awslabs / cdk-serverless-clamscan

Apache License 2.0

Access to Infected Files #1225

Open thomasSSSC opened 2 months ago

thomasSSSC commented 2 months ago

While running this scanner, I found two potential workarounds for accessing infected files:

1) If too many objects are uploaded and you reach the concurrent Lambda limit, then files will not be tagged and are therefore accessible. This can be fixed by changing the bucket policy to have this condition (for example): `"Condition": { "StringNotEquals": { "s3:ExistingObjectTag/scan-status": "CLEAN" },`
2) Infected files can also be accessed by changing the tags on the object itself. It might be a good idea to restrict tag permissions on infected files to the root user.
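An added example (not from this issue or the project's own code) of a bucket policy that applies both points above: the first statement denies reads unless the object already carries `scan-status=CLEAN`, which also covers untagged objects because a missing condition key makes `StringNotEquals` evaluate to true; the second and third statements stop anyone but the scanner from setting or removing the tag after upload or supplying it at upload time. The bucket name, account id and scanner role ARN are placeholders, and the scanner role is exempted from the read deny because it still has to fetch each object to scan it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyReadUnlessTaggedClean",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:ExistingObjectTag/scan-status": "CLEAN",
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/EXAMPLE-SCANNER-ROLE"
        }
      }
    },
    {
      "Sid": "DenyTagChangesExceptScanner",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObjectTagging",
        "s3:DeleteObjectTagging",
        "s3:PutObjectVersionTagging",
        "s3:DeleteObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/EXAMPLE-SCANNER-ROLE"
        }
      }
    },
    {
      "Sid": "DenyUploadsThatPresetScanStatus",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": { "s3:RequestObjectTag/scan-status": "false" }
      }
    }
  ]
}
```

Both `StringNotEquals` keys in the first statement must fail to match for the deny to apply, so any principal other than the scanner is blocked on objects that are untagged or tagged with anything except `CLEAN`.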