S3 VirusScan AWS Security

Antivirus for S3 buckets: widdix/aws-s3-virusscan. As soon as a new file is added to your bucket the file is scanned.

The S3 VirusScan with additional integrations is available in the AWS Marketplace.

Features

Uses ClamAV to scan newly added files on S3 buckets

Updates ClamAV database every 3 hours automatically

Scales EC2 instance workers to distribute workload

Publishes a message to SNS in case of a finding

Can optionally delete compromised files automatically

Logs to CloudWatch Logs

Commercial Features

CloudWatch Integration (Metrics and Dashboard)

Security Hub Integration

SSM OpsCenter Integration

The S3 VirusScan with additional integrations is available in the AWS Marketplace.

How does it work

A picture is worth a thousand words:

S3 VirusScan uses a SQS queue to decouple scan jobs from the ClamAV workers. Each S3 bucket can fire events to that SQS queue in case of new objects. This feature of S3 is called S3 Event Notifications. The SQS queue is consumed by a fleet of EC2 instances running in an Auto Scaling Group. If the number of outstanding scan jobs reaches a treshold a new ClamAV worker is automatically added. If the queue is mostly empty workers are removed. The ClamAV workers run a simple ruby script that executes the clamscan command. In the background the virus database is updated every three hours. If clamscan finds a virus the file is directly deleted (you can configure that) and a SNS notification is published.

Installation

Create the CloudFormation Stack

This templates depends on our vpc-*azs.yaml template. The scanners will will use 2 AZs only. Click Next to proceed with the next step of the wizard. Specify a name and all parameters for the stack. Click Next to proceed with the next step of the wizard. Click Next to skip the Options step of the wizard. Check the I acknowledge that this template might cause AWS CloudFormation to create IAM resources. checkbox. Click Create to start the creation of the stack. Wait until the stack reaches the state CREATE_COMPLETE

Configure S3 buckets

Configure the S3 buckets you want to connect to S3 VirusScan as shown in the next figure:

Make sure you select the -ScanQueue- NOT the -ScanQueueDLQ-!

Configure Emails

If you like to receive emails if a virus was found you must subscribe to the SNS topic as sown in the next two figures:

You will receive a confirmation email.

Test

Create a EICAR Standard Anti-Virus Test File with the following content:

X5O ! P %@ AP [ 4 \ PZX54 ( P ^) 7CC ) 7 }$ EICAR - STANDARD - ANTIVIRUS - TEST - FILE !$ H + H *



and upload that file to your S3 bucket.

Support needed?

Do you need help? Mail to hello@widdix.de.