
The typical enterprise organization stores high volumes of data in cloud storage services such as Amazon S3, and much of that data is sensitive or otherwise business critical. For organizations that build data lakes on Amazon S3 in particular, the volume of data housed in one (or a few) buckets is staggering. Scaling cloud infrastructure securely requires proper access controls and comprehensive malware protection. These measures limit exposure to bad actors and to unintended user mistakes, protecting against data breaches, system disruptions, and financial losses, and they support certifications such as ISO 27001. Cloud Storage Security's Antivirus for Amazon S3 extends Amazon S3's native features with antivirus scanning and malware protection.
As a DevSecOps engineer managing your organization's data lake, you handle live and archived data, including large, non-sensitive files used to train machine learning models. Your organization is preparing for ISO 27001 and needs best practices for access control and malware protection. Regulatory compliance demands appropriate access controls, so that only authorized users reach data, and only the data their role needs; stricter controls apply to sensitive data. This protects confidentiality and integrity and preserves availability. Begin by classifying data, defining roles, and identifying the access each role needs. Then grant access through IAM and bucket policies (role-based access control), adding MFA and attribute-based access control (ABAC) for highly sensitive data. S3 ACLs can also grant access, but they are a legacy mechanism: AWS recommends disabling them (the "bucket owner enforced" Object Ownership setting) and expressing all access in policies instead.
AWS provides the Well-Architected Framework and service features that implement best practices for data lake compliance:
General Cloud Best Practices:
- Principle of Least Privilege: Grant users and workloads the minimum access they need, using IAM roles, granular policies, and groups.
- Multi-factor Authentication (MFA): Enforce MFA organization-wide, and require it for access to sensitive data.
Amazon S3 Best Practices:
- Credentials: Never use root account credentials for S3 access (or for day-to-day work at all).
- Bucket Policies and Regular Access Review: Restrict public access (enable S3 Block Public Access at the account and bucket level), define granular bucket policies, and regularly revoke unused IAM permissions.
- S3 Server Access Logging: Enable server access logging (or CloudTrail S3 data events) to capture detailed records of every request to your buckets.
- Monitoring and Alarms: Use CloudWatch, fed by CloudTrail events and S3 metrics, to alarm on unauthorized access or suspicious activity.
- Data Encryption: Encrypt data at rest with server-side encryption: SSE-S3 (S3-managed keys), SSE-KMS (AWS KMS keys), or SSE-C (customer-provided keys). Enforce the choice in the bucket policy so that unencrypted uploads are rejected.
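The bucket-policy points above are easy to state and easy to get subtly wrong. The following linter, an added example that is not from the article or from any AWS or Cloud Storage Security tool, checks a bucket policy document for the three settings a reviewer looks for first: an unconditioned `Allow` to the anonymous principal, a `Deny` for requests made without TLS (`aws:SecureTransport`), and the pair of `Deny` statements that reject uploads which request the wrong server-side encryption or omit the header entirely. The weak and hardened policies are constructed for illustration; the bucket name, account ID, and role name are placeholders.

```python
"""Lint an S3 bucket policy for the weak settings listed above.

Added example, not from the article or any AWS tool. Both policies below are
constructed; the bucket name, account ID and role name are placeholders.
"""
import json

BUCKET = "arn:aws:s3:::example-datalake"

# Constructed: anonymous read of the whole bucket, nothing enforcing TLS or SSE.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]},
]})

# Constructed: the corrected policy. Read access only for one role, every non-TLS
# request denied, and PutObject denied unless SSE-KMS is requested (the Null
# statement catches uploads that omit the encryption header altogether).
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnalystRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataLakeAnalyst"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyWrongEncryption", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyMissingEncryption", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]})

SSE_KEY = "s3:x-amz-server-side-encryption"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_statements(policy):
    """Sids of Allow statements that grant anonymous access with no Condition at all."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def enforces_tls(policy):
    """True if a Deny covering all S3 actions fires when aws:SecureTransport is false."""
    for s in policy["Statement"]:
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (s["Effect"] == "Deny" and set(_as_list(s["Action"])) & {"*", "s3:*"}
                and str(flag).lower() == "false"):
            return True
    return False


def enforces_sse(policy):
    """True only if both SSE denies exist: wrong algorithm AND missing header."""
    wrong_alg = missing_hdr = False
    for s in policy["Statement"]:
        if s["Effect"] != "Deny" or not ({"s3:PutObject", "s3:*", "*"} & set(_as_list(s["Action"]))):
            continue
        cond = s.get("Condition", {})
        if SSE_KEY in cond.get("StringNotEquals", {}):
            wrong_alg = True
        if str(cond.get("Null", {}).get(SSE_KEY)).lower() == "true":
            missing_hdr = True
    return wrong_alg and missing_hdr


def lint(policy):
    """Return finding codes for a policy (JSON string or dict); [] means all checks pass."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    findings = [f"public-access:{sid}" for sid in public_statements(policy)]
    if not enforces_tls(policy):
        findings.append("no-tls-enforcement")
    if not enforces_sse(policy):
        findings.append("no-sse-enforcement")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {lint(doc) or 'no findings'}")
```

A wildcard `Allow` that carries a `Condition` (for example one restricted to a VPC endpoint) is deliberately not reported as public; it still deserves a manual read, but it is a different class of finding. Note that the linter only reads the bucket policy: S3 Block Public Access, which can override a public statement at the account level, and object-level ACLs are evaluated separately by S3 and are not visible here.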
AWS Lake Formation offers centralized security controls and simplifies data lake setup, providing fine-grained access control and comprehensive audit capabilities. Combined with Cloud Storage Security's antivirus solution, it creates a robust security framework addressing access control and threat prevention.
Access controls mitigate internal risk, but external threats such as malware still pose the risk of data breaches, system disruptions, and financial losses. Remember the shared responsibility model: AWS secures the underlying infrastructure, and you are responsible for what you store in your S3 data lake, including scanning it for malware.
Regulatory compliance requires malware protection to preserve data confidentiality, integrity, and availability. Key requirements include virus scanning on upload, scheduled scans, and versioning to protect against deletion or modification. Amazon S3 offers native versioning, but it does not inspect object contents; for that you need a tool that can:
- Perform real-time scans before file uploads.
- Schedule automatic scans of existing files.
- Implement a "two-bucket system" for clean production data.
- Use multiple scanning engines for comprehensive malware detection.
The tool must handle scans across multiple accounts and files up to 5 TB (the S3 maximum object size), and it must keep data within its AWS Region.
Cloud Storage Security's Antivirus for Amazon S3 meets these needs with three scanning engines (Sophos, CSS Premium, ClamAV) and flexible scanning options (scheduled, event-based, API-based). Its two-bucket configuration quarantines infected files so that only clean data reaches production. It also protects Amazon FSx, EFS, and EBS, and its dynamic analysis produces detailed reports of malware behavior.
You can subscribe to Antivirus for Amazon S3 in AWS Marketplace (30-day free trial, delivered as a container). After subscribing, deploy it with the provided AWS CloudFormation template. The initial setup gives an overview of your S3 buckets; from there you can enable event-based scanning for new files or run retro scans of existing data.
Scanning processes are customizable:
- Multi-Engine Scanning: Configure multiple engines to balance accuracy and performance. For large data lakes, enable extra-large file scanning for files up to 5 TB.
- Infected File Handling: Choose to delete, quarantine, or retain infected files. Files are tagged according to the configuration you choose.
- Associating Scan Output with S3 Objects via Tags: Set tags that are attached to each S3 object automatically after its scan, so applications that must verify a file is clean before using it can check the tag rather than trust the bucket.
- Two-Bucket System Configuration: Designate a source (dirty) bucket and a destination (clean) bucket. The antivirus moves only clean files from source to destination.
Event-based scanning on the source bucket scans each new object and moves clean ones to the destination. Proactive notifications are available for scan events and results, and Antivirus for Amazon S3 integrates with existing AWS security tooling such as AWS Security Hub, pushing scan findings to its console.
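The two-bucket flow and the tag-based verification described above, as an added example that is not Cloud Storage Security's code or part of the original article: a handler in the shape of an S3 event-notification consumer scans each new object in the landing ("dirty") bucket, tags it with the verdict and a hash of the scanned bytes, copies clean objects to the production bucket and infected ones to a quarantine bucket, and a consumer-side check refuses any object in the production bucket that lacks a clean tag or has changed since it was scanned. The bucket names, tag keys, and the EICAR-only scanner are assumptions; `MemoryS3` is an in-memory stand-in that uses the boto3 S3 client's method names with simplified signatures, so the example runs offline.

```python
"""Two-bucket scan-and-promote pipeline (added example, not product code).
Bucket names, tag keys and the EICAR-only scanner are assumptions. MemoryS3
stands in for a boto3 S3 client (same method names, simplified signatures).
"""
import hashlib
from datetime import datetime, timezone
from urllib.parse import unquote_plus

SOURCE_BUCKET = "datalake-landing"         # "dirty" bucket: untrusted uploads land here
CLEAN_BUCKET = "datalake-clean"            # production bucket: scanned-clean objects only
QUARANTINE_BUCKET = "datalake-quarantine"  # infected objects are retained here for analysis
# Standard EICAR test string: the safe, conventional way to exercise an AV pipeline.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class MemoryS3:
    """In-memory stand-in for the subset of the S3 API the pipeline uses."""
    def __init__(self):
        self.store = {}  # (bucket, key) -> {"Body": bytes, "Tags": dict}

    def put_object(self, Bucket, Key, Body):
        self.store[(Bucket, Key)] = {"Body": bytes(Body), "Tags": {}}  # no scan tags yet

    def get_object(self, Bucket, Key):
        return self.store[(Bucket, Key)]["Body"]

    def put_object_tagging(self, Bucket, Key, Tags):
        self.store[(Bucket, Key)]["Tags"] = dict(Tags)

    def get_object_tagging(self, Bucket, Key):
        return dict(self.store[(Bucket, Key)]["Tags"])

    def copy_object(self, Bucket, Key, CopySource):
        src = self.store[(CopySource["Bucket"], CopySource["Key"])]
        self.store[(Bucket, Key)] = {"Body": src["Body"], "Tags": dict(src["Tags"])}

    def delete_object(self, Bucket, Key):
        self.store.pop((Bucket, Key), None)

    def list_keys(self, Bucket):
        return sorted(k for b, k in self.store if b == Bucket)


def scan_bytes(data):
    """Stand-in engine that only knows the EICAR test file; returns (verdict, detail)."""
    return ("infected", "EICAR-Test-File") if EICAR in data else ("clean", "")


def handle_s3_event(s3, event, scanner=scan_bytes):
    """Scan each ObjectCreated record from the landing bucket, tag it, then route it."""
    verdicts = {}
    for record in event["Records"]:
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # S3 URL-encodes keys in events
        if bucket != SOURCE_BUCKET:
            continue  # only the landing bucket is a scan trigger
        data = s3.get_object(Bucket=bucket, Key=key)
        verdict, detail = scanner(data)
        s3.put_object_tagging(Bucket=bucket, Key=key, Tags={
            "scan-result": verdict, "scan-detail": detail,
            "scan-date": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "scan-sha256": hashlib.sha256(data).hexdigest()})
        dest = CLEAN_BUCKET if verdict == "clean" else QUARANTINE_BUCKET
        # Copy first and delete only afterwards, so a failed copy never loses the object.
        s3.copy_object(Bucket=dest, Key=key, CopySource={"Bucket": bucket, "Key": key})
        s3.delete_object(Bucket=bucket, Key=key)
        verdicts[key] = verdict
    return verdicts


def read_verified(s3, key):
    """Consumer side: fail closed unless the object is tagged clean and unchanged since."""
    tags = s3.get_object_tagging(Bucket=CLEAN_BUCKET, Key=key)
    if tags.get("scan-result") != "clean":
        raise PermissionError(f"{key}: no clean scan verdict (tags={tags})")
    data = s3.get_object(Bucket=CLEAN_BUCKET, Key=key)
    if hashlib.sha256(data).hexdigest() != tags["scan-sha256"]:
        raise PermissionError(f"{key}: content changed since it was scanned")
    return data


def s3_event(bucket, keys):
    """Constructed notification in the shape of an S3 ObjectCreated event."""
    return {"Records": [{"s3": {"bucket": {"name": bucket}, "object": {"key": k}}}
                        for k in keys]}


def demo():
    """Push constructed uploads through the pipeline and report where each ended up."""
    s3 = MemoryS3()
    s3.put_object(Bucket=SOURCE_BUCKET, Key="features/part-0001.parquet", Body=b"PAR1 features")
    s3.put_object(Bucket=SOURCE_BUCKET, Key="uploads/invoice.pdf", Body=b"%PDF-1.4 " + EICAR)
    s3.put_object(Bucket=CLEAN_BUCKET, Key="bypass.bin", Body=b"\x00")  # written around the scanner
    event = s3_event(SOURCE_BUCKET, ["features/part-0001.parquet", "uploads/invoice.pdf"])
    verdicts = handle_s3_event(s3, event)
    rejected = []
    for key in s3.list_keys(CLEAN_BUCKET):
        try:
            read_verified(s3, key)
        except PermissionError:
            rejected.append(key)
    return {"verdicts": verdicts, "clean": s3.list_keys(CLEAN_BUCKET),
            "quarantine": s3.list_keys(QUARANTINE_BUCKET), "landing": s3.list_keys(SOURCE_BUCKET),
            "rejected_by_consumer": rejected}
```

Two design points carry over to a real deployment. The handler copies before it deletes, so an interrupted run leaves the object in the landing bucket to be rescanned rather than lost, and infected files are retained in quarantine rather than deleted so an incident responder can examine them. On the consuming side, `read_verified` fails closed: an object written straight into the production bucket around the scanner (the `bypass.bin` case) carries no tag and is refused, which is why the production bucket's policy should allow writes only from the scanner's role.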
You've learned to use Antivirus for Amazon S3 for retro scans, automated event-based scanning, and the two-bucket system.
By implementing these security controls and Cloud Storage Security antivirus, you build a comprehensive security framework meeting compliance and protecting against internal and external threats. Integration with native AWS services ensures seamless deployment.
Key takeaways:
- Implement access controls for authorized, need-based data access.
- Use the Antivirus for Amazon S3 free trial for testing and feature evaluation.
- Configure scan settings for multiple engines and appropriate infected file actions.
- Set up on-event scanning for new files and retro scans for existing data.
Read the full article on the AWS seller prime blog
https://aws.amazon.com/marketplace/build-learn/security/enhance-amazon-s3-data-security
About Cloud Storage Security
Cloud Storage Security (CSS) offers customers the ability to deploy multi-cloud, multi-account, and multi-resource malware scanning to protect the entirety of their storage suite under one console. Customers choose CSS’ solution because it:
- Offers flexible scanning models – Scan existing data on a scheduled basis, as data is written to storage repositories, or even before it is written
- Offers multiple malware scanning engines – Using multiple enterprise-grade engines reduces false positive and false negative rates
- Is simple to deploy, configure, and live with – Initial deployment can be performed in under 15 minutes. In-console quarantine, the ability to set up scanning for all storage resources in a single click, and minimal maintenance can all be performed from the console
Cloud Storage Security (CSS) also provides customers with flat-rate pricing based on cloud spend or number of employees, which allows customers to:
- Apply malware protection for their entire environment, including Amazon S3, Amazon EFS, Amazon EBS, Amazon FSx, Microsoft Azure Blob Storage, and Google Cloud Buckets
- Perform periodic rescanning to meet compliance requirements and detect dormant malware
If your organization is interested in learning more about securing its storage resources, get in contact with an SME at cloudstoragesecurity.com/contact or watch an in-depth demo at cloudstoragesecurity.com.
Organizations can also try out the solution for free for 30 days in AWS Marketplace.