File Storage Security supports S3 Object Lambda to scan files when a client makes a GET request, and blocks the response if the file is malicious. Follow How to scan on getObject request to enable this feature.
Prerequisite
- Due to a limitation of S3 Object Lambda, the scanner stack and storage stack must be in the same AWS account and region.
- By the design of S3 Object Lambda, only requests through the Object Lambda Access Point are scanned. Requests through the original S3 endpoint or any other S3 access point are not scanned.
- By the design of S3 Object Lambda, this feature does not honor the ObjectFilterPrefix parameter of storage stacks. If you only want certain objects to be scanned on getObject request, use the Object Lambda Access Point only for the objects that need to be scanned, and use the original S3 endpoint for the objects that do not.
- Currently, this feature has a 200 MB file size limit. To get objects larger than that, use the original S3 endpoint. Contact support if you need more information on the size limitation.
How to scan on getObject request
Procedure
- Deploy an all-in-one stack, or a storage stack in the same account and region as a scanner stack. If you want to use already deployed stacks, update the scanner and storage stacks with the latest template.
- When deploying or updating the all-in-one or storage stack, specify true for the ScanOnGetObject parameter. Scanner stacks can be deployed or updated without any new parameters.
- (Optional) If you are deploying or updating the storage stack in the above steps, you must also specify ScannerLambdaAliasARN, which you can find in > scanner stack > . When deploying or updating an all-in-one stack, you can skip this step because the template determines it for you.
- After deployment, use the Object Lambda Access Point deployed by File Storage Security to access your objects. Find the Object Lambda Access Point ARN in > all-in-one or storage stack > . For example, if you previously downloaded an object with the AWS CLI like this:

    aws s3api get-object --bucket some-bucket --key some-folder/some-file.txt some-file.txt

  replace it with:

    aws s3api get-object --bucket ACCESS_POINT_ARN --key some-folder/some-file.txt some-file.txt

  where ACCESS_POINT_ARN is the ScanOnGetObjectAccessPointARN output value.
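The prerequisites above have two operational consequences that are easy to get wrong in client code: a GET is only scanned if it goes through the Object Lambda Access Point, and objects above 200 MB cannot go through it at all. The following added example (written for this page, not code from File Storage Security or AWS) shows a small routing wrapper that reads the ScanOnGetObjectAccessPointARN output from a describe-stacks response, sends eligible GETs through the access point, falls back to the original bucket only for oversized objects, and logs every unscanned fetch. The stack name, account id and access point ARN in the sample are placeholders; the assumption that a scan block surfaces to the caller as a client error on get_object is also ours and is noted in the code.

```python
"""Added example (not File Storage Security's own code): route S3 GET requests
through the FSS Object Lambda Access Point so they are scanned, fall back to the
original bucket only for objects above the documented 200 MB limit, and record
which path each request took. boto3 is needed only for the live path."""
import logging
from typing import Any, Tuple

log = logging.getLogger("fss_scan_on_get")

# 200 MB limit stated in the prerequisites; larger objects cannot be served
# through the access point and must be fetched from the original endpoint.
SCAN_ON_GET_LIMIT_BYTES = 200 * 1024 * 1024

# Name of the stack output that carries the access point ARN (from the docs).
ACCESS_POINT_OUTPUT_KEY = "ScanOnGetObjectAccessPointARN"

# Constructed sample of an `aws cloudformation describe-stacks` response; the
# stack name, account id and ARN are placeholders, not real deployment values.
SAMPLE_DESCRIBE_STACKS = {
    "Stacks": [{
        "StackName": "fss-storage-stack-EXAMPLE",
        "Outputs": [
            {"OutputKey": "BucketName", "OutputValue": "some-bucket"},
            {"OutputKey": ACCESS_POINT_OUTPUT_KEY,
             "OutputValue": "arn:aws:s3-object-lambda:us-east-1:111111111111:accesspoint/fss-EXAMPLE"},
        ],
    }]
}


def access_point_arn_from_outputs(describe_stacks: dict,
                                  output_key: str = ACCESS_POINT_OUTPUT_KEY) -> str:
    """Pull the Object Lambda Access Point ARN out of a describe-stacks response.

    Raises KeyError when the output is absent, which is what you get if the
    stack was deployed without ScanOnGetObject set to true."""
    for stack in describe_stacks.get("Stacks", []):
        for out in stack.get("Outputs", []):
            if out.get("OutputKey") == output_key:
                return out["OutputValue"]
    raise KeyError(f"stack output {output_key} not found; was ScanOnGetObject set to true?")


def choose_bucket_arg(bucket: str, access_point_arn: str,
                      content_length: int) -> Tuple[str, bool]:
    """Decide what to pass as Bucket (the CLI's --bucket) for a GET.

    Returns (bucket_or_arn, scanned). Only GETs through the access point are
    scanned, so a fallback to the original bucket is logged as unscanned."""
    if content_length <= SCAN_ON_GET_LIMIT_BYTES:
        return access_point_arn, True
    log.warning("object of %d bytes exceeds the %d-byte scan-on-get limit; "
                "fetching UNSCANNED from %s", content_length,
                SCAN_ON_GET_LIMIT_BYTES, bucket)
    return bucket, False


def get_object_scanned(s3: Any, bucket: str, key: str,
                       access_point_arn: str) -> Tuple[bytes, bool]:
    """Fetch `key`, through the access point whenever the size allows it.

    `s3` is a boto3 S3 client (or any object with head_object/get_object).
    The HEAD goes to the original bucket: it returns no content, so there is
    nothing to scan. Assumption (ours, not from the docs): when the scanner
    blocks a malicious object, get_object raises a client error; it is logged
    and re-raised rather than masked."""
    head = s3.head_object(Bucket=bucket, Key=key)
    target, scanned = choose_bucket_arg(bucket, access_point_arn, head["ContentLength"])
    try:
        body = s3.get_object(Bucket=target, Key=key)["Body"].read()
    except Exception as exc:  # botocore.exceptions.ClientError in the live path
        log.error("GET %s via %s failed (scan block or access error): %s", key, target, exc)
        raise
    log.info("GET %s via %s scanned=%s", key, target, scanned)
    return body, scanned


if __name__ == "__main__":
    # Live usage (needs credentials and a deployed stack), kept out of the
    # offline path above:
    #   import boto3
    #   arn = access_point_arn_from_outputs(boto3.client("cloudformation")
    #                                       .describe_stacks(StackName="fss-storage-stack-EXAMPLE"))
    #   data, scanned = get_object_scanned(boto3.client("s3"), "some-bucket",
    #                                      "some-folder/some-file.txt", arn)
    logging.basicConfig(level=logging.INFO)
    print(access_point_arn_from_outputs(SAMPLE_DESCRIBE_STACKS))
```

The `scanned` flag returned to the caller is the point of the wrapper: any consumer that must never process unscanned content can refuse the fallback path, while a log search for "UNSCANNED" shows exactly which oversized objects bypassed the scanner.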