This section describes various architecture and configuration options for File Storage Security. They are meant as a springboard for developing your own custom deployment.
Architectural options
All-in-one deployment (Recommended)
This quick deployment model allows you to protect your cloud storage container within 5 minutes.
The all-in-one stack deploys both the scanner stack and the storage stack to each of your cloud storage containers, under the same cloud account and region. The storage stack monitors your cloud storage container and notifies the scanner stack when new files are uploaded. This triggers a new scan for malware.
To start the protection, see:
Centralized scanner
If your security team needs to centralize the scanner stacks to monitor scanner function health in your cloud account, you can deploy a standalone scanner and add storage stacks later on. For more information, see:
When building the scanning system, deploy at least one scanner stack in each region to improve performance and avoid cross-region charges.
Configuration options
Quarantine malicious files
Suitable for:
- Protecting downstream workflow from upstream risks
Adding the quarantine post-scan action to each of your cloud storage containers can protect your downstream workflow from upstream risks.
To set up the quarantine function, the quarantine storage should be under the same cloud account, because cross-account data transmission needs extra permission settings. You can have multiple quarantine storages or a shared one, depending on your needs.
Scanning a large number of files
Suitable for:
- Handling peak hours
If you expect a large number of scanning requests to File Storage Security all at once, you can configure the Lambda concurrency for AWS and the scale out instance for Azure to improve performance.
For performance testing results, please see AWS performance and scaling and Azure performance and scaling.
Control scanner outbound traffic (AWS only)
Suitable for:
- Company policy about outbound traffic
If your company restricts Lambda outbound traffic, you can set up security control over internet traffic by configuring the VPC parameters in the CloudFormation templates.
Scan with the latest pattern before accessing the file (AWS only)
Suitable for:
- Ensuring every file being accessed is scanned by the latest pattern
To ensure files are scanned with the latest pattern before they leave the storage, you can enable File Storage Security's scan on getObject request to block malicious files from being downloaded.
Permission boundary (AWS only)
Suitable for:
- Company policy to set the maximum permissions that an identity-based policy can grant to an IAM entity
If your company has a policy requiring a permission boundary, you can specify the managed policy ARN when deploying the CloudFormation templates to limit the maximum permissions that the IAM roles created by File Storage Security can have. For more information, please see AWS permissions control.
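A pre-deployment check for the permission boundary option above, as an added example that is not part of the File Storage Security templates or documentation: it walks a CloudFormation template in JSON form and reports every `AWS::IAM::Role` that would not end up with the expected boundary ARN. The sample template, the parameter name `PermissionsBoundary`, and the ARN are constructed for illustration.

```python
import json

# Constructed sample template (not a File Storage Security template): two IAM
# roles, one wired to a hypothetical "PermissionsBoundary" parameter, one not.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {"PermissionsBoundary": {"Type": "String", "Default": ""}},
  "Resources": {
    "ScannerRole": {"Type": "AWS::IAM::Role",
      "Properties": {"PermissionsBoundary": {"Ref": "PermissionsBoundary"}}},
    "ListenerRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "ScanQueue": {"Type": "AWS::SQS::Queue"}
  }
}
""")


def resolve(value, params):
    """Resolve a literal string or a {"Ref": <parameter>} to a string, else None."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return params.get(value["Ref"])
    return None  # other intrinsic functions are reported as unresolved


def check_boundaries(template, params, expected_arn):
    """Return {role logical id: problem} for roles not bound to expected_arn."""
    defaults = {k: v.get("Default") for k, v in template.get("Parameters", {}).items()}
    effective = {**defaults, **params}  # supplied values override defaults
    problems = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        if "PermissionsBoundary" not in props:
            problems[name] = "no PermissionsBoundary property"
            continue
        arn = resolve(props["PermissionsBoundary"], effective)
        if arn is None:
            problems[name] = "boundary could not be resolved statically"
        elif arn != expected_arn:
            problems[name] = f"boundary is {arn!r}, expected {expected_arn!r}"
    return problems


if __name__ == "__main__":
    arn = "arn:aws:iam::111122223333:policy/ExampleBoundary"  # constructed ARN
    print(check_boundaries(SAMPLE_TEMPLATE, {"PermissionsBoundary": arn}, arn))
```

An empty result means every role in the template carries the expected boundary; a role flagged here would be created without the limit the policy requires.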