This feature is part of a controlled release and is in Preview. Content on this page is subject to change.
Scan on getObject request
- Due to the limitation of S3 Object Lambda, the scanner stack and storage stack must be in the same AWS account and region.
- By the design of S3 Object Lambda, only requests through the Object Lambda Access Point will be scanned. Requests through the original S3 endpoint or other S3 access point will not be scanned.
- By the design of S3 Object Lambda, this feature does not honor the ObjectFilterPrefix parameter of storage stacks.
If you only want certain objects to be scanned on getObject request, use the Object Lambda Access Point to get only the objects that need to be scanned, and use the original S3 endpoint to get the objects that don't need to be scanned.
- Currently, this feature has a 200 MB file size limit. If you want to get objects larger than that, use the original S3 endpoint. Contact support if you need more information on the size limitation.
How to scan on getObject request
- Deploy an all-in-one stack or a storage stack in the same account and same region as a scanner stack. Or, if you want to use stacks that are already deployed, update the scanner and storage stacks with the latest template.
- When deploying or updating the all-in-one or storage stack, specify true for the ScanOnGetObject parameter. Scanner stacks can be deployed or updated without any new parameters.
- (Optional) If you are deploying or updating the storage stack in the above steps, you must also specify ScannerLambdaAliasARN, which you can find in CloudFormation > Stacks > scanner stack > Outputs > ScannerLambdaAliasARN. When deploying or updating an all-in-one stack, you can skip this step because the template will figure it out for you.
After deployment, use the Object Lambda Access Point deployed by File Storage Security to access your objects. Find the Object Lambda Access Point ARN in CloudFormation > Stacks > all-in-one or storage stack > Outputs > ScanOnGetObjectAccessPointARN.
For example, if you previously downloaded an object with the AWS CLI like this:
aws s3api get-object --bucket some-bucket --key some-folder/some-file.txt some-file.txt
Replace it with
aws s3api get-object --bucket ACCESS_POINT_ARN --key some-folder/some-file.txt some-file.txt
ACCESS_POINT_ARN is the ScanOnGetObjectAccessPointARN output value.
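The procedure above as a script (an added example, not from the product documentation): it reads the ScanOnGetObjectAccessPointARN stack output with the AWS CLI and downloads through the Object Lambda Access Point, using the original bucket only for objects over the size limit and warning when it does. The function names and the reading of 200 MB as 200 * 1024 * 1024 bytes are assumptions.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of the product.
# Assumption: the documented "200 MB" limit is read as 200 * 1024 * 1024 bytes.
SIZE_LIMIT_BYTES=$((200 * 1024 * 1024))

# Print the ScanOnGetObjectAccessPointARN output of a stack.
# $1 = name of the all-in-one or storage stack
get_access_point_arn() {
  aws cloudformation describe-stacks --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='ScanOnGetObjectAccessPointARN'].OutputValue" \
    --output text
}

# Pure decision step: print the value to pass to --bucket.
# $1 = object size in bytes, $2 = access point ARN, $3 = original bucket name
choose_bucket_arg() {
  case "$1" in
    ''|*[!0-9]*) echo "invalid size: $1" >&2; return 2 ;;
  esac
  if [ "$1" -le "$SIZE_LIMIT_BYTES" ]; then
    printf '%s\n' "$2"   # within the limit: scanned path
  else
    printf '%s\n' "$3"   # over the limit: original endpoint, not scanned
  fi
}

# Download one object, scanned whenever the size limit allows it.
# $1 = stack name, $2 = bucket, $3 = key, $4 = output file
scanned_get() {
  _arn=$(get_access_point_arn "$1") || return 1
  if [ -z "$_arn" ] || [ "$_arn" = "None" ]; then
    echo "stack $1 has no ScanOnGetObjectAccessPointARN output" >&2
    return 1
  fi
  # The size is read from the original bucket before choosing the endpoint.
  _size=$(aws s3api head-object --bucket "$2" --key "$3" \
    --query ContentLength --output text) || return 1
  _target=$(choose_bucket_arg "$_size" "$_arn" "$2") || return 1
  if [ "$_target" != "$_arn" ]; then
    echo "warning: $3 is over the size limit and is fetched without a scan" >&2
  fi
  aws s3api get-object --bucket "$_target" --key "$3" "$4"
}
```

Call it as scanned_get STACK_NAME some-bucket some-folder/some-file.txt some-file.txt; any object reported by the warning was retrieved through the original S3 endpoint and was not scanned.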