In the future there will be the ability to scan/classify on-demand and protect buckets so that new files are scanned/classified as they get added to a protected bucket.
The Bucket Protection table is a complete list of the buckets you have in your account or linked accounts and their current status. You will see all buckets across all regions within the account the console is running in as well as active linked accounts.
Protected Buckets Page
Accountidentifier shows as
Primary. This represents the default account you deployed the solution in. If you link accounts for cross-account scanning, you will see a different identifier (the nickname you gave it) for those buckets that come from other accounts.
The bucket list is refreshed every 30 minutes in the background, but if you have recently created new buckets or deleted existing, you can force a refresh with the
Actions --> Refresh Bucketsmenu item at the top of the buckets list.
You may have noticed the Object Count and Total Size (GB) values for each bucket. These are not real-time reliable numbers. This data is pulled from CloudWatch Metrics for S3 Buckets. Amazon only updates these metrics once per day at the end of each day. So the numbers you are seeing are always a day old, but can give you a good feel.
We check certain attributes related to buckets to give you information pertinent to setting up protection. As a result, you may notice icons next to the bucket names. The two main aspects we check now are public status and the encryption status. We want you to be informed on which buckets are public and how they are public. We also want to stop you from scanning whole buckets of encrypted objects when we don't have permissions to the key to decrypt those objects. Giving the AgentRole permissions to the key will solve this issue.
- when bucket is capable of being
public, but not actually
- Some of the
Block Public Accesschecks are turned off, but there isn't an ACL or a Bucket Policy set to make the bucket public.
- when bucket is truly
publicvia ACL or Bucket Policy.
- Some of the
Block Public Accesschecks are turned off and there is an ACL or a Bucket Policy set to make the bucket public.
- The tooltip will give you details on the ACL settings.
- when KMS encryption enabled on the bucket and the AgentRole does not have permission to the key.
You will not be able to turn on protection for a bucket or perform a
Scan Existingif the AgentRole does not have permission to the key
- when KMS encryption enabled on the bucket and the AgentRole does have permissions to the key.
You can enable buckets one at a time by selecting one checkbox or you can multi-select checkboxes or you can "select all" with the
Select Visiblebutton at the top of the page to create any kind of bucket set for enabling protection. For any buckets in new regions where you aren't currently scanning, you will be asked to configure the VPC and Subnet(s) as we saw in the Initial Configuration. And if you select multiple new regions during the same action, you will be prompted to configure each one. Look to the steps below where two buckets are selected from two different regions (
us-west-1) not currently enabled.
Multi-region Bucket Select
Select Visiblemeans all rows available from the filtered search. If no search criteria has been entered, then all buckets in your list will be selected. If you have filtered the list down with a search, then only those search results will be selected.
This is a great way to find the set of buckets you want to take a batch action against and trigger the action.
You can chain sets together by filtering to select a few buckets, filter with different criteria and select a few buckets. Both selected sets will remain selected. This allows you to take the same action against different filtered sets.
Turn On Selectedfrom the
Actionsdrop down button yields the following popup where you must configure a VPC and Subnet(s) for any regions that are not already setup.
Multi-region VPC setup
The VPC and Subnets you choose must have an outbound path to reach Amazon ECR. If not, the agents will never boot properly. As discussed in the troubleshooting topic, you can do with outbound access to the internet or through VPC Endpoints that give you access to ECR and API.
We now show
Privatenext to each VPC to indicate whether or not the VPC is tied to an Internet Gateway and therefor likely to have an outbound path. We also show
Restrictednext to each Subnet to indicate whether each Subnet appears to have outbound routing.
In addition to selecting buckets in a one or many fashion as described above, you can automate the protection of buckets by leveraging
tag triggered protection. By specifying a particular tag on the bucket we will automatically turn event-based protection on for that bucket(s).
We do this in the every 30 minute refresh cycle where we refresh the bucket catalog for bucket characteristics, new or removed buckets and now for the protection of those buckets.
Any time you enable a bucket for scanning, you will be asked if you would like to scan all the existing objects in that bucket as well. You can also trigger a
scan existing objectsany time from the
Actionsdrop down button at the top of the bucket list as well. In the scenario above, you turned on two buckets and were first prompted to select network settings. Once that is complete you will be presented the
Scan Existing Objectspopup. If you'd prefer not to scan existing objects at this time you can simply click
Don't Scanand this popup will be closed. If you do prefer to scan your existing objects as well, you select some or all of the buckets you had enabled for event-based scanning and then click the
Scan Selectedbutton. You must select the disclaimer checkbox as well before the button will be enabled.
Buckets being turned on for event-based scanning is not a pre-requisite for scanning existing objects. Whether the bucket is turned on or off and whether it has a conflict or not, a
scan existingcan be triggered on it. More than one
scan existingcan be triggered on a bucket if so desired (picture two or more distinct, non-contiguous date ranges needed). Triggering a
scan existingfor a bucket or buckets is simple on this page. Select one or many buckets using the
Select Allbutton or the checkboxes and then select
Scan Existing Objectsfrom the
Actionsbutton. This will pull up the same popup as seen above.
Scan Existing button
Scan Existing popup
For a time window, the default is beginning of time through current time. The intends to scan all objects within the bucket. The date picker allows you to select from one of the present values as well as create a completely custom range.
Custom Rangeallows you to select down to specific hours and minutes of the day if needed.
The instructions for this popup are collapsed by default. Expand for detailed steps.
run task(temporary tasks) is spun up for each bucket to crawl the objects and place matching files into a temporary SQS Queue. Each run task will shut down as crawling is completed. A new set of
run taskswill be spun up to to process the queue entries. We will automatically attempt to spin up the number of
run tasksrequired to process the queue in ~1 hour.
On-demand and Scheduled scan-existing scans are considered Jobs and can be tracked on the Monitoring → Jobs page.
In addition to the on-demand scanning that Scan Existing offers, you can create schedules to scan your buckets as well. You simply need to select the buckets you would like to scan and then define the scan frequency as desired.
Select the buckets and then from the action menu click on
Create Schedulemodal will pop up to allow you to review selected buckets and define the scan frequency (daily, weekly, monthly, yearly).
Creating a schedule from this page, does NOT actually activate the schedule. You must go to the Scheduled Scans page and then activate the schedule. Only at that time will the schedule execute and protect your buckets as defined.
"Protection" can mean multiple things. In regards to Antivirus for Amazon S3 it means: real-time scanning (event-based), schedule scanning (pre-defined schedules based) and on-demand (pick a bucket(s) and time window whenever you want). The bucket catalog shown on this page will easily reflect how a bucket is being protected with real-time or scheduled icons as seen below. Green is protected and red is not. Schedules can be yellow to reflect a bucket is in a schedule, but that schedule is not currently active.
- Real-time Protection On -
- Real-time Protection Off -
- Protected by Active Schedule -
- Part of an Inactive Schedule -
- Not a Part of any Schedule -
- Protected by another Cloud Storage Security Antivirus for Amazon S3 console -
On top of these main statuses, you may have buckets that are in some form of conflict for scanning. There are three conflicts that can arise represented by two colors: yellow and red. The yellow color indicates a conflict we can fix, but want to make you aware of it in case there are considerations you need to make. The red color indicates one of two conflicts that we cannot automatically address. This will require you to intervene to enable scanning. Please check out the Trouble Shooting - Address Conflicts section for detailed steps on how to resolve these.
On top of those main conflicts, you can see a purple color tied to the primary account or a linked account if there is another Antivirus for Amazon S3 console running and protecting buckets.
Every field in the table can be searched upon utilizing the
Searchfield at the top of the page. Want to see only the buckets in 'east' search for that. Want all of the buckets that have a particular piece of text in their name, just type in that piece of text. You can search for multiple things as well separated by a space. Want to see all the buckets in
Productionaccount just add both of those in with a space between them.
There are some hidden terms that can be searched on:
Protection Status can be searched by either
Offas the toggle would indicate. You may find bucket names that one
onwithin the name that could throw the results slightly off. In this case, use column sort on Protection Status.
Bucket Conflicts can be searched for by using the word
conflictin the search field. This will return all the highlighted rows that reflect a potential event conflict.
publicwill identify all buckets that have some public aspects to them as seen in the Bucket Attributes above.
Searching on 'encrypt` will return all buckets that have a KMS key associated with them and identify whether the AgentRole has access to the key as seen in the Bucket Attributes above.
We also provide the ability to search leveraging regex within the search field. This gives you great flexibility to really narrow down exactly what you are looking for. Where as a general partial word specified in the Search field may pull back more rows than you'd like, the regex option will allow you to better pattern match.
For example, searching on
webinarreturns 5 matching buckets as seen here:
But, if I want just the "webinar" folders that end with "files", I could specify
Regex(webinar.*files)to get the two buckets that contain "webinar" and end with "files":
Another useful capability is that you can aggregate multiple individual searches to build a larger selected list. I can create a potentially complex regex or I can do multiple simple searches for my selections. Extending the example above, albeit a simple one, might look as follows.
webinarbuckets you want.
Notice the bottom summary line:
Showing 5 of 124 buckets - 2 selected
webinarfrom the search and enter
canadain place of it and select the canada bucket you want.
Now notice the bottom summary line:
Showing 1 of 124 buckets - 3 selected (2 not currently visible)
Your first search selections are still maintained as well as any subsequent search selections made. So you can build up your selected list very simply this way. This can be used for one off retro scanning (Scan Existing) as well as the basis for creating schedule based scans.
Search Account and Region
Search Public Status
Search with Regex