API (self-hosted on AWS): Configuration

attachmentAV API is configured via AWS CloudFormation.

View configuration parameters

To view the current configuration:

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the attachmentAV stack (if you followed the docs, the name is attachmentav).
  5. Click on the Parameters tab.

Now, you can see the configuration parameters.

Change configuration parameters

To change the configuration parameters of attachmentAV:

  1. Visit the AWS CloudFormation Console.
  2. Ensure that you are in the correct region.
  3. Navigate to Stacks.
  4. Click on the attachmentAV stack (if you followed the docs, the name is attachmentav).
  5. At the top right, click on Update.
  6. In the next step, just click Next.
  7. Now, you can change the configuration parameters.
  8. Click Next.
  9. In the next step, just click Next.
  10. At the bottom, check “I acknowledge that AWS CloudFormation might create IAM resources.” and click Submit.

It can take several minutes for an update to finish!

List of all configuration parameters

| Parameter | Description | Default | Allowed values | Fulfillment options |
| --- | --- | --- | --- | --- |
| Admin | | | | |
| InfrastructureAlarmsEmail | Optional but strongly recommended email address receiving infrastructure alarms (for more than one email address, please subscribe to the Infrastructure Alarms SNS topic after stack creation). | | | dedicated-public-vpc, shared-vpc |
| API | | | | |
| AccessLogsBucketName | Optional bucket name to store access logs (leave empty to disable; bucket policy must allow access for log delivery as described here https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy). | | | dedicated-public-vpc, shared-vpc |
| AccessLogsPrefix | Optional access logs prefix. | | | dedicated-public-vpc, shared-vpc |
| ApiIdleTimeoutInSeconds | Maximum number of seconds an API request waits for the scan result. Also determines the maximum number of seconds a request is processed on the server and that a file download (from S3 or download URL) can take. | 60 | Must be >= 15 and <= 4000 | dedicated-public-vpc, shared-vpc |
| ApiIngressCidrIp | Ingress rule allows HTTP(S) access from this IP address range (e.g., access from anywhere: 0.0.0.0/0, from single public IP address 91.45.138.21/32). | | Must be a valid IP CIDR range of the form x.x.x.x/x. | dedicated-public-vpc, shared-vpc |
| ApiKeys | API keys for authenticating client requests using Bearer Authentication. Separate API keys with a comma (e.g., key1,key2). | | | dedicated-public-vpc, shared-vpc |
| ApiMaxDownloadFileSizeInBytes | Maximum number of bytes that can be downloaded when using the endpoint POST /api/v1/scan/sync/download. | 5368709120 | Must be >= 0 | dedicated-public-vpc, shared-vpc |
| ApiMaxS3FileSizeInBytes | Maximum number of bytes that can be downloaded from S3 when using the endpoint POST /api/v1/scan/sync/s3. | 5368709120 | Must be >= 0 | dedicated-public-vpc, shared-vpc |
| ApiMaxUploadFileSizeInBytes | Maximum number of bytes that can be uploaded when using the endpoint POST /api/v1/scan/sync/binary or POST /api/v1/scan/sync/form. | 209715200 | Must be >= 0 | dedicated-public-vpc, shared-vpc |
| EndpointType | Do you want the API to be reachable via Internet (HTTPS) or internal (HTTP) within the VPC only? | | One of PUBLIC, INTERNAL | dedicated-public-vpc, shared-vpc |
| Auto Scaling Group | | | | |
| AutoScalingMaxSize | Maximum number of EC2 instances scanning files. | 2 | Must be >= 2 | dedicated-public-vpc, shared-vpc |
| AutoScalingMinSize | Minimum number of EC2 instances scanning files. | 2 | Must be >= 2 | dedicated-public-vpc, shared-vpc |
| DNS | | | | |
| CertificateArn | ACM public certificate ARN (required if DnsConfiguration:=MANUAL). | | | dedicated-public-vpc, shared-vpc |
| DnsConfiguration | Do you want to configure Route 53 and the Certificate Manager public certificate automatically or do you prefer a manual approach? | AUTO_ROUTE_53 | One of AUTO_ROUTE_53, MANUAL | dedicated-public-vpc, shared-vpc |
| DomainName | Domain name added to Route 53 public hosted zone and Certificate Manager public certificate (required if DnsConfiguration:=AUTO_ROUTE_53). | | | dedicated-public-vpc, shared-vpc |
| HostedZoneId | Route 53 public hosted zone ID (required if DnsConfiguration:=AUTO_ROUTE_53). | | | dedicated-public-vpc, shared-vpc |
| EC2 | | | | |
| InstanceType | Specifies the instance type of the EC2 instance. | m5.large | One of t3a.nano, t3a.micro, t3a.small, t3a.medium, t3a.large, t3a.xlarge, t3a.2xlarge, t3.nano, t3.micro, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge, m5a.large, m5a.xlarge, m5a.2xlarge, m5a.4xlarge, m5a.8xlarge, m5a.12xlarge, m5a.16xlarge, m5a.24xlarge, m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge, m5.8xlarge, m5.12xlarge, m5.16xlarge, m5.24xlarge, m6i.large, m6i.xlarge, m6i.2xlarge, m6i.4xlarge, m6i.8xlarge, m6i.12xlarge, m6i.16xlarge, m6i.24xlarge, m6i.32xlarge, m6a.large, m6a.xlarge, m6a.2xlarge, m6a.4xlarge, m6a.8xlarge, m6a.12xlarge, m6a.16xlarge, m6a.24xlarge, m6a.32xlarge, m6a.48xlarge, m7i.large, m7i.xlarge, m7i.2xlarge, m7i.4xlarge, m7i.8xlarge, m7i.12xlarge, m7i.16xlarge, m7i.24xlarge, m7i.48xlarge, m7a.medium, m7a.large, m7a.xlarge, m7a.2xlarge, m7a.4xlarge, m7a.8xlarge, m7a.12xlarge, m7a.16xlarge, m7a.24xlarge, m7a.32xlarge, m7a.48xlarge, c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge, c5.12xlarge, c5.18xlarge, c5.24xlarge, c5a.large, c5a.xlarge, c5a.2xlarge, c5a.4xlarge, c5a.8xlarge, c5a.12xlarge, c5a.16xlarge, c5a.24xlarge, c6i.large, c6i.xlarge, c6i.2xlarge, c6i.4xlarge, c6i.8xlarge, c6i.12xlarge, c6i.16xlarge, c6i.24xlarge, c6i.32xlarge, c6a.large, c6a.xlarge, c6a.2xlarge, c6a.4xlarge, c6a.8xlarge, c6a.12xlarge, c6a.16xlarge, c6a.24xlarge, c6a.32xlarge, c6a.48xlarge, c7i.large, c7i.xlarge, c7i.2xlarge, c7i.4xlarge, c7i.8xlarge, c7i.12xlarge, c7i.16xlarge, c7i.24xlarge, c7i.48xlarge, c7a.medium, c7a.large, c7a.xlarge, c7a.2xlarge, c7a.4xlarge, c7a.8xlarge, c7a.12xlarge, c7a.16xlarge, c7a.24xlarge, c7a.32xlarge, c7a.48xlarge, m5zn.large, m5zn.xlarge, m5zn.2xlarge, m5zn.3xlarge, m5zn.6xlarge, m5zn.12xlarge | dedicated-public-vpc, shared-vpc |
| KeyName | Name of the EC2 key pair to log in via SSH (username: ec2-user). | | Must be a valid EC2 key pair name | dedicated-public-vpc, shared-vpc |
| LogsRetentionInDays | Specifies the number of days you want to retain log events. | 14 | One of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 | dedicated-public-vpc, shared-vpc |
| Subnets | Subnets used for scanners. | | Valid subnet IDs | shared-vpc |
| SystemsManagerAccess | Enable AWS Systems Manager Session Manager to connect to the EC2 instances. To fully enable SSM, add arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore to the ManagedPolicyArns configuration parameter as well. | false | One of true, false | dedicated-public-vpc, shared-vpc |
| VolumeIops | The provisioned I/O operations per second (IOPS). | 3000 | 3000-16000 | dedicated-public-vpc, shared-vpc |
| VolumeSize | The size of the EBS volume, in gibibytes (GiB). You can only scan files that are smaller than VolumeSize-16. Max S3 file size 5120 GiB. | 32 | 32-5136 | dedicated-public-vpc, shared-vpc |
| VolumeThroughput | The provisioned throughput per second in MiB. | 125 | 125-1000 | dedicated-public-vpc, shared-vpc |
| VPC | EC2 instances that scan the files are launched into this VPC. | | Valid VPC ID | shared-vpc |
| Lambda | | | | |
| AutoScalingGroupCalculatorFunctionReservedConcurrentExecutions | Maximum number of execution environment instances for the Lambda function (set to 0 to disable; check out the CloudWatch metric ConcurrentExecutions to get the maximum concurrent invocations of the past). | 0 | Must be >= 0 | dedicated-public-vpc, shared-vpc |
| LambdaSubnets | Optionally configure Lambda functions to run in these subnets, requires route to NAT Gateway or VPC Endpoints. | | | shared-vpc |
| Permissions | | | | |
| KMSKeyRestriction | Restrict access to specific KMS keys (e.g. arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab,arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321 or * to allow access to all KMS keys). | * | | dedicated-public-vpc, shared-vpc |
| ManagedPolicyArns | Optional comma-delimited list of IAM managed policy ARNs to attach to the IAM role of the EC2 instances. | | | dedicated-public-vpc, shared-vpc |
| PermissionsBoundary | Optional IAM policy ARN that will be used as the permissions boundary for all roles. | | | dedicated-public-vpc, shared-vpc |
| S3BucketRestriction | Restrict access to specific S3 buckets (e.g. arn:aws:s3:::bucket-a,arn:aws:s3:::bucket-b or * to allow access to all S3 buckets). | * | | dedicated-public-vpc, shared-vpc |
| S3ObjectRestriction | Restrict access to specific S3 objects (e.g. arn:aws:s3:::bucket-a/*,arn:aws:s3:::bucket-b/* or * to allow access to all S3 objects). | * | | dedicated-public-vpc, shared-vpc |
| Scan | | | | |
| SophosLiveProtectionCloudLookups | Live Protection cloud lookups use Sophos' SXL technology and infrastructure to enable the antivirus engine to determine whether a suspicious file is malicious or clean by querying Sophos's extensive database of both malware and clean files. SXL improves detection rates and lowers false-positives. The file hash is shared with Sophos if you enable this feature! | false | One of true, false | dedicated-public-vpc, shared-vpc |
| VPC | | | | |
| AssociatePublicIpAddress | Specifies whether to assign a public IP address to the group's instances (set to true in public subnets, false in private subnets). | true | One of true, false | shared-vpc |
| FlowLogRetentionInDays | Specifies the number of days you want to retain VPC Flow Log events (set to 0 to disable). | 14 | One of 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653 | dedicated-public-vpc |
| HttpsProxy | Optional forward proxy for outbound HTTPS communication to https://metering.marketplace.REGION.amazonaws.com, https://REGION.savmirror.bucketav.com. You must add a security group in parameter SecurityGroupIds to allow outbound communication with your reverse proxy. | | | shared-vpc |
| SecurityGroupIds | Optional comma-delimited list of security group IDs to attach to the EC2 instances. | | | shared-vpc |
| SSHIngressCidrIp | Optional ingress rule allows SSH access from this IP address range (e.g., access from anywhere: 0.0.0.0/0, from single public IP address 91.45.138.21/32). | | | dedicated-public-vpc, shared-vpc |
| SSHIngressSecurityGroupId | Optional ingress rule allows SSH access from this security group. | | | shared-vpc |
| VpcCidrBlock | The IPv4 network range for the VPC, in CIDR notation (e.g., 10.0.0.0/16). | 10.0.0.0/16 | | dedicated-public-vpc |
| VpcSubnetCidrBits | The number of subnet bits for the CIDR (e.g., a value 8 will create a CIDR with a mask of /24). | 12 | 6-14 | dedicated-public-vpc |
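
Several of the parameters above decide how exposed the deployment is and how much visibility you keep. The following is an added example, not part of the attachmentAV documentation or product: it reviews a stack's parameter list, in the shape returned by `aws cloudformation describe-stacks`, for the permissive or monitoring-off values named in the table. The selection of checks, the function names and the sample values are assumptions made for illustration.

```python
import ipaddress

WILDCARD_PARAMS = ("KMSKeyRestriction", "S3BucketRestriction", "S3ObjectRestriction")

def covers_everything(cidr):
    """True when the CIDR matches every address, e.g. 0.0.0.0/0."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:  # empty or malformed value: nothing is opened by it
        return False

def audit_parameters(parameters):
    """Return (parameter, finding) pairs for a stack's Parameters list.

    Parameters absent from the list (they differ per fulfillment option)
    are skipped rather than guessed.
    """
    p = {x["ParameterKey"]: (x.get("ParameterValue") or "").strip() for x in parameters}
    findings = []
    for key in ("ApiIngressCidrIp", "SSHIngressCidrIp"):
        if covers_everything(p.get(key, "")):
            findings.append((key, "ingress allowed from any address"))
    for key in WILDCARD_PARAMS:
        if p.get(key) == "*":
            findings.append((key, "wildcard, not limited to specific ARNs"))
    if p.get("InfrastructureAlarmsEmail") == "":
        findings.append(("InfrastructureAlarmsEmail", "no alarm recipient"))
    if p.get("AccessLogsBucketName") == "":
        findings.append(("AccessLogsBucketName", "access logs disabled"))
    if p.get("FlowLogRetentionInDays") == "0":
        findings.append(("FlowLogRetentionInDays", "VPC Flow Logs disabled"))
    if p.get("SophosLiveProtectionCloudLookups") == "true":
        findings.append(("SophosLiveProtectionCloudLookups", "file hashes shared with Sophos"))
    return findings

# Constructed sample in the shape of Stacks[0].Parameters from
# `aws cloudformation describe-stacks --stack-name attachmentav`
SAMPLE = [
    {"ParameterKey": "ApiIngressCidrIp", "ParameterValue": "0.0.0.0/0"},
    {"ParameterKey": "SSHIngressCidrIp", "ParameterValue": "91.45.138.21/32"},
    {"ParameterKey": "KMSKeyRestriction", "ParameterValue": "*"},
    {"ParameterKey": "S3BucketRestriction", "ParameterValue": "arn:aws:s3:::bucket-a"},
    {"ParameterKey": "S3ObjectRestriction", "ParameterValue": "arn:aws:s3:::bucket-a/*"},
    {"ParameterKey": "InfrastructureAlarmsEmail", "ParameterValue": ""},
    {"ParameterKey": "AccessLogsBucketName", "ParameterValue": "constructed-log-bucket"},
    {"ParameterKey": "FlowLogRetentionInDays", "ParameterValue": "0"},
    {"ParameterKey": "SophosLiveProtectionCloudLookups", "ParameterValue": "false"},
]

if __name__ == "__main__":
    for key, finding in audit_parameters(SAMPLE):
        print(f"{key}: {finding}")
```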
