• This repository has been archived on 02/Oct/2023
  • Stars: 525
  • Rank 84,404 (Top 2 %)
  • Language: Java
  • License: Apache License 2.0
  • Created over 8 years ago
  • Updated about 1 year ago

Antivirus for Amazon S3

This template creates a malware scanner cluster for S3 buckets. Connect as many S3 buckets as you like.

bucketAV - Antivirus for Amazon S3 with additional features is available at AWS Marketplace.

Features

  • Uses ClamAV to scan newly added files on S3 buckets
  • Updates ClamAV database every 3 hours automatically
  • Scales EC2 instance workers to distribute the workload
  • Publishes a message to SNS in case of a finding
  • Can optionally delete compromised files automatically
  • Logs to CloudWatch Logs

Additional Commercial Features by bucketAV

  • Reporting capabilities
  • Dashboard
  • Scan buckets at regular intervals / initial bucket scan
  • Quarantine infected files
  • Enhanced security features (e.g., IMDSv2)
  • Regular Security updates
  • Multi-Account support
  • AWS Integrations:
    • CloudWatch Integration (Metrics and Dashboard)
    • Security Hub Integration
    • SSM OpsCenter Integration
  • S3 -> SNS fan-out support
  • Support

How does it work

A picture is worth a thousand words:

Architecture

  1. An SQS queue is used to decouple scan jobs from the ClamAV workers. Each S3 bucket can send an event to that SQS queue whenever a new object is created. This feature of S3 is called S3 Event Notifications.
  2. The SQS queue is consumed by a fleet of EC2 instances running in an Auto Scaling Group. If the number of outstanding scan jobs reaches a threshold, a new ClamAV worker is added automatically. If the queue is mostly empty, workers are removed.
  3. The ClamAV workers run a simple Ruby script that executes the clamscan command. In the background, the virus database is updated every three hours.
  4. If clamscan finds a virus, the file is deleted immediately (you can configure that) and an SNS notification is published.

Installation

Create the CloudFormation Stack

  1. This template depends on one of our vpc-*azs.yaml templates. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  8. Click Create to start the creation of the stack.
  9. Wait until the stack reaches the state CREATE_COMPLETE.

Configure the buckets

Configure the buckets you want to connect to as shown in the next figure:

Configure Event Notifications 1

Configure Event Notifications 2

Make sure you select the -ScanQueue- NOT the -ScanQueueDLQ-!

Configure E-Mail subscription

If you would like to receive an email when a virus is found, you must subscribe to the SNS topic as shown in the next two figures:

Subscribe Topic: Step 1

Subscribe Topic: Step 2

You will receive a confirmation email.

Troubleshooting

  1. Go to CloudWatch Logs in the AWS Management Console
  2. Click on the log group of the s3-virusscan
  3. Click on the blue Search Log Group button
  4. Search for "s3-virusscan["

Known issues / limitations

  • It was reported that the solution does not run on a t2.micro or smaller. Use at least a t2.small instance.
  • An initial scan may also be useful but is not performed at the moment. This could be implemented with a Lambda function that pushes every key to SQS.
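The worker-side handling described under "How does it work" and the initial-scan idea above, as an added Ruby example that is not the repository's own script: it turns an SQS message body carrying an S3 Event Notification into scan jobs, maps clamscan exit statuses to verdicts, and builds the message an initial-scan job could push for an existing key. The function names, bucket and keys are constructed, and it is an assumption that the worker reads only the bucket name and key from each record.

```ruby
require 'json'
require 'cgi'

# clamscan(1) exit statuses: 0 = no virus found, 1 = virus found, 2 = error.
VERDICTS = { 0 => :clean, 1 => :infected }.freeze

# Anything other than 0 or 1 is a failed scan and must never count as clean.
def verdict(exit_status)
  VERDICTS.fetch(exit_status, :scan_error)
end

# Turn one SQS message body into scan jobs. Returns [] for the s3:TestEvent
# that S3 sends when a notification configuration is saved.
def scan_jobs(body)
  msg = JSON.parse(body)
  return [] if msg['Event'] == 's3:TestEvent'

  created = Array(msg['Records']).select do |rec|
    rec['eventName'].to_s.start_with?('ObjectCreated:')
  end
  created.map do |rec|
    # S3 URL-encodes object keys in notifications (a space arrives as "+").
    { bucket: rec['s3']['bucket']['name'],
      key: CGI.unescape(rec['s3']['object']['key']) }
  end
end

# Message body for an object that already exists (initial scan). Assumption:
# the worker reads only the bucket name and key from each record.
def synthetic_event(bucket, key)
  JSON.generate({ 'Records' => [{
    'eventName' => 'ObjectCreated:Put',
    's3' => { 'bucket' => { 'name' => bucket },
              'object' => { 'key' => CGI.escape(key) } }
  }] })
end

# Constructed sample messages (not captured from a real queue).
SAMPLE_BODY = JSON.generate({ 'Records' => [
  { 'eventName' => 'ObjectCreated:Put',
    's3' => { 'bucket' => { 'name' => 'example-uploads' },
              'object' => { 'key' => 'incoming/invoice+2023.pdf' } } },
  { 'eventName' => 'ObjectRemoved:Delete',
    's3' => { 'bucket' => { 'name' => 'example-uploads' },
              'object' => { 'key' => 'incoming/old.pdf' } } }
] })
TEST_EVENT = '{"Service":"Amazon S3","Event":"s3:TestEvent","Bucket":"example-uploads"}'

p scan_jobs(SAMPLE_BODY)
p scan_jobs(synthetic_event('example-uploads', 'archive/q1 report+v2.pdf'))
```

Treating exit status 2 as its own outcome keeps a failed scan from being recorded as a clean file; such jobs can be retried or left for the dead-letter queue.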
