Architecture Overview
An in-depth overview of our architecture.
The architecture seen below supports the object flow as described in the Object Scanning section both in a single region as well as across all regions supported. The Console region will have all components deployed to it. Any additional regions only require the scanning Agent(s) which will report back to the centrally located Console. In addition to this high-level architecture, you can get more details on routing and the public access required on the Deployment Details page.
ECS is the core of our application, which hosts 4 types of services.
The Console service is utilized for configuration of our product and provides the main communication to other AWS services. It also surfaces data from our product for user analysis.
The API Agent provides an endpoint where files can be sent and scanned before entering a storage volume.
The Event Agent scans files as they land into an S3 bucket by leveraging SNS and SQS.
The Scheduled & On-demand Agent scans pre-existing objects in a storage volume using Fargate Run Tasks.
Users and apps can log into our management console service through Cognito, or send files directly to our API scanning agent through a load balancer.
Objects can be uploaded either directly into the supported storage volumes or uploaded to S3 via our API Agent.
In AWS, we currently scan S3, EBS, EFS, and FSx.
Integrations are handled through our Console service.
The Console stores and reads configuration details from DynamoDB and Parameter Store, for example to ensure consistency when scaling agents or restarting tasks.
The Console logs all application activity in CloudWatch, which can be integrated with most SIEM tools.
To scan objects in regions separate from the Initial Deployment Region, we spin up Scanning Agents in that region to perform the scans so the files never leave the region. Results are then sent back to the Console service.
All application activity that takes place in secondary deployment regions is logged to that region's CloudWatch log groups.
For multiple accounts, the Console deploys a Cross Account Role with permissions so that CSS services can access and scan storage volumes from separate accounts. Note that scanning infrastructure remains in the primary AWS account where your Console was deployed. Similar to a multi-region deployment, CSS will spin up Scanning Agents in each region where data is scanned.
While many services are used (ECS Fargate, App Config, CloudWatch, CloudFormation, DynamoDB, SNS, SQS, IAM) to deliver the Antivirus for Amazon S3 solution, two will be called out here. CloudWatch and IAM are leveraged for logging and permissions respectively. These are the usual questions we get from customers:
How do I check the logs?
What are you doing behind the scenes (permissions wise)?
We wanted to make sure you had those bases covered with the information below.
Logs of changes to agent configuration performed through the console.
2020-08-19T23:01:08.246-06:00 2020-08-20 05:01:08.2466|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'ap-northeast-1': {"region":"ap-northeast-1","vpcId":"vpc-6902080e","subnets":[{"subnetId":"subnet-1673ac3d","availabilityZone":"ap-northeast-1d","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-bd66b2f5","availabilityZone":"ap-northeast-1a","cidrBlock":"172.31.32.0/20"}]}
2020-08-19T23:01:08.322-06:00 2020-08-20 05:01:08.3225|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'eu-west-3': {"region":"eu-west-3","vpcId":"vpc-e9677880","subnets":[{"subnetId":"subnet-232b114a","availabilityZone":"eu-west-3a","cidrBlock":"172.31.0.0/20"},{"subnetId":"subnet-266a0c6b","availabilityZone":"eu-west-3c","cidrBlock":"172.31.32.0/20"}]}
2020-08-19T23:01:08.409-06:00 2020-08-20 05:01:08.4092|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-1': {"region":"us-west-1","vpcId":"vpc-1c55a17a","subnets":[{"subnetId":"subnet-b8c563de","availabilityZone":"us-west-1b","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-3c59aa66","availabilityZone":"us-west-1a","cidrBlock":"172.31.0.0/20"}]}
2020-08-19T23:01:08.490-06:00 2020-08-20 05:01:08.4899|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-2':
{
"region": "us-west-2",
"vpcId": "vpc-2f007457",
"subnets": [
{
"subnetId": "subnet-f6f91abc",
"availabilityZone": "us-west-2a",
"cidrBlock": "172.31.32.0/20"
},
{
"subnetId": "subnet-f0408688",
"availabilityZone": "us-west-2b",
"cidrBlock": "172.31.16.0/20"
}
]
}
Logs of changes to bucket protection status and any errors that may occur while trying to turn on/off buckets.
2020-08-13T10:31:12.309-06:00 2020-08-13 16:31:12.3094|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-13T10:39:55.290-06:00 2020-08-13 16:39:55.2901|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T10:47:56.726-06:00 2020-08-13 16:47:56.7262|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-13T10:59:48.397-06:00 2020-08-13 16:59:48.3969|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T11:36:53.512-06:00 2020-08-13 17:36:53.5125|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket'
2020-08-13T11:36:56.921-06:00 2020-08-13 17:36:56.9212|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket-2'
2020-08-13T12:26:51.700-06:00 2020-08-13 18:26:51.7006|INFO|Buckets|Turned on protection for bucket 'css-webinar-existing-files'
2020-08-13T12:27:18.104-06:00 2020-08-13 18:27:18.1044|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-17T15:53:25.588-06:00 2020-08-17 21:53:25.5884|INFO|Buckets|Turned off protection for bucket '100kb-bucket'
2020-08-17T15:53:25.755-06:00 2020-08-17 21:53:25.7552|INFO|Buckets|Turned off protection for bucket 'demo-destination-bucket'
Logs of actions taken to enable or disable Agents in a region. This includes creation of clusters, task definitions, services, SNS topics, SQS queues, quarantine buckets, and autoscaling policies.
2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-1
2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Setting Large Queue threshold to '1' in ap-northeast-1
2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Set Large Queue threshold to '1' in ap-northeast-1
2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Setting Large Queue threshold to '1' in us-west-2
2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-2
2020-08-21T13:19:58.631-06:00 2020-08-21 19:19:58.6311|INFO|EcsConfig|Setting Min and Max agents to '0' and '3' respectively in us-east-1
2020-08-21T13:19:58.908-06:00 2020-08-21 19:19:58.9080|INFO|EcsConfig|Set Min and Max agents to '0' and '3' respectively in us-east-1
2020-08-21T13:20:09.553-06:00 2020-08-21 19:20:09.5536|INFO|EcsConfig|Setting Min and Max agents to '0' and '1' respectively in us-east-1
2020-08-21T13:20:09.826-06:00 2020-08-21 19:20:09.8262|INFO|EcsConfig|Set Min and Max agents to '0' and '1' respectively in us-east-1
Logs of when metering is submitted, and any errors that may occur during metering.
2020-08-21T14:03:01.665-06:00 2020-08-21 20:03:01.6647|INFO|Metering|Metering submitted at 08/21/2020 20:03:01 for Dimension FreeTrial and Quantity 43
2020-08-21T15:03:00.950-06:00 2020-08-21 21:03:00.9503|INFO|Metering|Metering submitted at 08/21/2020 21:03:00 for Dimension FreeTrial and Quantity 43
2020-08-21T16:03:00.108-06:00 2020-08-21 22:03:00.1084|INFO|Metering|Metering submitted at 08/21/2020 22:03:00 for Dimension FreeTrial and Quantity 44
2020-08-21T17:03:00.290-06:00 2020-08-21 23:03:00.2903|INFO|Metering|Metering submitted at 08/21/2020 23:03:00 for Dimension FreeTrial and Quantity 44
2020-08-21T18:03:00.539-06:00 2020-08-22 00:03:00.5393|INFO|Metering|Metering submitted at 08/22/2020 00:03:00 for Dimension FreeTrial and Quantity 1
2020-08-21T19:03:00.782-06:00 2020-08-22 01:03:00.7815|INFO|Metering|Metering submitted at 08/22/2020 01:03:00 for Dimension GoFwdTier1 and Quantity 0
Logs of when the cache for Console dashboard chart data is updated.
2020-08-21T13:19:01.171-06:00 2020-08-21 19:19:01.1714|INFO|Metrics|Getting chart values for time window: 08/20/2020 19:19:01-08/21/2020 19:19:01
2020-08-21T13:19:08.774-06:00 2020-08-21 19:19:08.7737|INFO|Metrics|Updated cache for time window: 08/20/2020 19:19:01-08/21/2020 19:19:01
2020-08-21T13:19:09.932-06:00 2020-08-21 19:19:09.9316|INFO|Metrics|Getting chart values for time window: 08/21/2020 18:19:09-08/21/2020 19:19:09
2020-08-21T13:19:09.971-06:00 2020-08-21 19:19:09.9708|INFO|Metrics|Updated cache for time window: 08/21/2020 18:19:09-08/21/2020 19:19:09
2020-08-21T13:19:09.972-06:00 2020-08-21 19:19:09.9708|INFO|Metrics|Getting chart values for time window: 08/14/2020 19:19:09-08/21/2020 19:19:09
2020-08-21T13:19:10.566-06:00 2020-08-21 19:19:10.5661|INFO|Metrics|Getting chart values for time window: 08/14/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:10.678-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Updated cache for time window: 08/14/2020 19:19:09-08/21/2020 19:19:09
2020-08-21T13:19:10.679-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Getting chart values for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:10.680-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Getting chart values for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:11.355-06:00 2020-08-21 19:19:11.3548|INFO|Metrics|Updated cache for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
Logs of when retro scanning starts and finishes per bucket as well as when queue entries are added.
2020-08-13T11:37:05.123-06:00 2020-08-13 17:37:05.1233|INFO|RetroScan|Starting to crawl bucket 'webinar-other-account-bucket-2' in region 'us-east-1' for account '7xxxxxxxxxx7'
2020-08-13T11:37:05.187-06:00 2020-08-13 17:37:05.1871|INFO|RetroScan|Fetching next set of objects from 'webinar-other-account-bucket-2' in region 'us-east-1'
2020-08-13T11:37:05.247-06:00 2020-08-13 17:37:05.2463|INFO|RetroScan|Finished crawling bucket 'webinar-other-account-bucket-2' in region 'us-east-1'
2020-08-13T12:26:59.689-06:00 2020-08-13 18:26:59.6883|INFO|RetroScan|Starting to crawl bucket 'css-webinar-existing-files' in region 'us-east-1' for account '7xxxxxxxxxx8'
2020-08-13T12:26:59.712-06:00 2020-08-13 18:26:59.7125|INFO|RetroScan|Fetching next set of objects from 'css-webinar-existing-files' in region 'us-east-1'
2020-08-13T12:26:59.774-06:00 2020-08-13 18:26:59.7742|INFO|RetroScan|Sending message to queue 'https://sqs.us-east-1.amazonaws.com/7xxxxxxxxxx8/CloudStorageSecRetroQueu
Logs of each time the console is assigned a new IP and when the subdomain is renamed.
2020-08-17T13:03:28.291-06:00 2020-08-17 19:03:28.2911|INFO|Subdomain|Updating IP address for console subdomain
2020-08-17T13:03:32.106-06:00 2020-08-17 19:03:32.1056|INFO|Subdomain|Updated IP address for console subdomain
2020-08-17T13:16:49.080-06:00 2020-08-17 19:16:49.0797|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:26:13.256-06:00 2020-08-17 19:26:13.2559|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:26:20.703-06:00 2020-08-17 19:26:20.7027|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:28:07.726-06:00 2020-08-17 19:28:07.7258|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:28:10.089-06:00 2020-08-17 19:28:10.0888|INFO|Subdomain|Setting console subdomain to 'preview'
2020-08-17T13:28:13.710-06:00 2020-08-17 19:28:13.7098|INFO|Subdomain|Set console subdomain to 'preview'
Logs of general Console system information and errors, and the result of the entitlement verification.
2020-08-21T13:25:58.374-06:00 2020-08-21 19:25:58.3713|INFO|System|Entitlement Verified.
Logs of what updates are available and when an update is being performed.
2020-08-21T13:19:00.532-06:00 2020-08-21 19:19:00.5309|INFO|Updates|Getting version of CloudStorageSecAgentService-pk913wa
2020-08-21T13:19:00.532-06:00 2020-08-21 19:19:00.5309|INFO|Updates|CloudStorageSecAgentService-pk913wa is version v3.01.003
2020-08-21T13:19:00.533-06:00 2020-08-21 19:19:00.5309|INFO|Updates|Getting version of CloudStorageSecConsoleService-pk913wa
2020-08-21T13:19:00.585-06:00 2020-08-21 19:19:00.5847|INFO|Updates|CloudStorageSecConsoleService-pk913wa is version v3.02.005
2020-08-21T13:19:00.586-06:00 2020-08-21 19:19:00.5865|INFO|Updates|Looking for minor or patch update of CloudStorageSecAgentService-pk913wa greater than v3.01.003
2020-08-21T13:19:00.631-06:00 2020-08-21 19:19:00.6313|INFO|Updates|No minor or patch update available
2020-08-21T13:19:00.631-06:00 2020-08-21 19:19:00.6313|INFO|Updates|Looking for minor or patch update of CloudStorageSecConsoleService-pk913wa greater than v3.02.005
2020-08-21T13:19:00.664-06:00 2020-08-21 19:19:00.6644|INFO|Updates|No minor or patch update available
2020-08-21T13:19:00.665-06:00 2020-08-21 19:19:00.6644|INFO|Updates|Looking for major update greater than v3.02.005
2020-08-21T13:19:00.685-06:00 2020-08-21 19:19:00.6853|INFO|Updates|No major update available
Logs of all user activity, including user creation/deletion, password resets, and role changes.
2020-06-17T12:44:19.526-06:00 2020-06-17 18:44:19.5262|INFO|Users|Password changed for user 'admin'.
2020-06-17T20:06:32.240-06:00 2020-06-18 02:06:32.2403|INFO|Users|User 'aaron' created.
2020-06-17T23:57:25.905-06:00 2020-06-18 05:57:25.9051|INFO|Users|User 'ed' created.
2020-06-17T23:58:41.204-06:00 2020-06-18 05:58:41.2038|INFO|Users|Password changed for user 'ed'.
2020-06-17T23:58:58.252-06:00 2020-06-18 05:58:58.2527|INFO|Users|Submitted forgot password request for ed
2020-06-18T00:00:17.405-06:00 2020-06-18 06:00:17.4055|INFO|Users|Password reset for user 'ed'.
Scan settings for the agent.
Settings include, but are not limited to:
Tags for the objects scanned
Actions taken on objects
Scan and skip lists
Bucket handling configuration
Classification Rules configuration for DLP
Note that the following snippet has been shortened for brevity.
2024-07-23 18:07:31.9485|INFO|ScanConfig|
{
"scanTaggingEnabled": true,
"scanTagsExcluded": [],
"classificationTaggingEnabled": true,
"classificationTagsExcluded": [],
"objectTagKeys": {
"result": "scan-result",
"dateScanned": "date-scanned",
"virusName": "virus-name",
"virusUploadedBy": "uploaded-by",
"errorMessage": "message",
"classificationResult": "classification-result",
"dateClassified": "date-classified",
"classificationMatches": "classification-matches",
"classificationErrorMessage": "classification-message"
},
"quarantine": {
"action": "Move",
"moveBucketPrefix": "cloudstoragesecquarantine-aocxfe6"
},
"scanList": {},
"skipList": {},
"classifyList": {},
"classifySkipList": {},
"avEventProtectedBuckets": [
"my-bucket"
],
"classificationCustomRulesLastUpdated": "0001-01-01T00:00:00.0000000Z",
"classificationRuleSets": {
"canadian health service": [
"PersonalhealthnumberBCCanada",
"PersonalhealthnumberBCnearDOBCanada"
],
"document classification": [
"ConfidentialdocumentmarkersAustralia",
"ConfidentialdocumentmarkersBelgium"
]
},
"dcEventBucketRuleSets": {},
"dcScheduledBucketRuleSets": {},
"efsClassificationRuleSets": {},
"ebsClassificationRuleSets": {},
"fsxClassificationRuleSets": {},
"twoBucketConfig": {
"regions": {},
"buckets": {
"my-bucket": {
"destinationBucket": "destination-bucket"
}
}
}
}
Scan results for clean, infected, error, or unscannable files.
Infected:
2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|
{
"guid": "e132dc70-4582-476a-bb52-c57425c9792e",
"dateScanned": "2020-08-24T21:15:32.7952943Z",
"bucketName": "demo-destination-bucket",
"key": "virus/7hXNy9okVjpszoFP_virus_388_eicarcom2.zip",
"scanResult": "Infected",
"actionTaken": "Move",
"detectedVirus": "Win.Test.EICAR_HDB-1",
"virusUploadedBy": "AWS:AROA3K5IVNMVEDVQSN5PM:demo-bucket-transfer",
"errorMessage": "",
"fileExists": true,
"movedTo": "cloudstoragesecquarantine-y6uajej-7xxxxxxxxxxx8-us-east-1",
"region": "us-east-1",
"accountId": "7xxxxxxxxxxx8"
}
Clean:
2020-08-24T15:15:33.243-06:00 2020-08-24 21:15:33.2432|INFO|CleanScanResults|{"guid":"5cab2514-5982-4323-bdbc-77540dca973d","dateScanned":"2020-08-24T21:15:33.186175Z","bucketName":"demo-destination-bucket","key":"1mb/xglRNavTNgA67qim_temp_1mb_file94857.txt","scanResult":"Clean","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"7xxxxxxxxxxx8"}
2020-08-24T15:15:33.344-06:00 2020-08-24 21:15:33.3444|INFO|CleanScanResults|
{
"guid": "b589b129-ac54-493c-886c-30016899f3b9",
"dateScanned": "2020-08-24T21:15:33.2737108Z",
"bucketName": "demo-destination-bucket",
"key": "1mb/xRP72vFa1Ays2Qr9_temp_1mb_file94075.txt",
"scanResult": "Clean",
"actionTaken": "None",
"detectedVirus": "",
"virusUploadedBy": "",
"errorMessage": "",
"fileExists": true,
"movedTo": "",
"region": "us-east-1",
"accountId": "7xxxxxxxxxxx8"
}
Error:
2020-08-24T15:15:00.132-06:00 2020-08-24 21:15:00.1314|INFO|ErrorScanResults|{"guid":"5806ced2-688a-45d0-a2cb-71717176e66e","dateScanned":"2020-08-24T21:14:59.6058615Z","bucketName":"webinar-other-account-bucket-2","key":"ConsoleCloudFormationTemplate.yaml","scanResult":"Error","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"Unable to access the remote account.","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"7xxxxxxxxxxx7"}
2020-08-24T15:15:00.206-06:00 2020-08-24 21:15:00.2055|INFO|ErrorScanResults|
{
"guid": "c95dfbb1-2853-49e1-ace9-c2ae05bbf32a",
"dateScanned": "2020-08-24T21:14:59.6058615Z",
"bucketName": "webinar-other-account-bucket-2",
"key": "ConsoleCloudFormationTemplate.yaml",
"scanResult": "Error",
"actionTaken": "None",
"detectedVirus": "",
"virusUploadedBy": "",
"errorMessage": "Unable to access the remote account.",
"fileExists": true,
"movedTo": "",
"region": "us-east-1",
"accountId": "7xxxxxxxxxx7"
}
Hourly statistics of an Agent's activity for each bucket being monitored. These include the number of files scanned, the number of clean/infected/error files, and the total bytes scanned.
2020-08-24T15:47:05.224-06:00 2020-08-24 21:47:05.2239|INFO|ScanStatistics|
{
"bucketName": "preview-destination-bucket",
"accountId": "7xxxxxxxxxx8",
"numFilesScanned": 98,
"numCleanFiles": 95,
"numInfectedFiles": 3,
"numErrors": 0,
"totalBytesScanned": 9500560
}
Logs of general Agent system information and errors.
2020-08-24T15:24:35.368-06:00 2020-08-24 21:24:35.3568|INFO|SystemEvents|{"event":"Scanner Started","details":"Scanner is online and able to process files. ClamAV 0.102.3/25909/Mon Aug 24 13:26:24 2020","instanceId":"arn:aws:ecs:us-east-1:779353418538:task/7965e996-d967-4d7f-be11-e05679534f2e","eventDate":"2020-08-24T21:24:35.2518636Z"}
2020-08-24T15:28:09.355-06:00 2020-08-24 21:28:09.3554|INFO|SystemEvents|
{
"event": "Scanner Stopped",
"details": "Scanner is going offline.",
"instanceId": "arn:aws:ecs:us-east-1:779353418538:task/7965e996-d967-4d7f-be11-e05679534f2e",
"eventDate": "2020-08-24T21:28:09.3554279Z"
}
As of version 6.06 we enable ECS logging by default. These logs will be shown in the following log groups. For each of these log groups you will see your seven-character application ID in the title of the log group, noted below as AppID, between "ECS" and the type of ECS service the log is for.
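The log categories above share one line shape, and the JSON payloads of the *ScanResults categories are what a SIEM rule would key on. As an added example (not part of the product or of this page), the Python below parses that shape, including the pretty-printed multi-line variant, aggregates per-bucket counts using the ScanStatistics field names, and raises alerts for infected objects, scan errors and protection being turned off; the sample log, bucket names, guids and account ids are constructed placeholders.

```python
"""Parse Antivirus for Amazon S3 Console/Agent log lines of the shape
'<cloudwatch-ts> <app-ts>|LEVEL|Category|message', where the message is prose
or a JSON document (sometimes pretty-printed over the following lines)."""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Optional CloudWatch ingestion timestamp, then the application's own timestamp.
HEADER_RE = re.compile(
    r"^(?:\S+\s+)?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\|"
    r"(?P<level>[A-Z]+)\|(?P<category>[A-Za-z]+)\|(?P<message>.*)$", re.DOTALL)

# Constructed sample in the page's format; guids, account ids, bucket and
# principal names are placeholders, not real values.
SAMPLE_LOG = """\
2020-08-13T10:39:55.290-06:00 2020-08-13 16:39:55.2901|INFO|Buckets|Turned off protection for bucket 'example-uploads'
2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|{"guid":"00000000-0000-4000-8000-000000000001","dateScanned":"2020-08-24T21:15:32.7952943Z","bucketName":"example-uploads","key":"incoming/eicar.zip","scanResult":"Infected","actionTaken":"Move","detectedVirus":"Win.Test.EICAR_HDB-1","virusUploadedBy":"AWS:EXAMPLEROLEID:uploader","errorMessage":"","fileExists":true,"movedTo":"cloudstoragesecquarantine-example-us-east-1","region":"us-east-1","accountId":"111111111111"}
2020-08-24T15:15:33.243-06:00 2020-08-24 21:15:33.2432|INFO|CleanScanResults|
{
  "guid": "00000000-0000-4000-8000-000000000002",
  "bucketName": "example-uploads",
  "key": "incoming/report.txt",
  "scanResult": "Clean",
  "actionTaken": "None"
}
2020-08-24T15:15:00.132-06:00 2020-08-24 21:15:00.1314|INFO|ErrorScanResults|{"guid":"00000000-0000-4000-8000-000000000003","bucketName":"partner-bucket","key":"template.yaml","scanResult":"Error","actionTaken":"None","errorMessage":"Unable to access the remote account.","region":"us-east-1","accountId":"222222222222"}
"""

@dataclass
class LogEvent:
    timestamp: str
    level: str
    category: str
    message: str
    payload: Optional[dict]  # parsed JSON body, if the message carried one

def parse_event(block: str) -> Optional[LogEvent]:
    """Parse one event: the header line plus any pretty-printed continuation."""
    m = HEADER_RE.match(block)
    if not m:
        return None
    message = m.group("message").strip()
    payload = None
    start = message.find("{")
    if start != -1:
        try:
            payload = json.loads(message[start:])
        except json.JSONDecodeError:
            payload = None  # prose that merely contains a brace
    return LogEvent(m.group("ts"), m.group("level"), m.group("category"), message, payload)

def parse_log(text: str) -> List[LogEvent]:
    """Group raw lines into events; a line matching HEADER_RE starts a new one."""
    events: List[Optional[LogEvent]] = []
    current: List[str] = []
    for raw in text.splitlines():
        if HEADER_RE.match(raw):
            if current:
                events.append(parse_event("\n".join(current)))
            current = [raw]
        elif current:
            current.append(raw)  # continuation of a pretty-printed JSON body
    if current:
        events.append(parse_event("\n".join(current)))
    return [e for e in events if e is not None]

def bucket_statistics(events: List[LogEvent]) -> Dict[str, Dict[str, int]]:
    """Aggregate *ScanResults events per bucket with the ScanStatistics field names."""
    counter = {"Clean": "numCleanFiles", "Infected": "numInfectedFiles", "Error": "numErrors"}
    stats: Dict[str, Dict[str, int]] = {}
    for ev in events:
        if not ev.category.endswith("ScanResults") or not ev.payload:
            continue
        s = stats.setdefault(ev.payload["bucketName"], dict.fromkeys(
            ["numFilesScanned", "numCleanFiles", "numInfectedFiles", "numErrors"], 0))
        s["numFilesScanned"] += 1
        field = counter.get(ev.payload.get("scanResult"))
        if field:
            s[field] += 1
    return stats

def findings(events: List[LogEvent]) -> List[dict]:
    """Flatten the events a SIEM should alert on into simple records."""
    alerts = []
    for ev in events:
        p = ev.payload or {}
        if ev.category == "InfectedScanResults":
            # Only a Move with a populated movedTo means the object left the bucket.
            alerts.append({"type": "infected_object", "bucket": p.get("bucketName"),
                           "key": p.get("key"), "virus": p.get("detectedVirus"),
                           "quarantined": p.get("actionTaken") == "Move" and bool(p.get("movedTo"))})
        elif ev.category == "ErrorScanResults":
            alerts.append({"type": "scan_error", "bucket": p.get("bucketName"),
                           "key": p.get("key"), "error": p.get("errorMessage")})
        elif ev.category == "Buckets" and ev.message.startswith("Turned off protection"):
            m = re.search(r"bucket '([^']+)'", ev.message)
            alerts.append({"type": "protection_disabled", "bucket": m.group(1) if m else None})
    return alerts
```

Feed it the output of a CloudWatch Logs export or a subscription filter and forward the `findings()` records to the SIEM; the `bucket_statistics()` totals can be compared against the hourly ScanStatistics entries as a sanity check.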
We have been able to simplify the management and delivery of the solution such that there are very few tasks the administrator is required to perform inside the AWS Console. As a result, the Console and Event Agent have a number of permissions assigned to them within their respective roles to allow them to perform the actions needed on your behalf. In all cases, we went with a least privilege model wherever possible. There are a few instances where we have assigned * when it is required. Below you will find a review of the two IAM Roles we create and assign to the Console and scanning Agents.
Please review and Contact Us if you have any questions we can clear up for you.
The permission descriptions below follow the format:
- system-name
  - permission 1
    - reason it is needed
  - ...
  - permission n
    - reason it is needed
* application-autoscaling
  * PutScalingPolicy
    * For attaching auto scaling policies to the Agent services
  * RegisterScalableTarget
    * For allowing Agent services to be scalable
* aws-marketplace
  * MeterUsage
    * For submitting application data usage
* cloudwatch
  * GetMetricStatistics
    * For getting bucket size information
* ec2
  * CreateSecurityGroup
    * For creating a security group for the Agent services
  * DescribeNetworkInterfaces
    * For getting the IP of the new Console after an update has been applied
  * DescribeSubnets
    * For getting the list of subnets for Agent service configuration
  * DescribeVpcs
    * For getting the list of VPCs for Agent service configuration
* ecs
  * CreateCluster
    * For creating clusters in regions other than the region the console is in, for Agent services in those regions
  * DescribeTaskDefinition
    * For checking the current version of the Console and Agents
  * DescribeTasks
    * For getting the details of a new console task while applying updates
  * ListTasks
    * For getting the list of running console tasks while applying updates
  * RegisterTaskDefinition
    * For creating new Agent services and applying updates to the Console and Agents
* logs (all of the below are needed for creating and monitoring CloudWatch logs)
  * CreateLogStream
  * DescribeLogGroups
  * DescribeLogStreams
  * GetLogEvents
  * GetLogRecord
  * GetQueryResults
  * PutLogEvents
  * StartQuery
  * StopQuery
* s3
  * CreateBucket
    * For creating a quarantine bucket in each region that has protected buckets
  * GetBucketAcl
    * For checking if a bucket is public
  * GetBucketLocation
    * For finding the region of the bucket
  * GetBucketNotification
    * For detecting events attached to the bucket
  * GetBucketPolicy
    * For checking if a bucket is public
  * GetBucketPolicyStatus
    * For checking if a bucket is public
  * GetObjectAcl
    * For checking if objects are public
  * ListAllMyBuckets
    * For listing buckets in the Console
  * ListBucket
    * For identifying files to scan
  * PutBucketAcl
    * For making buckets non-public
  * PutBucketNotification
    * For setting events on buckets to enable protection
  * PutBucketPolicy
    * For making buckets non-public
  * PutBucketPublicAccessBlock
    * For making buckets non-public
  * PutObjectAcl
    * For making objects non-public
* sns
  * ListSubscriptions
    * For unsubscribing the CloudStorageSec SQS Queue from a non-CloudStorageSec SNS Topic
  * ListSubscriptionsByTopic
    * For unsubscribing the CloudStorageSec SQS Queue from a non-CloudStorageSec SNS Topic
  * ListTopics
    * For unsubscribing the CloudStorageSec SQS Queue from a non-CloudStorageSec SNS Topic
  * Subscribe
    * For subscribing the CloudStorageSec SQS Queue to an SNS Topic
  * Unsubscribe
    * For unsubscribing the CloudStorageSec SQS Queue from an SNS Topic
* ssm
  * CreateDocument
    * For creating the initial AppConfig document for CloudStorageSec Agents
  * ListDocuments
    * For creating the initial AppConfig document for CloudStorageSec Agents
* appconfig
  * CreateConfigurationProfile
    * For one-time creation of the Configuration Profile for CloudStorageSec Agents
  * ListConfigurationProfiles
    * For retrieving the Configuration Profile ID upon Console startup
  * StartDeployment
    * For deploying a new version of the Agent configuration
* cloudwatch
  * PutMetricAlarm
    * For creating the Agent autoscaling alarm based on SQS queue size
* dynamodb (all of the below are needed for various DynamoDB operations on CloudStorageSec tables)
  * DeleteItem
  * DescribeTable
  * GetItem
  * PutItem
  * Query
  * Scan
  * UpdateItem
* ecr
  * ListImages
    * For checking if there are new versions of the Console or Agent available
* ecs
  * CreateService
    * For creating the Agent service in a region that did not previously have any protected buckets
  * DescribeClusters
    * For checking if a cluster for Agents already exists in a given region
  * DescribeServices
    * For checking if the Agent service already exists in a given cluster
  * UpdateService
    * For updating the Console or Agent service(s) to point at a new application version
* iam
  * PassRole
    * For assigning the appropriate role to the created AppConfig Document
* sns
  * AddPermission
    * For allowing S3 buckets to send messages to the CloudStorageSec SNS Topic
  * CreateTopic
    * For creating the CloudStorageSec SNS Topic
  * SetTopicAttributes
    * For attaching the policy allowing S3 buckets to send messages to the CloudStorageSec SNS Topic
* sqs
  * CreateQueue
    * For creating the CloudStorageSec SQS Queue
  * GetQueueAttributes
    * For getting the ARN and current Policy of the CloudStorageSec SQS Queue
  * SendMessage
    * For adding messages to the CloudStorageSec SQS Queue
  * SendMessageBatch
    * For batch adding messages to the CloudStorageSec SQS Queue
  * SetQueueAttributes
    * For setting the Policy
* ssm (all of the below are for updating the Agent config document)
  * DescribeDocument
  * GetDocument
  * UpdateDocument
* appconfig (all of the below are for requesting an Agent config deployment)
  * ListApplications
  * ListDeploymentStrategies
* s3
  * DeleteObject
    * For deleting infected objects
  * GetObject
    * For getting objects to scan
  * GetObjectTagging
    * For getting the current tags of an object (needed when moving objects to quarantine)
  * ListBucket
    * For listing objects in a bucket
  * PutObject
    * For copying objects to quarantine
  * PutObjectAcl
    * For copying object ACLs to quarantine
  * PutObjectTagging
    * For tagging objects with scan results (and when moving an object to quarantine)
* ssm
  * ListDocuments
    * For requesting an Agent config deployment
* appconfig (the below are for receiving Agent configuration)
  * GetApplication
  * GetConfiguration
  * GetConfigurationProfile
  * GetDeploymentStrategy
  * GetEnvironment
  * ListConfigurationProfiles
  * ListDeployments
  * ListEnvironments
* dynamodb (the below are for submitting Agent scan data into the Agent tables for the Console)
  * DescribeTable
  * PutItem
  * UpdateItem
* logs (the below are needed for creating CloudWatch logs)
  * CreateLogStream
  * DescribeLogGroups
  * PutLogEvents
* sqs (the below are for processing the CloudStorageSec SQS queue)
  * DeleteMessage
  * GetQueueAttributes
  * ReceiveMessage
* ssm
  * GetDocument
    * For accessing the AppConfig document for Agent configuration
Console Role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ecs.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:TagPolicy",
"iam:UntagPolicy",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:ListPolicyVersions",
"iam:CreatePolicyVersion"
],
"Resource": [
"arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-EC2-Management-Policy",
"arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Infrastructure-Management-Policy",
"arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Logging-And-Monitoring-Policy",
"arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Application-Resources-Policy",
"arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Security-And-Access-Policy"
],
"Effect": "Allow",
"Sid": "IAMCSSPoliciesAction"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeAccountAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllResources"
},
{
"Action": [
"elasticloadbalancing:Create*",
"elasticloadbalancing:Delete*",
"elasticloadbalancing:Modify*",
"elasticloadbalancing:*Tags",
"elasticloadbalancing:SetSubnets",
"iam:CreateServiceLinkedRole"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/*/*{console-appid}/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/*/*{console-appid}/*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/*i{console-appid}/*",
"arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
],
"Effect": "Allow",
"Sid": "RestrictedResources"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"license-manager:CheckoutLicense",
"license-manager:ListReceivedLicenses"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllResources"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudtrail:*DataStore*",
"cloudtrail:*Quer*",
"cloudtrail:*Channel*",
"cloudtrail-data:*Audit*",
"iam:ListRoles",
"iam:GetRolePolicy",
"iam:GetUser"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudTrail"
},
{
"Condition": {
"StringEquals": {
"iam:PassedToService": "cloudtrail.amazonaws.com"
}
},
"Action": [
"iam:PassRole"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "PassRole"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectTagging",
"s3:DeleteBucket",
"s3:ListBucket",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:PutBucketTagging",
"s3:GetBucketTagging"
],
"Resource": [
"arn:aws:s3:::{application-Bucket}",
"arn:aws:s3:::{application-Bucket}/*"
],
"Effect": "Allow",
"Sid": "CloudStorageSecS3Bucket"
},
{
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:ListBucket",
"s3:PutLifecycleConfiguration",
"s3:PutEncryptionConfiguration",
"s3:PutBucketTagging",
"s3:GetBucketTagging",
"s3:GetObject",
"s3:GetObjectTagging",
"s3:GetObjectAttributes",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:DeleteObjectTagging",
"s3:DeleteObjectVersion",
"s3:DeleteObjectVersionTagging",
"s3:DeleteBucketPolicy",
"s3:PutBucketPolicy"
],
"Resource": [
"arn:aws:s3:::{quarantine-Bucket}-*"
],
"Effect": "Allow",
"Sid": "CloudStorageSecS3QuarantineBucket"
},
{
"Action": [
"dynamodb:BatchWriteItem",
"dynamodb:CreateTable",
"dynamodb:DeleteItem",
"dynamodb:DeleteTable",
"dynamodb:DescribeContinuousBackups",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:ListTagsOfResource",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:TagResource",
"dynamodb:UntagResource",
"dynamodb:UpdateContinuousBackups",
"dynamodb:UpdateItem",
"dynamodb:UpdateTable"
],
"Resource": [
"arn:aws:dynamodb:{Aws-Region}:{AwsAccount}:table/{appId}.*"
],
"Effect": "Allow",
"Sid": "DynamoDb"
},
{
"Action": [
"sqs:CreateQueue",
"sqs:DeleteQueue",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ListQueueTags",
"sqs:ListQueues",
"sqs:SetQueueAttributes",
"sqs:SendMessage",
"sqs:TagQueue",
"sqs:ReceiveMessage",
"sqs:UntagQueue"
],
"Resource": [
"arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-{appId}*",
"arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-DC-{appId}*",
"arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-EFS-{appId}*",
"arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-FSx-{appId}*",
"arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-ScannedItems-{appId}*",
"arn:aws:sqs:*:{AwsAccount}:CloudStorageSecRetroQueue-{appId}*"
],
"Effect": "Allow",
"Sid": "SQS"
},
{
"Action": [
"elasticfilesystem:CreateTags",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeTags",
"elasticfilesystem:TagResource",
"elasticfilesystem:UntagResource",
"elasticfilesystem:ListTagsForResource",
"elasticfilesystem:ModifyMountTargetSecurityGroups"
],
"Resource": [
"arn:aws:elasticfilesystem:*:*:file-system/*"
],
"Effect": "Allow",
"Sid": "EFSActions"
},
{
"Action": [
"elasticfilesystem:DeleteAccessPoint",
"elasticfilesystem:DescribeAccessPoints"
],
"Resource": [
"arn:aws:elasticfilesystem:*:*:file-system/*",
"arn:aws:elasticfilesystem:*:*:access-point/*"
],
"Effect": "Allow",
"Sid": "EFSAccessPointsActions"
},
{
"Action": [
"ecr:ListImages"
],
"Resource": [
"arn:aws:ecr:{Aws-region}:564477214187:repository/cloudstoragesecurity/*"
],
"Effect": "Allow",
"Sid": "ECR"
},
{
"Action": [
"bedrock:InvokeModel",
"bedrock:GetFoundationModel",
"bedrock:ListFoundationModels"
],
"Resource": "arn:aws:bedrock:*::foundation-model/*",
"Effect": "Allow",
"Sid": "Bedrock"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"ec2:ResourceTag/CloudStorageSecExtraLargeFileScanning": "ExtraLargeFileScanning"
}
},
"Action": [
"ec2:DeleteVolume",
"ec2:TerminateInstances"
],
"Resource": "arn:aws:ec2:*:*:*",
"Effect": "Allow",
"Sid": "DeleteLargeFileScanningVolumes"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/CloudStorageSec-i401ajc": "Snapshot"
}
},
"Action": [
"ec2:CreateTags",
"ec2:CreateSnapshot"
],
"Resource": [
"arn:aws:ec2:*::snapshot/*"
],
"Effect": "Allow",
"Sid": "EC2CreateSnapshot"
},
{
"Action": [
"ec2:CreateSnapshot"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow",
"Sid": "EC2CreateSnapshotForAnyVolume"
},
{
"Condition": {
"StringEquals": {
"aws:ResourceTag/CloudStorageSec-{appId}": "Snapshot"
}
},
"Action": [
"ec2:DeleteSnapshot"
],
"Resource": [
"arn:aws:ec2:*::snapshot/*"
],
"Effect": "Allow",
"Sid": "EC2DeleteSnapshot"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/CloudStorageSec-{appId}": "Volume"
}
},
"Action": [
"ec2:CreateTags",
"ec2:CreateVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow",
"Sid": "EC2VolumeCreate"
},
{
"Condition": {
"StringEquals": {
"ec2:ResourceTag/CloudStorageSec-{appId}": "Volume"
}
},
"Action": [
"ec2:DeleteVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Effect": "Allow",
"Sid": "EC2VolumeDelete"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/CloudStorageSec-{appId}": "SecurityGroupRule"
}
},
"Action": [
"ec2:CreateTags",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource": [
"arn:aws:ec2:*:{awsAccount}:security-group-rule/*"
],
"Effect": "Allow",
"Sid": "EC2CreateSecurityGroupRule"
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": [
"arn:aws:ec2:*:{awsAccount}:security-group/*",
"arn:aws:ec2:*:{awsAccount}:network-interface/*"
],
"Effect": "Allow",
"Sid": "EC2CreateSecurityGroupRuleIngress"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/CloudStorageSec-{appId}": "SecurityGroup"
}
},
"Action": [
"ec2:CreateTags",
"ec2:CreateSecurityGroup"
],
"Resource": [
"arn:aws:ec2:*:{awsAccount}:security-group/*"
],
"Effect": "Allow",
"Sid": "EC2CreateSecurityGroup"
},
{
"Action": [
"ec2:CreateTags",
"ec2:CreateSecurityGroup"
],
"Resource": [
"arn:aws:ec2:*:{awsAccount}:vpc/*"
],
"Effect": "Allow",
"Sid": "EC2CreateSecurityGroupVPC"
},
{
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:{awsAccount}:security-group/*",
"arn:aws:ec2:*:{awsAccount}:subnet/*",
"arn:aws:ec2:*::image/*"
],
"Effect": "Allow",
"Sid": "EC2RunInstanceInfrastructure"
},
{
"Condition": {
"StringEquals": {
"aws:RequestTag/CloudStorageSec-{appId}": "EC2Instance"
}
},
"Action": [
"ec2:RunInstances",
"ec2:CreateTags",
"iam:PassRole",
"ssm:GetParameters"
],
"Resource": [
"arn:aws:ec2:*:{awsAccount}:instance/*",
"arn:aws:ec2:*:{awsAccount}:network-interface/*",
"arn:aws:ec2:*:{awsAccount}:volume/*"
],
"Effect": "Allow",
"Sid": "EC2RunInstance"
},
{
"Condition": {
"StringEquals": {
"ec2:ResourceTag/CloudStorageSec-{appId}": "EC2Instance"
}
},
"Action": [
"ec2:TerminateInstances"
],
"Resource": [
"arn:aws:ec2:*:{awsAccount}:instance/*"
],
"Effect": "Allow",
"Sid": "EC2TerminateInstance"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:UpdateStack"
],
"Resource": [
"arn:aws:cloudformation:{Aws-Region}:*:stack/{CloudFormationStack-name}/*"
],
"Effect": "Allow",
"Sid": "CloudFormation"
},
{
"Action": [
"ecs:TagResource",
"ecs:ListTagsForResource",
"ecs:UntagResource",
"ecs:CreateCluster",
"ecs:DeleteCluster",
"ecs:DescribeClusters",
"ecs:ListContainerInstances",
"ecs:CreateService",
"ecs:DeleteService",
"ecs:DescribeServices",
"ecs:UpdateService",
"ecs:ListTasks",
"ecs:DescribeTasks"
],
"Resource": [
"arn:aws:ecs:*:{AwsAccount}:cluster/CloudStorageSecCluster-{appId}",
"arn:aws:ecs:*:{AwsAccount}:service/CloudStorageSecCluster-{appId}/*",
"arn:aws:ecs:*:{AwsAccount}:container-instance/CloudStorageSecCluster-{appId}/*",
"arn:aws:ecs:*:{AwsAccount}:task/CloudStorageSecCluster-{appId}/*"
],
"Effect": "Allow",
"Sid": "ECSCluster"
},
{
"Condition": {
"ForAnyValue:StringEquals": {
"aws:RequestTag/CloudStorageSec-{appId}": [
"TaskDefinition",
"ConsoleTaskDefinition"
]
}
},
"Action": [
"ecs:TagResource",
"ecs:RegisterTaskDefinition"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ECSRegisterTask"
},
{
"Condition": {
"ForAnyValue:StringEquals": {
"aws:ResourceTag/CloudStorageSec-{appId}": [
"TaskDefinition",
"ConsoleTaskDefinition"
]
}
},
"Action": [
"ecs:TagResource",
"ecs:ListTagsForResource",
"ecs:UntagResource",
"ecs:RunTask",
"ecs:DeleteTaskDefinitions"
],
"Resource": "arn:aws:ecs:*:{Aws-Account}:task-definition/CloudStorageSec*-{appId}:*",
"Effect": "Allow",
"Sid": "ECSRunDeleteTask"
},
{
"Condition": {
"StringEquals": {
"application-autoscaling:scalable-dimension": "ecs:service:DesiredCount"
}
},
"Action": [
"application-autoscaling:DeregisterScalableTarget",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:RegisterScalableTarget"
],
"Resource": [
"arn:aws:application-autoscaling:*:{Aws-Account}:scalable-target/*"
],
"Effect": "Allow",
"Sid": "ApplicationAutoscaling"
},
{
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": "CloudStorageSec-{appId}"
}
},
"Action": [
"application-autoscaling:TagResource",
"application-autoscaling:UntagResource"
],
"Resource": [
"arn:aws:application-autoscaling:*:{Aws-Account}:scalable-target/*"
],
"Effect": "Allow",
"Sid": "ApplicationAutoscalingTagging"
},
{
"Action": [
"appconfig:DeleteConfigurationProfile",
"appconfig:GetLatestConfiguration",
"appconfig:ListConfigurationProfiles",
"appconfig:StartDeployment",
"appconfig:StartConfigurationSession",
"appconfig:TagResource",
"appconfig:UpdateApplication",
"appconfig:UpdateConfigurationProfile",
"appconfig:UpdateDeploymentStrategy",
"appconfig:UpdateEnvironment",
"appconfig:UntagResource"
],
"Resource": [
"arn:aws:appconfig:*:{Aws-Account}:application/{appId}/*",
"arn:aws:appconfig:*:{Aws-Account}:application/{appId}",
"arn:aws:appconfig:*:{Aws-Account}:deploymentstrategy/ob3q2x1"
],
"Effect": "Allow",
"Sid": "AppConfig"
},
{
"Action": [
"ssm:AddTagsToResource",
"ssm:ListTagsForResource",
"ssm:RemoveTagsFromResource",
"ssm:CreateDocument",
"ssm:DeleteDocument",
"ssm:DescribeDocument",
"ssm:DescribeDocumentParameters",
"ssm:DescribeDocumentPermission",
"ssm:ModifyDocumentPermission",
"ssm:GetDocument",
"ssm:ListDocuments",
"ssm:UpdateDocument",
"ssm:UpdateDocumentDefaultVersion",
"ssm:UpdateDocumentMetadata",
"ssm:DeleteParameter",
"ssm:DeleteParameters",
"ssm:DescribeParameters",
"ssm:GetParameter",
"ssm:GetParameterHistory",
"ssm:GetParameters",
"ssm:GetParametersByPath",
"ssm:LabelParameterVersion",
"ssm:PutParameter",
"ssm:UnlabelParameterVersion",
"secretsmanager:CreateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
"secretsmanager:RestoreSecret",
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:ssm:*:{AwsAccount}:parameter/aws/service/ecs/optimized-ami/amazon-linux*/recommended/image_id",
"arn:aws:ssm:*:{AwsAccount}:document/*{appId}",
"arn:aws:ssm:*:{AwsAccount}:parameter/*{appId}/*",
"arn:aws:ssm:*:{AwsAccount}:parameter/*{appId}",
"arn:aws:ssm:*::parameter/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id",
"arn:aws:secretsmanager:{Aws-Region}:*:secret:cloudstoragesec/*"
],
"Effect": "Allow",
"Sid": "SSMActions"
},
{
"Action": [
"events:CreateEventBus",
"events:DeleteEventBus",
"events:DeleteRule",
"events:DescribeEventBus",
"events:DescribeRule",
"events:DisableRule",
"events:EnableRule",
"events:ListRuleNamesByTarget",
"events:ListRules",
"events:ListTagsForResource",
"events:PutPermission",
"events:PutRule",
"events:PutTargets",
"events:RemovePermission",
"events:RemoveTargets",
"events:TagResource",
"events:UntagResource",
"events:UpdateEventBus"
],
"Resource": [
"arn:aws:events:*:*:*/*{appId}*",
"arn:aws:events:*:*:*/default",
"arn:aws:events:*:*:rule/*"
],
"Effect": "Allow",
"Sid": "EventBridgeActions"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:GetLogEvents",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.*:log-stream:*",
"Effect": "Allow",
"Sid": "CloudWatchLogStream"
},
{
"Action": [
"logs:ListTagsForResource",
"logs:TagResource",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy",
"logs:TagLogGroup",
"logs:UntagLogGroup",
"logs:UntagResource"
],
"Resource": [
"arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.*"
],
"Effect": "Allow",
"Sid": "CloudWatchLog"
},
{
"Action": [
"logs:StartQuery",
"logs:GetQueryResults"
],
"Resource": [
"arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.Jobs:*",
"arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ScanStatistics:*",
"arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ClassificationStatistics:*",
"arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.SystemEvents:*",
"arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ScanResults:*",
"arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ClassificationResults:*"
],
"Effect": "Allow",
"Sid": "CloudWatchLogQuery"
},
{
"Action": [
"cloudwatch:DeleteAlarms",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutMetricAlarm"
],
"Resource": [
"arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecLargeQueue-{appId}",
"arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecSmallQueue-{appId}",
"arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecLargeQueue-DC-{appId}",
"arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecSmallQueue-DC-{appId}",
"arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecConsole-HealthCheck-Alarm-{appId}",
"arn:aws:cloudwatch:*:{AwsAccount}:alarm:TargetTracking-service/CloudStorageSecCluster-{appId}/CloudStorageSecApiAgentService-{appId}*"
],
"Effect": "Allow",
"Sid": "CloudWatchAlarm"
},
{
"Action": [
"securityhub:GetFindings",
"securityhub:DisableImportFindingsForProduct",
"securityhub:BatchImportFindings",
"securityhub:EnableImportFindingsForProduct"
],
"Resource": [
"arn:aws:securityhub:{AwsRegion}:{AwsAccount}:product/cloud-storage-security/antivirus-for-amazon-s3",
"arn:aws:securityhub:{AwsRegion}:{AwsAccount}:product-subscription/cloud-storage-security/antivirus-for-amazon-s3",
"arn:aws:securityhub:{AwsRegion}:{AwsAccount}:hub/default"
],
"Effect": "Allow",
"Sid": "SecurityHubActions"
},
{
"Condition": {
"StringEquals": {
"cloudwatch:Namespace": "AWS/ECS"
}
},
"Action": "cloudwatch:PutMetricData",
"Resource": "*",
"Effect": "Allow",
"Sid": "PutECSMetricData"
},
{
"Action": [
"sns:Subscribe",
"sns:AddPermission",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:SetTopicAttributes",
"sns:GetTopicAttributes",
"sns:GetSubscriptionAttributes",
"sns:SetSubscriptionAttributes",
"sns:ListSubscriptionsByTopic",
"sns:Publish",
"sns:TagResource",
"sns:UnTagResource"
],
"Resource": [
"arn:aws:sns:*:{AwsAccount}:CloudStorageSecNotificationsTopic-{appId}",
"arn:aws:sns:*:{AwsAccount}:CloudStorageSecTopic-{appId}"
],
"Effect": "Allow",
"Sid": "SNS"
},
{
"Action": [
"servicequotas:GetServiceQuota"
],
"Resource": [
"arn:aws:servicequotas:*:{AwsAccount}:ebs/L-D18FCD1D",
"arn:aws:servicequotas:*:{AwsAccount}:ebs/L-7A658B76"
],
"Effect": "Allow",
"Sid": "ServiceQuotas"
},
{
"Action": [
"budgets:ViewBudget",
"budgets:ModifyBudget"
],
"Resource": [
"arn:aws:budgets::{AwsAccount}:budget/Cloud Storage Security Application Cost Budget - Application {appId}"
],
"Effect": "Allow",
"Sid": "Budgets"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cognito-idp:AdminGetUser",
"cognito-idp:AdminCreateUser",
"cognito-idp:AdminAddUserToGroup",
"cognito-idp:AdminDeleteUser",
"cognito-idp:AdminDeleteUserAttributes",
"cognito-idp:AdminDisableUser",
"cognito-idp:AdminEnableUser",
"cognito-idp:AdminRemoveUserFromGroup",
"cognito-idp:AdminListGroupsForUser",
"cognito-idp:AdminUpdateUserAttributes",
"cognito-idp:ListTagsForResource",
"cognito-idp:ListUsers",
"cognito-idp:ListUsersInGroup",
"cognito-idp:CreateGroup",
"cognito-idp:DeleteGroup",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:DescribeUserPool",
"cognito-idp:UpdateUserPool",
"cognito-idp:ListIdentityProviders",
"cognito-idp:SetUserPoolMfaConfig"
],
"Resource": [
"arn:aws:cognito-idp:{AwsRegion}:{AwsAccount}:userpool/{UserPool-Id}"
],
"Effect": "Allow",
"Sid": "Cognito"
},
{
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:TagInstanceProfile",
"iam:UntagInstanceProfile",
"iam:UpdateAssumeRolePolicy",
"iam:AttachRolePolicy",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRolePolicy",
"iam:PutRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:PassRole",
"iam:TagRole",
"iam:UntagRole"
],
"Resource": [
"arn:aws:iam::*:role/CloudStorageSecUserPoolRole-{appId}",
"arn:aws:iam::{AwsAccount}:role/AppConfigAgentConfigurationDocumentRole-{appId}",
"arn:aws:iam::{AwsAccount}:role/CloudStorageSecExecutionRole-{appId}",
"arn:aws:iam::{AwsAccount}:role/CloudStorageSecConsoleRole-{appId}",
"arn:aws:iam::{AwsAccount}:role/CloudStorageSecAgentRole-{appId}",
"arn:aws:iam::*:role/CloudStorageSecEc2ContainerRole-{appId}",
"arn:aws:iam::*:instance-profile/CloudStorageSecEc2ContainerRole-{appId}",
"arn:aws:iam::*:role/CloudStorageSecEventBridgeRole-{appId}"
],
"Effect": "Allow",
"Sid": "IAMAction"
},
{
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::*:role/*{appId}",
"Effect": "Allow",
"Sid": "CrossAccountAssumeRole"
},
{
"Condition": {
"StringLike": {
"kms:ViaService": "s3.*.amazonaws.com"
}
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:*:{AwsAccount}:key/*",
"Effect": "Allow",
"Sid": "KmsConsole"
},
{
"Action": [
"application-autoscaling:DescribeScalableTargets",
"aws-marketplace:MeterUsage",
"acm:DescribeCertificate",
"acm:RequestCertificate",
"cloudformation:GetTemplateSummary",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeTags",
"ec2:DescribeInternetGateways",
"ec2:DescribeInstances",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVpcs",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeSnapshots",
"ecs:DescribeTaskDefinition",
"ecs:DeregisterTaskDefinition",
"ecs:ListTaskDefinitions",
"fsx:DescribeFileSystems",
"fsx:DescribeVolumes",
"fsx:DescribeStorageVirtualMachines",
"workdocs:*Document*",
"workdocs:*Labels",
"workdocs:*Metadata",
"workdocs:*NotificationSubscription",
"logs:DescribeLogGroups",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:Unsubscribe",
"sqs:ListQueues"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "ReadOnlyGlobal"
},
{
"Action": [
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:GetInventoryConfiguration",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectTagging",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*",
"Effect": "Allow",
"Sid": "S3ReadOnly"
},
{
"Action": [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock",
"s3:PutInventoryConfiguration"
],
"Resource": "arn:aws:s3:::*",
"Effect": "Allow",
"Sid": "S3Write"
}
]
}
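The policies above define what the Console role can do, and before they go into an account a reviewer usually wants a quick pass over the statements that matter most: which principals can assume the role and under what condition (the trust policy has none, so any ECS task in any account that AWS routes through those service principals is in scope unless the caller is pinned); which Allow statements grant non-read actions on a wildcard resource (S3Write, for instance, allows s3:PutBucketPolicy and s3:PutBucketPublicAccessBlock on arn:aws:s3:::*, every bucket in the account rather than only the ones being scanned); iam:PassRole statements without an iam:PassedToService condition; and sts:AssumeRole whose resource spans any account. The script below is an added example, not Cloud Storage Security's own code. It runs that pass over the trust policy and a trimmed subset of the permission statements copied from this page, beside a hardened trust policy that is an assumption for the example (the page does not show it) and adds an aws:SourceAccount condition so that only ECS tasks launched from the installing account can assume the role.

```python
"""Least-privilege review of the Console role policies documented above.

Added example, not Cloud Storage Security's own code. The trust policy and the
permission statements below are copied from this page (the permissions are a
trimmed subset; placeholders such as {AwsAccount} are left as-is). The hardened
trust policy is an assumption for this example, not something the page shows.
"""
import json
import re

# Trust policy as documented for the Console role.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]}}]
}""")

# Hardened variant (assumption): same principals, but only when the calling
# service acts on behalf of this account, the usual confused-deputy mitigation.
HARDENED_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]},
    "Condition": {"StringEquals": {"aws:SourceAccount": "{AwsAccount}"}}}]
}""")

# Trimmed subset of the documented permission statements.
PERMISSIONS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PassRole", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
     "Condition": {"StringEquals": {"iam:PassedToService": "cloudtrail.amazonaws.com"}}},
    {"Sid": "IAMAction", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:PassRole"],
     "Resource": ["arn:aws:iam::{AwsAccount}:role/CloudStorageSecAgentRole-{appId}"]},
    {"Sid": "CrossAccountAssumeRole", "Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": "arn:aws:iam::*:role/*{appId}"},
    {"Sid": "ReadOnlyGlobal", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "acm:RequestCertificate",
                "ecs:DeregisterTaskDefinition", "workdocs:*Document*"]},
    {"Sid": "S3ReadOnly", "Effect": "Allow", "Resource": "arn:aws:s3:::*",
     "Action": ["s3:GetObject", "s3:ListAllMyBuckets"]},
    {"Sid": "S3Write", "Effect": "Allow", "Resource": "arn:aws:s3:::*",
     "Action": ["s3:PutObject", "s3:PutBucketPolicy", "s3:PutBucketPublicAccessBlock"]}
  ]
}""")

READ_VERBS = ("Describe", "List", "Get", "View", "Filter")
# '*' or an ARN whose entire resource part is '*' (arn:aws:s3:::*, arn:aws:ec2:*:*:*),
# but not a scoped ARN that merely ends in ':*' (a log-group ARN, for example).
WILDCARD_ARN = re.compile(r"arn:[^:]*:[^:]*:[^:]*:[^:]*:\*")


def as_list(value):
    """IAM allows Action/Resource/Principal values to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """Describe*/List*/Get*-style actions; a wildcard verb is never read-only."""
    return action.split(":", 1)[-1].startswith(READ_VERBS)


def is_wildcard_resource(resource):
    return resource == "*" or WILDCARD_ARN.fullmatch(resource) is not None


def review_trust_policy(policy):
    """Principals allowed to assume the role with no Condition attached."""
    unconditioned = []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if "sts:AssumeRole" not in as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        if isinstance(principal, dict):
            for key in ("Service", "AWS", "Federated"):
                unconditioned += as_list(principal.get(key))
        else:
            unconditioned.append(principal)  # "Principal": "*"
    return unconditioned


def review_permissions(policy):
    """(sid, reason, detail) for Allow statements a reviewer should look at."""
    findings = []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no sid>")
        actions = as_list(st.get("Action"))
        resources = as_list(st.get("Resource"))
        condition_keys = {k for op in st.get("Condition", {}).values() for k in op}
        non_read = [a for a in actions if not is_read_only(a)]
        if non_read and not condition_keys and any(map(is_wildcard_resource, resources)):
            findings.append((sid, "non-read actions on wildcard resource", non_read))
        if "iam:PassRole" in actions and "iam:PassedToService" not in condition_keys:
            findings.append((sid, "iam:PassRole without iam:PassedToService condition", resources))
        if "sts:AssumeRole" in actions and any(r.startswith("arn:aws:iam::*:") for r in resources):
            findings.append((sid, "sts:AssumeRole into roles in any account", resources))
    return findings


if __name__ == "__main__":
    print("assumable without condition:", review_trust_policy(TRUST_POLICY))
    print("assumable without condition (hardened):", review_trust_policy(HARDENED_TRUST_POLICY))
    for sid, reason, detail in review_permissions(PERMISSIONS):
        print(f"{sid}: {reason}: {detail}")
```

The findings are review prompts, not verdicts: the ReadOnlyGlobal and S3Write grants may be exactly what the product needs in order to set bucket notifications, logging and policies on the buckets you point it at, but they are the grants to confirm against your own account before installing, and a statement that carries a Condition is deliberately skipped by the wildcard check because the condition, not the resource, is doing the scoping there. The same functions can be pointed at the real role by feeding them the output of `aws iam get-role` and `aws iam get-role-policy` instead of the embedded copies.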
Antivirus for Amazon S3 has been built in such a way that the underlying scanning engine can be exchanged with other scanning engines as needed or desired. There are three engines included out of the box:
Sophos - a well-known enterprise solution that offers speed, great accuracy and large file scanning
ClamAV - a widely used open source antivirus engine for detecting trojans, viruses, malware & other malicious threats
CSS Premium - our latest scanning engine that can be used as either a primary scanning engine or as a secondary scanning engine to increase the efficacy of your scan

| Engine | Signature updates | Performance | Detection method | | Maximum file size |
|---|---|---|---|---|---|
| Sophos | Agent checks every 15 minutes; vendor typically updates 4 times per day | Faster engine; refer to | Signature based | Yes | 195GB; 5TB with extra large file scanning |
| ClamAV | Agent checks every hour; vendor typically updates once per day | Good performance engine; refer to | Signature based | Yes | 2GB |
| CSS Premium | Agent checks every 15 minutes; typically updates one to four times per day | Great performance; data to be released in the near future | Signature based | Yes | 195GB through an ECS task; 5TB with extra large file scanning |

Antivirus for Amazon S3 has the ability to use multiple scanning engines configured serially to ensure the highest level of efficacy and protection. Antivirus for Amazon S3 updates virus definitions as defined above as well as with each reboot / new spin-up.
If you are a scan engine vendor and would like to partner with us to get your engine integrated into our solution, or if you are a customer who would prefer another engine, please Contact Us.