Links

Architecture Overview

An in-depth overview of our architecture.

Architecture

The architecture seen below supports the object flow as described in the Object Scanning section both in a single region as well as across all regions supported. The Console region will have all components deployed to it. Any additional regions only require the scanning Agent(s) which will report back to the centrally located Console. In addition to this high-level architecture, you can get more details on routing and the public access required on the Deployment Details page.

Architecture - High-level Overview

Single Region Architecture
Multi-Region Architecture
Multi-Account Architecture
Single Region Architecture
Multi-Region Architecture
Multi-Account Architecture

Platform Services

While many services are used (ECS Fargate, App Config, CloudWatch, CloudFormation, DynamoDB, SNS, SQS, IAM) to deliver the Antivirus for Amazon S3 solution, two will be called out here. CloudWatch and IAM are leveraged for logging and permissions respectively. These are the usual questions we get from customers:
  1. 1.
    How do I check the logs?
  2. 2.
    What are you doing behind the scenes (permissions wise)?
We wanted to make sure you had those bases covered with the information below.

CloudWatch LogGroup Overview

Log groups for the Console

AgentConfig
Logs of changes to agent configuration performed through the console.
2020-08-19T23:01:08.246-06:00 2020-08-20 05:01:08.2466|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'ap-northeast-1': {"region":"ap-northeast-1","vpcId":"vpc-6902080e","subnets":[{"subnetId":"subnet-1673ac3d","availabilityZone":"ap-northeast-1d","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-bd66b2f5","availabilityZone":"ap-northeast-1a","cidrBlock":"172.31.32.0/20"}]}
2020-08-19T23:01:08.322-06:00 2020-08-20 05:01:08.3225|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'eu-west-3': {"region":"eu-west-3","vpcId":"vpc-e9677880","subnets":[{"subnetId":"subnet-232b114a","availabilityZone":"eu-west-3a","cidrBlock":"172.31.0.0/20"},{"subnetId":"subnet-266a0c6b","availabilityZone":"eu-west-3c","cidrBlock":"172.31.32.0/20"}]}
2020-08-19T23:01:08.409-06:00 2020-08-20 05:01:08.4092|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-1': {"region":"us-west-1","vpcId":"vpc-1c55a17a","subnets":[{"subnetId":"subnet-b8c563de","availabilityZone":"us-west-1b","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-3c59aa66","availabilityZone":"us-west-1a","cidrBlock":"172.31.0.0/20"}]}
2020-08-19T23:01:08.490-06:00 2020-08-20 05:01:08.4899|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-2':
{
"region": "us-west-2",
"vpcId": "vpc-2f007457",
"subnets": [
{
"subnetId": "subnet-f6f91abc",
"availabilityZone": "us-west-2a",
"cidrBlock": "172.31.32.0/20"
},
{
"subnetId": "subnet-f0408688",
"availabilityZone": "us-west-2b",
"cidrBlock": "172.31.16.0/20"
}
]
}
2020-08-20 05:01:08.4899|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-2': {"region":"us-west-2","vpcId":"vpc-2f007457","subnets":[{"subnetId":"subnet-f6f91abc","availabilityZone":"us-west-2a","cidrBlock":"172.31.32.0/20"},{"subnetId":"subnet-f0408688","availabilityZone":"us-west-2b","cidrBlock":"172.31.16.0/20"}]}
Buckets
Logs of changes to bucket protection status and any errors that may occur while trying to turn on/off buckets.
2020-08-13T10:31:12.309-06:00 2020-08-13 16:31:12.3094|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-13T10:39:55.290-06:00 2020-08-13 16:39:55.2901|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T10:47:56.726-06:00 2020-08-13 16:47:56.7262|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-13T10:59:48.397-06:00 2020-08-13 16:59:48.3969|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T11:36:53.512-06:00 2020-08-13 17:36:53.5125|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket'
2020-08-13T11:36:56.921-06:00 2020-08-13 17:36:56.9212|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket-2'
2020-08-13T12:26:51.700-06:00 2020-08-13 18:26:51.7006|INFO|Buckets|Turned on protection for bucket 'css-webinar-existing-files'
2020-08-13T12:27:18.104-06:00 2020-08-13 18:27:18.1044|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-17T15:53:25.588-06:00 2020-08-17 21:53:25.5884|INFO|Buckets|Turned off protection for bucket '100kb-bucket'
2020-08-17T15:53:25.755-06:00 2020-08-17 21:53:25.7552|INFO|Buckets|Turned off protection for bucket 'demo-destination-bucket'
EcsConfig
Logs of actions taken to enable or disable Agents in a region. This includes creation of clusters, task definitions, services, sns topics, sqs queues, quarantine buckets, and autoscaling policies.
2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-1
2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Setting Large Queue threshold to '1' in ap-northeast-1
2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Set Large Queue threshold to '1' in ap-northeast-1
2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Setting Large Queue threshold to '1' in us-west-2
2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-2
2020-08-21T13:19:58.631-06:00 2020-08-21 19:19:58.6311|INFO|EcsConfig|Setting Min and Max agents to '0' and '3' respectively in us-east-1
2020-08-21T13:19:58.908-06:00 2020-08-21 19:19:58.9080|INFO|EcsConfig|Set Min and Max agents to '0' and '3' respectively in us-east-1
2020-08-21T13:20:09.553-06:00 2020-08-21 19:20:09.5536|INFO|EcsConfig|Setting Min and Max agents to '0' and '1' respectively in us-east-1
2020-08-21T13:20:09.826-06:00 2020-08-21 19:20:09.8262|INFO|EcsConfig|Set Min and Max agents to '0' and '1' respectively in us-east-1
Metering
Logs of when metering is submitted, and any errors that may occur during metering.
2020-08-21T14:03:01.665-06:00 2020-08-21 20:03:01.6647|INFO|Metering|Metering submitted at 08/21/2020 20:03:01 for Dimension FreeTrial and Quantity 43
2020-08-21T15:03:00.950-06:00 2020-08-21 21:03:00.9503|INFO|Metering|Metering submitted at 08/21/2020 21:03:00 for Dimension FreeTrial and Quantity 43
2020-08-21T16:03:00.108-06:00 2020-08-21 22:03:00.1084|INFO|Metering|Metering submitted at 08/21/2020 22:03:00 for Dimension FreeTrial and Quantity 44
2020-08-21T17:03:00.290-06:00 2020-08-21 23:03:00.2903|INFO|Metering|Metering submitted at 08/21/2020 23:03:00 for Dimension FreeTrial and Quantity 44
2020-08-21T18:03:00.539-06:00 2020-08-22 00:03:00.5393|INFO|Metering|Metering submitted at 08/22/2020 00:03:00 for Dimension FreeTrial and Quantity 1
2020-08-21T19:03:00.782-06:00 2020-08-22 01:03:00.7815|INFO|Metering|Metering submitted at 08/22/2020 01:03:00 for Dimension GoFwdTier1 and Quantity 0
Metrics
Logs of when cache for Console dashboard chart data is updated.
2020-08-21T13:19:01.171-06:00 2020-08-21 19:19:01.1714|INFO|Metrics|Getting chart values for time window: 08/20/2020 19:19:01-08/21/2020 19:19:01
2020-08-21T13:19:08.774-06:00 2020-08-21 19:19:08.7737|INFO|Metrics|Updated cache for time window: 08/20/2020 19:19:01-08/21/2020 19:19:01
2020-08-21T13:19:09.932-06:00 2020-08-21 19:19:09.9316|INFO|Metrics|Getting chart values for time window: 08/21/2020 18:19:09-08/21/2020 19:19:09
2020-08-21T13:19:09.971-06:00 2020-08-21 19:19:09.9708|INFO|Metrics|Updated cache for time window: 08/21/2020 18:19:09-08/21/2020 19:19:09
2020-08-21T13:19:09.972-06:00 2020-08-21 19:19:09.9708|INFO|Metrics|Getting chart values for time window: 08/14/2020 19:19:09-08/21/2020 19:19:09
2020-08-21T13:19:10.566-06:00 2020-08-21 19:19:10.5661|INFO|Metrics|Getting chart values for time window: 08/14/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:10.678-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Updated cache for time window: 08/14/2020 19:19:09-08/21/2020 19:19:09
2020-08-21T13:19:10.679-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Getting chart values for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:10.680-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Getting chart values for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:11.355-06:00 2020-08-21 19:19:11.3548|INFO|Metrics|Updated cache for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
RetroScan
Logs of when retro scanning starts and finishes per bucket as well as when queue entries are added.
2020-08-13T11:37:05.123-06:00 2020-08-13 17:37:05.1233|INFO|RetroScan|Starting to crawl bucket 'webinar-other-account-bucket-2' in region 'us-east-1' for account '7xxxxxxxxxx7'
2020-08-13T11:37:05.187-06:00 2020-08-13 17:37:05.1871|INFO|RetroScan|Fetching next set of objects from 'webinar-other-account-bucket-2' in region 'us-east-1'
2020-08-13T11:37:05.247-06:00 2020-08-13 17:37:05.2463|INFO|RetroScan|Finished crawling bucket 'webinar-other-account-bucket-2' in region 'us-east-1'
2020-08-13T12:26:59.689-06:00 2020-08-13 18:26:59.6883|INFO|RetroScan|Starting to crawl bucket 'css-webinar-existing-files' in region 'us-east-1' for account '7xxxxxxxxxx8'
2020-08-13T12:26:59.712-06:00 2020-08-13 18:26:59.7125|INFO|RetroScan|Fetching next set of objects from 'css-webinar-existing-files' in region 'us-east-1'
2020-08-13T12:26:59.774-06:00 2020-08-13 18:26:59.7742|INFO|RetroScan|Sending message to queue 'https://sqs.us-east-1.amazonaws.com/7xxxxxxxxxx8/CloudStorageSecRetroQueu
Subdomain
Logs of each time the console is assigned a new IP and when the subdomain is renamed.
2020-08-17T13:03:28.291-06:00 2020-08-17 19:03:28.2911|INFO|Subdomain|Updating IP address for console subdomain
2020-08-17T13:03:32.106-06:00 2020-08-17 19:03:32.1056|INFO|Subdomain|Updated IP address for console subdomain
2020-08-17T13:16:49.080-06:00 2020-08-17 19:16:49.0797|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:26:13.256-06:00 2020-08-17 19:26:13.2559|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:26:20.703-06:00 2020-08-17 19:26:20.7027|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:28:07.726-06:00 2020-08-17 19:28:07.7258|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:28:10.089-06:00 2020-08-17 19:28:10.0888|INFO|Subdomain|Setting console subdomain to 'preview'
2020-08-17T13:28:13.710-06:00 2020-08-17 19:28:13.7098|INFO|Subdomain|Set console subdomain to 'preview'
System
Logs of general Console system information and errors and the return of the entitlement verification.
2020-08-21T13:25:58.374-06:00 2020-08-21 19:25:58.3713|INFO|System|Entitlement Verified.
Updates
Logs of what updates are available and when an update is being performed.
2020-08-21T13:19:00.532-06:00 2020-08-21 19:19:00.5309|INFO|Updates|Getting version of CloudStorageSecAgentService-pk913wa
2020-08-21T13:19:00.532-06:00 2020-08-21 19:19:00.5309|INFO|Updates|CloudStorageSecAgentService-pk913wa is version v3.01.003
2020-08-21T13:19:00.533-06:00 2020-08-21 19:19:00.5309|INFO|Updates|Getting version of CloudStorageSecConsoleService-pk913wa
2020-08-21T13:19:00.585-06:00 2020-08-21 19:19:00.5847|INFO|Updates|CloudStorageSecConsoleService-pk913wa is version v3.02.005
2020-08-21T13:19:00.586-06:00 2020-08-21 19:19:00.5865|INFO|Updates|Looking for minor or patch update of CloudStorageSecAgentService-pk913wa greater than v3.01.003
2020-08-21T13:19:00.631-06:00 2020-08-21 19:19:00.6313|INFO|Updates|No minor or patch update available
2020-08-21T13:19:00.631-06:00 2020-08-21 19:19:00.6313|INFO|Updates|Looking for minor or patch update of CloudStorageSecConsoleService-pk913wa greater than v3.02.005
2020-08-21T13:19:00.664-06:00 2020-08-21 19:19:00.6644|INFO|Updates|No minor or patch update available
2020-08-21T13:19:00.665-06:00 2020-08-21 19:19:00.6644|INFO|Updates|Looking for major update greater than v3.02.005
2020-08-21T13:19:00.685-06:00 2020-08-21 19:19:00.6853|INFO|Updates|No major update available
Users
Logs of all user activity including user creates/deletes, password resets, role changes.
2020-06-17T12:44:19.526-06:00 2020-06-17 18:44:19.5262|INFO|Users|Password changed for user 'admin'.
2020-06-17T20:06:32.240-06:00 2020-06-18 02:06:32.2403|INFO|Users|User 'aaron' created.
2020-06-17T23:57:25.905-06:00 2020-06-18 05:57:25.9051|INFO|Users|User 'ed' created.
2020-06-17T23:58:41.204-06:00 2020-06-18 05:58:41.2038|INFO|Users|Password changed for user 'ed'.
2020-06-17T23:58:58.252-06:00 2020-06-18 05:58:58.2527|INFO|Users|Submitted forgot password request for ed
2020-06-18T00:00:17.405-06:00 2020-06-18 06:00:17.4055|INFO|Users|Password reset for user 'ed'.

Log groups for the Agent

ScanConfig
Scan results for clean files.
2020-08-24T15:24:35.634-06:00 2020-08-24 21:24:35.6329|INFO|ScanConfig|
{
"objectTagKeys": {
"result": "scan-result",
"dateScanned": "date-scanned",
"virusName": "virus-name",
"virusUploadedBy": "uploaded-by",
"errorMessage": "message"
},
"quarantine": {
"action": "Move",
"moveBucketPrefix": "cloudstoragesecquarantine-pk913wa"
},
"whitelist": {},
"blacklist": {}
}
ScanResults
Scan results for clean, infected, error, or unscannable files.
Infected:
2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|{"guid":"e132dc70-4582-476a-bb52-c57425c9792e","dateScanned":"2020-08-24T21:15:32.7952943Z","bucketName":"demo-destination-bucket","key":"virus/7hXNy9okVjpszoFP_virus_388_eicarcom2.zip","scanResult":"Infected","actionTaken":"Move","detectedVirus":"Win.Test.EICAR_HDB-1","virusUploadedBy":"AWS:AROA3K5IVNMVEDVQSN5PM:demo-bucket-transfer","errorMessage":"","fileExists":true,"movedTo":"cloudstoragesecquarantine-y6uajej-7xxxxxxxxxxx8-us-east-1","region":"us-east-1","accountId":"7xxxxxxxxxxx8"}
2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|
{
"guid": "e132dc70-4582-476a-bb52-c57425c9792e",
"dateScanned": "2020-08-24T21:15:32.7952943Z",
"bucketName": "demo-destination-bucket",
"key": "virus/7hXNy9okVjpszoFP_virus_388_eicarcom2.zip",
"scanResult": "Infected",
"actionTaken": "Move",
"detectedVirus": "Win.Test.EICAR_HDB-1",
"virusUploadedBy": "AWS:AROA3K5IVNMVEDVQSN5PM:demo-bucket-transfer",
"errorMessage": "",
"fileExists": true,
"movedTo": "cloudstoragesecquarantine-y6uajej-7xxxxxxxxxxx8-us-east-1",
"region": "us-east-1",
"accountId": "7xxxxxxxxxxx8"
}
Clean:
2020-08-24T15:15:33.243-06:00 2020-08-24 21:15:33.2432|INFO|CleanScanResults|{"guid":"5cab2514-5982-4323-bdbc-77540dca973d","dateScanned":"2020-08-24T21:15:33.186175Z","bucketName":"demo-destination-bucket","key":"1mb/xglRNavTNgA67qim_temp_1mb_file94857.txt","scanResult":"Clean","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"7xxxxxxxxxxx8"}
2020-08-24T15:15:33.344-06:00 2020-08-24 21:15:33.3444|INFO|CleanScanResults|
{
"guid": "b589b129-ac54-493c-886c-30016899f3b9",
"dateScanned": "2020-08-24T21:15:33.2737108Z",
"bucketName": "demo-destination-bucket",
"key": "1mb/xRP72vFa1Ays2Qr9_temp_1mb_file94075.txt",
"scanResult": "Clean",
"actionTaken": "None",
"detectedVirus": "",
"virusUploadedBy": "",
"errorMessage": "",
"fileExists": true,
"movedTo": "",
"region": "us-east-1",
"accountId": "7xxxxxxxxxxx8"
}
Error:
2020-08-24T15:15:00.132-06:00 2020-08-24 21:15:00.1314|INFO|ErrorScanResults|{"guid":"5806ced2-688a-45d0-a2cb-71717176e66e","dateScanned":"2020-08-24T21:14:59.6058615Z","bucketName":"webinar-other-account-bucket-2","key":"ConsoleCloudFormationTemplate.yaml","scanResult":"Error","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"Unable to access the remote account.","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"7xxxxxxxxxxx7"}
2020-08-24T15:15:00.206-06:00 2020-08-24 21:15:00.2055|INFO|ErrorScanResults|
{
"guid": "c95dfbb1-2853-49e1-ace9-c2ae05bbf32a",
"dateScanned": "2020-08-24T21:14:59.6058615Z",
"bucketName": "webinar-other-account-bucket-2",
"key": "ConsoleCloudFormationTemplate.yaml",
"scanResult": "Error",
"actionTaken": "None",
"detectedVirus": "",
"virusUploadedBy": "",
"errorMessage": "Unable to access the remote account.",
"fileExists": true,
"movedTo": "",
"region": "us-east-1",
"accountId": "7xxxxxxxxxx7"
}
ScanStatistics
Every-hour statistics of an agents activity for each bucket being monitored. These include the number of files scanned, the number of clean/infected/error files, and the total bytes scanned.
2020-08-24T15:47:05.224-06:00 2020-08-24 21:47:05.2239|INFO|ScanStatistics|
{
"bucketName": "preview-destination-bucket",
"accountId": "7xxxxxxxxxx8",
"numFilesScanned": 98,
"numCleanFiles": 95,
"numInfectedFiles": 3,
"numErrors": 0,
"totalBytesScanned": 9500560
}
SystemEvents
Logs of general Agent system information and errors.
2020-08-24T15:24:35.368-06:00 2020-08-24 21:24:35.3568|INFO|SystemEvents|{"event":"Scanner Started","details":"Scanner is online and able to process files. ClamAV 0.102.3/25909/Mon Aug 24 13:26:24 2020","instanceId":"arn:aws:ecs:us-east-1:779353418538:task/7965e996-d967-4d7f-be11-e05679534f2e","eventDate":"2020-08-24T21:24:35.2518636Z"}
2020-08-24T15:28:09.355-06:00 2020-08-24 21:28:09.3554|INFO|SystemEvents|
{
"event": "Scanner Stopped",
"details": "Scanner is going offline.",
"instanceId": "arn:aws:ecs:us-east-1:779353418538:task/7965e996-d967-4d7f-be11-e05679534f2e",
"eventDate": "2020-08-24T21:28:09.3554279Z"
}

Log groups for ECS

As of version 6.06 we enable ECS logging by default. These logs will be shown in the following log groups.
For each of these log groups you will see your seven character application ID in the title of each log group as noted below by the AppID between the ECS and type of ECS service the log is for.
ECS.AppID.API
Log groups related to the ECS API Agent Service
ECS.AppID.Console
Log groups related to the ECS Console Service
ECS.AppID.AVEvent
Log groups related to the ECS AV Event Agent Service
ECS.AppID.DCEvent
Log groups related to the ECS DC Event Agent Service

IAM Permissions Review

We have been able to simplify the management and delivery of the solution such that there are very few tasks the administrator is required to perform inside the AWS Console. As a result, the Console and EventAgent have a number of permissions assigned to them within their respective roles to allow them to perform the actions needed on your behalf. In all cases, we went with a least privilege model wherever possible. There are a few instances where we have assigned * when it is required. Below you will find a review of the two IAM Roles we create and assign to the Console and scanning Agents.
Please review and Contact Us if you have any questions we can clear up for you.
The permission descriptions below follow the format:
- system-name
- permission 1
- reason it is needed
- ...
- reason it is needed
- permission n
- reason it is needed
Console Roles (All Resources)
* application-autoscaling
* PutScalingPolicy
* For attaching auto scaling policies to the Agent services
* RegisterScalableTarget
* For allowing Agent services to be scalable
* aws-marketplace
* MeterUsage
* For submitting application data usage
* cloudwatch
* GetMetricStatistics
* For getting bucket size information
* ec2
* CreateSecurityGroup
* For creating a security group for the Agent services
* DescribeNetworkInterfaces
* For getting the IP of the new Console after an update has been applied
* DescribeSubnets
* For getting the list of subnets for Agent service configuration
* DescribeVpcs
* For getting the list of VPCs for Agent service configuration
* ecs
* CreateCluster
* For creating clusters in regions other than the region the console is in, for Agent services in those regions
* DescribeTaskDefinition
* For checking the current version of the Console and Agents
* DescribeTasks
* For getting the details of a new console task while applying updates
* ListTasks
* For getting the list of running console tasks while applying updates
* RegisterTaskDefinition
* For creating new Agent services and applying updates to the Console and Agents
* logs (all of the below are needed for creating and monitoring cloudwatch logs)
* CreateLogStream
* DescribeLogGroups
* DescribeLogStreams
* GetLogEvents
* GetLogRecord
* GetQueryResults
* PutLogEvents
* StartQuery
* StopQuery
* s3
* CreateBucket
* For creating a quarantine bucket in each region that has protected buckets
* GetBucketAcl
* For checking if a bucket is public
* GetBucketLocation
* For finding the region of the bucket
* GetBucketNotification
* For detecting events attached to the bucket
* GetBucketPolicy
* For checking if a bucket is public
* GetBucketPolicyStatus
* For checking if a bucket is public
* GetObjectAcl
* For checking if objects are public
* ListAllMyBuckets
* For listing buckets in the Console
* ListBucket
* For identifying files to scan
* PutBucketAcl
* For making buckets non-public
* PutBucketNotification
* For setting events on buckets to enable protection
* PutBucketPolicy
* For making buckets non-public
* PutBucketPublicAccessBlock
* For making buckets non-public
* PutObjectAcl
* For making objects non-public
* sns
* ListSubscriptions
* For unsubscribing the CloudStorageSec SQS Queue from a non CloudStorageSec SNS Topic
* ListSubscriptionsByTopic
* For unsubscribing the CloudStorageSec SQS Queue from a non CloudStorageSec SNS Topic
* ListTopics
* For unsubscribing the CloudStorageSec SQS Queue from a non CloudStorageSec SNS Topic
* Subscribe
* For subscribing the CloudStorageSec SQS Queue to a SNS Topic
* Unsubscribe
* For unsubscribing the CloudStorageSec SQS Queue from a SNS Topic
* ssm
* CreateDocument
* For creating the initial AppConfig document for CloudStorageSec Agents
* ListDocuments
* For creating the initial AppConfig document for CloudStorageSec Agents
Console Permissions (Targeted Resources)
* appconfig
* CreateConfigurationProfile
* For one-time creation of Configuration Profile for CloudStorageSec Agents
* ListConfigurationProfiles
* For retreiving the Configuration Profile ID upon Console startup
* StartDeployment
* For deploying new version of Agent configuration
* cloudwatch
* PutMetricAlarm
* For creating Agent autoscaling alarm based on SQS queue size
* dynamodb (all of the below are needed for various dynamodb operations on CloudStorageSec tables)
* DeleteItem
* DescribeTable
* GetItem
* PutItem
* Query
* Scan
* UpdateItem
* ecr
* ListImages
* For checking if there are new versions of the Console or Agent available
* ecs
* CreateService
* For creating the Agent service in a region that did not previously have any protected buckets
* DescribeClusters
* For checking if a cluster for Agents already exists in a given region
* DescribeServices
* For checking if the Agent service already exists in a given cluster
* UpdateService
* For updating the Console or Agent service(s) to point at a new application version
* iam
* PassRole
* For assigning the appropriate role to the created AppConfig Document
* sns
* AddPermission
* For allowing S3 buckets to send messages to the CloudStorageSec SNS Topic
* CreateTopic
* For creating the CloudStorageSec SNS Topic
* SetTopicAttributes
* For attaching the policy allowing S3 buckets to send messages to the CloudStorageSec SNS Topic
* sqs
* CreateQueue
* For creating the CloudStorageSec SQS Queue
* GetQueueAttributes
* For getting the ARN and current Policy of the CloudStorageSec SQS Queue
* SendMessage
* For adding messages to the CloudStorageSec SQS Queue
* SendMessageBatch
* For batch adding messages to the CloudStorageSec SQS Queue
* SetQueueAttributes
* For setting the Policy
* ssm (all of the below are for updating the Agent config document)
* DescribeDocument
* GetDocument
* UpdateDocument
Agent Permissions (All Resources)
* appconfig (all of the below are for requesting an Agent config deployment)
* ListApplications
* ListDeploymentStrategies
* s3
* DeleteObject
* For deleting infected objects
* GetObject
* For getting objects to scan
* GetObjectTagging
* For getting current tags of an object (needed when moving objects to quarantine)
* ListBucket
* For listing objects in a bucket
* PutObject
* For copying object to quarantine
* PutObjectAcl
* For copying object ACLs to quarantine
* PutObjectTagging
* For tagging objects with scan results (and when moving an object to quarantine)
* ssm
* ListDocuments
* For requesting an Agent config deployment
Agent Permissions (Targeted Resources)
* appconfig (the below are for receiving Agent configuration)
* GetApplication
* GetConfiguration
* GetConfigurationProfile
* GetDeploymentStrategy
* GetEnvironment
* ListConfigurationProfiles
* ListDeployments
* ListEnvironments
* dynamodb (the below are for submitting agent scan data into the Agent tables for the console)
* DescribeTable
* PutItem
* UpdateItem
* logs (the below are needed for creating cloudwatch logs)
* CreateLogStream
* DescribeLogGroups
* PutLogEvents
* sqs (the below are for processing the CloudStorageSec SQS queue)
* DeleteMessage
* GetQueueAttributes
* ReceiveMessage
* ssm
* GetDocument
* For accessing the app config document for Agent configuration

Scan Engines

Antivirus for Amazon S3 has been built in such a way that the underlying scanning engine can be exchanged with other scanning engines as needed or desired. There are three engines included out of the box:
  • Sophos - a well known enterprise solution that offers speed, great accuracy and large file scanning
  • CrowdStrike - a proven component of the CrowdStrike Falcon platform which uses market-leading machine learning technology and CrowdStrike’s massive corpus of malware samples to scan for malicious code
  • ClamAV - a widely used open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
Engine
Update Frequency
Max File Size
Speed
Type
API Endpoint
Agent checks every 15 minutes vendor typically updates 4 times per day
faster engine; refer to Sizing Discussion
Signature Based
Yes
ML Model updated by vendor 3 times per year
20 MB File Types
Average scan time typically below 500 milliseconds; Sizing details coming soon
Signature-less, Machine Learning Based
Yes
Agent checks every hour vendor typically updates once per day
2 GB File Types
good performance engine; refer to Sizing Discussion
Signature Based
Yes
Antivirus for Amazon S3 has the ability to use multiple scanning engines configured serially to ensure the highest level of efficacy and protection. Antivirus for Amazon S3 updates virus definitions as defined above as well as with each reboot / new spin up.
If you are a scan engine vendor and would like to partner with us to get your engine integrated into our solution or if you are a customer who would prefer another engine, please Contact Us.