Skip to content

Latest commit

 

History

History
 
 

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

README.md

attachmentAV Integration Example

This directory contains an example CDK stack demonstrating how to deploy the AttachmentAVBucketScan construct.

Prerequisites

  1. AWS Account: You need an AWS account with appropriate permissions
  2. AWS CLI: Configured with your credentials (aws configure)
  3. attachmentAV API Key: Sign up at attachmentav.com to get an API key
  4. Node.js: Installed and working
  5. CDK Bootstrap: Your AWS account must be bootstrapped for CDK

Setup

1. Install Dependencies

From the repository root:

npm install
npm run build

2. Store Your API Key

Store your attachmentAV API key in SSM Parameter Store:

aws ssm put-parameter \
  --name "/attachmentav/api-key" \
  --value "YOUR_ATTACHMENTAV_API_KEY_HERE" \
  --type "SecureString" \
  --description "attachmentAV API key for malware scanning"

3. Bootstrap CDK (if not already done)

npx cdk bootstrap

Deployment

From the integration directory:

Synthesize the CloudFormation template

cd integration
npx cdk synth

Deploy the stack

npx cdk deploy

This will:

  • Create an S3 bucket with versioning enabled
  • Create scanner and callback Lambda functions
  • Set up S3 event notifications to trigger scans
  • Create an IAM user for generating presigned URLs
  • Configure all necessary permissions

View the stack outputs

After deployment, CDK will output the bucket name. You can also view outputs with:

npx cdk deploy --outputs-file outputs.json

Testing

Upload a test file

aws s3 cp test-file.txt s3://BUCKET_NAME/test-file.txt

Replace BUCKET_NAME with the bucket name from the stack outputs.

Check CloudWatch Logs

View scanner Lambda logs:

aws logs tail /aws/lambda/AttachmentAVExampleStack-AttachmentAVScannerScannerFunction* --follow

View callback Lambda logs:

aws logs tail /aws/lambda/AttachmentAVExampleStack-AttachmentAVScannerCallbackFunction* --follow

Check S3 object tags (if enabled)

aws s3api get-object-tagging \
  --bucket BUCKET_NAME \
  --key test-file.txt

Customization

Edit stacks/example-stack.ts to customize:

  • Trigger strategy: Change to TriggerStrategy.EVENTBRIDGE for EventBridge-based triggers
  • File filtering: Add s3KeyPrefix or s3KeySuffix to scan only specific files
  • Tagging: Set tagObjectWithScanResult: false to disable tagging
  • Auto-delete: Set deleteInfectedObject: true to automatically delete infected files
  • API endpoint: Add apiUrl to use a different attachmentAV region

Cleanup

To delete all resources:

npx cdk destroy

This will remove:

  • The S3 bucket (and all objects due to autoDeleteObjects: true)
  • All Lambda functions
  • The IAM user and access keys
  • SSM parameters created by the construct
  • All other AWS resources created by the stack

Note: The API key SSM parameter (/attachmentav/api-key) must be deleted manually:

aws ssm delete-parameter --name "/attachmentav/api-key"

Useful CDK Commands

  • npx cdk diff - Compare deployed stack with current state
  • npx cdk ls - List all stacks in the app
  • npx cdk synth - Synthesize CloudFormation template
  • npx cdk deploy - Deploy the stack
  • npx cdk destroy - Delete the stack
  • npx cdk doctor - Check CDK setup

Troubleshooting

Error: API key parameter not found

Make sure you created the SSM parameter as described in step 2 of Setup.

Error: Access Denied

Ensure your AWS credentials have sufficient permissions to create:

  • S3 buckets
  • Lambda functions
  • IAM roles and users
  • SSM parameters
  • EventBridge rules (if using EventBridge trigger)

Files not being scanned

  1. Check CloudWatch Logs for errors
  2. Verify S3 event notifications are configured: aws s3api get-bucket-notification-configuration --bucket BUCKET_NAME
  3. Ensure the file matches any prefix/suffix filters you configured