Cloud Storage Security Help Docs
Release Notes
  • Introduction
  • Getting Started
    • How to Subscribe
      • Pay-As-You-Go (PAYG)
      • Bring Your Own License/GovCloud (BYOL)
      • AWS Transfer Family
    • How to Deploy
      • Steps to Deploy
      • Advanced Deployment Considerations
      • AWS Transfer Family
    • How to Configure
  • Console Overview
    • Dashboard
    • Malware Scanning
      • AWS
        • Buckets
        • Amazon EBS Volumes
        • Amazon EFS Volumes
        • Amazon FSx Volumes
        • WorkDocs Connections
      • Azure
        • Blob Containers
      • GCP
        • GCP Buckets
    • See What's Infected
      • Findings
      • Malware History
      • Results
    • Schedules
    • Monitoring
      • Error Logs
      • Bucket Settings
      • Deployment
      • Jobs
      • Notifications
      • Storage Assessment
      • Usage
    • Configuration
      • Classification Rule Sets
      • Classification Custom Rules
      • Scan Settings
      • Console Settings
      • AWS Integrations
      • Job Networking
      • API Agent Settings
      • Proactive Notifications
      • License Management
      • Event Agent Settings
    • Access Management
      • Manage Users
      • Manage Accounts
        • Linking an AWS Account
        • Linking an Azure Account
        • Linking a GCP Account
      • Manage Groups
    • Support
      • Getting Started
      • Stay Connected
      • Contact Us
      • Documentation
  • Product Updates
  • How It Works
    • Scanning Overview
      • Event Driven Scanning for New Files
      • Retro Scanning for Pre-Existing Files
      • API Driven Scanning
    • Architecture Overview
    • Deployment Details
    • Sizing Discussion
    • Integrations
      • AWS Security Hub
      • AWS CloudTrail Lake
      • AWS Transfer Family
      • Amazon GuardDuty
      • Amazon Bedrock
    • Demo Videos
    • Scanning APIs
    • SSO Integrations
      • Entra ID SSO Integration
      • Okta SSO Integration
  • Frequently Asked Questions
    • Getting Started
    • Product Functionality
    • Architecture Related
    • Supported File Types
  • Troubleshooting
    • CloudFormation Stack failures
    • Cross-Region Scanning on with private network
    • API Scanning: Could not connect to SSL/TLS (v7)
    • Password not received after deployment
    • Conflicted buckets
    • Modifying scaling info post-deployment
    • Objects show unscannable with access denied
    • Remote account objects not scanning
    • My scanning agents keep starting up and immediately shutting down
    • I cannot access the management console
    • Linked Account Out of Date
    • Rebooting the Management Console
    • Error when upgrading to the latest major version
    • I Cannot Create/Delete an API Agent
  • Release Notes
    • Latest (v8)
    • v7
    • v6 and older
  • Contact Us & Support
  • Data Processing Agreement
  • Privacy Policy
Powered by GitBook
On this page
  • Bucket Protection Table
  • Bucket Attributes
  • Scan new objects uploaded to a bucket
  • Automating Bucket Protection
  • Scan Pre-existing Objects
  • Scheduled Scanning
  • Protection Statuses
  • Event-based Protection
  • Schedules Status
  • Conflicted Buckets
  • Search
  • Special Search Terms
  • Additional Search Capabilities
  • Aggregate search terms
  • Search Examples
  • Filtering
  1. Console Overview
  2. Malware Scanning
  3. AWS

Buckets

PreviousAWSNextAmazon EBS Volumes

Last updated 14 days ago

Bucket Protection Table

The Bucket Protection table is a complete list of the current status of all buckets across all regions within the AWS account the console is running in as well as active linked accounts.

We've seen configuration for this page covered in the section, but we'll get into more details here

The bucket list is refreshed every 30 minutes in the background, but if you have recently created new buckets or deleted existing, you can force a refresh with the Actions --> Refresh Buckets menu item at the top of the buckets list.

You may have noticed the Object Count and Total Size (GB) values for each bucket. These are not real-time reliable numbers. This data is pulled from CloudWatch Metrics for S3 Buckets. Amazon only updates these metrics once per day at the end of each day. So the numbers you are seeing are always a day old, but can give you a good feel.

Bucket Attributes

    • Some of the Block Public Access checks are turned off, but there isn't an ACL or a Bucket Policy set to make the bucket public.

    • Some of the Block Public Access checks are turned off and there is an ACL or a Bucket Policy set to make the bucket public.

    • The tooltip will give you details on the ACL settings.

You will not be able to turn on protection for a bucket or perform a Scan Existing if the AgentRole does not have permission to the key

Scan new objects uploaded to a bucket

Select Visible means all rows available from the filtered search. If no search criteria has been entered, then all buckets in your list will be selected. If you have filtered the list down with a search, then only those search results will be selected.

This is a great way to find the set of buckets you want to take a batch action against and trigger the action.

You can chain sets together by filtering to select a few buckets, filter with different criteria and select a few buckets. Both selected sets will remain selected. This allows you to take the same action against different filtered sets.

Selecting Turn On Selected from the Actions drop down button yields the following popup where you must configure a VPC and Subnet(s) for any regions that are not already setup.

We now show Public / Private next to each VPC to indicate whether or not the VPC is tied to an Internet Gateway and therefor likely to have an outbound path. We also show Public / Restricted next to each Subnet to indicate whether each Subnet appears to have outbound routing.

Automating Bucket Protection

We do this in the every 30 minute refresh cycle where we refresh the bucket catalog for bucket characteristics, new or removed buckets and now for the protection of those buckets.

Scan Pre-existing Objects

Any time you enable a bucket for scanning, you will be asked if you would like to scan all the existing objects in that bucket as well. You can also trigger a scan existing objects any time from the Actions drop down button at the top of the bucket list as well. In the scenario above, you turned on two buckets and were first prompted to select network settings. Once that is complete you will be presented the Scan Existing Objects popup. If you'd prefer not to scan existing objects at this time you can simply click Don't Scan and this popup will be closed. If you do prefer to scan your existing objects as well, you select some or all of the buckets you had enabled for event-based scanning and then click the Scan Selected button. You must select the disclaimer checkbox as well before the button will be enabled.

Buckets being turned on for event-based scanning is not a pre-requisite for scanning existing objects. Whether the bucket is turned on or off and whether it has a conflict or not, a scan existing can be triggered on it. More than one scan existing can be triggered on a bucket if so desired (picture two or more distinct, non-contiguous date ranges needed). Triggering a scan existing for a bucket or buckets is simple on this page. Select one or many buckets using the Select All button or the checkboxes and then select Scan Existing Objects from the Actions button. This will pull up the same popup as seen above.

For a time window, the default is beginning of time through current time. The intends to scan all objects within the bucket. The date picker allows you to select from one of the present values as well as create a completely custom range. Custom Range allows you to select down to specific hours and minutes of the day if needed.

You can add specific prefixes to crawl, limiting the scan to only those paths inside the S3 bucket. When you run the 'Scan Pre-Existing Objects' option for the bucket, you can also choose 'Only Scan Objects that Have Not Already Been Scanned' to avoid rescanning files that were already processed:

The instructions for this popup are collapsed by default. Expand for detailed steps.

A Fargate run task (temporary tasks) is spun up for each bucket to crawl the objects and place matching files into a temporary SQS Queue. Each run task will shut down as crawling is completed. A new set of run tasks will be spun up to to process the queue entries. We will automatically attempt to spin up the number of run tasks required to process the queue in ~1 hour.

Scheduled Scanning

Select the buckets and then from the action menu click on Create Schedule

The Create Schedule modal will pop up to allow you to review selected buckets and define the scan frequency (daily, weekly, monthly, yearly).

Protection Statuses

"Protection" can mean multiple things. In regards to Antivirus for Amazon S3 it means: real-time scanning (event-based), schedule scanning (pre-defined schedule based) and on-demand (pick a bucket(s) and scan immediately whenever you want).

The Shield Color Legend shown on this page will reflect how a bucket is being protected with event-based scanning as seen below.

Event-based Protection

A green shield means a bucket is protected and a red shield indicates a bucket is not protected.

Schedules Status

The schedule icons shown below will reflect whether a bucket is associated with a schedule and whether that schedule is active or not.

Conflicted Buckets

As of v7.00.000 we automatically use EventBridge to resolve any bucket conflicts.

On top of these main statuses, you may have buckets that are in some form of conflict for scanning. As of v7.00.00 we automatically resolve any conflicted buckets using EventBridge.

If a bucket is conflicted it will have a shield with a slash through it. If a bucket is protected by event bridge it will have a green shield with a star inside of it.

You can protect a conflicted bucket by clicking on the shield associated with the bucket. You will receive a prompt notifying you that we can protect this bucket with EventBridge and additional charges from EventBridge will be incurred. If you select Turn On your bucket will have event-based scanning enabled (using EventBridge).

If Protect with Event Bridge is not enabled we will protect buckets using the "best choice". If the bucket can be protected with the S3 Event Notification we will do so, but if conflicted we will fail over to Event Bridge.

Along with these main conflicts, you can see a purple colored shield associated with a bucket if there is another Antivirus for Amazon S3 console running and protecting that bucket.

If you'd like to protect it with a different console you'll first need to disable protection on that bucket inside the console that is already protecting it.

Search

Every field in the table can be searched upon utilizing the Search field at the top of the page. Want to see only the buckets in 'east' search for that. Want all of the buckets that have a particular piece of text in their name, just type in that piece of text. You can search for multiple things as well separated by a space. Want to see all the buckets in us-east-1 for the Production account just add both of those in with a space between them.

Special Search Terms

There are some special terms that you can search on:

  1. Public

  2. Encrypt

  3. Conflict

  4. Protected

Protection Status can be searched by Protected. You may find bucket names that one protected within the name which could throw the results slightly unprotected. In this case, use column sort on Protection Status.

Bucket Conflicts can be searched for by using the word conflict in the search field. This will return all the highlighted rows that reflect a potential event conflict.

Additional Search Capabilities

We also provide the ability to search leveraging regex within the search field. This gives you great flexibility to really narrow down exactly what you are looking for. Whereas a general partial word specified in the Search field may pull back more rows than you'd like, the regex option will allow you to better pattern match.

But, if you want a specific set of buckets that starts with "has" folders that end with "it", we could specify Regex(has.*it) to get the two buckets that contain "has" and end with "it":

Aggregate search terms

Another useful capability is that you can aggregate multiple individual searches to build a larger selected list. We can create a potentially complex regex or we can do multiple simple searches for our selections. Extending the example above, albeit a simple one, might look as follows.

Search for and select the buckets you want. In this example, we are searching for buckets named classification.

Notice the bottom summary line: Showing 7 of 896 buckets - 1 Selected

Clear classification from the search and enter eu in place of it and select the bucket(s) you want.

Now notice the bottom summary line: Showing 51 of 896 buckets - 3 Selected (1 not currently visible)

Search Examples

Filtering

Next to the Select Visible button, there is a Show button that lets you search and filter buckets based on the following options:

  • Show all buckets

  • Show unprotected buckets (Red Shield)

  • Show protected buckets (Green Shield)

  • Show buckets protected by another console (Purple Shield)

  • Show buckets protected by schedules (Watch icon)

Notice the Account identifier shows as Primary. This represents the default account you deployed the solution in. If you for cross-account scanning, you will see a different identifier (the nickname you gave it) for those buckets that come from other accounts.

We check certain attributes related to buckets to give you information pertinent to setting up protection. As a result, you may notice icons next to the bucket names. The two main aspects we check now are public status and the encryption status. We want you to be informed on which buckets are public and how they are public. We also want to stop you from scanning whole buckets of encrypted objects when we don't have permissions to the key to decrypt those objects. Giving the AgentRole will solve this issue.

when bucket is capable of being public, but not actually public.

when bucket is truly public via ACL or Bucket Policy.

when KMS encryption enabled on the bucket and the AgentRole does not have permission to the key.

Follow the for how to enable the AgentRole with the key.

when KMS encryption enabled on the bucket and the AgentRole does have permissions to the key.

You can enable buckets one at a time by selecting one checkbox or you can multi-select checkboxes or you can "select all" with the Select Visible button at the top of the page to create any kind of bucket set for enabling protection. For any buckets in new regions where you aren't currently scanning, you will be asked to configure the VPC and Subnet(s) as we saw in the . And if you select multiple new regions during the same action, you will be prompted to configure each one. Look to the steps below where two buckets are selected from two different regions (eu-central-1 and eu-north-1) not currently enabled.

The VPC and Subnets you choose must have an outbound path to reach Amazon ECR. If not, the agents will . As discussed in the troubleshooting topic, you can do with outbound access to the internet or through VPC Endpoints that give you access to ECR and API.

In addition to selecting buckets in a one or many fashion as described above, you can automate the protection of buckets by leveraging tag triggered protection. By specifying we will automatically turn event-based protection on for that bucket(s).

For more information check out the to define the tag we look for.

On-demand and Scheduled scan-existing scans are considered Jobs and can be tracked on the page.

To learn more retro scanning of your existing objects. More details can be found .

In addition to the on-demand scanning that offers, you can create schedules to scan your buckets as well. You simply need to select the buckets you would like to scan and then define the scan frequency as desired.

For more information, review the documentation page.

Creating a schedule from this page, does NOT actually activate the schedule. You must go to the page and then activate the schedule. Only at that time will the schedule execute and protect your buckets as defined.

Protected by Active Schedule -

Part of an Inactive Schedule -

Not a Part of any Schedule -

If you are running an older version (any version prior to v7.00.000) of our product please check out the section for detailed steps on how to resolve these conflicts.

You can also enable EventBridge globally for all buckets on the so you can use it by default anytime you protect a bucket.

If Protect with Event Bridge is enabled globally from then we will protect all selected buckets with Event Bridge without acknowledgment.

Searching on public will identify all buckets that have some public aspects to them as seen in the above.

Searching on encrypt will return all buckets that have a KMS key associated with them and identify whether the AgentRole has access to the key as seen in the above.

Your first search selection is still maintained as well as any subsequent search selections made. So you can build up your selected list very simply this way. This can be used for one off retro scanning () as well as the basis for creating .

link accounts
permissions to the key
trouble shooting
never boot properly
Monitoring → Jobs
Scheduled Scans
Trouble Shooting - Address Conflicts
Scan Settings
Scan Settings
Scan Existing
Bucket Attributes
Bucket Attributes
schedule based scans
Scan Existing
here
a particular tag on the bucket
Console Settings page
possibly public lock
truly public lock
kms encryption no permissions
kms encryption with permissions
Green clock
Red clock
Red clock
Scheduled Scans
Initial Configuration
Initial Configuration