When setting up your CloudFormation template, you have the option of setting the destination of the scanned files, depending on the results of the scan. If you do not set the parameters, the scanned files remain in their original location with metatags indicating their scan result.
File Security Storage supports four types of destination buckets:
  • QuarantineBucket: Specifies the bucket where files identified as malicious will be quarantined. When a file is detected as malware or contains threats, File Security Storage will move it to this bucket for isolation and further investigation.
  • CleanBucket: Specifies the bucket where files that pass security scanning will be moved. Clean files are those verified to be free of malware and other security threats.
  • FailureBucket: Specifies the bucket where files that cannot be scanned will be moved. This includes files that encounter scanning errors, exceed size limits, are corrupted, or have unsupported formats.
  • FileSecurityStorageUseSourceBucketAsFolder: Default is true. When true, each source bucket becomes a folder in the destination: report.pdf from source bucket sales appears under sales/ as sales/report.pdf, keeping files from different source buckets separated. When false, all files are written to the destination root with their original keys; files with the same name from different source buckets will overwrite each other.
When configuring your account’s CloudFormation template, you can define regional or global destination buckets, and optionally specify a custom destination configuration for individual buckets.
If a custom destination bucket is defined, it takes priority over regional or global buckets. Buckets without a custom destination will send files to the regional or global destination bucket, depending on your configuration.
Use the following JSON configuration in FileSecurityStorageQuarantineBucket, FileSecurityStorageCleanBucket, or FileSecurityStorageFailureBucket:
{
  "custom": {
    "<to-scan-src-bucket-1>": {
      "destRegion": "us-east-1",
      "destBucket": "<destination-bucket-1-name>"
    }
  },
  "us-east-1": "<regional-bucket-name>",
  "global": "<global-bucket-name>"
}
In the above example, the entry under the "custom" key takes priority: even though <to-scan-src-bucket-1> is located in us-east-1, it sends files to "<destination-bucket-1-name>" instead of the regional bucket "<regional-bucket-name>". Buckets that are not listed under "custom" move their files to the regional or global bucket, according to those settings.
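The following pre-deployment check is an added example, not part of the product or its documentation: it parses a destination configuration in the format above, resolves where each source bucket's files would go, and lists the overwrites that occur when FileSecurityStorageUseSourceBucketAsFolder is false. The function names, bucket names and object list are constructed, and trying the regional entry before "global" is an assumption, since the page only states that "custom" comes first.

```python
import json

# Constructed sample in the page's format; all bucket names are made up.
# json.loads also rejects malformed input such as a trailing comma.
CONFIG = json.loads("""{
  "custom": {"sales-uploads": {"destRegion": "us-east-1", "destBucket": "sales-quarantine"}},
  "us-east-1": "regional-quarantine",
  "global": "global-quarantine"
}""")
# Constructed (source bucket, source region, object key) triples.
OBJECTS = [
    ("sales-uploads", "us-east-1", "report.pdf"),
    ("hr-uploads", "us-east-1", "report.pdf"),
    ("eu-uploads", "eu-west-1", "report.pdf"),
    ("apac-uploads", "ap-southeast-1", "report.pdf"),
]

def resolve_destination(config, src_bucket, src_region):
    """Return (dest_bucket, dest_region), or None when no entry applies.

    Order: "custom" entry first (stated on the page), then the source
    bucket's region, then "global" (regional-before-global is assumed).
    """
    custom = config.get("custom", {}).get(src_bucket)
    if custom:
        return custom["destBucket"], custom.get("destRegion")
    if src_region in config:
        return config[src_region], src_region
    if "global" in config:
        return config["global"], None  # the config does not give its region
    return None

def destination_key(src_bucket, key, use_source_bucket_as_folder=True):
    """Object key in the destination, per FileSecurityStorageUseSourceBucketAsFolder."""
    return f"{src_bucket}/{key}" if use_source_bucket_as_folder else key

def find_overwrites(config, objects, use_source_bucket_as_folder):
    """Map each (dest_bucket, dest_key) hit by several sources to those sources."""
    seen = {}
    for src_bucket, src_region, key in objects:
        dest = resolve_destination(config, src_bucket, src_region)
        if dest is None:
            continue
        target = (dest[0], destination_key(src_bucket, key, use_source_bucket_as_folder))
        seen.setdefault(target, []).append(src_bucket)
    return {t: srcs for t, srcs in seen.items() if len(srcs) > 1}
```

With the default setting the sample produces no overwrites; with the flag set to false, the two buckets that fall through to the global destination write the same key.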