Event Driven Scanning for New Files

Event driven scanning is where an event, in this case the All object create event, is leveraged on the bucket so that any time an object is created or modified within the bucket, an event is raised. Antivirus for Amazon S3 places an event destination / handler onto the protected buckets, which listens for these events to trigger scanning. This allows Antivirus for Amazon S3 to plug in to any existing workflow you have without modifications.

The flow looks as follows:

  1. An object is added to a protected bucket

  2. An event is raised and sent to an SNS Topic

  3. Antivirus for Amazon S3 provides an SQS Queue which subscribes to the Topic

  4. One or more Antivirus for Amazon S3 Agents are monitoring the queue

  5. Entries are pulled from the queue identifying the object to scan. The object is retrieved and scanned

  6. Objects are handled according to the Scan Settings you have set

     a. All objects are tagged

     b. Infected files are moved to a quarantine bucket (default behavior)

This flow and behavior is irrespective of region. Amazon S3 buckets have a global view, but are regionally placed. This flow is performed locally in each region where you enable buckets for scanning.
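Step 5 of the flow above, sketched as an added example (this is not Antivirus for Amazon S3's own code): it unwraps an SQS message body carrying an SNS notification of an S3 event and returns the objects to retrieve and scan. The function name, bucket name and sample messages are constructed for illustration; the field names follow the standard S3 event notification format.

```python
import json
from urllib.parse import unquote_plus

def objects_to_scan(sqs_body: str) -> list[dict]:
    """Return one entry per created object described by an SQS message body."""
    doc = json.loads(sqs_body)
    # SNS wraps the S3 event as a JSON string in "Message" unless raw delivery is on.
    if doc.get("Type") == "Notification" and isinstance(doc.get("Message"), str):
        doc = json.loads(doc["Message"])
    found = []
    # S3 sends an s3:TestEvent with no "Records" when notifications are first configured.
    for rec in doc.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue  # deletes and other events are not scan triggers
        obj = rec["s3"]["object"]
        found.append({
            "region": rec.get("awsRegion"),
            "bucket": rec["s3"]["bucket"]["name"],
            # Keys arrive URL-encoded (space becomes "+"); decode before fetching.
            "key": unquote_plus(obj["key"]),
            "version_id": obj.get("versionId"),
            "size": obj.get("size"),
        })
    return found

# Constructed sample data: one upload and one delete in the same notification.
_S3_EVENT = {"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put", "awsRegion": "us-east-1",
     "s3": {"bucket": {"name": "example-protected-bucket"},
            "object": {"key": "uploads/Q3+report+%28final%29.pdf", "size": 1024}}},
    {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete", "awsRegion": "us-east-1",
     "s3": {"bucket": {"name": "example-protected-bucket"},
            "object": {"key": "uploads/old.txt"}}},
]}
SAMPLE_SQS_BODY = json.dumps({"Type": "Notification", "Message": json.dumps(_S3_EVENT)})
SAMPLE_RAW_BODY = json.dumps(_S3_EVENT)  # SNS raw message delivery: no envelope
SAMPLE_TEST_EVENT = json.dumps({"Type": "Notification", "Message": json.dumps(
    {"Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": "example-protected-bucket"})})

if __name__ == "__main__":
    for entry in objects_to_scan(SAMPLE_SQS_BODY):
        print(entry)
```

Skipping the key decoding makes the later object fetch fail for any name containing spaces or special characters, which would leave those uploads unscanned.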

Object Tagging

After a file has been scanned we will tag the object in the S3 bucket. These tags are how our solution recognizes whether we've previously scanned the file. If an object is tagged and is copied to another protected bucket, our solution will skip over scanning the object.

Here are examples of object tags based on scan results:

Clean Object

Document Flows

Standard Document Flow

When a bucket is protected, an event listener (SNS Topic) is added to the bucket. This sends S3 Events to the topic, which in turn populates an SQS Queue. From there, everything is scanned in near real-time.

2 Bucket (Two Bucket) System Document Flow

The Two Bucket System (2 Bucket System) allows a customer to physically separate the incoming files from the downstream users of the "production buckets". The separation lasts as long as it takes to scan the files and ensure they are clean. In this way, you can ensure that nothing other than clean files makes it into your production buckets, so their contents are safe to be consumed. For guided steps on how to set up the 2 Bucket System go here
