Automated Malware and Virus Scanning for Amazon S3 Buckets powered by AWS CDK: A Complete Guide

In today’s cloud-native landscape, companies regularly receive files from external sources like customer uploads, partner data exchanges, API integrations, and third-party systems. These files often land in Amazon S3 buckets, making them a critical entry point into your infrastructure. Without proper malware scanning and virus detection, a single infected file can compromise your entire system, leading to data breaches, ransomware attacks, or regulatory compliance violations.

S3 malware / antivirus scanner powered by attachmentAV CDK Construct

The challenge is clear: How do you automatically scan every file uploaded to your S3 buckets for viruses and malware without impacting performance or breaking the bank?

Traditional antivirus solutions designed for on-premises servers don’t translate well to serverless cloud architectures. You need a solution that scans files automatically when they’re uploaded to S3 and provides real-time results for monitoring and compliance.

The Solution: Event-Driven Malware Scanning with attachmentAV API

The answer lies in combining AWS Lambda, S3 event notifications (or EventBridge events), and a specialized malware scanning API. This approach creates an automated, serverless antivirus solution that scans every file the moment it’s uploaded to your S3 bucket.

attachmentAV is a cloud-based virus and malware scanning API designed specifically for modern cloud applications. By integrating attachmentAV with AWS services, you can build a production-ready malware scanner that:

  1. Triggers automatically when files are uploaded to S3
  2. Scans asynchronously using the attachmentAV API
  3. Tags objects with scan results for downstream processing
  4. Logs results to CloudWatch for monitoring and compliance
  5. Optionally deletes infected files automatically

Architecture Overview

The solution follows a serverless, event-driven architecture:

┌──────────┐      ┌──────────────┐      ┌───────────────┐
│ S3       │─────▶│ Scanner      │─────▶│ attachmentAV  │
│ Bucket   │      │ Lambda       │      │ API           │
└──────────┘      └──────────────┘      └───────────────┘
      ▲                  │                      │
      │                  │                      │
      │                  ▼                      │
      │          ┌──────────────┐               │
      │          │ SSM          │               │
      │          │ Parameter    │               │
      │          │ Store        │               │
      │          └──────────────┘               │
      ─────────────────────────────────────     │
                                          │     ▼
                 ┌──────────────┐      ┌───────────────┐
                 │ CloudWatch   │◀─────│ Callback      │
                 │ Logs         │      │ Lambda        │
                 └──────────────┘      └───────────────┘

How it works:

  1. A file is uploaded to your S3 bucket
  2. S3 triggers a Lambda function via event notification
  3. The Scanner Lambda generates a presigned URL and calls the attachmentAV API
  4. The API scans the file asynchronously for viruses and malware
  5. When scanning completes, attachmentAV calls back your Callback Lambda
  6. The Callback Lambda tags the S3 object and logs the result to CloudWatch

Implementing S3 Malware Scanning with AWS CDK

To make implementation straightforward, we’ve created a CDK construct that encapsulates all the necessary infrastructure. Let’s walk through how to deploy this antivirus solution in your AWS environment.

Prerequisites

Before you begin, you’ll need:

  1. An attachmentAV API key: Sign up at attachmentav.com to obtain your API key
  2. AWS CDK installed: If you’re new to CDK, check out the AWS CDK documentation
  3. Node.js and npm: Required for CDK deployment

Step 1: Store Your API Key Securely

First, store your attachmentAV API key in AWS Systems Manager Parameter Store as a SecureString:

aws ssm put-parameter \
  --name "/attachmentav/api-key" \
  --value "your-api-key-here" \
  --type "SecureString" \
  --description "attachmentAV API key for malware scanning"

This ensures your API credentials are encrypted at rest and never appear in your code.

Step 2: Basic Implementation

Here’s the minimal code needed to add malware scanning to an S3 bucket:

import * as cdk from 'aws-cdk-lib';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { AttachmentAVBucketScan } from './lib'; // copy/paste the files from https://github.com/widdix/attachmentav-example-aws-cdk-serverless-amazon-s3-virus-malware-scan/tree/main/lib to your ./lib folder

const app = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

// Create or reference an S3 bucket
const bucket = new s3.Bucket(stack, 'MyBucket', {
  versioned: true,
  encryption: s3.BucketEncryption.S3_MANAGED,
});

// Add attachmentAV scanning
new AttachmentAVBucketScan(stack, 'AttachmentAVScanner', {
  bucket: bucket,
  apiKeyParameterName: '/attachmentav/api-key',
});

That’s it! With just a few lines of code, every file uploaded to your S3 bucket will be automatically scanned for viruses and malware.

Step 3: Advanced Configuration Options

The CDK construct supports various configuration options to customize the antivirus scanning behavior. Here’s an example showing all available options:

import { AttachmentAVBucketScan, TriggerStrategy } from './lib';

new AttachmentAVBucketScan(stack, 'AttachmentAVScanner', {
  bucket: bucket,
  apiKeyParameterName: '/attachmentav/api-key',

  // Optional: Automatically delete infected files
  deleteInfectedObject: true,

  // Optional: Only scan files in specific folders
  s3KeyPrefix: 'uploads/',

  // Optional: Only scan specific file types
  s3KeySuffix: '.pdf',

  // Optional: Use EventBridge instead of S3 event notifications
  triggerStrategy: TriggerStrategy.EVENTBRIDGE,

  // Optional: Disable object tagging
  tagObjectWithScanResult: false,

  // Optional: Custom API endpoint (e.g., for different regions)
  apiUrl: 'https://us.developer.attachmentav.com',

  // Optional: Tenant ID for callback verification
  tenantId: 'abc123',
});

You can use any combination of these options based on your requirements. For a complete list of configuration options and detailed explanations, see the Configuration section in the README.
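The trigger-related options above (triggerStrategy, s3KeyPrefix, s3KeySuffix) are easier to reason about with the two event shapes side by side. The following is an added example, not the construct's own code: it normalises an S3 event notification and an EventBridge "Object Created" event to the same bucket/key pair and applies the prefix and suffix filters to the decoded key; the sample events are constructed, and where the construct applies these filters is not assumed here.

```typescript
// Added example, not the construct's own code: normalise the two trigger formats
// (S3 event notification vs. EventBridge "Object Created") to a bucket/key pair and
// apply the s3KeyPrefix / s3KeySuffix filters to the decoded key.
export type ScanTarget = { bucket: string; key: string };
export type FilterOptions = { s3KeyPrefix?: string; s3KeySuffix?: string };

// S3 event notifications URL-encode the key (a space arrives as '+'), while
// EventBridge delivers it verbatim. Decode first so the filters and the presigned
// URL generated later both refer to the object that actually exists.
function decodeNotificationKey(key: string): string {
  return decodeURIComponent(key.replace(/\+/g, ' '));
}

export function extractScanTargets(event: any): ScanTarget[] {
  // S3 notification: { Records: [{ eventName, s3: { bucket: { name }, object: { key } } }] }
  if (Array.isArray(event.Records)) {
    return event.Records
      .filter((r: any) => r.s3 && typeof r.eventName === 'string' && r.eventName.startsWith('ObjectCreated'))
      .map((r: any) => ({ bucket: r.s3.bucket.name, key: decodeNotificationKey(r.s3.object.key) }));
  }
  // EventBridge: { 'detail-type': 'Object Created', detail: { bucket: { name }, object: { key } } }
  if (event['detail-type'] === 'Object Created' && event.detail) {
    return [{ bucket: event.detail.bucket.name, key: event.detail.object.key }];
  }
  return [];   // unknown shape: nothing to scan rather than a guessed key
}

export function matchesFilters(t: ScanTarget, opts: FilterOptions): boolean {
  const prefixOk = !opts.s3KeyPrefix || t.key.startsWith(opts.s3KeyPrefix);
  const suffixOk = !opts.s3KeySuffix || t.key.endsWith(opts.s3KeySuffix);
  return prefixOk && suffixOk;
}

// Constructed sample events (not captured from a real account).
export const sampleS3Notification = {
  Records: [{ eventName: 'ObjectCreated:Put',
    s3: { bucket: { name: 'my-bucket' }, object: { key: 'uploads/q1+report.pdf' } } }],
};
export const sampleEventBridge = {
  'detail-type': 'Object Created',
  detail: { bucket: { name: 'my-bucket' }, object: { key: 'uploads/q1 report.pdf' } },
};
```

Both sample events resolve to the key `uploads/q1 report.pdf`, which is why a suffix filter such as `.pdf` behaves the same under either trigger strategy.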

Monitoring and Scan Results

After each file is scanned, the Callback Lambda logs structured JSON to CloudWatch with details including the bucket name, object key, scan status (clean, infected, or no), file type, and scan timing. This provides a complete audit trail for compliance and security monitoring.

You can use CloudWatch Logs Insights to query scan results, find infected files, generate statistics, and track malware detection trends over time. For detailed information about scan result formats and example CloudWatch Logs Insights queries, see the Monitoring section in the README.

Cost Considerations

The serverless architecture ensures you only pay for what you use:

  • attachmentAV API: Monthly subscription, see attachmentAV pricing
  • AWS Lambda: Pay per invocation and execution duration
  • AWS SSM Parameter Store: Free for standard parameters
  • CloudWatch Logs: Pay for log storage and ingestion
  • S3: Standard S3 pricing applies

For most workloads, the cost per scanned file is minimal, making this an affordable antivirus solution even at scale.

Real-World Use Cases

This S3 malware scanning solution is ideal for:

  1. User File Uploads: Scan profile pictures, documents, and attachments uploaded by end users
  2. API Integrations: Validate files received from third-party APIs before processing
  3. Data Lake Ingestion: Ensure data lake integrity by scanning all incoming files
  4. Compliance Requirements: Meet regulatory requirements for malware scanning (HIPAA, PCI-DSS, etc.)
  5. Partner Data Exchange: Scan files received from business partners or vendors
  6. Backup Validation: Verify backup files aren’t infected before restoration

Getting Started

Ready to implement automated virus scanning for your S3 buckets? Here’s how to get started:

  1. Get the code: Clone or copy the CDK construct from the GitHub repository
  2. Sign up for attachmentAV: Get your API key at attachmentav.com
  3. Deploy the stack: Follow the implementation guide above
  4. Test it out: Upload a file to your S3 bucket and watch the scan results in CloudWatch

The repository includes:

  • Complete CDK construct source code
  • Working examples and integration tests
  • CloudFormation templates for non-CDK deployments
  • Detailed documentation and configuration options

Conclusion

Protecting your AWS infrastructure from malware and viruses doesn’t have to be complicated. By combining S3 event notifications, AWS Lambda, and the attachmentAV API, you can build a production-ready, serverless antivirus solution in minutes.

The CDK construct handles all the complexity—IAM roles, Lambda functions, event triggers, secure credential storage, and callback handling—so you can focus on your application logic instead of infrastructure plumbing.

Whether you’re building a SaaS application with user file uploads, processing data from external partners, or meeting compliance requirements for malware scanning, this solution provides the security, scalability, and reliability you need.

Additional Resources

Start protecting your S3 buckets from viruses and malware today!


Published on January 29, 2026 | Written by Sebastian
