CloudFormation Deployment

This directory contains the CloudFormation template for the AttachmentAV Bucket Scan solution. It uses the same architecture as the CDK construct and also takes the Lambda function's code from there.

Prerequisites

  • AWS CLI configured with appropriate credentials
  • AttachmentAV API key stored in AWS Systems Manager Parameter Store

Quick Start

Deploy the stack directly using the AWS CLI:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name bucket-scan-cfn \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides ApiKeyParameterName=/attachmentav/api-key

CloudFormation Parameters

Required Parameters

| Parameter | Description |
|---|---|
| ApiKeyParameterName | SSM Parameter name containing the AttachmentAV API key |

Optional Parameters

| Parameter | Default | Description |
|---|---|---|
| TriggerStrategy | S3_EVENT | Trigger strategy: S3_EVENT or EVENTBRIDGE |
| TagObjectWithScanResult | true | Tag objects with scan results: true or false |
| DeleteInfectedObject | false | Delete infected objects: true or false |
| S3KeyPrefix | (empty) | S3 key prefix filter for triggering scans |
| S3KeySuffix | (empty) | S3 key suffix filter for triggering scans |
| ApiUrl | https://eu.developer.attachmentav.com | AttachmentAV API base URL |
| TenantId | (empty) | AttachmentAV tenant ID for callback verification |

Usage Examples

Basic Deployment

Deploy with minimal settings:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name bucket-scan-cfn \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides ApiKeyParameterName=/attachmentav/api-key

Custom Stack Name

Deploy with a custom stack name:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name prod-malware-scanner \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides ApiKeyParameterName=/attachmentav/api-key

Scan Only PDFs in Uploads Directory

Configure the scanner to only process PDF files in the uploads/ directory:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name bucket-scan-cfn \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides \
    ApiKeyParameterName=/attachmentav/api-key \
    S3KeyPrefix=uploads/ \
    S3KeySuffix=.pdf

Delete Infected Files Automatically

Enable automatic deletion of infected files:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name bucket-scan-cfn \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides \
    ApiKeyParameterName=/attachmentav/api-key \
    DeleteInfectedObject=true

Use EventBridge Trigger Strategy

Deploy with EventBridge instead of S3 Event notifications:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name bucket-scan-cfn \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides \
    ApiKeyParameterName=/attachmentav/api-key \
    TriggerStrategy=EVENTBRIDGE

Full Configuration Example

Deploy with all options configured:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name prod-scan \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides \
    ApiKeyParameterName=/attachmentav/api-key \
    TriggerStrategy=S3_EVENT \
    TagObjectWithScanResult=true \
    DeleteInfectedObject=false \
    S3KeyPrefix=documents/ \
    S3KeySuffix=.pdf \
    ApiUrl=https://us.developer.attachmentav.com \
    TenantId=your-tenant-id
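The deployment commands above pass parameter values straight to CloudFormation, where a typo (for example TriggerStrategy=EVENT_BRIDGE or DeleteInfectedObject=yes) only surfaces as a failed or misconfigured stack. The following wrapper is an added example, not part of this repository: it validates each override against the allowed values documented in the parameter tables, requires the mandatory ApiKeyParameterName, reuses the SSM check from the Troubleshooting section as a preflight step, and only then calls the deploy command. The function names and the decision to reject a non-https ApiUrl are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the AttachmentAV project): validate CloudFormation
# parameter overrides locally before running `aws cloudformation deploy`.
# Assumed: parameter names and allowed values are exactly those documented
# in the README tables above; ApiUrl is additionally required to be https.

# validate_param NAME VALUE -> status 0 if VALUE is acceptable for NAME
validate_param() {
  name=$1; value=$2
  case "$name" in
    ApiKeyParameterName) case "$value" in "") return 1 ;; *) return 0 ;; esac ;;
    TriggerStrategy) case "$value" in S3_EVENT|EVENTBRIDGE) return 0 ;; *) return 1 ;; esac ;;
    TagObjectWithScanResult|DeleteInfectedObject)
      case "$value" in true|false) return 0 ;; *) return 1 ;; esac ;;
    ApiUrl) case "$value" in https://*) return 0 ;; *) return 1 ;; esac ;;
    S3KeyPrefix|S3KeySuffix|TenantId) return 0 ;;   # free-form, may be empty
    *) return 1 ;;                                  # not a parameter of this template
  esac
}

# build_overrides "Key=Value" ... -> prints the validated list for
# --parameter-overrides, or fails on the first bad pair / missing API key name.
build_overrides() {
  out=""
  for pair in "$@"; do
    key=${pair%%=*}; val=${pair#*=}
    validate_param "$key" "$val" || { echo "invalid parameter: $pair" >&2; return 1; }
    out="$out${out:+ }$pair"
  done
  case "$out" in
    *ApiKeyParameterName=*) ;;
    *) echo "ApiKeyParameterName is required" >&2; return 1 ;;
  esac
  printf '%s\n' "$out"
}

# preflight NAME -> fails if the SSM parameter holding the API key is missing
# (the same check the Troubleshooting section suggests, run before deploying)
preflight() {
  aws ssm get-parameter --name "$1" --with-decryption >/dev/null
}

# Usage (kept in a comment so the file can be sourced without side effects):
# overrides=$(build_overrides ApiKeyParameterName=/attachmentav/api-key \
#   S3KeyPrefix=uploads/ S3KeySuffix=.pdf) && preflight /attachmentav/api-key && \
# aws cloudformation deploy --template-file template.yaml \
#   --stack-name bucket-scan-cfn --capabilities CAPABILITY_IAM \
#   --parameter-overrides $overrides
```

Values containing spaces are not supported by the unquoted `$overrides` expansion in the usage line; none of this template's documented values need them.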

Development: Building the Template

Note: The build.sh script is only used during development of this repository to update the template.yaml file with the latest Lambda function code as inline code.

Prerequisites for Building

  • Node.js and npm installed
  • esbuild installed globally or in the project (npm install -g esbuild)

Build Script

The build.sh script:

  1. Compiles TypeScript Lambda functions from ../lib/ using esbuild
  2. Inlines the bundled JavaScript code directly into template.yaml using CloudFormation's ZipFile syntax
  3. Updates the template in place (can be run multiple times)

To rebuild the template with updated Lambda code:

./build.sh

This is typically only needed when:

  • Lambda function source code in ../lib/ has been modified
  • You're maintaining or contributing to this repository

Stack Outputs

After successful deployment, the stack provides the following outputs:

  • BucketName: Name of the S3 bucket being monitored
  • ScannerFunctionArn: ARN of the scanner Lambda function
  • CallbackFunctionArn: ARN of the callback Lambda function
  • TriggerStrategy: The trigger strategy being used

View stack outputs:

aws cloudformation describe-stacks \
  --stack-name bucket-scan-cfn \
  --query 'Stacks[0].Outputs' \
  --output table

Trigger Strategies

S3_EVENT (Default)

  • Uses native S3 event notifications
  • Lower latency
  • Directly invokes Lambda function
  • Recommended for most use cases

EVENTBRIDGE

  • Routes S3 events through Amazon EventBridge
  • More flexible for complex event routing
  • Allows additional event consumers
  • Slightly higher latency

Troubleshooting

API Key Parameter Not Found

Ensure the SSM parameter exists:

aws ssm get-parameter --name /attachmentav/api-key --with-decryption

Permission Errors

The CloudFormation stack requires CAPABILITY_IAM because it creates IAM roles. Ensure your AWS credentials have sufficient permissions to create IAM resources.