
How to secure AWS S3 objects from malware virus (Antivirus Scan)

As we all know, protecting a system from malware is always important. The story usually begins with an infected file landing on the machine and causing damage, which is why we install antivirus software and keep scanning files to make sure no infected files are sitting on the system.

But what about the files that known and unknown users upload to an S3 bucket through your various applications? How can we have an antivirus for the S3 bucket that scans every new object as it is uploaded and tells us whether the file is infected or clean?

 

For this there are multiple paid solutions on the market which you can take as a subscription and which will scan the S3 bucket objects for you. Below are some of the subscription-based solutions you can opt for:

 

But as I said, these are subscription based, which means they charge a licence fee on top of the normal AWS service usage (for example the execution cost of the Lambda functions the solution creates in your account).

 

So what about building your own solution and having it available without that extra licence cost (you still pay for the AWS resources it uses)? Yes, this is possible. I found one AWS article where we can deploy our own solution using AWS CDK.

 

But while I was working with this article there were multiple blockers for me and I kept getting stuck, but finally I was able to successfully set this up for my S3 bucket. So I thought I would share all the tips and extra steps you have to follow while working through this article. Please refer below:

 

  • Make sure you have the AWS CDK CLI installed on your local system to work with the article. Use PowerShell to run the commands below.

npm install -g aws-cdk

Note: `npm i` is just shorthand for `npm install`. Without `-g` the package is installed into the `node_modules` folder of the directory you ran the command from instead of globally, and the `cdk` command will then not be on your PATH.

  • After installation, run the command below to verify that it has been installed successfully:

cdk --version

  • If the above command gives an error like "The term 'cdk' is not recognized", add the install location to the PATH environment variable. For a global install, `npm config get prefix` prints the global npm folder (on Windows the `cdk.cmd` shim sits directly in that folder); for a non-global install it is the `node_modules` folder you installed into, in general something like C:\Users\<user>\node_modules\aws-cdk\bin.
  • Make sure the CDK library package for the language the article uses is installed in the project folder; as per this article we need the JavaScript package.

npm install aws-cdk-lib

  • Make sure the CDK is bootstrapped in the target account and region. This is needed because every CDK deployment uploads assets (the synthesized template, Lambda code or container images) to a staging location before CloudFormation can use them.

cdk bootstrap aws://<AWS-ACCOUNT-NUMBER>/<AWS-REGION>

Note: This creates a CloudFormation stack named CDKToolkit which holds the staging S3 bucket, an ECR repository for container images and the IAM roles CDK deploys with. By default the CloudFormation execution role it creates has AdministratorAccess; in a shared or production account pass `--cloudformation-execution-policies` with a narrower managed policy ARN instead.

  • Make sure Docker Desktop is installed and running on your local system, because with this article the Lambda function is deployed to AWS as a container image and CDK builds and pushes that image during `cdk deploy`.
  • An AWS profile is configured on your local system (`aws configure`, or the AWS_PROFILE variable) with the permissions required to run CDK and create the dependent services. Use an IAM user or role for this, not the account root user.
  • Now follow all the steps mentioned in the article to deploy the S3 bucket scan solution.

Note:

This also creates a CloudFormation stack which in turn creates multiple IAM roles, S3 buckets, Lambda functions, an SQS queue, a VPC and a VPC endpoint.

The CloudFormation template is synthesized from the app you created on your local system; you can find it in the project location, i.e. "CdkTest\cdk.out\CdkTestStack.template.json". It is worth reading through it once before deploying (IAM policies, bucket policies, the VPC endpoint policy) so you know exactly what is being created in your account.

  • On successful completion of all the steps given in the article you can test a file upload (an infected file, for which the EICAR test file is the safe standard choice, or a clean one) into the test bucket the solution created for you; the bucket name is printed as part of the output of the deploy script in PowerShell.
    • What happens is this: when you upload a file, the object-create event configured on this bucket fires and invokes the scan Lambda function. The function first tags the new object with "scan-status = IN PROGRESS"; once the scan completes it updates the same tag to "CLEAN" if the file is fine, to "INFECTED" if the file contains a virus, and to "ERROR" if the scan itself failed.
    • There is also a bucket policy which denies downloading the file while the "scan-status" tag value is any of "IN PROGRESS", "INFECTED" or "ERROR".
    • You can verify this from the AWS console by trying to download the infected file: you will get an Access Denied error.

 

Now, the above solution works fine for the test S3 bucket created by the solution itself, so if we want to apply it to any other existing bucket we have to:

  • Go to that existing/new bucket and create an event notification for all object-create events that triggers the same Lambda function as the test bucket's event. If you do this through the CLI/API rather than the console, first allow `s3.amazonaws.com` to invoke the function (`aws lambda add-permission` with the bucket ARN as `--source-arn`), otherwise S3 rejects the notification configuration.
  • Update the bucket policy similar to the test S3 bucket's, but make sure you replace the bucket name in the policy when you copy and paste. If the bucket already has a policy, add the Deny statement to it instead of overwriting it.
  • Update the IAM role permissions of the Lambda function you configured as the S3 event trigger to allow your new/existing buckets. Allowing all resources (*) also works, but it gives the scanner read and tagging access to every bucket in the account; listing the bucket ARNs is the safer option.
  • Update the VPC endpoint policy (created by the CDK deploy) to allow your new/existing buckets, again by adding them to the existing list rather than replacing it, so the stack's own buckets stay reachable through the endpoint. Allowing all resources (*) works too, but then the endpoint no longer limits which buckets the scanner's VPC can reach.
  • After the above changes you will be able to use that existing/new S3 bucket for virus scanning.
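The onboarding steps above, as an added Python example that is not code from this page or from the AWS article it follows: it builds each of the four configuration documents as plain data so they can be reviewed and tested offline, and `apply_with_boto3()` pushes them. The bucket names, ARNs, role and endpoint identifiers, the statement Sids and the exemption of the scanner role via `aws:PrincipalArn` are my assumptions; the exact statements the AWS stack generates may differ, so compare with the synthesized template before applying.

```python
"""Onboard an existing S3 bucket onto the scan stack (added example, not the page's code).
All ARNs/names are placeholder assumptions, not values from the article."""
import json

SCAN_TAG = "scan-status"
BLOCKED = ["IN PROGRESS", "INFECTED", "ERROR"]  # tag values that must not be downloadable


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def lambda_notification(scan_function_arn):
    """Step 1: invoke the scan function for every ObjectCreated event."""
    return {"Id": "clamav-scan-on-create", "LambdaFunctionArn": scan_function_arn,
            "Events": ["s3:ObjectCreated:*"]}


def deny_unscanned_statement(bucket, scanner_role_arn):
    """Step 2: Deny GetObject while the object is IN PROGRESS / INFECTED / ERROR.
    The scanner must still read the object after tagging it IN PROGRESS, so it is exempted
    via aws:PrincipalArn (assumption: it resolves to the role ARN for the Lambda's session)."""
    return {"Sid": "DenyUnscannedOrInfectedDownload", "Effect": "Deny", "Principal": "*",
            "Action": "s3:GetObject", "Resource": f"{bucket_arn(bucket)}/*",
            "Condition": {"StringEquals": {f"s3:ExistingObjectTag/{SCAN_TAG}": BLOCKED},
                          "ArnNotEquals": {"aws:PrincipalArn": scanner_role_arn}}}


def merge_statement(policy, statement):
    """Add or replace a statement by Sid without dropping the bucket's existing policy."""
    policy = policy or {"Version": "2012-10-17", "Statement": []}
    others = [s for s in policy["Statement"] if s.get("Sid") != statement["Sid"]]
    return {**policy, "Statement": others + [statement]}


def scanner_role_policy(buckets):
    """Step 3: least-privilege inline policy for the scan function's role: read the object
    and its tags, write the scan-status tag. Explicit bucket ARNs rather than '*'."""
    arns = [bucket_arn(b) for b in buckets]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectTagging", "s3:PutObjectTagging"],
         "Resource": [f"{a}/*" for a in arns]},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": arns}]}


def extend_endpoint_policy(policy, buckets):
    """Step 4: append our buckets to every Allow statement of the S3 gateway endpoint policy
    instead of overwriting it, so the buckets the stack itself created stay reachable."""
    new = [r for b in buckets for r in (bucket_arn(b), f"{bucket_arn(b)}/*")]
    out = {**policy, "Statement": []}
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow" and "Resource" in s:
            res = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
            s = {**s, "Resource": res + [r for r in new if r not in res]}
        out["Statement"].append(s)
    return out


def download_denied(object_tags, principal_arn, scanner_role_arn):
    """Local model of the Deny condition above (not an IAM simulator). Note the gap: an object
    that carries no tag yet (empty dict) is NOT denied, so there is a short window between the
    upload and the scanner's first PutObjectTagging call."""
    return object_tags.get(SCAN_TAG) in BLOCKED and principal_arn != scanner_role_arn


def apply_with_boto3(bucket, account_id, scan_function_arn,
                     scanner_role_name, scanner_role_arn, vpc_endpoint_id):
    """Push everything. Assumes boto3 and a profile with rights on S3, Lambda, IAM and EC2."""
    import boto3
    from botocore.exceptions import ClientError
    s3, lam, iam, ec2 = (boto3.client(n) for n in ("s3", "lambda", "iam", "ec2"))
    safe = bucket.replace(".", "-")  # StatementId / PolicyName must not contain dots

    # Step 0: S3 may only invoke the function once its resource policy allows it (the console
    # adds this for you; the API does not).
    lam.add_permission(FunctionName=scan_function_arn, Action="lambda:InvokeFunction",
                       StatementId=f"s3-invoke-{safe}", Principal="s3.amazonaws.com",
                       SourceArn=bucket_arn(bucket), SourceAccount=account_id)

    cfg = s3.get_bucket_notification_configuration(Bucket=bucket)  # keep existing notifications
    cfg.pop("ResponseMetadata", None)
    cfg.setdefault("LambdaFunctionConfigurations", []).append(lambda_notification(scan_function_arn))
    s3.put_bucket_notification_configuration(Bucket=bucket, NotificationConfiguration=cfg)

    try:
        existing = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        existing = None
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(
        merge_statement(existing, deny_unscanned_statement(bucket, scanner_role_arn))))

    iam.put_role_policy(RoleName=scanner_role_name, PolicyName=f"scan-{safe}",
                        PolicyDocument=json.dumps(scanner_role_policy([bucket])))

    ep = ec2.describe_vpc_endpoints(VpcEndpointIds=[vpc_endpoint_id])["VpcEndpoints"][0]
    ec2.modify_vpc_endpoint(VpcEndpointId=vpc_endpoint_id, PolicyDocument=json.dumps(
        extend_endpoint_policy(json.loads(ep["PolicyDocument"]), [bucket])))
```

Two things the builders make visible that the console flow hides: the bucket policy is tag-based, so an object is only protected once the scanner has written the first tag, and any consumer that must never see an unscanned object should check for `scan-status = CLEAN` itself rather than relying on the Deny alone; and both the bucket policy and the endpoint policy are merged into what is already there, because `put-bucket-policy` and `modify-vpc-endpoint` replace the whole document.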

 

Categories/Tags: s3~antivirus
