
Architecture Overview

Architecture

The architecture shown below supports the object flow described in the Object Scanning section, both in a single region and across all supported regions. The Console region has all components deployed to it. Any additional regions require only the scanning Agent(s), which report back to the centrally located Console. Beyond this high-level architecture, the Deployment Details page has more detail on routing and the public access required.

Architecture - High-level Overview

Single Region Architecture

Multi-Region Architecture

Multi-Account Architecture

Platform Services

While many services are used (ECS Fargate, App Config, CloudWatch, CloudFormation, DynamoDB, SNS, SQS, IAM) to deliver the Antivirus for Amazon S3 solution, two are called out here: CloudWatch and IAM, which are leveraged for logging and permissions respectively. These cover the usual questions we get from customers: how do I check the logs, and what are you doing behind the scenes, permissions-wise?

We wanted to make sure you had those bases covered.

CloudWatch LogGroup Overview

Log groups for the Console:

  • AgentConfig - logs of changes to agent configuration performed through the console

    Sample AgentConfig Logs
    2020-08-19T23:01:08.246-06:00 2020-08-20 05:01:08.2466|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'ap-northeast-1': {"region":"ap-northeast-1","vpcId":"vpc-6902080e","subnets":[{"subnetId":"subnet-1673ac3d","availabilityZone":"ap-northeast-1d","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-bd66b2f5","availabilityZone":"ap-northeast-1a","cidrBlock":"172.31.32.0/20"}]}
    2020-08-19T23:01:08.322-06:00 2020-08-20 05:01:08.3225|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'eu-west-3': {"region":"eu-west-3","vpcId":"vpc-e9677880","subnets":[{"subnetId":"subnet-232b114a","availabilityZone":"eu-west-3a","cidrBlock":"172.31.0.0/20"},{"subnetId":"subnet-266a0c6b","availabilityZone":"eu-west-3c","cidrBlock":"172.31.32.0/20"}]}
    2020-08-19T23:01:08.409-06:00 2020-08-20 05:01:08.4092|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-1': {"region":"us-west-1","vpcId":"vpc-1c55a17a","subnets":[{"subnetId":"subnet-b8c563de","availabilityZone":"us-west-1b","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-3c59aa66","availabilityZone":"us-west-1a","cidrBlock":"172.31.0.0/20"}]}
    2020-08-19T23:01:08.490-06:00 2020-08-20 05:01:08.4899|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-2': 
    {
        "region": "us-west-2",
        "vpcId": "vpc-2f007457",
        "subnets": [
            {
                "subnetId": "subnet-f6f91abc",
                "availabilityZone": "us-west-2a",
                "cidrBlock": "172.31.32.0/20"
            },
            {
                "subnetId": "subnet-f0408688",
                "availabilityZone": "us-west-2b",
                "cidrBlock": "172.31.16.0/20"
            }
        ]
    }
    2020-08-20 05:01:08.4899|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-2': {"region":"us-west-2","vpcId":"vpc-2f007457","subnets":[{"subnetId":"subnet-f6f91abc","availabilityZone":"us-west-2a","cidrBlock":"172.31.32.0/20"},{"subnetId":"subnet-f0408688","availabilityZone":"us-west-2b","cidrBlock":"172.31.16.0/20"}]}
    
  • Buckets - logs of changes to bucket protection status and any errors that may occur while trying to turn on/off buckets

    Sample Buckets Logs
    2020-08-13T10:31:12.309-06:00 2020-08-13 16:31:12.3094|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files' 
    2020-08-13T10:39:55.290-06:00 2020-08-13 16:39:55.2901|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
    2020-08-13T10:47:56.726-06:00 2020-08-13 16:47:56.7262|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
    2020-08-13T10:59:48.397-06:00 2020-08-13 16:59:48.3969|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
    2020-08-13T11:36:53.512-06:00 2020-08-13 17:36:53.5125|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket'
    2020-08-13T11:36:56.921-06:00 2020-08-13 17:36:56.9212|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket-2'
    2020-08-13T12:26:51.700-06:00 2020-08-13 18:26:51.7006|INFO|Buckets|Turned on protection for bucket 'css-webinar-existing-files'
    2020-08-13T12:27:18.104-06:00 2020-08-13 18:27:18.1044|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
    2020-08-17T15:53:25.588-06:00 2020-08-17 21:53:25.5884|INFO|Buckets|Turned off protection for bucket '100kb-bucket'
    2020-08-17T15:53:25.755-06:00 2020-08-17 21:53:25.7552|INFO|Buckets|Turned off protection for bucket 'demo-destination-bucket'
    
  • EcsConfig - logs of actions taken to enable or disable Agents in a region. This includes creation of clusters, task definitions, services, SNS topics, SQS queues, quarantine buckets, and autoscaling policies.

    Sample EcsConfig Logs
    2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
    2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-1
    2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Setting Large Queue threshold to '1' in ap-northeast-1
    2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
    2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
    2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Set Large Queue threshold to '1' in ap-northeast-1 
    2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Setting Large Queue threshold to '1' in us-west-2
    2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
    2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
    2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-2
    2020-08-21T13:19:58.631-06:00 2020-08-21 19:19:58.6311|INFO|EcsConfig|Setting Min and Max agents to '0' and '3' respectively in us-east-1
    2020-08-21T13:19:58.908-06:00 2020-08-21 19:19:58.9080|INFO|EcsConfig|Set Min and Max agents to '0' and '3' respectively in us-east-1
    2020-08-21T13:20:09.553-06:00 2020-08-21 19:20:09.5536|INFO|EcsConfig|Setting Min and Max agents to '0' and '1' respectively in us-east-1
    2020-08-21T13:20:09.826-06:00 2020-08-21 19:20:09.8262|INFO|EcsConfig|Set Min and Max agents to '0' and '1' respectively in us-east-1
    
  • Metering - logs of when metering is submitted, and any errors that may occur during metering

    Sample Metering Logs
    2020-08-21T14:03:01.665-06:00 2020-08-21 20:03:01.6647|INFO|Metering|Metering submitted at 08/21/2020 20:03:01 for Dimension FreeTrial and Quantity 43
    2020-08-21T15:03:00.950-06:00 2020-08-21 21:03:00.9503|INFO|Metering|Metering submitted at 08/21/2020 21:03:00 for Dimension FreeTrial and Quantity 43
    2020-08-21T16:03:00.108-06:00 2020-08-21 22:03:00.1084|INFO|Metering|Metering submitted at 08/21/2020 22:03:00 for Dimension FreeTrial and Quantity 44
    2020-08-21T17:03:00.290-06:00 2020-08-21 23:03:00.2903|INFO|Metering|Metering submitted at 08/21/2020 23:03:00 for Dimension FreeTrial and Quantity 44
    2020-08-21T18:03:00.539-06:00 2020-08-22 00:03:00.5393|INFO|Metering|Metering submitted at 08/22/2020 00:03:00 for Dimension FreeTrial and Quantity 1
    2020-08-21T19:03:00.782-06:00 2020-08-22 01:03:00.7815|INFO|Metering|Metering submitted at 08/22/2020 01:03:00 for Dimension GoFwdTier1 and Quantity 0
    
  • Metrics - logs of when cache for Console dashboard chart data is updated

    Sample Metrics Logs
    2020-08-21T13:19:01.171-06:00 2020-08-21 19:19:01.1714|INFO|Metrics|Getting chart values for time window: 08/20/2020 19:19:01-08/21/2020 19:19:01
    2020-08-21T13:19:08.774-06:00 2020-08-21 19:19:08.7737|INFO|Metrics|Updated cache for time window: 08/20/2020 19:19:01-08/21/2020 19:19:01
    2020-08-21T13:19:09.932-06:00 2020-08-21 19:19:09.9316|INFO|Metrics|Getting chart values for time window: 08/21/2020 18:19:09-08/21/2020 19:19:09
    2020-08-21T13:19:09.971-06:00 2020-08-21 19:19:09.9708|INFO|Metrics|Updated cache for time window: 08/21/2020 18:19:09-08/21/2020 19:19:09
    2020-08-21T13:19:09.972-06:00 2020-08-21 19:19:09.9708|INFO|Metrics|Getting chart values for time window: 08/14/2020 19:19:09-08/21/2020 19:19:09
    2020-08-21T13:19:10.566-06:00 2020-08-21 19:19:10.5661|INFO|Metrics|Getting chart values for time window: 08/14/2020 19:19:10-08/21/2020 19:19:10
    2020-08-21T13:19:10.678-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Updated cache for time window: 08/14/2020 19:19:09-08/21/2020 19:19:09
    2020-08-21T13:19:10.679-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Getting chart values for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
    2020-08-21T13:19:10.680-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Getting chart values for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
    2020-08-21T13:19:11.355-06:00 2020-08-21 19:19:11.3548|INFO|Metrics|Updated cache for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
    
  • RetroScan - logs of when retro scanning starts and finishes per bucket as well as when queue entries are added

    Sample RetroScan Logs
    2020-08-13T11:37:05.123-06:00 2020-08-13 17:37:05.1233|INFO|RetroScan|Starting to crawl bucket 'webinar-other-account-bucket-2' in region 'us-east-1' for account '7xxxxxxxxxx7'
    2020-08-13T11:37:05.187-06:00 2020-08-13 17:37:05.1871|INFO|RetroScan|Fetching next set of objects from 'webinar-other-account-bucket-2' in region 'us-east-1'
    2020-08-13T11:37:05.247-06:00 2020-08-13 17:37:05.2463|INFO|RetroScan|Finished crawling bucket 'webinar-other-account-bucket-2' in region 'us-east-1'
    2020-08-13T12:26:59.689-06:00 2020-08-13 18:26:59.6883|INFO|RetroScan|Starting to crawl bucket 'css-webinar-existing-files' in region 'us-east-1' for account '7xxxxxxxxxx8'
    2020-08-13T12:26:59.712-06:00 2020-08-13 18:26:59.7125|INFO|RetroScan|Fetching next set of objects from 'css-webinar-existing-files' in region 'us-east-1'
    2020-08-13T12:26:59.774-06:00 2020-08-13 18:26:59.7742|INFO|RetroScan|Sending message to queue 'https://sqs.us-east-1.amazonaws.com/7xxxxxxxxxx8/CloudStorageSecRetroQueu
    
  • Subdomain - logs of each time the console is assigned a new IP and when the subdomain is renamed

    Sample Subdomain Logs
    2020-08-17T13:03:28.291-06:00 2020-08-17 19:03:28.2911|INFO|Subdomain|Updating IP address for console subdomain
    2020-08-17T13:03:32.106-06:00 2020-08-17 19:03:32.1056|INFO|Subdomain|Updated IP address for console subdomain
    2020-08-17T13:16:49.080-06:00 2020-08-17 19:16:49.0797|INFO|Subdomain|Checking if 'preview' is available.
    2020-08-17T13:26:13.256-06:00 2020-08-17 19:26:13.2559|INFO|Subdomain|Checking if 'preview' is available.
    2020-08-17T13:26:20.703-06:00 2020-08-17 19:26:20.7027|INFO|Subdomain|Checking if 'preview' is available.
    2020-08-17T13:28:07.726-06:00 2020-08-17 19:28:07.7258|INFO|Subdomain|Checking if 'preview' is available.
    2020-08-17T13:28:10.089-06:00 2020-08-17 19:28:10.0888|INFO|Subdomain|Setting console subdomain to 'preview'
    2020-08-17T13:28:13.710-06:00 2020-08-17 19:28:13.7098|INFO|Subdomain|Set console subdomain to 'preview'
    
  • System - logs of general Console system information and errors and the return of the entitlement verification

    Sample System Logs
    2020-08-21T13:25:58.374-06:00 2020-08-21 19:25:58.3713|INFO|System|Entitlement Verified.
    
  • Updates - logs of what updates are available and when an update is being performed

    Sample Updates Logs
    2020-08-21T13:19:00.532-06:00 2020-08-21 19:19:00.5309|INFO|Updates|Getting version of CloudStorageSecAgentService-pk913wa
    2020-08-21T13:19:00.532-06:00 2020-08-21 19:19:00.5309|INFO|Updates|CloudStorageSecAgentService-pk913wa is version v3.01.003
    2020-08-21T13:19:00.533-06:00 2020-08-21 19:19:00.5309|INFO|Updates|Getting version of CloudStorageSecConsoleService-pk913wa
    2020-08-21T13:19:00.585-06:00 2020-08-21 19:19:00.5847|INFO|Updates|CloudStorageSecConsoleService-pk913wa is version v3.02.005
    2020-08-21T13:19:00.586-06:00 2020-08-21 19:19:00.5865|INFO|Updates|Looking for minor or patch update of CloudStorageSecAgentService-pk913wa greater than v3.01.003
    2020-08-21T13:19:00.631-06:00 2020-08-21 19:19:00.6313|INFO|Updates|No minor or patch update available
    2020-08-21T13:19:00.631-06:00 2020-08-21 19:19:00.6313|INFO|Updates|Looking for minor or patch update of CloudStorageSecConsoleService-pk913wa greater than v3.02.005
    2020-08-21T13:19:00.664-06:00 2020-08-21 19:19:00.6644|INFO|Updates|No minor or patch update available
    2020-08-21T13:19:00.665-06:00 2020-08-21 19:19:00.6644|INFO|Updates|Looking for major update greater than v3.02.005
    2020-08-21T13:19:00.685-06:00 2020-08-21 19:19:00.6853|INFO|Updates|No major update available
    
  • Users - logs of all user activity including user creates/deletes, password resets, role changes

    Sample Users Logs
    2020-06-17T12:44:19.526-06:00 2020-06-17 18:44:19.5262|INFO|Users|Password changed for user 'admin'.
    2020-06-17T20:06:32.240-06:00 2020-06-18 02:06:32.2403|INFO|Users|User 'aaron' created.
    2020-06-17T23:57:25.905-06:00 2020-06-18 05:57:25.9051|INFO|Users|User 'ed' created.
    2020-06-17T23:58:41.204-06:00 2020-06-18 05:58:41.2038|INFO|Users|Password changed for user 'ed'.
    2020-06-17T23:58:58.252-06:00 2020-06-18 05:58:58.2527|INFO|Users|Submitted forgot password request for ed
    2020-06-18T00:00:17.405-06:00 2020-06-18 06:00:17.4055|INFO|Users|Password reset for user 'ed'.
    

Log groups for the Agent:

  • ScanConfig - scan results for clean files

    Sample ScanConfig Logs
    2020-08-24T15:24:35.634-06:00 2020-08-24 21:24:35.6329|INFO|ScanConfig|
    {
        "objectTagKeys": {
            "result": "scan-result",
            "dateScanned": "date-scanned",
            "virusName": "virus-name",
            "virusUploadedBy": "uploaded-by",
            "errorMessage": "message"
        },
        "quarantine": {
            "action": "Move",
            "moveBucketPrefix": "cloudstoragesecquarantine-pk913wa"
        },
        "whitelist": {},
        "blacklist": {}
    }
    
  • ScanResults - scan results for error or unscannable files

    Sample ScanResults Logs

    ScanResults Streams

    Infected

    2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|{"guid":"e132dc70-4582-476a-bb52-c57425c9792e","dateScanned":"2020-08-24T21:15:32.7952943Z","bucketName":"demo-destination-bucket","key":"virus/7hXNy9okVjpszoFP_virus_388_eicarcom2.zip","scanResult":"Infected","actionTaken":"Move","detectedVirus":"Win.Test.EICAR_HDB-1","virusUploadedBy":"AWS:AROA3K5IVNMVEDVQSN5PM:demo-bucket-transfer","errorMessage":"","fileExists":true,"movedTo":"cloudstoragesecquarantine-y6uajej-7xxxxxxxxxxx8-us-east-1","region":"us-east-1","accountId":"7xxxxxxxxxxx8"}
    
    2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|
    {
        "guid": "e132dc70-4582-476a-bb52-c57425c9792e",
        "dateScanned": "2020-08-24T21:15:32.7952943Z",
        "bucketName": "demo-destination-bucket",
        "key": "virus/7hXNy9okVjpszoFP_virus_388_eicarcom2.zip",
        "scanResult": "Infected",
        "actionTaken": "Move",
        "detectedVirus": "Win.Test.EICAR_HDB-1",
        "virusUploadedBy": "AWS:AROA3K5IVNMVEDVQSN5PM:demo-bucket-transfer",
        "errorMessage": "",
        "fileExists": true,
        "movedTo": "cloudstoragesecquarantine-y6uajej-7xxxxxxxxxxx8-us-east-1",
        "region": "us-east-1",
        "accountId": "7xxxxxxxxxxx8"
    }
    
    Clean
    2020-08-24T15:15:33.243-06:00 2020-08-24 21:15:33.2432|INFO|CleanScanResults|{"guid":"5cab2514-5982-4323-bdbc-77540dca973d","dateScanned":"2020-08-24T21:15:33.186175Z","bucketName":"demo-destination-bucket","key":"1mb/xglRNavTNgA67qim_temp_1mb_file94857.txt","scanResult":"Clean","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"7xxxxxxxxxxx8"}
    
    2020-08-24T15:15:33.344-06:00 2020-08-24 21:15:33.3444|INFO|CleanScanResults|
    {
        "guid": "b589b129-ac54-493c-886c-30016899f3b9",
        "dateScanned": "2020-08-24T21:15:33.2737108Z",
        "bucketName": "demo-destination-bucket",
        "key": "1mb/xRP72vFa1Ays2Qr9_temp_1mb_file94075.txt",
        "scanResult": "Clean",
        "actionTaken": "None",
        "detectedVirus": "",
        "virusUploadedBy": "",
        "errorMessage": "",
        "fileExists": true,
        "movedTo": "",
        "region": "us-east-1",
        "accountId": "7xxxxxxxxxxx8"
    }
    
    Error
    2020-08-24T15:15:00.132-06:00 2020-08-24 21:15:00.1314|INFO|ErrorScanResults|{"guid":"5806ced2-688a-45d0-a2cb-71717176e66e","dateScanned":"2020-08-24T21:14:59.6058615Z","bucketName":"webinar-other-account-bucket-2","key":"ConsoleCloudFormationTemplate.yaml","scanResult":"Error","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"Unable to access the remote account.","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"7xxxxxxxxxxx7"}
    
    2020-08-24T15:15:00.206-06:00 2020-08-24 21:15:00.2055|INFO|ErrorScanResults|
    {
        "guid": "c95dfbb1-2853-49e1-ace9-c2ae05bbf32a",
        "dateScanned": "2020-08-24T21:14:59.6058615Z",
        "bucketName": "webinar-other-account-bucket-2",
        "key": "ConsoleCloudFormationTemplate.yaml",
        "scanResult": "Error",
        "actionTaken": "None",
        "detectedVirus": "",
        "virusUploadedBy": "",
        "errorMessage": "Unable to access the remote account.",
        "fileExists": true,
        "movedTo": "",
        "region": "us-east-1",
        "accountId": "7xxxxxxxxxx7"
    }
    

  • ScanStatistics - hourly statistics of an Agent's activity for each bucket being monitored. These include the number of files scanned, the number of clean/infected/error files, and the total bytes scanned.

    Sample ScanStatistics Logs
    2020-08-24T15:47:05.224-06:00 2020-08-24 21:47:05.2239|INFO|ScanStatistics|
    {
        "bucketName": "preview-destination-bucket",
        "accountId": "7xxxxxxxxxx8",
        "numFilesScanned": 98,
        "numCleanFiles": 95,
        "numInfectedFiles": 3,
        "numErrors": 0,
        "totalBytesScanned": 9500560
    }
    
  • SystemEvents - logs of general Agent system information and errors

    Sample SystemEvents Logs
    2020-08-24T15:24:35.368-06:00 2020-08-24 21:24:35.3568|INFO|SystemEvents|{"event":"Scanner Started","details":"Scanner is online and able to process files. ClamAV 0.102.3/25909/Mon Aug 24 13:26:24 2020","instanceId":"arn:aws:ecs:us-east-1:779353418538:task/7965e996-d967-4d7f-be11-e05679534f2e","eventDate":"2020-08-24T21:24:35.2518636Z"}
    
    2020-08-24T15:28:09.355-06:00 2020-08-24 21:28:09.3554|INFO|SystemEvents|
    {
        "event": "Scanner Stopped",
        "details": "Scanner is going offline.",
        "instanceId": "arn:aws:ecs:us-east-1:779353418538:task/7965e996-d967-4d7f-be11-e05679534f2e",
        "eventDate": "2020-08-24T21:28:09.3554279Z"
    }
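
The sample lines above share one layout: an optional CloudWatch timestamp, the application timestamp, then `|LEVEL|Logger|message`, with JSON payloads either on one line or pretty-printed across several. The following is an added example, not code from the product or its vendor: a parser for that layout plus a small triage over the ScanResults streams. The sample input is constructed, and treating `actionTaken` of "None" on an infected record as "left in the source bucket" is an assumption.

```python
import json
import re
from collections import Counter

# "<CloudWatch timestamp> <app timestamp>|LEVEL|Logger|message"; the first
# timestamp is optional because exported lines do not always carry it.
HEADER = re.compile(
    r"^(?:(?P<cw_ts>\d{4}-\d{2}-\d{2}T\S+)\s+)?"
    r"(?P<app_ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
    r"\|(?P<level>[A-Z]+)\|(?P<logger>\w+)\|(?P<msg>.*)$"
)

# Constructed sample in the page's format (bucket names and keys are made up).
SAMPLE = """\
2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|{"bucketName":"example-uploads","key":"in/a.zip","scanResult":"Infected","actionTaken":"Move","detectedVirus":"Win.Test.EICAR_HDB-1","movedTo":"example-quarantine"}
2020-08-24T15:15:34.100-06:00 2020-08-24 21:15:34.1001|INFO|InfectedScanResults|
{
    "bucketName": "example-uploads",
    "key": "in/b.zip",
    "scanResult": "Infected",
    "actionTaken": "None",
    "detectedVirus": "Win.Test.EICAR_HDB-1",
    "movedTo": ""
}
2020-08-24T15:15:35.243-06:00 2020-08-24 21:15:35.2432|INFO|CleanScanResults|{"bucketName":"example-uploads","key":"in/c.txt","scanResult":"Clean","actionTaken":"None"}
2020-08-24 21:15:36.1314|INFO|ErrorScanResults|{"bucketName":"example-remote","key":"x.yaml","scanResult":"Error","errorMessage":"Unable to access the remote account."}
2020-08-24 21:15:37.2055|INFO|ErrorScanResults|{"bucketName":"example-remote","key":"y.yaml","scanResult":"Error","errorMessage":"Unable to access the remote account."}
2020-08-24T15:15:38.000-06:00 2020-08-24 21:15:38.0000|INFO|CleanScanResults|{"bucketName":"example-up
"""


def parse_records(text):
    """Split log text into records, folding pretty-printed JSON bodies back in."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER.match(line)
        if match:
            current = match.groupdict()
            records.append(current)
        elif current is not None:
            current["msg"] += line  # continuation of a multi-line payload
    for rec in records:
        rec["data"] = None
        body = rec["msg"].strip()
        if body.startswith("{"):
            try:
                rec["data"] = json.loads(body)
            except json.JSONDecodeError:
                pass  # truncated or damaged payload; counted by triage()
    return records


def triage(records):
    """Summarise infected objects left in place, scan errors and unreadable records."""
    infected_in_place, scan_errors, unparsed = [], Counter(), 0
    for rec in records:
        if not rec["logger"].endswith("ScanResults"):
            continue
        data = rec["data"]
        if data is None:
            unparsed += 1
        elif rec["logger"] == "InfectedScanResults":
            # Assumption: actionTaken "None" on an infected record means the
            # object was left in the source bucket.
            if data.get("actionTaken") == "None":
                infected_in_place.append(
                    (data.get("bucketName"), data.get("key"), data.get("detectedVirus"))
                )
        elif rec["logger"] == "ErrorScanResults":
            # Errors are objects that were not scanned; group them per bucket.
            scan_errors[(data.get("bucketName"), data.get("errorMessage"))] += 1
    return {"infected_in_place": infected_in_place,
            "scan_errors": dict(scan_errors), "unparsed": unparsed}


if __name__ == "__main__":
    print(triage(parse_records(SAMPLE)))
```
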
    

IAM Permissions Review

We have been able to simplify the management and delivery of the solution such that there are very few tasks the administrator is required to perform inside the AWS Console. As a result, the Console and EventAgent have a number of permissions assigned to them within their respective roles to allow them to perform the actions needed on your behalf. In all cases, we went with a least privilege model wherever possible. In a few instances we have assigned * where it is required. Below you will find a review of the two IAM Roles we create and assign to the Console and scanning Agents.

Please review and Contact Us if you have any questions we can clear up for you.

* application-autoscaling
    * PutScalingPolicy
        * For attaching auto scaling policies to the Agent services
    * RegisterScalableTarget
        * For allowing Agent services to be scalable
* aws-marketplace
    * MeterUsage
        * For submitting application data usage
* cloudwatch
    * GetMetricStatistics
        * For getting bucket size information
* ec2
    * CreateSecurityGroup
        * For creating a security group for the Agent services
    * DescribeNetworkInterfaces
        * For getting the IP of the new Console after an update has been applied
    * DescribeSubnets
        * For getting the list of subnets for Agent service configuration
    * DescribeVpcs
        * For getting the list of VPCs for Agent service configuration
* ecs
    * CreateCluster
        * For creating clusters in regions other than the region the console is in, for Agent services in those regions
    * DescribeTaskDefinition
        * For checking the current version of the Console and Agents
    * DescribeTasks
        * For getting the details of a new console task while applying updates
    * ListTasks
        * For getting the list of running console tasks while applying updates
    * RegisterTaskDefinition
        * For creating new Agent services and applying updates to the Console and Agents
* logs (all of the below are needed for creating and monitoring cloudwatch logs)
    * CreateLogStream
    * DescribeLogGroups
    * DescribeLogStreams
    * GetLogEvents
    * GetLogRecord
    * GetQueryResults
    * PutLogEvents
    * StartQuery
    * StopQuery
* s3
    * CreateBucket
        * For creating a quarantine bucket in each region that has protected buckets
    * GetBucketAcl
        * For checking if a bucket is public
    * GetBucketLocation
        * For finding the region of the bucket
    * GetBucketNotification
        * For detecting events attached to the bucket
    * GetBucketPolicy
        * For checking if a bucket is public
    * GetBucketPolicyStatus
        * For checking if a bucket is public
    * GetObjectAcl
        * For checking if objects are public
    * ListAllMyBuckets
        * For listing buckets in the Console
    * ListBucket
        * For identifying files to scan
    * PutBucketAcl
        * For making buckets non-public
    * PutBucketNotification
        * For setting events on buckets to enable protection
    * PutBucketPolicy
        * For making buckets non-public
    * PutBucketPublicAccessBlock
        * For making buckets non-public
    * PutObjectAcl
        * For making objects non-public
* sns
    * ListSubscriptions
        * For unsubscribing the CloudStorageSec SQS Queue from a non CloudStorageSec SNS Topic
    * ListSubscriptionsByTopic
        * For unsubscribing the CloudStorageSec SQS Queue from a non CloudStorageSec SNS Topic
    * ListTopics
        * For unsubscribing the CloudStorageSec SQS Queue from a non CloudStorageSec SNS Topic
    * Subscribe
        * For subscribing the CloudStorageSec SQS Queue to a SNS Topic
    * Unsubscribe
        * For unsubscribing the CloudStorageSec SQS Queue from a SNS Topic
* ssm
    * CreateDocument
        * For creating the initial AppConfig document for CloudStorageSec Agents
    * ListDocuments
        * For creating the initial AppConfig document for CloudStorageSec Agents
* appconfig
    * CreateConfigurationProfile
        * For one-time creation of Configuration Profile for CloudStorageSec Agents
    * ListConfigurationProfiles
        * For retrieving the Configuration Profile ID upon Console startup
    * StartDeployment
        * For deploying new version of Agent configuration
* cloudwatch
    * PutMetricAlarm
        * For creating Agent autoscaling alarm based on SQS queue size
* dynamodb (all of the below are needed for various dynamodb operations on CloudStorageSec tables)
    * DeleteItem
    * DescribeTable
    * GetItem
    * PutItem
    * Query
    * Scan
    * UpdateItem
* ecr
    * ListImages
        * For checking if there are new versions of the Console or Agent available
* ecs
    * CreateService
        * For creating the Agent service in a region that did not previously have any protected buckets
    * DescribeClusters
        * For checking if a cluster for Agents already exists in a given region
    * DescribeServices
        * For checking if the Agent service already exists in a given cluster
    * UpdateService
        * For updating the Console or Agent service(s) to point at a new application version
* iam
    * PassRole
        * For assigning the appropriate role to the created AppConfig Document
* sns
    * AddPermission
        * For allowing S3 buckets to send messages to the CloudStorageSec SNS Topic
    * CreateTopic
        * For creating the CloudStorageSec SNS Topic
    * SetTopicAttributes
        * For attaching the policy allowing S3 buckets to send messages to the CloudStorageSec SNS Topic
* sqs
    * CreateQueue
        * For creating the CloudStorageSec SQS Queue
    * GetQueueAttributes
        * For getting the ARN and current Policy of the CloudStorageSec SQS Queue
    * SendMessage
        * For adding messages to the CloudStorageSec SQS Queue
    * SendMessageBatch
        * For batch adding messages to the CloudStorageSec SQS Queue 
    * SetQueueAttributes
        * For setting the Policy
* ssm (all of the below are for updating the Agent config document)
    * DescribeDocument
    * GetDocument
    * UpdateDocument

* appconfig (all of the below are for requesting an Agent config deployment)
    * ListApplications
    * ListDeploymentStrategies
* s3
    * DeleteObject
        * For deleting infected objects
    * GetObject
        * For getting objects to scan
    * GetObjectTagging
        * For getting current tags of an object (needed when moving objects to quarantine)
    * ListBucket
        * For listing objects in a bucket
    * PutObject
        * For copying object to quarantine
    * PutObjectAcl
        * For copying object ACLs to quarantine
    * PutObjectTagging
        * For tagging objects with scan results (and when moving an object to quarantine)
* ssm
    * ListDocuments
        * For requesting an Agent config deployment
* appconfig (the below are for receiving Agent configuration)
    * GetApplication
    * GetConfiguration
    * GetConfigurationProfile
    * GetDeploymentStrategy
    * GetEnvironment
    * ListConfigurationProfiles
    * ListDeployments
    * ListEnvironments
* dynamodb (the below are for submitting agent scan data into the Agent tables for the console)
    * DescribeTable
    * PutItem
    * UpdateItem
* logs (the below are needed for creating cloudwatch logs)
    * CreateLogStream
    * DescribeLogGroups
    * PutLogEvents
* sqs (the below are for processing the CloudStorageSec SQS queue)
    * DeleteMessage
    * GetQueueAttributes
    * ReceiveMessage
* ssm
    * GetDocument
        * For accessing the app config document for Agent configuration
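
One way to check a deployed role against the lists above, as an added example that is not part of the product or its documentation: the audit compares a policy document with the documented actions and reports wildcards, actions the page does not list, and listed actions the policy no longer grants. `DOCUMENTED` holds only the s3 and sqs entries of the final permission group on this page, and `SAMPLE_POLICY` is a constructed policy, not the vendor's.

```python
import fnmatch

# s3 and sqs actions from the final permission group listed on this page.
DOCUMENTED = {
    "s3:DeleteObject", "s3:GetObject", "s3:GetObjectTagging", "s3:ListBucket",
    "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging",
    "sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
}

# Constructed policy document, standing in for one fetched from the account.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ObjectAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObjectTagging", "s3:deleteobject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Queue", "Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
        {"Sid": "Extra", "Effect": "Allow",
         "Action": ["s3:DeleteBucket"], "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy, documented=DOCUMENTED):
    """Return review findings and the documented actions the policy does not grant."""
    documented_lower = {action.lower() for action in documented}
    findings, granted = [], []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only reduce access
        sid = stmt.get("Sid", f"statement-{index}")
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions;
            # flagged for manual review and not counted toward `granted`.
            findings.append((sid, "not-action", _as_list(stmt["NotAction"])))
        for action in _as_list(stmt.get("Action")):
            pattern = action.lower()  # IAM action names are case-insensitive
            granted.append(pattern)
            if "*" in pattern or "?" in pattern:
                findings.append((sid, "wildcard-action", action))
            elif pattern not in documented_lower:
                findings.append((sid, "undocumented-action", action))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "wildcard-resource", "*"))
    missing = sorted(
        action for action in documented
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in granted)
    )
    return {"findings": findings, "missing": missing}


if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY)
    for finding in report["findings"]:
        print(finding)
    print("not granted:", report["missing"])
```
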

Scan Engine

Antivirus for Amazon S3 has been built in such a way that the underlying scan engine can be exchanged with other scan engines as needed or desired. The engine included is provided by ClamAV. ClamAV is a well known, widely used open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

Antivirus for Amazon S3 has the ability to use multiple scanning engines configured serially [1] to ensure the highest level of efficacy and protection. Antivirus for Amazon S3 updates virus definitions every 6 hours while the scan engine is in use, and with each reboot / new spin up.

If you are a scan engine vendor and would like to partner with us to get your engine integrated in, please Contact Us. If you are a customer who would prefer another engine, please let us know as well.


  1. Coming soon! 


Last update: December 1, 2020