Before you begin
Before making any changes, record the C1FSS event notification details. This is required if you need to roll back to C1FSS.
C1FSS creates an S3 event notification on your scanned bucket to trigger the BucketListenerLambda function whenever a file is uploaded. You will delete this notification in Step 3, so make sure you have noted it down first.
- Go to the and click the Properties tab.
- Scroll to Event notifications and find the notification created by C1FSS.
- Note down the following: Event name, Lambda function ARN (the BucketListenerLambda), and event type (s3:ObjectCreated:*).
- Save this information somewhere accessible (for example, a text file or a ticket comment).

You can follow this zero-downtime process to update from Cloud One File Storage Security
(C1FSS) to TrendAI Vision One File Security (V1FSS). This method keeps your existing
C1FSS stack active and scanning files while you set up and validate V1FSS. However,
be aware that enabling the V1FSS quarantine bucket introduces the risk of a race condition.
Applicable Scenarios
| Deployment type | Zero-downtime supported? |
|---|---|
| All-in-One (Storage + Scanner Stack) | Yes |
| Storage Stack only | Yes |

Procedure
- Install V1FSS and Enable Bucket Scanning.
  - In the TrendAI Vision One console, go to and select the AWS tab.
  - Click Add Account.
  - Select Deployment Method: CloudFormation, and then choose Single AWS account to onboard.
  - Fill in the required account name field.
  - Enable the FSS feature and select the regions where you want to deploy the File Security scanner.
  - Choose the deployment method and click Launch Stack in your AWS account.
  - After the stack is created successfully, the cloud account appears in the AWS account list on the Cloud Accounts page.
  - Check the File Storage inventory page to see the buckets in your account.

    Note
    It might take some time to sync your storage to TrendAI Vision One FSS.
  - Enable bucket scanning.

    Note
    If you wish, you can enable a bucket different from the one used by C1FSS to ensure V1FSS scans the files.
- Validate that V1FSS is working:
  - Upload a new file to an S3 bucket.
  - Check for tags on the new file.
  - Check the scan activity on the V1FSS scan activity page.
  - Upload an EICAR file to the S3 bucket.

        # Download the malware test file and upload it to the S3 bucket
        curl https://secure.eicar.org/eicar.com.txt -o eicar.com.txt && aws s3 cp eicar.com.txt ${source_bucket}
  - Check the file tags.
  - Wait for the scan results to sync and the malware detections to be displayed.

    Note
    A race condition may occur when the V1FSS quarantine bucket is enabled. During concurrent processing, V1FSS may move or quarantine an object while the C1FSS Scanner Lambda is still processing it. As a result, the object may no longer be available when C1FSS attempts to access it, causing expected errors in the C1FSS Scanner Lambda logs. A typical scan-result entry for this condition is shown below:

        scanner result: {
          "type": "scan-result",
          "timestamp": 1775809199.2133012,
          "sqs_message_id": "4b45f279-efe6-43f2-a45e-9c65f48aea7c",
          "xamz_request_id": "6MWYMP38A9PY313G",
          "bucket": "helen-test-c1fss-migration-bucket",
          "file_name": "test-malware/eicar_20260410_081946_207603_16f161a0.txt",
          "file_attributes": { "etag": "44d88612fea8a8f36de82e1278abb02f" },
          "file_url": "https://helen-test-c1fss-migration-bucket.s3.us-east-1.amazonaws.com/test-malware/eicar_20260410_081946_207603_16f161a0.txt",
          "scan_start_timestamp": 1775809199.150224,
          "scanner_status": -2,
          "scanner_status_message": "unsuccessful scan",
          "scanning_result": {
            "TotalBytesOfFile": 0,
            "Findings": [],
            "Error": "network errors",
            "Codes": []
          }
        }
- Remove the C1FSS event notification from the S3 bucket.
  - In the AWS console, go to .
  - Scroll to Event notifications and locate the notification you recorded earlier (the one with the BucketListenerLambda destination).
  - Select the notification and click Delete.
  - Type delete to confirm and click Delete.
- Remove the old C1FSS storage stack, scanner stack, or all-in-one stack.
  - In the AWS console, go to .
  - Select the C1FSS stack to delete (storage stack, scanner stack, or all-in-one stack, depending on your original deployment).
  - Click Delete, and then confirm the deletion in the dialog that appears.
  - Wait for the stack status to change to DELETE_COMPLETE.
  - Repeat for any additional C1FSS stacks in the account.

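The race-condition note in the validation step says the C1FSS Scanner Lambda logs errors for objects that V1FSS has already moved. The following added example (not Trend Micro code) triages C1FSS scan-result log lines: an error counts as expected only when it has the same field values as the sample entry in that note and the object is in a set the operator has confirmed as handled on the V1FSS scan activity page. It assumes one `scanner result:` entry per line; the function names, the signature heuristic and the sample lines are constructed for illustration.

```python
import json

PREFIX = "scanner result: "  # prefix shown in the page's sample log entry

def parse_scan_results(lines):
    """Yield scan-result dicts from lines shaped like 'scanner result: {json}'."""
    for line in lines:
        _, sep, payload = line.partition(PREFIX)
        if not sep:
            continue
        try:
            entry = json.loads(payload)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if isinstance(entry, dict) and entry.get("type") == "scan-result":
            yield entry

def matches_race_signature(entry):
    """Heuristic (assumption): same field values as the page's sample entry."""
    result = entry.get("scanning_result") or {}
    return (entry.get("scanner_status") == -2
            and result.get("Error") == "network errors"
            and result.get("TotalBytesOfFile") == 0
            and not result.get("Findings"))

def triage(lines, v1fss_handled):
    """Split errored C1FSS scans into (expected race errors, entries to review)."""
    expected, review = [], []
    for entry in parse_scan_results(lines):
        if not (entry.get("scanning_result") or {}).get("Error"):
            continue  # no error recorded, nothing to triage
        obj = (entry.get("bucket"), entry.get("file_name"))
        if matches_race_signature(entry) and obj in v1fss_handled:
            expected.append(obj)
        else:
            review.append(obj)  # errored and not confirmed by V1FSS
    return expected, review

def _line(key, status, error, size):  # builds constructed sample log lines
    return PREFIX + json.dumps({"type": "scan-result", "bucket": "example-bucket",
        "file_name": key, "scanner_status": status,
        "scanning_result": {"TotalBytesOfFile": size, "Findings": [], "Error": error, "Codes": []}})

SAMPLE_LINES = [  # constructed, not real log output
    _line("a/eicar.txt", -2, "network errors", 0),   # quarantined by V1FSS
    _line("b/report.pdf", -2, "network errors", 0),  # not seen by V1FSS
    _line("c/clean.txt", 0, "", 12),                 # scanned without error
    "START RequestId: constructed-id",               # unrelated log line
]
```

Objects returned in the review list have no confirmed scan from either product, so rescan or check them before removing the C1FSS stacks.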
Rollback for zero-downtime update
Procedure
- If the event notification was removed during migration, go to the AWS console, click Create event notification, and re-create it using the C1FSS event notification details you recorded earlier.
