This section describes various architecture and configuration options for File Storage
Security. They are meant to give you options that you can use as a springboard for
developing your own custom deployment.
Architectural options
All-in-one deployment (Recommended)
This quick deployment model allows you to protect your cloud storage container within
5 minutes.
The all-in-one stack deploys both a scanner stack and a storage stack for each of your
cloud storage containers, under the same cloud account and region. The storage stack
monitors your cloud storage container and notifies the scanner stack when new files are
uploaded, which triggers a new scan for malware.
To start the protection, see:
Centralized scanner
If your security team needs to centralize the scanner stacks to monitor scanner
function health in your cloud account, you can choose to deploy a standalone scanner
and add storage stacks later on. For more information, see:
When building the scanning system, each region should have at least one scanner stack to
improve performance and avoid cross-region data transfer charges.
Configuration options
Quarantine malicious files
Suitable for:
- Protecting downstream workflow from upstream risks
Adding the quarantine post-scan action to each of your cloud storage containers protects
your downstream workflow from upstream risks.
When setting up the quarantine function, the quarantine storage should be under the same
cloud account, because cross-account data transmission requires additional permission
settings. Depending on your needs, you can have one quarantine storage per container or a
single shared quarantine storage.
Scanning a large number of files
Suitable for:
- Handling peak hours
If you expect a large number of scanning requests to reach File Storage Security all at
once, you can configure the Lambda concurrency for AWS and the scale-out instances for
Azure to improve performance.
For performance testing results, please see AWS
performance and scaling and Azure
performance and scaling.
Control scanner outbound traffic (AWS only)
Suitable for:
- Company policy about outbound traffic
If your company has restrictions on Lambda outbound traffic, you can enforce security
control over internet traffic by configuring the VPC parameters in the CloudFormation
templates.
Scan with the latest pattern before accessing the file (AWS only)
Suitable for:
- Ensuring every file being accessed is scanned by the latest pattern
To ensure files are scanned with the latest pattern before they leave the storage, you can
enable File Storage Security's scan on getObject request, which blocks malicious files
from being downloaded.
Permission boundary (AWS only)
Suitable for:
- Company policy to set the maximum permissions that an identity-based policy can grant to an IAM entity
If your company has a policy that requires a permissions boundary, you can specify the
managed policy ARN when deploying the CloudFormation templates to cap the maximum
permissions that the IAM roles created by File Storage Security can have. For more
information, please see AWS permissions control.
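The following is an added example, not code from the File Storage Security documentation or its templates. It models how a permissions boundary caps a role's permissions: an action is effective only if both the role's identity policy and the boundary allow it. The policy documents are constructed for illustration, and the evaluator deliberately ignores Resource, Condition and SCPs.

```python
"""Simplified model of IAM permissions-boundary evaluation (added example; the
policies below are constructed, not File Storage Security's real role policies)."""
import fnmatch


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statements(policy, effect):
    # Yield the action list of every statement with the requested Effect.
    for stmt in policy["Statement"]:
        if stmt["Effect"] == effect:
            acts = stmt["Action"]
            yield acts if isinstance(acts, list) else [acts]


def _allowed_by(policy, action):
    # Within one policy, an explicit Deny always wins over any Allow.
    if any(_matches(action, pats) for pats in _statements(policy, "Deny")):
        return False
    return any(_matches(action, pats) for pats in _statements(policy, "Allow"))


def effective_allow(identity_policy, boundary_policy, action):
    # With a boundary attached, the effective permission is the intersection:
    # the identity policy AND the boundary must both allow the action.
    return _allowed_by(identity_policy, action) and _allowed_by(boundary_policy, action)


# Constructed identity policy resembling what a scanner role might be granted.
SCANNER_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObjectTagging", "sqs:*", "logs:*"]},
    {"Effect": "Allow", "Action": "iam:PassRole"}]}

# Constructed company-wide boundary: service actions allowed, IAM and key management denied.
COMPANY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "sqs:*", "sns:*", "lambda:*", "logs:*"]},
    {"Effect": "Deny", "Action": ["iam:*", "kms:Create*", "kms:ScheduleKeyDeletion"]}]}


def check_actions(actions):
    """Map each action to whether the scanner role can effectively perform it."""
    return {a: effective_allow(SCANNER_ROLE_POLICY, COMPANY_BOUNDARY, a) for a in actions}


if __name__ == "__main__":
    sample = ["s3:GetObject", "sqs:SendMessage", "iam:PassRole", "s3:DeleteObject"]
    for action, ok in check_actions(sample).items():
        print(f"{action:18} {'allowed' if ok else 'denied'}")
```

Note that iam:PassRole is denied even though the role's own policy grants it, because the boundary caps it; s3:DeleteObject is denied because the role was never granted it in the first place.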