Table of contents

Scan existing files in the 'S3 bucket to scan'

If you have existing files in your S3 bucket to scan, those files will not be scanned. To scan them, you'll have to copy them back into the same bucket by selecting Actions > Copy in S3. The copy will trigger a scan on each file.

Full scan and scheduled scan

It deploys all the required resources to trigger a full scan, scheduled or not, on a S3 bucket leveraging an existing Trend Micro File Storage Security deployment.

To add this function, see Full scan and scheduled scan

Scan before reading the file (Scan on getObject request)

This feature is part of a controlled release and is in Preview. Content on this page is subject to change.

File Storage Security supports S3 Object Lambda to scan files when client makes a GET request and blocks it if the file is malicious. Follow How to scan on getObject request to enable this feature.


  • Due to the limitation of S3 Object Lambda, the scanner stack and storage stack must be in the same AWS account and region.

  • By the design of S3 Object Lambda, only requests through the Object Lambda Access Point will be scanned. Requests through the original S3 endpoint or other S3 access point will not be scanned.

  • By the design of S3 Object Lambda, this feature does not honor the ObjectFilterPrefix parameter of storage stacks. If you only want certain objects to be scanned on getObject request, you can use Object Lambda Access Point to only get objects that need to be scanned and use the original S3 endpoint to get other objects that don't need to be scanned.

  • Currently, there is a 200 MB file size limit of this feature. If you want to get objects larger than that, use the original S3 endpoint. Contact support if you need more information on the size limitation.

How to scan on getObject request

  1. Deploy an all-in-one stack or a storage stack in the same account and same region as a scanner stack. Or if you want to use deployed stacks, update the scanner and storage stacks with the latest template.

  2. When deploying or updating the all-in-one or storage stack, specify true for the ScanOnGetObject parameter. Scanner stacks can be deployed or updated without any new parameters.

  3. (Optional) If you are deploying or updating the storage stack in the above steps, you must also specify the ScannerLambdaAliasARN, which you can find in CloudFormation > Stacks > scanner stack > Outputs > ScannerLambdaAliasARN. When deploying or updating an all-in-one stack, you can skip this step because the template will figure it out for you.

  4. After deployment, use the Object Lambda Access Point deployed by File Storage Security to access your objects. Find the Object Lambda Access Point ARN in CloudFormation > Stacks > all-in-one or storage stack > Outputs > ScanOnGetObjectAccessPointARN.

For example, if you previously downloaded an object with the AWS CLI like this:

aws s3api get-object --bucket some-bucket --key some-folder/some-file.txt some-file.txt

Replace it with

aws s3api get-object --bucket ACCESS_POINT_ARN --key some-folder/some-file.txt some-file.txt


ACCESS_POINT_ARN is the ScanOnGetObjectAccessPointARN output value.