Getting Started

Below are some of the most common questions related to getting started with our products.

Do my objects ever leave my account?

No. Antivirus for Amazon S3 is designed and deployed in such a way that your Amazon S3 objects never leave your account(s).

If you are utilizing Linked Accounts, the objects will be pulled from Account X to the deployed account for scanning. But these are maintained within your realm of linked accounts.

Is there a free trial?

Yes, we offer a 30-day period or up to 500GB of scanning (whichever comes first) to try the product. Trial extensions may be requested; please Contact Us.

Start a Trial

Like AWS' trial policy, the trial is good for only one deployment within an account. Any subsequent deployments will incur immediate charges for any data they scan. The initial deployment will remain within the trial period and trial data allotment.

You can see the status of your trial on the Config->License Management page. A warning banner on the main dashboard will also alert you when you are within 7 days of the trial ending or within 20% of the trial data allotment.

You can also subscribe to the Proactive Notifications to specifically receive emails when the free trial is approaching its end due to date or data.

How do you charge for the product?

We leverage a true consumption model. We charge for each gigabyte you scan with the product. This may be from one object or one thousand objects.

Review the public pricing on the AWS Marketplace Listing. Please Contact Us for custom pricing.

Do you have a detailed deployment guide?

You can follow along with the Getting Started section contained within the Help Docs you are currently viewing, or you can download the PDF Deployment Guide if that is easier to follow. The deployment guide covers a number of topics (more details on TCO and recovery strategies, if ever needed) that you will not find within the Help Docs.

Detailed Deployment Guide

Do you support AWS GovCloud?

Yes, we now have an option to deploy Antivirus for Amazon S3 inside of GovCloud. You can leverage the BYOL and GovCloud Listing in AWS Marketplace or launch the template directly from here.

AWS Marketplace doesn't currently support metering for Fargate containers inside of GovCloud, so you must purchase a license (pre-purchase GBs) to operate within GovCloud. Please contact us at sales@cloudstoragesec.com or one of our partners to procure a license.

Amazon Cognito is only supported in GovCloud US West, so the console must be deployed in this region. Scanning can be done in West or East, but the console deployment must be done in West.

Is this software as a service (SaaS)?

No, this solution is installed within your AWS account. Please refer to the Architecture section for more details.

We are exploring a SaaS version for those who are willing, but there is still a majority of companies who want their objects to stay "within their 4 walls" (in this case their own VPC) for the scanning process. Cloud Storage Security has delivered the solution to meet this initial need. We do see SaaS as a viable alternative for those that are willing so we are pursuing it.

There is a mechanism where we could offer this to you as a SaaS today. If interested, please contact us. If you're willing to work with us, we can explore delivering it to you this way.

Which browsers are supported?

Any modern browser of your choice is supported (Chrome, Firefox, Edge, Safari, etc.)

Where can I get the CloudFormation Template to deploy the product?

As seen in the How to Subscribe section, you'll be directly linked to the deployment CloudFormation Template. You can go to Manage Subscriptions within the AWS Console and launch additional software from there.

Templates:

  • PAYG Deployments:

    • Download the CloudFormation Template here or launch it directly here.

  • BYOL or GovCloud Deployments:

  • Transfer Family Integrated Deployments:

  • Cross-Account Role:

    • Download the CloudFormation Template here or launch it directly here.

You will be able to launch and deploy the Antivirus for Amazon S3 product from the above templates, but the product will not run unless you are subscribed.

What do all the CloudFormation parameters mean?

Parameter and Description

Stack Name

Name to identify this particular stack

Network Configuration

Virtual Private Cloud (VPC) ID

Choose which VPC the Console should be deployed to

Subnet A ID

Choose the first Subnet the Console could be deployed to.

Subnet B ID

Choose the second Subnet the Console could be deployed to. *Make sure the second subnet is different from the first.

Console Security Group CIDR Block

The IP address range that can access the Console management website (e.g. X.X.X.X/32 for a single IP, X.X.X.0/24 for a single office network range, or 0.0.0.0/0 for open access from anywhere).

It is always a good idea to restrict this to a network tied to your company rather than leaving it wide open.

Console Configuration

Console vCPU

CPU desired for the Console container. This container has little overhead, so start with the minimum and scale up as needed.

Console Memory

Memory desired for the Console container. This container has little overhead, so start with the minimum and scale up as needed.

Memory Requirement: The allowed memory size depends on the selected vCPU size. You must pick a value that is 2x to 8x the vCPU selection.

Example: with 0.5 vCPU, memory must be between 1GB and 4GB.

UserName

Name used to log in to the Management Console.

Email

This email address will be sent the initial password and all subsequent password reset requests.

Ensure you can access this email address.

Console Auto Assign Public IP

Allow public IP addresses to be assigned to the Console

  • Enabled - assign public IP

  • Disabled - do not assign public IP

Note: If you disable this, you must still have access to the VPC private network or you will be unable to access the console.

Enable CloudTrail Lake

Choose whether you want audit logs sent to CloudTrail Lake.

DynamoDB Point In Time Recovery

Choose whether to enable point in time recovery (PITR) for DynamoDB tables.

Allow Console To Run Storage Assessment

Choose whether you would like Storage Assessment to run within your console, providing details for your S3 deployment.

Buckets to Protect

Enter any pre-existing buckets that you would like to have event-based protection enabled on when the console is launched.

For multiple buckets, separate bucket names by commas (e.g. bucket1,bucket2,bucket3).

Note that this only works for buckets in the same region as this deployment.

Agent Configuration

Agent vCPU

CPU desired for the Agent container. Agent sizing varies with load volumes, object sizes and scan windows; refer to the Sizing Discussion for more details. Note: There is currently no reason to increase the agent vCPU; 1 vCPU is enough for scanning.

Agent Memory

Memory desired for the Agent container. Agent sizing varies with load volumes, object sizes and scan windows; refer to the Sizing Discussion for more details.

Note: At this time the default of 3GB memory is a good working amount. From testing, we do not see a need to go higher: you will scale out with more agents running before scaling up provides more value. In the future, tweaks may be made where more memory makes sense.

Memory Requirement: The allowed memory size depends on the selected vCPU size. You must pick a value that is 2x to 8x the vCPU selection. Example: with 1 vCPU, memory must be between 2GB and 8GB.

Agent Scanning Engine

Choose the AV Engine to execute scans.

Multi-Engine Scanning Mode

Choose how many engines you would like to scan your files:

  • Disabled will use a single engine.

  • All will scan every file with both engines.

  • LargeFiles will scan files larger than 2GB using the Sophos engine.

Agent Disk Size

Choose the size of the disk used to scan files. Any file discovered that is larger than the Agent Disk Size will be handed to the Large File Scanning process (if enabled).

This setting only applies when using the Sophos scanning engine.

Enable Large File Scanning

Choose whether you would like an EC2 instance launched to scan files that are too large to be processed by the normal agent.

Extra Large File Disk Size

Choose the size of the disk used to scan large files.

If a file is larger than the disk it will be classified as “unscannable”.

Extra Large File EC2 Tags

Enter an optional comma-separated list of key=value tags to place on extra large file scanning EC2 instances.

Allow Access to All KMS Keys

Allows the solution access to any KMS key only within the context of the Amazon S3 service. Permissions will be put in place so that we can decrypt and encrypt objects as needed during the scanning process.

Agent Auto Assign Public IP

Allow public IP addresses to be assigned to the scanning agents

  • Enabled - assign public IP

  • Disabled - do not assign public IP

Note: The agent has no real need for a public IP (unlike the Console, which needs one for access), but the network it resides in must have "public" routing or enough routing to execute AWS API calls. This could be through a VPC Endpoint for supported services or by placing the agent behind a NAT Gateway. Without that routing the agent will fail to spin up.

Quarantine objects into the primary account for infections in linked accounts?

For linked accounts, choose whether you would like quarantine buckets created within the primary account to capture infected files.

Expire (delete) quarantined objects after a specified number of days?

Choose how many days quarantined files will be retained before they are deleted. Enter 0 if you would like auto-delete disabled.

Agent Auto-Scaling Configuration

Only Run Scanning Agents When Files are in Queue?

Smart Scan - Yes/No: This controls how the scanning agents run. The default of No deploys and runs the Minimum Number of Running Agents defined below 24x7, so you always have an agent (or agents) up and ready to scan. Setting Smart Scan to Yes requires you to set the Minimum Number of Running Agents to 0; agents then spin up only when the work in the queue surpasses the Number of Messages in Queue to Trigger Auto-Scaling. When selecting Yes, the number of messages in queue should typically be set to a small number like 1, meaning that any time items come into the queue (any time there is work to do) an agent spins up to scan them. When there is no work to be done, all agents are spun down for efficiency. You can read more about this here.

Minimum Number of Running Agents Per Region

Minimum number of Agents you'd like running. This will be determined by scan volumes and scan windows. Refer to the Sizing Discussion for more details.

Setting this above 1 will incur more infrastructure costs, as more agents will be running full time.

Maximum Number of Running Agents Per Region

Maximum number of Agents you'd like running. This will be determined by scan volumes and scan windows. Refer to the Sizing Discussion for more details.

The default value of 12 is an arbitrary number at this time; change it as needed: smaller if you want to ensure you never scale above a certain number (to cap possible costs), larger if you need more agents running to process the load.

Number of Messages in Queue to Trigger Agent Auto-Scaling

The number of entries that must sit in the queue for at least 1 minute before more Agents are triggered to scale up. Based on how long it takes to process individual objects, you may make this number larger or smaller so you don't have too much scaling activity. Refer to the Sizing Discussion for more details.
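Several of the constraints stated in the parameter list above (the 2x to 8x memory rule for the Console and Agent containers, Subnet B differing from Subnet A, an open Console Security Group CIDR, and Smart Scan requiring Minimum Number of Running Agents = 0) can be checked before the stack is launched. The following Python validator is an added example, not code from the product or its documentation; the StackParams field names are assumed stand-ins for the CloudFormation parameter names, and the sample values are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Page rule: allowed memory is 2x to 8x the selected vCPU (Console and Agent alike).
MEM_MIN_FACTOR, MEM_MAX_FACTOR = 2, 8


@dataclass
class StackParams:
    """Subset of the CloudFormation parameters checked here (units: vCPU, GB)."""
    console_vcpu: float
    console_memory_gb: float
    agent_vcpu: float
    agent_memory_gb: float
    subnet_a: str
    subnet_b: str
    console_cidr: str
    smart_scan: bool   # "Only Run Scanning Agents When Files are in Queue?"
    min_agents: int
    max_agents: int


def memory_in_range(vcpu: float, memory_gb: float) -> bool:
    return vcpu * MEM_MIN_FACTOR <= memory_gb <= vcpu * MEM_MAX_FACTOR


def validate(p: StackParams) -> list[str]:
    """Return the problems found; an empty list means the parameters are consistent."""
    findings = []
    for label, vcpu, mem in (("Console", p.console_vcpu, p.console_memory_gb),
                             ("Agent", p.agent_vcpu, p.agent_memory_gb)):
        if not memory_in_range(vcpu, mem):
            findings.append(f"{label}: {mem}GB is outside {vcpu * 2}-{vcpu * 8}GB for {vcpu} vCPU")
    if p.subnet_a == p.subnet_b:
        findings.append("Subnet B ID must differ from Subnet A ID")
    try:
        # strict=False accepts host bits set, as the CloudFormation form would
        if ipaddress.ip_network(p.console_cidr, strict=False).prefixlen == 0:
            findings.append("Console CIDR 0.0.0.0/0 exposes the management console to any address")
    except ValueError:
        findings.append(f"Console CIDR {p.console_cidr!r} is not a valid CIDR block")
    if p.smart_scan and p.min_agents != 0:
        findings.append("Smart Scan = Yes requires Minimum Number of Running Agents = 0")
    if p.max_agents < p.min_agents:
        findings.append("Maximum Number of Running Agents is below the minimum")
    return findings


# Constructed sample: a 0.5 vCPU console with 4GB sits exactly at the 8x upper bound.
SAMPLE = StackParams(0.5, 4, 1, 3, "subnet-aaaa1111", "subnet-bbbb2222", "203.0.113.0/24",
                     smart_scan=True, min_agents=0, max_agents=12)
```

Run `validate(SAMPLE)` on your own values before deploying; an empty list means every rule above is satisfied.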

Optional Load Balancer Configuration

Use a Load Balancer for the Console?

A Yes/No answer determining whether or not to deploy a load balancer.

SSL Certificate ARN

In order to create a secure connection, you must provide an SSL certificate to register with the load balancer. This can be one created inside AWS Certificate Manager or from a third party.

Load Balancer Subnet A ID

Choose the first Subnet the Load Balancer could be deployed to.

NOTE: The load balancer subnets need to reside in the same Availability Zones as the Console subnets for them to properly communicate.

Load Balancer Subnet B ID

Choose the second Subnet the Load Balancer could be deployed to.

*Make sure the second subnet is different from the first.

NOTE: The load balancer subnets need to reside in the same Availability Zones as the Console subnets for them to properly communicate.

Register a Subdomain on Route53

A Yes/No answer for whether the domain associated with the load balancer is managed by Route53. If yes, then you can register it directly from the CloudFormation deployment.

Hosted Zone Name

The Route53 hosted zone value for the domain, e.g. my-hosted-domain.com

Subdomain

The value created as a subdomain on the hosted zone for application access, e.g. av-for-s3.my-hosted-domain.com

Info Opt-Out

The option to not register with our Route53 and check in with our Free Trial. This is only available with the Load Balancer deployment option, otherwise we couldn't ensure access to your Console. Note: As a result of not communicating with our backend service, your Free Trial will be shown as having ended. Follow these instructions to get your trial reinstated.

Optional Custom Hosting of Docker Container Images

Custom ECR Account

The value placed here should be the AWS Account Number where you are hosting the Console and Scanning Agent images.

Note: When this field is given a value, the Console and Scanning Agents will only look to the specified account repo for updates (and for the initial install). You are responsible for updating this repo.

Optional AWS Resource Renaming

Various Resources

Rename deployed resources to match your defined naming scheme. Resources to Rename (Prefix):

  • DynamoDB Tables

  • Quarantine Bucket Name

  • AppConfig Application

  • AppConfig Environment

  • AppConfig Deployment Strategy

  • AppConfig Document

  • AppConfig Document Schema

  • AppConfig Document Role

  • AppConfig Document Policy

  • User Pool

  • User Pool Client

  • User Pool Role

  • User Pool Policy

  • Console Task Role

  • Console Task Policy

  • Agent Task Role

  • Agent Task Policy

  • Cross Account Role

  • Cross Account Policy

  • Execution Role

  • Cluster Name

  • Service Name

  • Task Definition

  • Console Security Group

  • Load Balancer Name

  • Target Group Name

  • Load Balancer Group Name

  • Parameters

  • Notifications Topic

  • Event Based Scan Topic

  • Event Based Scan Queue

  • Retro Scan Queue

  • Event Agent Task

  • Event Agent Service

  • Retro Agent Task

  • Retro Agent Service

  • Large Event Queue Alarm

  • Small Event Queue Alarm

  • Decrease Agent Scaling Policy

  • Increase Agents Scaling Policy

  • Retro Queue Not Empty Alarm

  • Retro Queue Empty Alarm

  • Remove Retro Agents Scaling Policy

  • Set Retro Agent Scaling Policy

  • Agent Security Group Name

Transfer Family Specific Parameters

Existing Transfer Family Server

Set this option to 'No' and a Transfer Family Server and corresponding S3 bucket will automatically be deployed for you.

Quick Start Disable Auto-Protect

When set to 'No', the bucket which is created to store files uploaded to the Transfer Server is automatically protected by the console.
