Skip to content

How to Deploy



Ensure you have properly subscribed to Cloud Storage Security Antivirus for Amazon S3 before you attempt to deploy the CloudFormation template. If you are not properly subscribed, the deployment will fail to start. Antivirus for Amazon S3 won't run because it will fail the entitlement check.

If you'd like to run the software outside the context of the Amazon Marketplace, please Contact Us to discuss.

Deploying Antivirus for Amazon S3 is accomplished by using a CloudFormation Template that will install the necessary infrastructure components as well as the required roles and permissions. This section will help you fill out and run the CloudFormation Template.

The CloudFormation Template will create the following resources:

ECS Fargate Cluster with 1 Service and Task
(This is used to run the Antivirus for Amazon S3 Management Console)

DynamoDB; AppConfig
(This is used to save data for the software)

IAM Roles and Policies
(These are used to run the software)

Cognito UserPool (Used for user management)

Once running, the Management Console will create the following resources:

Adds 1 Service and Task (Scanning Agents) to existing region cluster
(This is used to run the scanning agents that process the objects)

Adds 1 ECS Cluster, Service and Task in each additional region you scan buckets
(This is used to run the scanning agents in new regions)

SNS Topic, SQS Queue, S3 Bucket events
(These are used to keep track of the object work)


Launching the deployment template from the Marketplace Listing will default you to the us-east-1 region. If you'd like to deploy in a different region, please ensure to change regions before proceeding.

Supported regions for Console deployment:
US East (N. Virginia), US East (Ohio), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Singapore), EU (Frankfurt), EU (Ireland), and EU (London) AWS regions. Missing regions are a result as to where Amazon Cognito is supported

Step 1 - Quick Create Stack and Specify the Parameters

Stack Details - PAYG

Leave all the default settings except the following:

  1. You must select a VPC from the drop down list.
  2. You must select a Subnet A ID from the drop down list.


    The subnets you choose for A and B must either be able to offer a public IP or be on a network you can access. Without that, the console will run, but not be reachable.

  3. You must select a different Subnet B ID from the drop down list.


    YOU MUST SELECT A DIFFERENT SUBNET FROM THE ONE SELECTED IN Subnet A ID. If you select the same subnet, stack creation will fail. If you happen to pick the same value for each field, you will get a message as follows, please correct this before moving on.

    Subnet Validation

    Ensure both subnets you select belong to the vpc you have selected. It is also a good idea to pick subnets in different Availability Zones.

  4. You must select a Console Security Group CIDR Block. Specify your network access or set to "" to access the Antivirus for Amazon S3 Management Console from anywhere.

  5. For both the Console Configuration and the Agent Configuration, you must specify the proper vCPU:Memory ratio. The memory must be in the range of 2x to 8x of the vCPU.


    If the memory specified for the Console and Agent are not within the proper range, you will see the following:

    Spec Validations

    Please correct before moving forward.

  6. You must set a valid Email address.


    If you do not properly set the above 6 items, the stack creation will fail.


The Only Run Scanning Agents When Files Are In Queue? field can be selected to be more efficient and cost effective by only running agents when there is work to be done. You can read more about it here.

The Allow Access to All KMS Keys option is giving the solution the ability to use any KMS key only within the context of the Amazon S3 service. Permissions will be put in place so that we can decrypt and encrypt objects as needed during the scanning process. Antivirus for Amazon S3 will not be able to use the keys in any other way. Keeping this as a Yes should address the unscannable objects issue addressed in the Trouble Shooting section.

Step 2 - Review CloudStorageSec-AV-for-S3

Review Stack

Check I acknowledge that AWS CloudFormation might create IAM resources with custom names. under Capabilities.
Click Create Stack at the bottom of the screen.

Step 3 - Trouble Shoot if needed

The stack you just created, CloudStorageSec-AV-for-S3 will have a status of CREATE_IN_PROGRESS. Wait for this to change to CREATE_COMPLETE.

Submit Stack

When finished: Submit Stack

If the stack creation fails, click here to open the Trouble Shooting section.

Step 4 - Console Access

Console Access URL Once the stack creation completes, click the Output tab. The top row in the table will have the URL for the Antivirus for Amazon S3 Management Console. It will be in the format of https://<accountID-appID>


It may take a few minutes for DNS to propagate. If you are unable to load the URL provided in the email (and/or CloudFormation Outputs) then wait a few minutes. If it continues to be an issue, check the console access trouble shooting to see if it is another issue.

You have completed creating the stack for Cloud Storage Security Antivirus for Amazon S3. Go to the How to Configure section to start setting up the anti-malware detection.

Last update: December 1, 2020