Architectural and configuration setup options

This section describes the architecture and configuration options for File Storage Security. They are meant to give you a starting point from which to develop your own custom deployment.

Architectural options

All-in-one deployment (Recommended)

This quick deployment model allows you to protect your cloud storage container within 5 minutes.

The all-in-one stack deploys both the scanner stack and the storage stack for each of your cloud storage containers, under the same cloud account and region. The storage stack monitors your cloud storage container and notifies the scanner stack when new files are uploaded, which triggers a malware scan of each new file.

To start the protection, see Deploy all-in-one-stack.

Centralized scanner

If your security team needs to centralize the scanner stacks so that it can monitor scanner function health in one cloud account, you can deploy a standalone scanner stack and add storage stacks to it later.

When building the scanning system, deploy at least one scanner stack in each region that contains storage stacks, both to improve performance and to avoid cross-region data transfer charges.

Configuration options

Quarantine malicious files

Suitable for:

  • Protecting downstream workflow from upstream risks

Adding the quarantine post-scan action to each of your cloud storage containers protects your downstream workflow from upstream risks: a file found to be malicious is moved out of the monitored container before anything downstream consumes it.

When setting up the quarantine function, place the quarantine storage under the same cloud account as the monitored storage, because cross-account data transfer requires additional permission settings. Depending on your needs, you can use one quarantine container per monitored container or a single shared quarantine container.

Scanning a large number of files

Suitable for:

  • Handling peak hours

If you expect a large number of scanning requests to reach File Storage Security at once, you can configure the Lambda concurrency (AWS) or the scale-out instance count (Azure) to improve throughput.

For performance testing results, please see AWS performance and scaling and Azure performance and scaling.

Control scanner outbound traffic (AWS only)

Suitable for:

  • Company policy about outbound traffic

If your company restricts outbound traffic from Lambda functions, you can place the scanner under your own network controls by configuring the VPC parameters in the CloudFormation templates, so that its internet traffic is routed and inspected according to your policy.

Scan with the latest pattern before accessing the file (AWS only)

Suitable for:

  • Ensuring every file being accessed is scanned by the latest pattern

To ensure that files are scanned with the latest pattern before they leave the storage, you can enable File Storage Security's scan on GetObject requests, which blocks malicious files from being downloaded.

Permission boundary (AWS only)

Suitable for:

  • Company policy to set the maximum permissions that an identity-based policy can grant to an IAM entity

If your company requires permissions boundaries, you can specify the ARN of a managed policy when deploying the CloudFormation templates. That policy then caps the maximum permissions that the IAM roles created by File Storage Security can have, regardless of what their identity-based policies grant. For more information, see AWS permissions control.
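As an added example (not code from the File Storage Security documentation or product), the following Python check audits whether every IAM role belonging to a deployed stack actually carries the expected permissions boundary. The role dictionaries have the shape returned by boto3's `iam.list_roles()`; the role names, the `fss-` name prefix and the boundary policy ARN are constructed sample values, not the product's real identifiers.

```python
# Added example: verify that the IAM roles created by a File Storage Security stack
# all carry the permissions boundary we passed in at deployment time.
# Role dicts follow the shape returned by boto3 iam.list_roles(); all names and ARNs
# below are constructed sample values, not real account data.
import re
from typing import Dict, Iterable, List

# Managed policy ARN in the standard, China or GovCloud partitions (assumed format).
MANAGED_POLICY_ARN = re.compile(r"^arn:aws(-[a-z]+)?:iam::\d{12}:policy/[\w+=,.@/-]+$")


def audit_permissions_boundary(roles: Iterable[Dict], expected_boundary_arn: str,
                               name_prefix: str) -> List[str]:
    """Return one finding per role (matching name_prefix) whose boundary is wrong.

    A role passes only if a PermissionsBoundary is attached and its ARN equals
    expected_boundary_arn exactly. An empty list means the stack is compliant.
    """
    if not MANAGED_POLICY_ARN.match(expected_boundary_arn):
        raise ValueError(f"not a managed policy ARN: {expected_boundary_arn}")
    findings: List[str] = []
    for role in roles:
        name = role["RoleName"]
        if not name.startswith(name_prefix):
            continue  # not part of the stack being audited
        boundary = role.get("PermissionsBoundary")
        if boundary is None:
            findings.append(f"{name}: no permissions boundary attached")
        elif boundary.get("PermissionsBoundaryArn") != expected_boundary_arn:
            findings.append(f"{name}: unexpected boundary {boundary.get('PermissionsBoundaryArn')}")
    return findings


# Constructed sample input: one compliant role, one with no boundary, one with the
# wrong boundary, and one role that does not belong to the stack at all.
EXPECTED = "arn:aws:iam::123456789012:policy/FssBoundary"
SAMPLE_ROLES = [
    {"RoleName": "fss-scanner-ExecutionRole",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy", "PermissionsBoundaryArn": EXPECTED}},
    {"RoleName": "fss-storage-ListenerRole"},
    {"RoleName": "fss-storage-PostScanActionRole",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                             "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/AdminBoundary"}},
    {"RoleName": "unrelated-AppRole"},
]

if __name__ == "__main__":
    for finding in audit_permissions_boundary(SAMPLE_ROLES, EXPECTED, "fss-"):
        print(finding)
```

Against a live account, feed the function the pages from boto3's `iam.get_paginator("list_roles")` instead of `SAMPLE_ROLES`, using whatever prefix or tag your deployment gives its roles.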