Event Driven Scanning for New Files


Last updated 4 months ago

Event driven scanning is where an event, in this case the All object create event, is leveraged on the bucket so that any time an object is created or modified within the bucket an event is raised. Antivirus for Amazon S3 places an event destination / handler onto the protected buckets which listens for these events to trigger scanning. This allows Antivirus for Amazon S3 to easily plug in to any existing workflow you have without modifications.

The flow looks as follows:

  1. An object is added to a protected bucket

  2. An event is raised and sent to an SNS Topic

  3. The Antivirus for Amazon S3 provides an SQS Queue which subscribes to the Topic

  4. One or more Antivirus for Amazon S3 Agents are monitoring the queue

  5. Entries are pulled from the queue identifying the object to scan. The object is retrieved and scanned

  6. Objects are handled according to the settings you have set:
     a. All objects are tagged
     b. Infected files are moved to a quarantine bucket (default behavior)

This flow and behavior are the same irrespective of region. Amazon S3 buckets have a global view but are regionally placed, so this flow is performed locally in each region where you enable buckets for scanning.

Object Tagging

After a file has been scanned we will tag the object in the S3 bucket. These tags are how our solution recognizes whether we've previously scanned the file. If an object is tagged and is copied to another protected bucket, our solution will skip over scanning the object.
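The steps above (S3 event, SNS Topic, SQS Queue, agent) and the skip rule just described can be made concrete with a small consumer-side routine. The following is an added example, not code from Antivirus for Amazon S3: it unwraps the SNS envelope an SQS message carries, extracts the ObjectCreated records from the S3 event notification (the real S3 event format, including URL-encoded keys and the one-off `s3:TestEvent`), and applies the "already tagged, so skip" rule. The tag key `scan-result` is an assumption, because the page shows its tag examples only as images; the verdict names come from the page's own figure captions. The sample messages are constructed.

```python
import json
from urllib.parse import unquote_plus

# Assumed tag key: the page shows tag examples only as images, so the real key is
# not available here. The verdict values are taken from the page's figure captions.
SCAN_RESULT_TAG = "scan-result"
KNOWN_VERDICTS = {"Clean", "Infected", "Unscannable", "Error"}


def unwrap_s3_event(sqs_body: str) -> dict:
    """Return the S3 event notification carried by one SQS message body.

    With SNS -> SQS fan-out, the SQS body is an SNS envelope and the S3 event
    is a JSON *string* in its "Message" field. A direct S3 -> SQS delivery
    has no envelope, so the body itself is the event.
    """
    outer = json.loads(sqs_body)
    if outer.get("Type") == "Notification" and "Message" in outer:
        return json.loads(outer["Message"])
    return outer


def objects_to_scan(sqs_body: str) -> list:
    """Extract bucket, key and version for every ObjectCreated record."""
    event = unwrap_s3_event(sqs_body)
    # S3 sends a single s3:TestEvent when a notification is first configured;
    # it carries no Records and must not be mistaken for an object to scan.
    if event.get("Event") == "s3:TestEvent":
        return []
    targets = []
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue  # "All object create events" only; ignore removals etc.
        s3 = rec["s3"]
        targets.append({
            "bucket": s3["bucket"]["name"],
            # Keys in S3 event records are URL-encoded ("+" for space); decode
            # them before calling GetObject or GetObjectTagging.
            "key": unquote_plus(s3["object"]["key"]),
            "version_id": s3["object"].get("versionId"),
        })
    return targets


def tagset_to_dict(tagging_response: dict) -> dict:
    """Flatten a GetObjectTagging response ({"TagSet": [{"Key", "Value"}]})."""
    return {t["Key"]: t["Value"] for t in tagging_response.get("TagSet", [])}


def needs_scan(tags: dict) -> bool:
    """Skip rule from Object Tagging: an object that already carries a scan
    verdict (e.g. copied from another protected bucket) is not rescanned."""
    return tags.get(SCAN_RESULT_TAG) not in KNOWN_VERDICTS


# Constructed sample: an SNS envelope as delivered to SQS, wrapping one
# ObjectCreated:Put record for the key "incoming/quarterly report.pdf".
SAMPLE_S3_EVENT = {
    "Records": [{
        "eventVersion": "2.1",
        "eventSource": "aws:s3",
        "awsRegion": "us-east-1",
        "eventName": "ObjectCreated:Put",
        "s3": {
            "bucket": {"name": "protected-uploads"},
            "object": {"key": "incoming/quarterly+report.pdf", "size": 2048,
                       "versionId": "3HL4kqtJlcpXroDTDmjVBH40Nrjfkd"},
        },
    }]
}
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "MessageId": "00000000-0000-0000-0000-000000000000",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:example-topic",
    "Message": json.dumps(SAMPLE_S3_EVENT),
})
SAMPLE_TEST_EVENT_BODY = json.dumps({
    "Type": "Notification",
    "Message": json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                           "Bucket": "protected-uploads"}),
})

if __name__ == "__main__":
    for target in objects_to_scan(SAMPLE_SQS_BODY):
        print("scan", target)
    print("test event yields", objects_to_scan(SAMPLE_TEST_EVENT_BODY))
    already_clean = tagset_to_dict({"TagSet": [{"Key": SCAN_RESULT_TAG, "Value": "Clean"}]})
    print("already tagged Clean needs scan?", needs_scan(already_clean))
```

Two details matter for anyone writing their own consumer against the same queue: the key must be URL-decoded before it is used in an API call, or objects with spaces or special characters in their names will be reported as missing, and `s3:TestEvent` has to be consumed and discarded rather than retried. Note also that the skip rule trusts the tag: a principal with `s3:PutObjectTagging` on a protected bucket can set the verdict tag, so tagging permissions on protected buckets should be held only by the scanning agents.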

Examples of object tags based on scan results are shown in the figures at the end of this page.

Document Flows

Standard Document Flow

When a bucket is protected, an event listener (SNS Topic) is added to the bucket. The bucket sends S3 Events to the topic, which in turn populates an SQS Queue. From there, everything is scanned in near real-time.

  1. Users or apps upload objects to an S3 bucket protected by our solution.

  2. The S3 bucket has an event listener which pushes a notification to Amazon SNS. SNS pushes a message to an Amazon SQS Queue.

  3. Our Event Agent monitors this queue for objects, copies each object to itself and scans it.

  4. The Event Agent will tag the object with its verdict.

  5. The Event Agent will send scan results to Amazon CloudWatch.

  6. The Event Agent will send problematic scan results to the Console service for surfacing.

  7. (If Proactive Notifications are configured) The Event Agent will forward scan results to Amazon SNS.

  8. (Optional) The Event Agent will move infected files into a Quarantine S3 Bucket

2 Bucket (Two Bucket) System Document Flow

The Two Bucket System (2 Bucket System) allows a customer to physically separate incoming files from the downstream users of the "production buckets". The separation lasts as long as it takes to scan the files and ensure they are clean. In this way, you can ensure that nothing other than clean files makes it into your production buckets, so their contents are safe to be consumed.

We have 2 options for a 2 bucket flow: Console approach and Lambda Approach.

The Console approach is configured in the Console and moves files tagged as Clean to a designated destination bucket. This option is straightforward but cannot be tweaked with additional configuration.

Some customers opt to put a Lambda function into place for more granular control over objects. Moving multiple types of files or moving files to more than one bucket are common use cases for those who opt to utilize a Lambda instead of our console-managed two bucket functionality.

Console approach:

  1. Users or apps upload objects to an S3 bucket protected by our solution.

  2. The S3 bucket has an event listener which pushes a notification to Amazon SNS. SNS pushes a message to an Amazon SQS Queue.

  3. Our Event Agent monitors this queue for objects, copies each object to itself and scans it.

  4. The Event Agent will tag the object with its verdict.

  5. The Event Agent will send scan results to Amazon CloudWatch.

  6. The Event Agent will send problematic scan results to the Console service for surfacing.

  7. If the Event Agent deems an object as Clean, it will move that object from the staging S3 bucket into the destination S3 bucket.

  8. (If Proactive Notifications are configured) The Event Agent will forward scan results to Amazon SNS.

  9. (Optional) The Event Agent will move infected files into a Quarantine S3 Bucket.

Lambda approach:

  1. Users or apps upload objects to an S3 bucket protected by our solution.

  2. The S3 bucket has an event listener which pushes a notification to Amazon SNS. SNS pushes a message to an Amazon SQS Queue.

  3. Our Event Agent monitors this queue for objects, copies each object to itself and scans it.

  4. The Event Agent will tag the object with its verdict.

  5. The Event Agent will send scan results to Amazon CloudWatch.

  6. The Event Agent will send problematic scan results to the Console service for surfacing.

  7. SNS can be configured to notify Lambda for Clean objects.

  8. The Lambda function can then perform an S3 mv (move) of the object from the source bucket to the destination bucket.

  9. (If Proactive Notifications are configured) The Event Agent will forward scan results to Amazon SNS.

  10. (Optional) The Event Agent will move infected files into a Quarantine S3 Bucket.
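Steps 7 and 8 of the Lambda approach are where customers write their own code, so here is an added example of such a function. It is not the product's code and does not use its real notification format: the SNS message layout (`{"bucket", "key", "result"}`), the tag key `scan-result` and the bucket names are assumptions, since the page shows tag names only as images and does not document the message body. The function moves an object only when the verdict is Clean, re-reads the verdict tag from the object itself before moving (so a stale or replayed notification cannot move a file that has since been overwritten), and performs the "S3 mv" as the copy-then-delete it really is. A small in-memory stand-in for the boto3 S3 client lets it run offline; `lambda_handler` is the real entry point.

```python
import json

# Assumed tag key (the page shows tag names only as images) and constructed
# bucket names; "Clean" is the verdict the page says the flow moves on.
SCAN_RESULT_TAG = "scan-result"
STAGING_BUCKET = "staging-uploads"
DESTINATION_BUCKET = "production-data"


class FakeS3:
    """In-memory stand-in for the boto3 S3 client methods this function uses,
    so the example runs offline. State: {(bucket, key): {"Body", "Tags"}}."""

    def __init__(self, objects):
        self.objects = {k: {"Body": v["Body"], "Tags": dict(v["Tags"])}
                        for k, v in objects.items()}

    def get_object_tagging(self, Bucket, Key):
        tags = self.objects[(Bucket, Key)]["Tags"]
        return {"TagSet": [{"Key": k, "Value": v} for k, v in tags.items()]}

    def copy_object(self, Bucket, Key, CopySource, TaggingDirective="COPY"):
        src = self.objects[(CopySource["Bucket"], CopySource["Key"])]
        tags = dict(src["Tags"]) if TaggingDirective == "COPY" else {}
        self.objects[(Bucket, Key)] = {"Body": src["Body"], "Tags": tags}

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)


def move_clean_objects(event: dict, s3) -> list:
    """Body of the SNS -> Lambda handler for steps 7 and 8 of the Lambda flow.

    The message layout {"bucket", "key", "result"} is an assumption; the
    product's real notification format is not documented on this page.
    """
    moved = []
    for rec in event.get("Records", []):
        if rec.get("EventSource") != "aws:sns":
            continue
        msg = json.loads(rec["Sns"]["Message"])
        bucket, key = msg["bucket"], msg["key"]
        # Only act on the staging bucket, and only on a Clean verdict.
        if bucket != STAGING_BUCKET or msg.get("result") != "Clean":
            continue
        # Do not trust the notification alone: the object may have been
        # overwritten since the scan, so re-read the verdict tag on the object.
        resp = s3.get_object_tagging(Bucket=bucket, Key=key)
        tags = {t["Key"]: t["Value"] for t in resp["TagSet"]}
        if tags.get(SCAN_RESULT_TAG) != "Clean":
            continue
        # "S3 mv" is copy-then-delete; COPY keeps the verdict tag on the new object.
        s3.copy_object(Bucket=DESTINATION_BUCKET, Key=key,
                       CopySource={"Bucket": bucket, "Key": key},
                       TaggingDirective="COPY")
        s3.delete_object(Bucket=bucket, Key=key)
        moved.append(key)
    return moved


def lambda_handler(event, context):
    """Real entry point; boto3 is imported lazily so the offline demo needs no SDK."""
    import boto3
    return move_clean_objects(event, boto3.client("s3"))


def sns_record(bucket: str, key: str, result: str) -> dict:
    """Build one SNS -> Lambda record in the assumed message layout (constructed)."""
    return {"EventSource": "aws:sns",
            "Sns": {"Message": json.dumps({"bucket": bucket, "key": key, "result": result})}}


def demo():
    """Constructed staging contents: a clean file, an infected file, and one whose
    notification claims Clean but whose tag does not (stale or replayed message)."""
    s3 = FakeS3({
        (STAGING_BUCKET, "reports/q1.pdf"): {"Body": b"%PDF-1.7 ...", "Tags": {SCAN_RESULT_TAG: "Clean"}},
        (STAGING_BUCKET, "tools/setup.exe"): {"Body": b"MZ...", "Tags": {SCAN_RESULT_TAG: "Infected"}},
        (STAGING_BUCKET, "notes.txt"): {"Body": b"hello", "Tags": {}},
    })
    event = {"Records": [
        sns_record(STAGING_BUCKET, "reports/q1.pdf", "Clean"),
        sns_record(STAGING_BUCKET, "tools/setup.exe", "Infected"),
        sns_record(STAGING_BUCKET, "notes.txt", "Clean"),
    ]}
    moved = move_clean_objects(event, s3)
    return moved, sorted(s3.objects)


if __name__ == "__main__":
    print(demo())
```

Because the copy uses `TaggingDirective="COPY"`, the verdict tag travels with the object, so if the destination bucket is itself protected the skip rule under Object Tagging applies and the file is not scanned a second time. In a real deployment, grant the function's role only what the move needs (read and read-tagging on the staging bucket, write and write-tagging on the destination, delete on the staging bucket), and remember that `CopyObject` is limited to 5 GB; larger objects need a multipart copy.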

For guided steps on how to set up the 2 Bucket System, see Scan Settings (linked as "go here" in the original).

Figures from the original page (images, not reproduced here): object tag examples for a Clean Object, an Infected Object, an Unscannable Object and an Error Object; flow diagrams for the Standard Document Flow, the 2 Bucket Console Flow and the 2 Bucket Lambda Flow.