# Logging and Permissions

## Platform Services <a href="#platform-services" id="platform-services"></a>

While many services are used ([ECS Fargate](https://aws.amazon.com/fargate/), [App Config](https://aws.amazon.com/about-aws/whats-new/2019/11/simplify-application-configuration-with-aws-appconfig/), [CloudWatch](https://aws.amazon.com/cloudwatch/), [CloudFormation](https://aws.amazon.com/cloudformation/), [DynamoDB](https://aws.amazon.com/dynamodb/), [SNS](https://aws.amazon.com/sns/), [SQS](https://aws.amazon.com/sqs/), [IAM](https://aws.amazon.com/iam/)) to deliver the `Antivirus for Amazon S3` solution, two are called out here: CloudWatch for logging and IAM for permissions. These are the usual questions we get from customers:

1. How do I check the logs?
2. What are you doing behind the scenes (permissions wise)?

We wanted to make sure you had those bases covered with the information below.

### CloudWatch Log Group Overview

#### Log groups for the Console

<details>

<summary>Console.AgentConfig</summary>

Logs of changes to agent configuration performed through the console.

```
2020-08-19T23:01:08.246-06:00 2020-08-20 05:01:08.2466|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'ap-northeast-1': {"region":"ap-northeast-1","vpcId":"vpc-6902080e","subnets":[{"subnetId":"subnet-1673ac3d","availabilityZone":"ap-northeast-1d","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-bd66b2f5","availabilityZone":"ap-northeast-1a","cidrBlock":"172.31.32.0/20"}]}
2020-08-19T23:01:08.322-06:00 2020-08-20 05:01:08.3225|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'eu-west-3': {"region":"eu-west-3","vpcId":"vpc-e9677880","subnets":[{"subnetId":"subnet-232b114a","availabilityZone":"eu-west-3a","cidrBlock":"172.31.0.0/20"},{"subnetId":"subnet-266a0c6b","availabilityZone":"eu-west-3c","cidrBlock":"172.31.32.0/20"}]}
2020-08-19T23:01:08.409-06:00 2020-08-20 05:01:08.4092|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-1': {"region":"us-west-1","vpcId":"vpc-1c55a17a","subnets":[{"subnetId":"subnet-b8c563de","availabilityZone":"us-west-1b","cidrBlock":"172.31.16.0/20"},{"subnetId":"subnet-3c59aa66","availabilityZone":"us-west-1a","cidrBlock":"172.31.0.0/20"}]}
2020-08-19T23:01:08.490-06:00 2020-08-20 05:01:08.4899|INFO|AgentConfig|Updated Configured Subnets for Agents in region 'us-west-2': 
{
    "region": "us-west-2",
    "vpcId": "vpc-2f007457",
    "subnets": [
        {
            "subnetId": "subnet-f6f91abc",
            "availabilityZone": "us-west-2a",
            "cidrBlock": "172.31.32.0/20"
        },
        {
            "subnetId": "subnet-f0408688",
            "availabilityZone": "us-west-2b",
            "cidrBlock": "172.31.16.0/20"
        }
    ]
}
```

</details>

<details>

<summary>Console.AuditLogging</summary>

Logs audit trail entries for security-relevant user actions in the Console.

```
2026-03-25 21:29:21.3817|INFO|AuditLogging|Event: UserSignIn
User: admin
Details: User 'admin' signed in with password
```

</details>

<details>

<summary>Console.Buckets</summary>

Logs of changes to bucket protection status and any errors that may occur while trying to turn on/off buckets.

```
2020-08-13T10:31:12.309-06:00 2020-08-13 16:31:12.3094|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files' 
2020-08-13T10:39:55.290-06:00 2020-08-13 16:39:55.2901|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T10:47:56.726-06:00 2020-08-13 16:47:56.7262|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-13T10:59:48.397-06:00 2020-08-13 16:59:48.3969|INFO|Buckets|Turned off protection for bucket 'css-webinar-new-files'
2020-08-13T11:36:53.512-06:00 2020-08-13 17:36:53.5125|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket'
2020-08-13T11:36:56.921-06:00 2020-08-13 17:36:56.9212|INFO|Buckets|Turned on protection for bucket 'webinar-other-account-bucket-2'
2020-08-13T12:26:51.700-06:00 2020-08-13 18:26:51.7006|INFO|Buckets|Turned on protection for bucket 'css-webinar-existing-files'
2020-08-13T12:27:18.104-06:00 2020-08-13 18:27:18.1044|INFO|Buckets|Turned on protection for bucket 'css-webinar-new-files'
2020-08-17T15:53:25.588-06:00 2020-08-17 21:53:25.5884|INFO|Buckets|Turned off protection for bucket '100kb-bucket'
2020-08-17T15:53:25.755-06:00 2020-08-17 21:53:25.7552|INFO|Buckets|Turned off protection for bucket 'demo-destination-bucket'
```

</details>

<details>

<summary>Console.BlobContainers</summary>

Logs Azure Blob Container discovery and management operations.

```
2026-04-13 19:21:42.5627|INFO|BlobContainers|Starting Blob Containers collection
2026-04-13 19:22:04.0511|INFO|BlobContainers|Finished Blob Containers collection. Total time (ms): 21488, Total containers collected: 8. Deleted: 0
2026-04-13 19:51:42.3017|INFO|BlobContainers|Starting Blob Containers collection
2026-04-13 19:52:02.6331|INFO|BlobContainers|Finished Blob Containers collection. Total time (ms): 20331, Total containers collected: 8. Deleted: 0
```

</details>

<details>

<summary>Console.EbsVolumes</summary>

Logs EBS volume scanning configuration and discovery.

```
2026-04-13 19:54:34.6136|INFO|EbsVolumes|Updated EBS volume details for account 
2026-04-13 19:54:35.1187|ERROR|EbsVolumes|System.Net.Http.HttpRequestException: No route to host (ec2.me-south-1.amazonaws.com:443)
 ---> System.Net.Sockets.SocketException (113): No route to host
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
```

</details>

<details>

<summary>Console.EfsVolumes</summary>

Logs EFS volume scanning configuration and discovery.

```
2026-04-13 20:59:26.7799|INFO|EfsVolumes|Updated EFS volume details for account 
2026-04-13 21:01:05.8560|ERROR|EfsVolumes|Timed out while trying to describe EFS volumes in 'me-south-1'|System.TimeoutException: A task was canceled.
 ---> System.Threading.Tasks.TaskCanceledException: A task was canceled.
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
```

</details>

<details>

<summary>Console.EcsConfig</summary>

Logs of actions taken to enable or disable Agents in a region. This includes creation of clusters, task definitions, services, SNS topics, SQS queues, quarantine buckets, and autoscaling policies.

```
2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:45.296-06:00 2020-08-21 19:19:45.2960|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-1
2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Setting Large Queue threshold to '1' in ap-northeast-1
2020-08-21T13:19:45.331-06:00 2020-08-21 19:19:45.3307|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.136-06:00 2020-08-21 19:19:46.1364|INFO|EcsConfig|Set Large Queue threshold to '1' in ap-northeast-1 
2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Setting Large Queue threshold to '1' in us-west-2
2020-08-21T13:19:46.195-06:00 2020-08-21 19:19:46.1947|INFO|EcsConfig|Putting a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Put a new metric alarm for CloudStorageSecLargeQueue-pk913wa.
2020-08-21T13:19:46.556-06:00 2020-08-21 19:19:46.5567|INFO|EcsConfig|Set Large Queue threshold to '1' in us-west-2
2020-08-21T13:19:58.631-06:00 2020-08-21 19:19:58.6311|INFO|EcsConfig|Setting Min and Max agents to '0' and '3' respectively in us-east-1
2020-08-21T13:19:58.908-06:00 2020-08-21 19:19:58.9080|INFO|EcsConfig|Set Min and Max agents to '0' and '3' respectively in us-east-1
2020-08-21T13:20:09.553-06:00 2020-08-21 19:20:09.5536|INFO|EcsConfig|Setting Min and Max agents to '0' and '1' respectively in us-east-1
2020-08-21T13:20:09.826-06:00 2020-08-21 19:20:09.8262|INFO|EcsConfig|Set Min and Max agents to '0' and '1' respectively in us-east-1
```

</details>

<details>

<summary>Console.Error</summary>

Logs of errors encountered by activities and actions initiated by the Console.

```
2025-04-18 19:54:25.5953|ERROR|Buckets|Error trying to track newly discovered bucket 'blocked-bucket' in account '123456789/Primary'|Amazon.S3.AmazonS3Exception: User: arn:aws:sts::123456789:assumed-role/CloudStorageSecConsoleRole-abcdefg/3558581af7224d5289fbc82a18ec0444 is not authorized to perform: s3:GetBucketLocation on resource: "arn:aws:s3:::blocked-bucket" with an explicit deny in a resource-based policy
```

</details>

<details>

<summary>Console.FsxVolumes</summary>

Logs FSx volume scanning configuration and discovery, in the same way as the EBS and EFS groups above.

</details>

<details>

<summary>Console.GcpBuckets</summary>

Logs GCP bucket discovery and management operations.

```
2026-04-08 05:20:25.4175|INFO|GcpBuckets|Starting GcpBucketsDiscoveryService
```

</details>

<details>

<summary>Console.Metering</summary>

Logs of when metering is submitted, and any errors that may occur during metering.

```
2020-08-21T14:03:01.665-06:00 2020-08-21 20:03:01.6647|INFO|Metering|Metering submitted at 08/21/2020 20:03:01 for Dimension FreeTrial and Quantity 43
2020-08-21T15:03:00.950-06:00 2020-08-21 21:03:00.9503|INFO|Metering|Metering submitted at 08/21/2020 21:03:00 for Dimension FreeTrial and Quantity 43
2020-08-21T16:03:00.108-06:00 2020-08-21 22:03:00.1084|INFO|Metering|Metering submitted at 08/21/2020 22:03:00 for Dimension FreeTrial and Quantity 44
2020-08-21T17:03:00.290-06:00 2020-08-21 23:03:00.2903|INFO|Metering|Metering submitted at 08/21/2020 23:03:00 for Dimension FreeTrial and Quantity 44
2020-08-21T18:03:00.539-06:00 2020-08-22 00:03:00.5393|INFO|Metering|Metering submitted at 08/22/2020 00:03:00 for Dimension FreeTrial and Quantity 1
2020-08-21T19:03:00.782-06:00 2020-08-22 01:03:00.7815|INFO|Metering|Metering submitted at 08/22/2020 01:03:00 for Dimension GoFwdTier1 and Quantity 0
```

</details>

<details>

<summary>Console.Metrics</summary>

Logs of when the cache for Console dashboard chart data is updated.

```
2020-08-21T13:19:01.171-06:00 2020-08-21 19:19:01.1714|INFO|Metrics|Getting chart values for time window: 08/20/2020 19:19:01-08/21/2020 19:19:01
2020-08-21T13:19:08.774-06:00 2020-08-21 19:19:08.7737|INFO|Metrics|Updated cache for time window: 08/20/2020 19:19:01-08/21/2020 19:19:01
2020-08-21T13:19:09.932-06:00 2020-08-21 19:19:09.9316|INFO|Metrics|Getting chart values for time window: 08/21/2020 18:19:09-08/21/2020 19:19:09
2020-08-21T13:19:09.971-06:00 2020-08-21 19:19:09.9708|INFO|Metrics|Updated cache for time window: 08/21/2020 18:19:09-08/21/2020 19:19:09
2020-08-21T13:19:09.972-06:00 2020-08-21 19:19:09.9708|INFO|Metrics|Getting chart values for time window: 08/14/2020 19:19:09-08/21/2020 19:19:09
2020-08-21T13:19:10.566-06:00 2020-08-21 19:19:10.5661|INFO|Metrics|Getting chart values for time window: 08/14/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:10.678-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Updated cache for time window: 08/14/2020 19:19:09-08/21/2020 19:19:09
2020-08-21T13:19:10.679-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Getting chart values for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:10.680-06:00 2020-08-21 19:19:10.6781|INFO|Metrics|Getting chart values for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
2020-08-21T13:19:11.355-06:00 2020-08-21 19:19:11.3548|INFO|Metrics|Updated cache for time window: 07/22/2020 19:19:10-08/21/2020 19:19:10
```

</details>

<details>

<summary>Console.Notifications</summary>

Logs notification configuration changes and dispatch events from the Console.

```
2025-09-19 00:58:09.9152|ERROR|Notifications|Error trying to get security hub findings: Amazon.SecurityHub.Model.InvalidInputException: InvalidInputException: Invalid NextToken: Input Query has changed
```

</details>

<details>

<summary>Console.RetroScan</summary>

Logs of when retro scanning starts and finishes per bucket as well as when queue entries are added.

```
2020-08-13T11:37:05.123-06:00 2020-08-13 17:37:05.1233|INFO|RetroScan|Starting to crawl bucket 'webinar-other-account-bucket-2' in region 'us-east-1' for account '7xxxxxxxxxx7'
2020-08-13T11:37:05.187-06:00 2020-08-13 17:37:05.1871|INFO|RetroScan|Fetching next set of objects from 'webinar-other-account-bucket-2' in region 'us-east-1'
2020-08-13T11:37:05.247-06:00 2020-08-13 17:37:05.2463|INFO|RetroScan|Finished crawling bucket 'webinar-other-account-bucket-2' in region 'us-east-1'
2020-08-13T12:26:59.689-06:00 2020-08-13 18:26:59.6883|INFO|RetroScan|Starting to crawl bucket 'css-webinar-existing-files' in region 'us-east-1' for account '7xxxxxxxxxx8'
2020-08-13T12:26:59.712-06:00 2020-08-13 18:26:59.7125|INFO|RetroScan|Fetching next set of objects from 'css-webinar-existing-files' in region 'us-east-1'
2020-08-13T12:26:59.774-06:00 2020-08-13 18:26:59.7742|INFO|RetroScan|Sending message to queue 'https://sqs.us-east-1.amazonaws.com/7xxxxxxxxxx8/CloudStorageSecRetroQueu
```

</details>

<details>

<summary>Console.ScheduledScans</summary>

Logs scheduled AV scan job configuration and trigger events.

```
2026-04-13 06:00:00.0011|INFO|ScheduledScans|Running schedule 'Daily Scan of Files' now.
2026-04-13 06:00:00.0011|INFO|ScheduledScans|Running scheduling 'Daily Scan of Files'
2026-04-13 06:00:00.0484|INFO|ScheduledScans|Refreshing resources on schedule 'Daily Scan of Files'
```

</details>

<details>

<summary>Console.ScheduledClassifications</summary>

Logs scheduled Classification scan job configuration and trigger events.

```
2026-04-11 23:59:59.9986|INFO|ScheduledClassifications|Running schedule '2dca14ac-b10e-44ef-b3b4-f8598ae8d354 - One time scan'
2026-04-12 00:02:06.9281|INFO|ScheduledClassifications|Run schedule '2dca14ac-b10e-44ef-b3b4-f8598ae8d354 - One time scan'
2026-04-12 00:02:08.1615|INFO|ScheduledClassifications|Saving modified schedule '2dca14ac-b10e-44ef-b3b4-f8598ae8d354 - One time scan'
```

</details>

<details>

<summary>Console.StorageAssessment</summary>

Logs storage assessment orchestration and result processing from the Console.

```
2026-03-11 19:18:18.2443|INFO|StorageAssessment|y6uajej - dontscanme-lfs-on-fargate-test-eu-1 has had inventory config deleted
2026-03-11 19:18:18.5769|INFO|StorageAssessment|y6uajej - dcapiscanningresults has had inventory config deleted
2026-03-11 19:18:19.0328|INFO|StorageAssessment|y6uajej - telavivlargefiles has had inventory config deleted
2026-03-11 19:18:19.4330|INFO|StorageAssessment|y6uajej - css-bucket-stockholm-01 has had inventory config deleted
```

</details>

<details>

<summary>Console.Subdomain</summary>

Logs of each time the console is assigned a new IP and when the subdomain is renamed.

```
2020-08-17T13:03:28.291-06:00 2020-08-17 19:03:28.2911|INFO|Subdomain|Updating IP address for console subdomain
2020-08-17T13:03:32.106-06:00 2020-08-17 19:03:32.1056|INFO|Subdomain|Updated IP address for console subdomain
2020-08-17T13:16:49.080-06:00 2020-08-17 19:16:49.0797|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:26:13.256-06:00 2020-08-17 19:26:13.2559|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:26:20.703-06:00 2020-08-17 19:26:20.7027|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:28:07.726-06:00 2020-08-17 19:28:07.7258|INFO|Subdomain|Checking if 'preview' is available.
2020-08-17T13:28:10.089-06:00 2020-08-17 19:28:10.0888|INFO|Subdomain|Setting console subdomain to 'preview'
2020-08-17T13:28:13.710-06:00 2020-08-17 19:28:13.7098|INFO|Subdomain|Set console subdomain to 'preview'
```

</details>

<details>

<summary>Console.System</summary>

Logs of general Console system information and errors, including the result of entitlement verification.

```
2020-08-21T13:25:58.374-06:00 2020-08-21 19:25:58.3713|INFO|System|Entitlement Verified.
```

</details>

<details>

<summary>Console.Updates</summary>

Logs of what updates are available and when an update is being performed.

```
2020-08-21T13:19:00.532-06:00 2020-08-21 19:19:00.5309|INFO|Updates|Getting version of CloudStorageSecAgentService-pk913wa
2020-08-21T13:19:00.532-06:00 2020-08-21 19:19:00.5309|INFO|Updates|CloudStorageSecAgentService-pk913wa is version v3.01.003
2020-08-21T13:19:00.533-06:00 2020-08-21 19:19:00.5309|INFO|Updates|Getting version of CloudStorageSecConsoleService-pk913wa
2020-08-21T13:19:00.585-06:00 2020-08-21 19:19:00.5847|INFO|Updates|CloudStorageSecConsoleService-pk913wa is version v3.02.005
2020-08-21T13:19:00.586-06:00 2020-08-21 19:19:00.5865|INFO|Updates|Looking for minor or patch update of CloudStorageSecAgentService-pk913wa greater than v3.01.003
2020-08-21T13:19:00.631-06:00 2020-08-21 19:19:00.6313|INFO|Updates|No minor or patch update available
2020-08-21T13:19:00.631-06:00 2020-08-21 19:19:00.6313|INFO|Updates|Looking for minor or patch update of CloudStorageSecConsoleService-pk913wa greater than v3.02.005
2020-08-21T13:19:00.664-06:00 2020-08-21 19:19:00.6644|INFO|Updates|No minor or patch update available
2020-08-21T13:19:00.665-06:00 2020-08-21 19:19:00.6644|INFO|Updates|Looking for major update greater than v3.02.005
2020-08-21T13:19:00.685-06:00 2020-08-21 19:19:00.6853|INFO|Updates|No major update available
```

</details>

<details>

<summary>Console.Users</summary>

Logs of all user-management activity, including user creation and deletion, password changes and resets, and role changes.

```
2020-06-17T12:44:19.526-06:00 2020-06-17 18:44:19.5262|INFO|Users|Password changed for user 'admin'.
2020-06-17T20:06:32.240-06:00 2020-06-18 02:06:32.2403|INFO|Users|User 'aaron' created.
2020-06-17T23:57:25.905-06:00 2020-06-18 05:57:25.9051|INFO|Users|User 'ed' created.
2020-06-17T23:58:41.204-06:00 2020-06-18 05:58:41.2038|INFO|Users|Password changed for user 'ed'.
2020-06-17T23:58:58.252-06:00 2020-06-18 05:58:58.2527|INFO|Users|Submitted forgot password request for ed
2020-06-18T00:00:17.405-06:00 2020-06-18 06:00:17.4055|INFO|Users|Password reset for user 'ed'.
```

</details>

#### Log groups for the Agent

<details>

<summary>Agent.ClassificationResults</summary>

Records the outcome of each individual data classification scan, split into four streams: matching, non-matching, error, and unclassifiable.

```
2026-01-31 01:09:22.3268|INFO|ClassifyDiscoveredFilesJob_2026-01-31T00:01:56.7619987Z|NonMatchingClassificationResults|
{
    "date": "2026-01-31",
    "guid": "c909804b-0348-46f2-b6be-8ad248c18d13",
    "dateTime": "2026-01-31T01:09:22.2996548Z",
    "scanningAgentId": null,
    "accountId": "",
    "region": "us-east-1",
    "container": "classification-scaling",
    "objectPath": "740_SourceCodeExample.docx",
    "processedSize": 5616,
    "innerFilePath": null,
    "textMatchingSet": [],
    "error": null,
    "resultType": "NonMatching",
    "isUnscannable": false,
    "resultKind": "NotApplicable",
    "result": 0,
    "accountIdResultType": "#0",
    "dateScanned": "2026-01-31T01:09:22.2996548Z",
    "message": [
        null
    ],
    "trueFileType": "Unknown",
    "isMatch": false,
    "isError": false
}
```

</details>

<details>

<summary>Agent.ClassificationStatistics</summary>

Logs aggregated per-bucket data classification object and byte counts, flushed on a configurable checkpoint interval.

```
2026-01-31 01:03:47.6242|INFO|ClassifyDiscoveredFilesJob_2026-01-31T00:01:56.7619987Z|ClassificationStatistics|
{
    "bucketName": "classification-scaling",
    "date": "2026-01-31T00:00:00Z",
    "accountId": "",
    "appId": "",
    "numObjectsClassified": 5545,
    "numObjectsClassifiedMatching": 2075,
    "numObjectsClassifiedNonMatching": 3470,
    "numObjectsClassifiedError": 0,
    "numFilesClassifiedMatching": 2765,
    "numFilesClassifiedNonMatching": 4848,
    "numFilesClassifiedError": 0,
    "numObjectsClassifiedUnclassifiable": 0,
    "totalBytesClassified": 2957222491
}
```

</details>

<details>

<summary>Agent.Jobs</summary>

Logs job lifecycle events: creation, config, progress, and completion across both AV and Classification jobs.

```
2026-04-13 21:14:55.1873|INFO|ScanQueueJob_2026-04-13T21:12:46.5062498Z|Jobs|Gathering Remote Store Agent Config
```

</details>

<details>

<summary>Agent.Notifications</summary>

Logs outbound notifications sent to SNS topics, webhooks, and SecurityHub.

```
2025-10-20 07:49:18.3383|ERROR||Notifications|Unable to refresh subscriptions cache. Amazon.SimpleNotificationService.Model.InternalErrorException: Request could not be completed
```

</details>

<details>

<summary>Agent.ScanConfig</summary>

Scan settings for the agent.

Settings include, but are not limited to:

* Tags for the objects scanned
* Actions taken on objects
* Scan and skip lists
* Bucket handling configuration
* Classification Rules configuration for DLP

The following snippet has been shortened for brevity.

```
2024-07-23 18:07:31.9485|INFO|ScanConfig|
{
    "scanTaggingEnabled": true,
    "scanTagsExcluded": [],
    "classificationTaggingEnabled": true,
    "classificationTagsExcluded": [],
    "objectTagKeys": {
        "result": "scan-result",
        "dateScanned": "date-scanned",
        "virusName": "virus-name",
        "virusUploadedBy": "uploaded-by",
        "errorMessage": "message",
        "classificationResult": "classification-result",
        "dateClassified": "date-classified",
        "classificationMatches": "classification-matches",
        "classificationErrorMessage": "classification-message"
    },
    "quarantine": {
        "action": "Move",
        "moveBucketPrefix": "cloudstoragesecquarantine-aocxfe6"
    },
    "scanList": {},
    "skipList": {},
    "classifyList": {},
    "classifySkipList": {},
    "avEventProtectedBuckets": [
        "my-bucket"
    ],
    "classificationCustomRulesLastUpdated": "0001-01-01T00:00:00.0000000Z",
    "classificationRuleSets": {
        "canadian health service": [
            "PersonalhealthnumberBCCanada",
            "PersonalhealthnumberBCnearDOBCanada"
        ],
        "document classification": [
            "ConfidentialdocumentmarkersAustralia",
            "ConfidentialdocumentmarkersBelgium"
        ]
    },
    "dcEventBucketRuleSets": {},
    "dcScheduledBucketRuleSets": {},
    "efsClassificationRuleSets": {},
    "ebsClassificationRuleSets": {},
    "fsxClassificationRuleSets": {},
    "twoBucketConfig": {
        "regions": {},
        "buckets": {
            "my-bucket": {
                "destinationBucket": "destination-bucket"
            }
        }
    }
}
```

</details>

<details>

<summary>Agent.ScanResults</summary>

Scan results for clean, infected, error, or unscannable files.


Infected:

```
2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|{"guid":"e132dc70-4582-476a-bb52-c57425c9792e","dateScanned":"2020-08-24T21:15:32.7952943Z","bucketName":"demo-destination-bucket","key":"virus/7hXNy9okVjpszoFP_virus_388_eicarcom2.zip","scanResult":"Infected","actionTaken":"Move","detectedVirus":"Win.Test.EICAR_HDB-1","virusUploadedBy":"AWS:AROA3K5IVNMVEDVQSN5PM:demo-bucket-transfer","errorMessage":"","fileExists":true,"movedTo":"cloudstoragesecquarantine-y6uajej-7xxxxxxxxxxx8-us-east-1","region":"us-east-1","accountId":"7xxxxxxxxxxx8"}

2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|
{
    "guid": "e132dc70-4582-476a-bb52-c57425c9792e",
    "dateScanned": "2020-08-24T21:15:32.7952943Z",
    "bucketName": "demo-destination-bucket",
    "key": "virus/7hXNy9okVjpszoFP_virus_388_eicarcom2.zip",
    "scanResult": "Infected",
    "actionTaken": "Move",
    "detectedVirus": "Win.Test.EICAR_HDB-1",
    "virusUploadedBy": "AWS:AROA3K5IVNMVEDVQSN5PM:demo-bucket-transfer",
    "errorMessage": "",
    "fileExists": true,
    "movedTo": "cloudstoragesecquarantine-y6uajej-7xxxxxxxxxxx8-us-east-1",
    "region": "us-east-1",
    "accountId": "7xxxxxxxxxxx8"
}
```

Clean:

```
2020-08-24T15:15:33.243-06:00 2020-08-24 21:15:33.2432|INFO|CleanScanResults|{"guid":"5cab2514-5982-4323-bdbc-77540dca973d","dateScanned":"2020-08-24T21:15:33.186175Z","bucketName":"demo-destination-bucket","key":"1mb/xglRNavTNgA67qim_temp_1mb_file94857.txt","scanResult":"Clean","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"7xxxxxxxxxxx8"}

2020-08-24T15:15:33.344-06:00 2020-08-24 21:15:33.3444|INFO|CleanScanResults|
{
    "guid": "b589b129-ac54-493c-886c-30016899f3b9",
    "dateScanned": "2020-08-24T21:15:33.2737108Z",
    "bucketName": "demo-destination-bucket",
    "key": "1mb/xRP72vFa1Ays2Qr9_temp_1mb_file94075.txt",
    "scanResult": "Clean",
    "actionTaken": "None",
    "detectedVirus": "",
    "virusUploadedBy": "",
    "errorMessage": "",
    "fileExists": true,
    "movedTo": "",
    "region": "us-east-1",
    "accountId": "7xxxxxxxxxxx8"
}
```

Error:

```
2020-08-24T15:15:00.132-06:00 2020-08-24 21:15:00.1314|INFO|ErrorScanResults|{"guid":"5806ced2-688a-45d0-a2cb-71717176e66e","dateScanned":"2020-08-24T21:14:59.6058615Z","bucketName":"webinar-other-account-bucket-2","key":"ConsoleCloudFormationTemplate.yaml","scanResult":"Error","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"Unable to access the remote account.","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"7xxxxxxxxxxx7"}

2020-08-24T15:15:00.206-06:00 2020-08-24 21:15:00.2055|INFO|ErrorScanResults|
{
    "guid": "c95dfbb1-2853-49e1-ace9-c2ae05bbf32a",
    "dateScanned": "2020-08-24T21:14:59.6058615Z",
    "bucketName": "webinar-other-account-bucket-2",
    "key": "ConsoleCloudFormationTemplate.yaml",
    "scanResult": "Error",
    "actionTaken": "None",
    "detectedVirus": "",
    "virusUploadedBy": "",
    "errorMessage": "Unable to access the remote account.",
    "fileExists": true,
    "movedTo": "",
    "region": "us-east-1",
    "accountId": "7xxxxxxxxxx7"
}
```

</details>

<details>

<summary>Agent.ScanStatistics</summary>

Hourly statistics of an Agent's activity for each bucket being monitored: the number of files scanned, the number of clean/infected/error files, and the total bytes scanned.

```
2020-08-24T15:47:05.224-06:00 2020-08-24 21:47:05.2239|INFO|ScanStatistics|
{
    "bucketName": "preview-destination-bucket",
    "accountId": "7xxxxxxxxxx8",
    "numFilesScanned": 98,
    "numCleanFiles": 95,
    "numInfectedFiles": 3,
    "numErrors": 0,
    "totalBytesScanned": 9500560
}
```

</details>
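
The Agent.ScanResults records above are one JSON object per scanned object, and Agent.ScanStatistics is the hourly roll-up of the same data. The script below is an added example, not code from the product or from this page, that parses a ScanResults dump exported from the CloudWatch console, in both the compact and the pretty-printed forms shown above, and pulls out what an on-call engineer wants first: which objects were infected, which principal uploaded them, whether the Agent actually moved them out of the bucket, and which scans errored, plus per-bucket tallies in the ScanStatistics field names. The `SAMPLE` lines are constructed and modelled on the records above; `totalBytesScanned` is not reproduced because the result records carry no object size.

```python
import json
import re
from collections import defaultdict

# Agent log lines as exported from the CloudWatch console look like
#   <ingestion ts> <agent ts>|<LEVEL>|<Logger>|<payload>
# where the payload is the JSON record (compact form) or empty, with the
# pretty-printed record on the following lines (both forms appear above).
HEADER = re.compile(
    r"^(?:\S+\s+)?"                                   # optional ingestion timestamp
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\|"  # agent timestamp
    r"(\w+)\|([A-Za-z]+)\|(.*)$"                      # level, logger, payload
)

def iter_records(text):
    """Yield (logger, record) for each JSON record in an Agent.ScanResults dump."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        i += 1
        if not m:
            continue
        _ts, _level, logger, payload = m.groups()
        payload = payload.strip()
        if not payload:
            # Pretty-printed form: gather lines up to the unindented closing brace.
            buf = []
            while i < len(lines):
                buf.append(lines[i])
                i += 1
                if buf[-1] == "}":
                    break
            payload = "\n".join(buf)
        if not payload.startswith("{"):
            continue  # stack traces and free-text messages are not records
        try:
            yield logger, json.loads(payload)
        except json.JSONDecodeError:
            continue

def triage(text):
    """Summarise a ScanResults dump.

    infected  : (bucket, key, virus, uploader, movedTo) for every detection,
                so the uploading principal can be followed up
    unhandled : detections the Agent left in place (actionTaken "None")
    errors    : (bucket, key, errorMessage) for objects it could not scan
    stats     : per-bucket counts using the Agent.ScanStatistics field names
    """
    out = {"infected": [], "unhandled": [], "errors": []}
    stats = defaultdict(lambda: {"numFilesScanned": 0, "numCleanFiles": 0,
                                 "numInfectedFiles": 0, "numErrors": 0})
    for _logger, r in iter_records(text):
        b = stats[r["bucketName"]]
        b["numFilesScanned"] += 1
        if r.get("scanResult") == "Infected":
            b["numInfectedFiles"] += 1
            out["infected"].append((r["bucketName"], r["key"], r["detectedVirus"],
                                    r["virusUploadedBy"], r["movedTo"]))
            if r.get("actionTaken") == "None" and r.get("fileExists"):
                out["unhandled"].append((r["bucketName"], r["key"]))
        elif r.get("scanResult") == "Clean":
            b["numCleanFiles"] += 1
        else:  # "Error" and any other non-clean outcome
            b["numErrors"] += 1
            out["errors"].append((r["bucketName"], r["key"], r.get("errorMessage", "")))
    out["stats"] = dict(stats)
    return out

# Constructed sample modelled on the records shown on this page (not a real capture).
SAMPLE = """\
2020-08-24T15:15:33.067-06:00 2020-08-24 21:15:33.0672|INFO|InfectedScanResults|{"guid":"e132dc70-4582-476a-bb52-c57425c9792e","dateScanned":"2020-08-24T21:15:32.7952943Z","bucketName":"demo-destination-bucket","key":"virus/eicarcom2.zip","scanResult":"Infected","actionTaken":"Move","detectedVirus":"Win.Test.EICAR_HDB-1","virusUploadedBy":"AWS:AROAEXAMPLE:demo-bucket-transfer","errorMessage":"","fileExists":true,"movedTo":"cloudstoragesecquarantine-example-us-east-1","region":"us-east-1","accountId":"111111111111"}
2020-08-24T15:15:33.243-06:00 2020-08-24 21:15:33.2432|INFO|CleanScanResults|{"guid":"5cab2514-5982-4323-bdbc-77540dca973d","dateScanned":"2020-08-24T21:15:33.186175Z","bucketName":"demo-destination-bucket","key":"1mb/file94857.txt","scanResult":"Clean","actionTaken":"None","detectedVirus":"","virusUploadedBy":"","errorMessage":"","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"111111111111"}
2020-08-24T15:15:00.206-06:00 2020-08-24 21:15:00.2055|INFO|ErrorScanResults|
{
    "guid": "c95dfbb1-2853-49e1-ace9-c2ae05bbf32a",
    "dateScanned": "2020-08-24T21:14:59.6058615Z",
    "bucketName": "webinar-other-account-bucket-2",
    "key": "ConsoleCloudFormationTemplate.yaml",
    "scanResult": "Error",
    "actionTaken": "None",
    "detectedVirus": "",
    "virusUploadedBy": "",
    "errorMessage": "Unable to access the remote account.",
    "fileExists": true,
    "movedTo": "",
    "region": "us-east-1",
    "accountId": "222222222222"
}
2020-08-24T15:16:01.000-06:00 2020-08-24 21:16:01.0000|INFO|InfectedScanResults|{"guid":"0f0f0f0f-0000-4000-8000-000000000001","dateScanned":"2020-08-24T21:16:00.9Z","bucketName":"demo-destination-bucket","key":"virus/second.zip","scanResult":"Infected","actionTaken":"None","detectedVirus":"Win.Test.EICAR_HDB-1","virusUploadedBy":"AWS:AROAEXAMPLE:demo-bucket-transfer","errorMessage":"","fileExists":true,"movedTo":"","region":"us-east-1","accountId":"111111111111"}
"""

if __name__ == "__main__":
    summary = triage(SAMPLE)
    for bucket, key, virus, who, moved_to in summary["infected"]:
        print(f"INFECTED {bucket}/{key}: {virus} uploaded by {who}; quarantined in '{moved_to or '-'}'")
    for bucket, key in summary["unhandled"]:
        print(f"STILL IN BUCKET: {bucket}/{key}")
    print(json.dumps(summary["stats"], indent=2))
```

The `virusUploadedBy` value is the STS caller identity (`AWS:<role-id>:<session-name>`) recorded from the object's metadata, which is the pivot for asking who or what pushed the file; the `unhandled` list is the one to act on, since those objects are still readable by anything that can read the bucket.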

<details>

<summary>Agent.StorageAssessment</summary>

Logs storage assessment work carried out by the Agent; the Console side of the same process is recorded in Console.StorageAssessment.

</details>

<details>

<summary>Agent.SystemEvents</summary>

Logs of general Agent system information and errors.

```
2020-08-24T15:24:35.368-06:00 2020-08-24 21:24:35.3568|INFO|SystemEvents|{"event":"Scanner Started","details":"Scanner is online and able to process files. ClamAV 0.102.3/25909/Mon Aug 24 13:26:24 2020","instanceId":"arn:aws:ecs:us-east-1:779353418538:task/7965e996-d967-4d7f-be11-e05679534f2e","eventDate":"2020-08-24T21:24:35.2518636Z"}

2020-08-24T15:28:09.355-06:00 2020-08-24 21:28:09.3554|INFO|SystemEvents|
{
    "event": "Scanner Stopped",
    "details": "Scanner is going offline.",
    "instanceId": "arn:aws:ecs:us-east-1:779353418538:task/7965e996-d967-4d7f-be11-e05679534f2e",
    "eventDate": "2020-08-24T21:28:09.3554279Z"
}
```

</details>

#### Log groups for ECS <a href="#log-groups-for-ecs" id="log-groups-for-ecs"></a>

As of version 6.06, ECS logging is enabled by default. These logs appear in the following log groups.

Each of these log group names contains your seven-character application ID, shown below as `AppID`, between `ECS` and the type of ECS service the log is for.

<details>

<summary>ECS.AppID.API</summary>

Log groups related to the ECS API Agent Service

</details>

<details>

<summary>ECS.AppID.Console</summary>

Log groups related to the ECS Console Service

</details>

<details>

<summary>ECS.AppID.AVEvent</summary>

Log groups related to the ECS AV Event Agent Service

</details>

<details>

<summary>ECS.AppID.DCEvent</summary>

Log groups related to the ECS DC Event Agent Service

</details>

<details>

<summary>ECS.AppID.LargeFile</summary>

Log groups related to the Large File scan jobs

</details>

### IAM Permissions Review <a href="#iam-permissions-review" id="iam-permissions-review"></a>

We have simplified the management and delivery of the solution so that there are very few tasks the administrator must perform inside the AWS Console. As a result, the Console and the scanning Agents are granted a number of permissions through their respective IAM roles so they can act on your behalf. We followed a `least privilege` model wherever possible; in a few instances `*` is assigned because the action requires it. Below you will find a review of the two IAM roles we create and assign to the Console and the scanning Agents.

Please review and [Contact Us](/contact-us.md) if you have any questions we can clear up for you.

**The permission descriptions below follow the format:**

```
- system-name
    - permission 1
        - reason it is needed
    - ...
        - reason it is needed
    - permission n
        - reason it is needed
```
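
A practical check on the review that follows is to diff the policy actually attached to the deployed role against the documented list, so that drift (an update that added an action, or a wildcard that widened one) shows up instead of being trusted. The Python below is an added example, not the vendor's template or tooling: `DOCUMENTED_CONSOLE_ACTIONS` is transcribed from the Console Roles list on this page, and `SAMPLE_POLICY` is a constructed policy fragment that deliberately carries an `ecs:*` wildcard and two extra actions so the output is not empty. To run it against a real deployment, feed it the `PolicyDocument` returned by `aws iam get-role-policy --role-name <ConsoleRole> --policy-name <name>` (or `aws iam get-policy-version` for a managed policy).

```python
import fnmatch
import json

# Transcribed from the "Console Roles (All Resources)" list on this page.
DOCUMENTED_CONSOLE_ACTIONS = {
    "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget",
    "aws-marketplace:MeterUsage", "cloudwatch:GetMetricStatistics",
    "ec2:CreateSecurityGroup", "ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets", "ec2:DescribeVpcs",
    "ecs:CreateCluster", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListTasks",
    "ecs:RegisterTaskDefinition",
    "logs:CreateLogStream", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:GetLogEvents",
    "logs:GetLogRecord", "logs:GetQueryResults", "logs:PutLogEvents", "logs:StartQuery", "logs:StopQuery",
    "s3:CreateBucket", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketNotification",
    "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetObjectAcl", "s3:ListAllMyBuckets",
}

def _as_list(v):
    """IAM allows a single string or a list in Statement, Action and NotAction."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]

def allowed_actions(policy):
    """Collect the action patterns granted by Allow statements.

    Returns (patterns, review): Deny statements and NotAction grants are not
    expanded here and are handed back for a human to read."""
    allows, review = set(), []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            review.append(("non-Allow statement", st))
        elif "NotAction" in st:
            review.append(("NotAction grants everything not listed", st))
        else:
            allows.update(_as_list(st.get("Action")))
    return allows, review

def compare(policy, documented=DOCUMENTED_CONSOLE_ACTIONS):
    """Diff the actions a deployed policy grants against the documented list.

    IAM action names are case-insensitive and may carry '*' wildcards, so each
    granted pattern is fnmatch'ed against the lower-cased documented names."""
    granted, review = allowed_actions(policy)
    by_lower = {a.lower(): a for a in documented}
    undocumented, wildcards, covered = [], [], set()
    for pat in sorted(granted):
        hits = {orig for low, orig in by_lower.items()
                if fnmatch.fnmatchcase(low, pat.lower())}
        covered |= hits
        if "*" in pat:
            wildcards.append(pat)      # wider than any single documented action
        if not hits:
            undocumented.append(pat)   # granted, but not on this page at all
    return {
        "undocumented": undocumented,
        "wildcards": wildcards,
        "missing": sorted(documented - covered),  # documented but not granted: drift or stale docs
        "review": review,
    }

# Constructed policy, not the vendor's real template: the documented actions with
# the five ecs: entries collapsed into a wildcard, plus two extras to be caught.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": sorted(a for a in DOCUMENTED_CONSOLE_ACTIONS if not a.startswith("ecs:"))
                   + ["s3:DeleteBucket", "iam:PassRole"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ecs:*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(compare(SAMPLE_POLICY), indent=2))
```

Anything in `undocumented` or `wildcards` is a question for the vendor or for whoever last edited the role; `iam:PassRole` in particular is worth a resource condition rather than `*`, and an `ecs:*` grant covers far more than the five ECS actions the page justifies. The script deliberately does not evaluate `Resource` or `Condition`, so a clean diff here is necessary, not sufficient.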

<details>

<summary>Console Roles (All Resources)</summary>

```
* application-autoscaling
    * PutScalingPolicy
        * For attaching auto scaling policies to the Agent services
    * RegisterScalableTarget
        * For allowing Agent services to be scalable
* aws-marketplace
    * MeterUsage
        * For submitting application data usage
* cloudwatch
    * GetMetricStatistics
        * For getting bucket size information
* ec2
    * CreateSecurityGroup
        * For creating a security group for the Agent services
    * DescribeNetworkInterfaces
        * For getting the IP of the new Console after an update has been applied
    * DescribeSubnets
        * For getting the list of subnets for Agent service configuration
    * DescribeVpcs
        * For getting the list of VPCs for Agent service configuration
* ecs
    * CreateCluster
        * For creating clusters in regions other than the region the console is in, for Agent services in those regions
    * DescribeTaskDefinition
        * For checking the current version of the Console and Agents
    * DescribeTasks
        * For getting the details of a new console task while applying updates
    * ListTasks
        * For getting the list of running console tasks while applying updates
    * RegisterTaskDefinition
        * For creating new Agent services and applying updates to the Console and Agents
* logs (all of the below are needed for creating and monitoring cloudwatch logs)
    * CreateLogStream
    * DescribeLogGroups
    * DescribeLogStreams
    * GetLogEvents
    * GetLogRecord
    * GetQueryResults
    * PutLogEvents
    * StartQuery
    * StopQuery
* s3
    * CreateBucket
        * For creating a quarantine bucket in each region that has protected buckets
    * GetBucketAcl
        * For checking if a bucket is public
    * GetBucketLocation
        * For finding the region of the bucket
    * GetBucketNotification
        * For detecting events attached to the bucket
    * GetBucketPolicy
        * For checking if a bucket is public
    * GetBucketPolicyStatus
        * For checking if a bucket is public
    * GetObjectAcl
        * For checking if objects are public
    * ListAllMyBuckets
        * For listing buckets in the Console
    * ListBucket
        * For identifying files to scan
    * PutBucketAcl
        * For making buckets non-public
    * PutBucketNotification
        * For setting events on buckets to enable protection
    * PutBucketPolicy
        * For making buckets non-public
    * PutBucketPublicAccessBlock
        * For making buckets non-public
    * PutObjectAcl
        * For making objects non-public
* sns
    * ListSubscriptions
        * For unsubscribing the CloudStorageSec SQS Queue from a non-CloudStorageSec SNS Topic
    * ListSubscriptionsByTopic
        * For unsubscribing the CloudStorageSec SQS Queue from a non-CloudStorageSec SNS Topic
    * ListTopics
        * For unsubscribing the CloudStorageSec SQS Queue from a non-CloudStorageSec SNS Topic
    * Subscribe
        * For subscribing the CloudStorageSec SQS Queue to an SNS Topic
    * Unsubscribe
        * For unsubscribing the CloudStorageSec SQS Queue from an SNS Topic
* ssm
    * CreateDocument
        * For creating the initial AppConfig document for CloudStorageSec Agents
    * ListDocuments
        * For creating the initial AppConfig document for CloudStorageSec Agents
```

</details>

<details>

<summary>Console Permissions (Targeted Resources)</summary>

```
* appconfig
    * CreateConfigurationProfile
        * For one-time creation of Configuration Profile for CloudStorageSec Agents
    * ListConfigurationProfiles
        * For retrieving the Configuration Profile ID upon Console startup
    * StartDeployment
        * For deploying new version of Agent configuration
* cloudwatch
    * PutMetricAlarm
        * For creating Agent autoscaling alarm based on SQS queue size
* dynamodb (all of the below are needed for various dynamodb operations on CloudStorageSec tables)
    * DeleteItem
    * DescribeTable
    * GetItem
    * PutItem
    * Query
    * Scan
    * UpdateItem
* ecr
    * ListImages
        * For checking if there are new versions of the Console or Agent available
* ecs
    * CreateService
        * For creating the Agent service in a region that did not previously have any protected buckets
    * DescribeClusters
        * For checking if a cluster for Agents already exists in a given region
    * DescribeServices
        * For checking if the Agent service already exists in a given cluster
    * UpdateService
        * For updating the Console or Agent service(s) to point at a new application version
* iam
    * PassRole
        * For assigning the appropriate role to the created AppConfig Document
* sns
    * AddPermission
        * For allowing S3 buckets to send messages to the CloudStorageSec SNS Topic
    * CreateTopic
        * For creating the CloudStorageSec SNS Topic
    * SetTopicAttributes
        * For attaching the policy allowing S3 buckets to send messages to the CloudStorageSec SNS Topic
* sqs
    * CreateQueue
        * For creating the CloudStorageSec SQS Queue
    * GetQueueAttributes
        * For getting the ARN and current Policy of the CloudStorageSec SQS Queue
    * SendMessage
        * For adding messages to the CloudStorageSec SQS Queue
    * SendMessageBatch
        * For batch adding messages to the CloudStorageSec SQS Queue
    * SetQueueAttributes
        * For setting the Policy
* ssm (all of the below are for updating the Agent config document)
    * DescribeDocument
    * GetDocument
    * UpdateDocument
```

</details>

<details>

<summary>Agent Permissions (All Resources)</summary>

```
* appconfig (all of the below are for requesting an Agent config deployment)
    * ListApplications
    * ListDeploymentStrategies
* s3
    * DeleteObject
        * For deleting infected objects
    * GetObject
        * For getting objects to scan
    * GetObjectTagging
        * For getting current tags of an object (needed when moving objects to quarantine)
    * ListBucket
        * For listing objects in a bucket
    * PutObject
        * For copying object to quarantine
    * PutObjectAcl
        * For copying object ACLs to quarantine
    * PutObjectTagging
        * For tagging objects with scan results (and when moving an object to quarantine)
* ssm
    * ListDocuments
        * For requesting an Agent config deployment
```

</details>

<details>

<summary>Agent Permissions (Targeted Resources)</summary>

```
* appconfig (the below are for receiving Agent configuration)
    * GetApplication
    * GetConfiguration
    * GetConfigurationProfile
    * GetDeploymentStrategy
    * GetEnvironment
    * ListConfigurationProfiles
    * ListDeployments
    * ListEnvironments
* dynamodb (the below are for submitting agent scan data into the Agent tables for the console)
    * DescribeTable
    * PutItem
    * UpdateItem
* logs (the below are needed for creating cloudwatch logs)
    * CreateLogStream
    * DescribeLogGroups
    * PutLogEvents
* sqs (the below are for processing the CloudStorageSec SQS queue)
    * DeleteMessage
    * GetQueueAttributes
    * ReceiveMessage
* ssm
    * GetDocument
        * For accessing the app config document for Agent configuration
```

</details>

### Permissions Policies

**Console Role**

<details>

<summary>Trust Relationships</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs.amazonaws.com",
                    "ecs-tasks.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

</details>

#### Console Role Customer Inline Policies

<details>

<summary>PoliciesCreation</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:TagPolicy",
                "iam:UntagPolicy",
                "iam:CreatePolicy",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:ListPolicyVersions",
                "iam:CreatePolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-EC2-Management-Policy",
                "arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Infrastructure-Management-Policy",
                "arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Logging-And-Monitoring-Policy",
                "arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Application-Resources-Policy",
                "arn:aws:iam::{AwsAccount}:policy/CloudStorageSecConsolePolicy-i401ajc-Security-And-Access-Policy"
            ],
            "Effect": "Allow",
            "Sid": "IAMCSSPoliciesAction"
        }
    ]
}
```

</details>

<details>

<summary>ApiLb</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeAccountAttributes",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllResources"
        },
        {
            "Action": [
                "elasticloadbalancing:Create*",
                "elasticloadbalancing:Delete*",
                "elasticloadbalancing:Modify*",
                "elasticloadbalancing:*Tags",
                "elasticloadbalancing:SetSubnets",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:listener/*/*{console-appid}/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/*/*{console-appid}/*",
                "arn:aws:elasticloadbalancing:*:*:targetgroup/*i{console-appid}/*",
                "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
            ],
            "Effect": "Allow",
            "Sid": "RestrictedResources"
        }
    ]
}
```

</details>

<details>

<summary>AwsLicensing</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "license-manager:CheckoutLicense",
                "license-manager:ListReceivedLicenses"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "AllResources"
        }
    ]
}
```

</details>

<details>

<summary>CloudTrailLake</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudtrail:*DataStore*",
                "cloudtrail:*Quer*",
                "cloudtrail:*Channel*",
                "cloudtrail-data:*Audit*",
                "iam:ListRoles",
                "iam:GetRolePolicy",
                "iam:GetUser"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudTrail"
        },
        {
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "cloudtrail.amazonaws.com"
                }
            },
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "PassRole"
        }
    ]
}
```

</details>
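To check the `least privilege` statement made earlier against an actual policy document, here is an added audit script (not part of the Antivirus for Amazon S3 project code): it parses a policy and reports every Allow statement whose Resource is `*` or whose actions contain wildcards, noting whether a Condition block scopes the grant. Its first sample input is the CloudTrailLake inline policy shown above; the second, fully targeted policy is constructed for contrast with a placeholder account ID and example repository name.

```python
"""Wildcard audit for IAM policy documents (added example, not project code).

The first sample policy is copied from the CloudTrailLake inline policy above;
the second is constructed here with a placeholder account ID.
"""
import json
from fnmatch import fnmatchcase

# Copied from the CloudTrailLake inline policy on this page.
CLOUDTRAIL_LAKE_POLICY = json.loads('''
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudtrail:*DataStore*",
                "cloudtrail:*Quer*",
                "cloudtrail:*Channel*",
                "cloudtrail-data:*Audit*",
                "iam:ListRoles",
                "iam:GetRolePolicy",
                "iam:GetUser"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "CloudTrail"
        },
        {
            "Condition": {
                "StringEquals": {"iam:PassedToService": "cloudtrail.amazonaws.com"}
            },
            "Action": ["iam:PassRole"],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "PassRole"
        }
    ]
}
''')

# Constructed for contrast: one action on one targeted ARN (placeholder account).
TARGETED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["ecr:ListImages"],
            "Resource": ["arn:aws:ecr:us-east-1:111122223333:repository/example/*"],
            "Effect": "Allow",
            "Sid": "TargetedExample"
        }
    ]
}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return one finding per Allow statement that uses a wildcard: the Sid,
    whether Resource is "*", the Action patterns containing "*", and whether
    a Condition block scopes the grant. Fully targeted statements yield none."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in _as_list(stmt.get("Action")) if "*" in a]
        if "*" not in resources and not wildcard_actions:
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "wildcard_resource": "*" in resources,
            "wildcard_actions": wildcard_actions,
            "scoped_by_condition": bool(stmt.get("Condition")),
        })
    return findings


def statements_granting(policy, action):
    """Sids of Allow statements whose Action patterns match `action`; IAM
    compares action names case-insensitively, so both sides are lower-cased."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        and any(fnmatchcase(action.lower(), p.lower())
                for p in _as_list(stmt.get("Action")))
    ]


if __name__ == "__main__":
    for finding in audit_policy(CLOUDTRAIL_LAKE_POLICY):
        print(finding)
    print(statements_granting(CLOUDTRAIL_LAKE_POLICY, "cloudtrail:StartQuery"))
```

Both statements in the CloudTrailLake policy are reported with a wildcard Resource; only `PassRole` is scoped by a Condition, which is the kind of detail to look for when deciding whether a `*` grant is acceptable.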

#### Console Role Customer Managed Policies

<details>

<summary>Application-Resources-Policy</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:DeleteBucket",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectTagging",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging"
            ],
            "Resource": [
                "arn:aws:s3:::{application-Bucket}",
                "arn:aws:s3:::{application-Bucket}/*"
            ],
            "Effect": "Allow",
            "Sid": "CloudStorageSecS3Bucket"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:ListBucket",
                "s3:PutLifecycleConfiguration",
                "s3:PutEncryptionConfiguration",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectAttributes",
                "s3:PutObjectTagging",
                "s3:DeleteObject",
                "s3:DeleteObjectTagging",
                "s3:DeleteObjectVersion",
                "s3:DeleteObjectVersionTagging",
                "s3:DeleteBucketPolicy",
                "s3:PutBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::{quarantine-Bucket}-*"
            ],
            "Effect": "Allow",
            "Sid": "CloudStorageSecS3QuarantineBucket"
        },
        {
            "Action": [
                "dynamodb:BatchWriteItem",
                "dynamodb:CreateTable",
                "dynamodb:DeleteItem",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:ListTagsOfResource",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:TagResource",
                "dynamodb:UntagResource",
                "dynamodb:UpdateContinuousBackups",
                "dynamodb:UpdateItem",
                "dynamodb:UpdateTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:{Aws-Region}:{AwsAccount}:table/{appId}.*"
            ],
            "Effect": "Allow",
            "Sid": "DynamoDb"
        },
        {
            "Action": [
                "sqs:CreateQueue",
                "sqs:DeleteQueue",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "sqs:SetQueueAttributes",
                "sqs:SendMessage",
                "sqs:TagQueue",
                "sqs:ReceiveMessage",
                "sqs:UntagQueue"
            ],
            "Resource": [
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-{appId}*",
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-DC-{appId}*",
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-EFS-{appId}*",
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-FSx-{appId}*",
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecQueue-ScannedItems-{appId}*",
                "arn:aws:sqs:*:{AwsAccount}:CloudStorageSecRetroQueue-{appId}*"
            ],
            "Effect": "Allow",
            "Sid": "SQS"
        },
        {
            "Action": [
                "elasticfilesystem:CreateTags",
                "elasticfilesystem:CreateMountTarget",
                "elasticfilesystem:CreateAccessPoint",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeTags",
                "elasticfilesystem:TagResource",
                "elasticfilesystem:UntagResource",
                "elasticfilesystem:ListTagsForResource",
                "elasticfilesystem:ModifyMountTargetSecurityGroups"
            ],
            "Resource": [
                "arn:aws:elasticfilesystem:*:*:file-system/*"
            ],
            "Effect": "Allow",
            "Sid": "EFSActions"
        },
        {
            "Action": [
                "elasticfilesystem:DeleteAccessPoint",
                "elasticfilesystem:DescribeAccessPoints"
            ],
            "Resource": [
                "arn:aws:elasticfilesystem:*:*:file-system/*",
                "arn:aws:elasticfilesystem:*:*:access-point/*"
            ],
            "Effect": "Allow",
            "Sid": "EFSAccessPointsActions"
        },
        {
            "Action": [
                "ecr:ListImages"
            ],
            "Resource": [
                "arn:aws:ecr:{Aws-region}:564477214187:repository/cloudstoragesecurity/*"
            ],
            "Effect": "Allow",
            "Sid": "ECR"
        },
        {
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:GetFoundationModel",
                "bedrock:ListFoundationModels"
            ],
            "Resource": "arn:aws:bedrock:*::foundation-model/*",
            "Effect": "Allow",
            "Sid": "Bedrock"
        }
    ]
}
```

</details>

<details>

<summary>EC2-Management-Policy</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CloudStorageSecExtraLargeFileScanning": "ExtraLargeFileScanning"
                }
            },
            "Action": [
                "ec2:DeleteVolume",
                "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:*",
            "Effect": "Allow",
            "Sid": "DeleteLargeFileScanningVolumes"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CloudStorageSec-i401ajc": "Snapshot"
                }
            },
            "Action": [
                "ec2:CreateTags",
                "ec2:CreateSnapshot"
            ],
            "Resource": [
                "arn:aws:ec2:*::snapshot/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSnapshot"
        },
        {
            "Action": [
                "ec2:CreateSnapshot"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSnapshotForAnyVolume"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/CloudStorageSec-{appId}": "Snapshot"
                }
            },
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Resource": [
                "arn:aws:ec2:*::snapshot/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2DeleteSnapshot"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CloudStorageSec-{appId}": "Volume"
                }
            },
            "Action": [
                "ec2:CreateTags",
                "ec2:CreateVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2VolumeCreate"
        },
        {
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CloudStorageSec-{appId}": "Volume"
                }
            },
            "Action": [
                "ec2:DeleteVolume"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2VolumeDelete"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CloudStorageSec-{appId}": "SecurityGroupRule"
                }
            },
            "Action": [
                "ec2:CreateTags",
                "ec2:AuthorizeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:{awsAccount}:security-group-rule/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSecurityGroupRule"
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:security-group/*",
                "arn:aws:ec2:*:*:{awsAccount}:network-interface/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSecurityGroupRuleIngress"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CloudStorageSec-{appId}": "SecurityGroup"
                }
            },
            "Action": [
                "ec2:CreateTags",
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:security-group/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSecurityGroup"
        },
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:vpc/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2CreateSecurityGroupVPC"
        },
        {
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:security-group/*",
                "arn:aws:ec2:*:*:{awsAccount}:subnet/*",
                "arn:aws:ec2:*::image/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2RunInstanceInfrastructure"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CloudStorageSec-{appId}": "EC2Instance"
                }
            },
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateTags",
                "iam:PassRole",
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:instance/*",
                "arn:aws:ec2:*:*:{awsAccount}:network-interface/*",
                "arn:aws:ec2:*:*:{awsAccount}:volume/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2RunInstance"
        },
        {
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CloudStorageSec-{appId}": "EC2Instance"
                }
            },
            "Action": [
                "ec2:TerminateInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:{awsAccount}:instance/*"
            ],
            "Effect": "Allow",
            "Sid": "EC2TerminateInstance"
        }
    ]
}
```

</details>

<details>

<summary>Infrastructure-Management-Policy</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:UpdateStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:{Aws-Region}:*:stack/{CloudFormationStack-name}/*"
            ],
            "Effect": "Allow",
            "Sid": "CloudFormation"
        },
        {
            "Action": [
                "ecs:TagResource",
                "ecs:ListTagsForResource",
                "ecs:UntagResource",
                "ecs:CreateCluster",
                "ecs:DeleteCluster",
                "ecs:DescribeClusters",
                "ecs:ListContainerInstances",
                "ecs:CreateService",
                "ecs:DeleteService",
                "ecs:DescribeServices",
                "ecs:UpdateService",
                "ecs:ListTasks",
                "ecs:DescribeTasks"
            ],
            "Resource": [
                "arn:aws:ecs:*:{AwsAccount}:cluster/CloudStorageSecCluster-{appId}",
                "arn:aws:ecs:*:{AwsAccount}:service/CloudStorageSecCluster-{appId}/*",
                "arn:aws:ecs:*:{AwsAccount}:container-instance/CloudStorageSecCluster-{appId}/*",
                "arn:aws:ecs:*:{AwsAccount}:task/CloudStorageSecCluster-{appId}/*"
            ],
            "Effect": "Allow",
            "Sid": "ECSCluster"
        },
        {
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:RequestTag/CloudStorageSec-{appId}": [
                        "TaskDefinition",
                        "ConsoleTaskDefinition"
                    ]
                }
            },
            "Action": [
                "ecs:TagResource",
                "ecs:RegisterTaskDefinition"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ECSRegisterTask"
        },
        {
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:ResourceTag/CloudStorageSec-{appId}": [
                        "TaskDefinition",
                        "ConsoleTaskDefinition"
                    ]
                }
            },
            "Action": [
                "ecs:TagResource",
                "ecs:ListTagsForResource",
                "ecs:UntagResource",
                "ecs:RunTask",
                "ecs:DeleteTaskDefinitions"
            ],
            "Resource": "arn:aws:ecs:*:{Aws-Account}:task-definition/CloudStorageSec*-{appId}:*",
            "Effect": "Allow",
            "Sid": "ECSRunDeleteTask"
        },
        {
            "Condition": {
                "StringEquals": {
                    "application-autoscaling:scalable-dimension": "ecs:service:DesiredCount"
                }
            },
            "Action": [
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:RegisterScalableTarget"
            ],
            "Resource": [
                "arn:aws:application-autoscaling:*:{Aws-Account}:scalable-target/*"
            ],
            "Effect": "Allow",
            "Sid": "ApplicationAutoscaling"
        },
        {
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "CloudStorageSec-{appId}"
                }
            },
            "Action": [
                "application-autoscaling:TagResource",
                "application-autoscaling:UntagResource"
            ],
            "Resource": [
                "arn:aws:application-autoscaling:*:{Aws-Account}:scalable-target/*"
            ],
            "Effect": "Allow",
            "Sid": "ApplicationAutoscalingTagging"
        },
        {
            "Action": [
                "appconfig:DeleteConfigurationProfile",
                "appconfig:GetLatestConfiguration",
                "appconfig:ListConfigurationProfiles",
                "appconfig:StartDeployment",
                "appconfig:StartConfigurationSession",
                "appconfig:TagResource",
                "appconfig:UpdateApplication",
                "appconfig:UpdateConfigurationProfile",
                "appconfig:UpdateDeploymentStrategy",
                "appconfig:UpdateEnvironment",
                "appconfig:UntagResource"
            ],
            "Resource": [
                "arn:aws:appconfig:*:{Aws-Account}:application/{appId}/*",
                "arn:aws:appconfig:*:{Aws-Account}:application/{appId}",
                "arn:aws:appconfig:*:{Aws-Account}:deploymentstrategy/ob3q2x1"
            ],
            "Effect": "Allow",
            "Sid": "AppConfig"
        },
        {
            "Action": [
                "ssm:AddTagsToResource",
                "ssm:ListTagsForResource",
                "ssm:RemoveTagsFromResource",
                "ssm:CreateDocument",
                "ssm:DeleteDocument",
                "ssm:DescribeDocument",
                "ssm:DescribeDocumentParameters",
                "ssm:DescribeDocumentPermission",
                "ssm:ModifyDocumentPermission",
                "ssm:GetDocument",
                "ssm:ListDocuments",
                "ssm:UpdateDocument",
                "ssm:UpdateDocumentDefaultVersion",
                "ssm:UpdateDocumentMetadata",
                "ssm:DeleteParameter",
                "ssm:DeleteParameters",
                "ssm:DescribeParameters",
                "ssm:GetParameter",
                "ssm:GetParameterHistory",
                "ssm:GetParameters",
                "ssm:GetParametersByPath",
                "ssm:LabelParameterVersion",
                "ssm:PutParameter",
                "ssm:UnlabelParameterVersion",
                "secretsmanager:CreateSecret",
                "secretsmanager:DeleteSecret",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:RestoreSecret",
                "secretsmanager:TagResource"
            ],
            "Resource": [
                "arn:aws:ssm:*:{AwsAccount}:parameter/aws/service/ecs/optimized-ami/amazon-linux*/recommended/image_id",
                "arn:aws:ssm:*:{AwsAccount}:document/*{appId}",
                "arn:aws:ssm:*:{AwsAccount}:parameter/*{appId}/*",
                "arn:aws:ssm:*:{AwsAccount}:parameter/*{appId}",
                "arn:aws:ssm:*::parameter/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id",
                "arn:aws:secretsmanager:{Aws-Region}:*:secret:cloudstoragesec/*"
            ],
            "Effect": "Allow",
            "Sid": "SSMActions"
        },
        {
            "Action": [
                "events:CreateEventBus",
                "events:DeleteEventBus",
                "events:DeleteRule",
                "events:DescribeEventBus",
                "events:DescribeRule",
                "events:DisableRule",
                "events:EnableRule",
                "events:ListRuleNamesByTarget",
                "events:ListRules",
                "events:ListTagsForResource",
                "events:PutPermission",
                "events:PutRule",
                "events:PutTargets",
                "events:RemovePermission",
                "events:RemoveTargets",
                "events:TagResource",
                "events:UntagResource",
                "events:UpdateEventBus"
            ],
            "Resource": [
                "arn:aws:events:*:*:*/*{appId}*",
                "arn:aws:events:*:*:*/default",
                "arn:aws:events:*:*:rule/*"
            ],
            "Effect": "Allow",
            "Sid": "EventBridgeActions"
        }
    ]
}
```

</details>

<details>

<summary>Logging-And-Monitoring-Policy</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogStream",
                "logs:GetLogEvents",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.*:log-stream:*",
            "Effect": "Allow",
            "Sid": "CloudWatchLogStream"
        },
        {
            "Action": [
                "logs:ListTagsForResource",
                "logs:TagResource",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:PutRetentionPolicy",
                "logs:TagLogGroup",
                "logs:UntagLogGroup",
                "logs:UntagResource"
            ],
            "Resource": [
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.*"
            ],
            "Effect": "Allow",
            "Sid": "CloudWatchLog"
        },
        {
            "Action": [
                "logs:StartQuery",
                "logs:GetQueryResults"
            ],
            "Resource": [
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.Jobs:*",
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ScanStatistics:*",
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ClassificationStatistics:*",
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.SystemEvents:*",
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ScanResults:*",
                "arn:aws:logs:*:{AwsAccount}:log-group:CloudStorageSecurity.Agent.ClassificationResults:*"
            ],
            "Effect": "Allow",
            "Sid": "CloudWatchLogQuery"
        },
        {
            "Action": [
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": [
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecLargeQueue-{appId}",
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecSmallQueue-{appId}",
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecLargeQueue-DC-{appId}",
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecSmallQueue-DC-{appId}",
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:CloudStorageSecConsole-HealthCheck-Alarm-{appId}",
                "arn:aws:cloudwatch:*:{AwsAccount}:alarm:TargetTracking-service/CloudStorageSecCluster-{appId}/CloudStorageSecApiAgentService-{appId}*"
            ],
            "Effect": "Allow",
            "Sid": "CloudWatchAlarm"
        },
        {
            "Action": [
                "securityhub:GetFindings",
                "securityhub:DisableImportFindingsForProduct",
                "securityhub:BatchImportFindings",
                "securityhub:EnableImportFindingsForProduct"
            ],
            "Resource": [
                "arn:aws:securityhub:{AwsRegion}:{AwsAccount}:product/cloud-storage-security/antivirus-for-amazon-s3",
                "arn:aws:securityhub:{AwsRegion}:{AwsAccount}:product-subscription/cloud-storage-security/antivirus-for-amazon-s3",
                "arn:aws:securityhub:{AwsRegion}:{AwsAccount}:hub/default"
            ],
            "Effect": "Allow",
            "Sid": "SecurityHubActions"
        },
        {
            "Condition": {
                "StringEquals": {
                    "cloudwatch:Namespace": "AWS/ECS"
                }
            },
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "PutECSMetricData"
        },
        {
            "Action": [
                "sns:Subscribe",
                "sns:AddPermission",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:SetTopicAttributes",
                "sns:GetTopicAttributes",
                "sns:GetSubscriptionAttributes",
                "sns:SetSubscriptionAttributes",
                "sns:ListSubscriptionsByTopic",
                "sns:Publish",
                "sns:TagResource",
                "sns:UnTagResource"
            ],
            "Resource": [
                "arn:aws:sns:*:{AwsAccount}:CloudStorageSecNotificationsTopic-{appId}",
                "arn:aws:sns:*:{AwsAccount}:CloudStorageSecTopic-{appId}"
            ],
            "Effect": "Allow",
            "Sid": "SNS"
        },
        {
            "Action": [
                "servicequotas:GetServiceQuota"
            ],
            "Resource": [
                "arn:aws:servicequotas:*:{AwsAccount}:ebs/L-D18FCD1D",
                "arn:aws:servicequotas:*:{AwsAccount}:ebs/L-7A658B76"
            ],
            "Effect": "Allow",
            "Sid": "ServiceQuotas"
        },
        {
            "Action": [
                "budgets:ViewBudget",
                "budgets:ModifyBudget"
            ],
            "Resource": [
                "arn:aws:budgets::{AwsAccount}:budget/Cloud Storage Security Application Cost Budget - Application {appId}"
            ],
            "Effect": "Allow",
            "Sid": "Budgets"
        }
    ]
}
```

</details>

<details>

<summary>Security-And-Access-Policy</summary>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cognito-idp:AdminGetUser",
                "cognito-idp:AdminCreateUser",
                "cognito-idp:AdminAddUserToGroup",
                "cognito-idp:AdminDeleteUser",
                "cognito-idp:AdminDeleteUserAttributes",
                "cognito-idp:AdminDisableUser",
                "cognito-idp:AdminEnableUser",
                "cognito-idp:AdminRemoveUserFromGroup",
                "cognito-idp:AdminListGroupsForUser",
                "cognito-idp:AdminUpdateUserAttributes",
                "cognito-idp:ListTagsForResource",
                "cognito-idp:ListUsers",
                "cognito-idp:ListUsersInGroup",
                "cognito-idp:CreateGroup",
                "cognito-idp:DeleteGroup",
                "cognito-idp:DescribeUserPoolClient",
                "cognito-idp:DescribeUserPool",
                "cognito-idp:UpdateUserPool",
                "cognito-idp:ListIdentityProviders",
                "cognito-idp:SetUserPoolMfaConfig"
            ],
            "Resource": [
                "arn:aws:cognito-idp:{AwsRegion}:{AwsAccount}:userpool/{UserPool-Id}"
            ],
            "Effect": "Allow",
            "Sid": "Cognito"
        },
        {
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:TagInstanceProfile",
                "iam:UntagInstanceProfile",
                "iam:UpdateAssumeRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:PassRole",
                "iam:TagRole",
                "iam:UntagRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/CloudStorageSecUserPoolRole-{appId}",
                "arn:aws:iam::{AwsAccount}:role/AppConfigAgentConfigurationDocumentRole-{appId}",
                "arn:aws:iam::{AwsAccount}:role/CloudStorageSecExecutionRole-{appId}",
                "arn:aws:iam::{AwsAccount}:role/CloudStorageSecConsoleRole-{appId}",
                "arn:aws:iam::{AwsAccount}:role/CloudStorageSecAgentRole-{appId}",
                "arn:aws:iam::*:role/CloudStorageSecEc2ContainerRole-{appId}",
                "arn:aws:iam::*:instance-profile/CloudStorageSecEc2ContainerRole-{appId}",
                "arn:aws:iam::*:role/CloudStorageSecEventBridgeRole-{appId}"
            ],
            "Effect": "Allow",
            "Sid": "IAMAction"
        },
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::*:role/*{appId}",
            "Effect": "Allow",
            "Sid": "CrossAccountAssumeRole"
        },
        {
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.*.amazonaws.com"
                }
            },
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:*:{AwsAccount}:key/*",
            "Effect": "Allow",
            "Sid": "KmsConsole"
        },
        {
            "Action": [
                "application-autoscaling:DescribeScalableTargets",
                "aws-marketplace:MeterUsage",
                "acm:DescribeCertificate",
                "acm:RequestCertificate",
                "cloudformation:GetTemplateSummary",
                "cloudwatch:GetMetricStatistics",
                "ec2:DescribeTags",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeRegions",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeSnapshots",
                "ecs:DescribeTaskDefinition",
                "ecs:DeregisterTaskDefinition",
                "ecs:ListTaskDefinitions",
                "fsx:DescribeFileSystems",
                "fsx:DescribeVolumes",
                "fsx:DescribeStorageVirtualMachines",
                "logs:DescribeLogGroups",
                "sns:ListSubscriptions",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sns:Unsubscribe",
                "sqs:ListQueues"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "ReadOnlyGlobal"
        },
        {
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetInventoryConfiguration",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetLifecycleConfiguration",
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "arn:aws:s3:::*",
            "Effect": "Allow",
            "Sid": "S3ReadOnly"
        },
        {
            "Action": [
                "s3:PutObject",
                "s3:PutObjectTagging",
                "s3:PutBucketLogging",
                "s3:PutBucketNotification",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutInventoryConfiguration"
            ],
            "Resource": "arn:aws:s3:::*",
            "Effect": "Allow",
            "Sid": "S3Write"
        }
    ]
}
```

</details>
