Topics on this page
Architectural and configuration setup options
This section describes various architecture and configurations options for File Storage Security. These are meant to provide you with some options that you can use as a springboard for developing your own custom deployment.
All-in-one deployment (Recommended)
This quick deployment model allows you to protect your cloud storage container within 5 minutes.
The all-in-one stack deploys both scanner stack and storage stack to each of your cloud storage under the same cloud account and region. The storage stack monitors your cloud storage container and notifies the scanner stack when new files are uploaded. This triggers a new scan for malware.
To start the protection, see Deploy all-in-one-stack.
If your security team needs to centralize the scanner stacks to monitor scanner function health in your cloud account, you can choose to deploy a standalone scanner and adds storage stacks later on.
To build the scanning system, each region should have at least one scanner stack to improve performance and avoid cross region charges.
Quarantine malicious files
- Protecting downstream workflow from upstream risks
Adding the quarantine post scan action to each of your cloud storage can protect your downstream workflow from upstream risks.
To set up the quarantine function, the quarantine storage should be under the same cloud account as cross account data transmission needs extra permission settings. You can have multiple or a shared quarantine storage depending on your needs.
Scanning large number of files
- Handling peak hours
If you expect a large number of scanning requests to File Storage Security all at once, you can configure the Lambda concurrency for AWS and the scale out instance for Azure to improve performance.
Control scanner outbound traffic (AWS only)
- Company policy about outbound traffic
If your company has restrictions about Lambda outbound traffic, you can set up security control over internet traffic by configuring the VPC parameters in the CloudFormation templates.
Scan with the latest pattern before accessing the file (AWS only)
- Ensuring every file being accessed is scanned by the latest pattern
To ensure files are scanned with the latest pattern before they leave the storage, you can enable File Storage Security's scan on getObject request to block malicious files from being downloaded.
Permission boundary (AWS only)
- Company policy to set the maximum permissions that an identity-based policy can grant to an IAM entity
If your company has a policy for setting up permission boundary, when deploying the CloudFormation templates, you can specify the managed policy ARN to limit the maximum number of permissions that the IAM roles created by File Storage Security can have. For more information, please see AWS permissions control.