Skip to content

Latest commit

 

History

History
162 lines (114 loc) · 3.94 KB

File metadata and controls

162 lines (114 loc) · 3.94 KB

attachmentAV Integration Example

This directory contains an example CDK stack demonstrating how to deploy the AttachmentAVBucketScan construct.

Prerequisites

  1. AWS Account: You need an AWS account with appropriate permissions
  2. AWS CLI: Configured with your credentials (aws configure)
  3. attachmentAV API Key: Sign up at attachmentav.com to get an API key
  4. Node.js: Installed and working
  5. CDK Bootstrap: Your AWS account must be bootstrapped for CDK

Setup

1. Install Dependencies

From the repository root:

npm install
npm run build

2. Store Your API Key

Store your attachmentAV API key in SSM Parameter Store:

aws ssm put-parameter \
  --name "/attachmentav/api-key" \
  --value "YOUR_ATTACHMENTAV_API_KEY_HERE" \
  --type "SecureString" \
  --description "attachmentAV API key for malware scanning"

3. Bootstrap CDK (if not already done)

npx cdk bootstrap

Deployment

From the integration directory:

Synthesize the CloudFormation template

cd integration
npx cdk synth

Deploy the stack

npx cdk deploy

This will:

  • Create an S3 bucket with versioning enabled
  • Create scanner and callback Lambda functions
  • Set up S3 event notifications to trigger scans
  • Create an IAM user for generating presigned URLs
  • Configure all necessary permissions

View the stack outputs

After deployment, CDK will output the bucket name. You can also view outputs with:

npx cdk deploy --outputs-file outputs.json

Testing

Upload a test file

aws s3 cp test-file.txt s3://BUCKET_NAME/test-file.txt

Replace BUCKET_NAME with the bucket name from the stack outputs.

Check CloudWatch Logs

View scanner Lambda logs:

aws logs tail /aws/lambda/AttachmentAVExampleStack-AttachmentAVScannerScannerFunction* --follow

View callback Lambda logs:

aws logs tail /aws/lambda/AttachmentAVExampleStack-AttachmentAVScannerCallbackFunction* --follow

Check S3 object tags (if enabled)

aws s3api get-object-tagging \
  --bucket BUCKET_NAME \
  --key test-file.txt

Customization

Edit stacks/example-stack.ts to customize:

  • Trigger strategy: Change to TriggerStrategy.EVENTBRIDGE for EventBridge-based triggers
  • File filtering: Add s3KeyPrefix or s3KeySuffix to scan only specific files
  • Tagging: Set tagObjectWithScanResult: false to disable tagging
  • Auto-delete: Set deleteInfectedObject: true to automatically delete infected files
  • API endpoint: Add apiUrl to use a different attachmentAV region

Cleanup

To delete all resources:

npx cdk destroy

This will remove:

  • The S3 bucket (and all objects due to autoDeleteObjects: true)
  • All Lambda functions
  • The IAM user and access keys
  • SSM parameters created by the construct
  • All other AWS resources created by the stack

Note: The API key SSM parameter (/attachmentav/api-key) must be deleted manually:

aws ssm delete-parameter --name "/attachmentav/api-key"

Useful CDK Commands

  • npx cdk diff - Compare deployed stack with current state
  • npx cdk ls - List all stacks in the app
  • npx cdk synth - Synthesize CloudFormation template
  • npx cdk deploy - Deploy the stack
  • npx cdk destroy - Delete the stack
  • npx cdk doctor - Check CDK setup

Troubleshooting

Error: API key parameter not found

Make sure you created the SSM parameter as described in step 2 of Setup.

Error: Access Denied

Ensure your AWS credentials have sufficient permissions to create:

  • S3 buckets
  • Lambda functions
  • IAM roles and users
  • SSM parameters
  • EventBridge rules (if using EventBridge trigger)

Files not being scanned

  1. Check CloudWatch Logs for errors
  2. Verify S3 event notifications are configured: aws s3api get-bucket-notification-configuration --bucket BUCKET_NAME
  3. Ensure the file matches any prefix/suffix filters you configured