TL;DR
Cloud Storage Security brings malware protection to Amazon EFS by scanning files in place inside your AWS account with multiple engines. You can run on demand or scheduled scans, apply tag, quarantine, or delete actions, and stream findings to CloudWatch and your SIEM. No data leaves your environment.
Keeping file storage secure in the cloud is a complex task. As environments grow, file data can spread across accounts and regions. That creates blind spots that attackers can exploit, leading to exposure, infections, and financial loss.
Amazon Elastic File System simplifies shared storage for application hosting, machine learning, media processing, content management, financial analysis, and high performance computing. While EFS includes strong native security controls, it does not scan files for malware by default. That is where Cloud Storage Security provides a critical layer of protection.
Cloud Storage Security adds proactive malware scanning to Amazon EFS and lets you detect and act on malicious content directly in your AWS account. The solution runs inside your environment, so no data ever leaves your control. With multiple scanning engines, automated actions, and detailed reporting through Amazon CloudWatch, it helps you stop threats before they spread.
Why Malware Protection for Amazon EFS Matters
Shared file systems are fast and convenient. That same accessibility can let infected files move across workloads. If a malicious object enters through one process or user, it can quickly reach others who share that storage. Scanning at the file system level helps prevent ransomware, trojans, and other threats from gaining a foothold.
By adding malware protection, security teams ensure that every file entering or leaving EFS is checked for risk. This keeps shared data clean and compliant.
Overview of Cloud Storage Security for EFS
Cloud Storage Security integrates with AWS native services for scanning, reporting, and policy enforcement without moving data out of your account.
Key capabilities include:
- In-tenant deployment that keeps all data inside your AWS environment
- Multiple scanning engines including Sophos, CSS Premium, and CSS Secure
- On demand and scheduled scanning to match your operations
- Policy actions to tag, quarantine, or delete infected files
- Visibility in the CSS console, Amazon CloudWatch, and Amazon DynamoDB
- Simple routing to your SIEM for incident response and audit evidence
How the Solution Works
Cloud Storage Security uses core AWS services to discover, scan, and record file activity.
- Discovery: The system identifies EFS file systems in your AWS account so you can choose what to protect.
- Mounting and Enumeration: It creates an access point and mounts the file system to scanning agents that run on AWS Fargate. One agent walks the directory structure and queues files in Amazon Simple Queue Service.
- Scanning: A second agent reads from the queue and scans each file directly on the mounted EFS. No data is copied or moved outside your environment.
- Actions and Reporting: Depending on your policy, infected files can be tagged, quarantined, or deleted. Results are stored in CloudWatch and DynamoDB for visibility and analytics.
For best performance, place scanning agents in the same Availability Zone and subnet as the EFS mount targets.

Validating with a Safe Test
You can confirm end to end scanning with a simple EICAR validation.
- Mount your EFS file system to an EC2 instance.
- Copy the EICAR test file to the EFS mount point using SCP.
- Run an on demand scan and confirm detections in the CSS console and the CloudWatch log group named CloudStorageSecurity.Agent.ScanResults.
This lets you verify that the solution detects and reports threats as expected.
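The validation walk-through above (and the matching FAQ answer further down) can be scripted. The script below is an added example, not tooling from Cloud Storage Security or from the AWS blog: it mounts the file system on the EC2 instance with amazon-efs-utils, generates the EICAR test file directly on the mount (a variation on the page's SCP step), verifies the file is byte-exact so a failed detection cannot be blamed on a corrupted test file, and then queries the CloudStorageSecurity.Agent.ScanResults log group with the AWS CLI. The file system id, mount path, test directory, file name and the one-hour lookback are assumptions to replace; the on demand scan itself is still started from the CSS console as the page describes, and the CloudWatch filter matches only the file name because the page does not document the scan result message format.

```shell
#!/bin/sh
# Added example for validating EFS malware scanning with the EICAR test file.
# Not Cloud Storage Security's own tooling. Values marked "assumed" or
# "placeholder" are illustrative and must be replaced for a real run.

EFS_ID="${EFS_ID:-fs-REPLACE-ME}"                    # placeholder file system id
MOUNT_POINT="${MOUNT_POINT:-/mnt/efs}"               # assumed mount path
TEST_DIR="${TEST_DIR:-$MOUNT_POINT/ingest}"          # assumed directory on the file system
TEST_FILE="eicar.com"                                # assumed file name
LOG_GROUP="CloudStorageSecurity.Agent.ScanResults"   # log group named on the page
# Published SHA-256 of the 68-byte EICAR test string, used to confirm the file is intact.
EICAR_SHA256="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# The EICAR string is assembled from two halves so this script is not itself
# flagged by endpoint antivirus; the concatenation is the standard test string.
eicar_string() {
  printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' 'ANTIVIRUS-TEST-FILE!$H+H*'
}

# Byte length of the test string; 68 when intact (no trailing newline).
eicar_length() {
  eicar_string | wc -c | tr -d ' '
}

# Write the test file to $1; succeed only if the written bytes are exact.
write_eicar_file() {
  dest="$1"
  eicar_string > "$dest" || return 1
  [ "$(wc -c < "$dest" | tr -d ' ')" = "68" ] || return 1
  [ "$(cat "$dest")" = "$(eicar_string)" ] || return 1
  return 0
}

# Optional stronger check: compare the file's SHA-256 with the published value.
verify_eicar_hash() {
  command -v sha256sum >/dev/null 2>&1 || return 2   # tool missing: inconclusive
  [ "$(sha256sum "$1" | cut -d ' ' -f 1)" = "$EICAR_SHA256" ]
}

# Mount the file system with amazon-efs-utils (TLS in transit); requires root.
mount_efs() {
  sudo mkdir -p "$MOUNT_POINT"
  sudo mount -t efs -o tls "$EFS_ID:/" "$MOUNT_POINT"
}

# After the on demand scan has run from the CSS console, list log events from
# the last hour (assumed lookback) whose message contains the test file name.
check_scan_results() {
  since=$(( ( $(date +%s) - 3600 ) * 1000 ))   # CloudWatch expects epoch milliseconds
  aws logs filter-log-events \
    --log-group-name "$LOG_GROUP" \
    --start-time "$since" \
    --filter-pattern "\"$TEST_FILE\""
}

main() {
  mount_efs
  sudo mkdir -p "$TEST_DIR" && sudo chown "$(id -u)" "$TEST_DIR"
  write_eicar_file "$TEST_DIR/$TEST_FILE" || { echo "test file is not byte-exact" >&2; exit 1; }
  verify_eicar_hash "$TEST_DIR/$TEST_FILE"
  echo "EICAR test file written to $TEST_DIR/$TEST_FILE."
  echo "Start an on demand scan in the CSS console, then run: $0 --check"
}

# Live steps run only on request, so the helper functions can also be sourced.
case "${1:-}" in
  --run)   main ;;
  --check) check_scan_results ;;
esac
```

Run `sh validate_efs_scan.sh --run` on the instance, start the on demand scan for that file system in the CSS console, and then `sh validate_efs_scan.sh --check` to pull the matching CloudWatch events; an empty result after the job reports completion under Monitoring → Jobs points at subnet or mount-target alignment rather than at the test file, which the script has already verified byte for byte.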
Deployment in Four Steps
Step 1: Subscribe in AWS Marketplace
Search for Cloud Storage Security Malware Protection for Amazon EFS and select the pay as you go free trial. Accept terms, choose console deployment, and continue to launch. Under Deployment template, choose Launch Malware Protection for EFS Deployment. This takes you to the CloudFormation console. If you prefer to deploy through Terraform, follow these steps.
Step 2: Deploy the CloudFormation Template
Provide your stack name, VPC ID, two subnets in different Availability Zones, an email for console access, and a console security group CIDR. When deployment completes, you will receive a console link and temporary password by email. Log in and change your password. Reference “Steps to deploy” in CSS Help Docs for more guidance.
Step 3: Configure Protection
In the CSS console, go to Protection → AWS → EFS file systems. Select the file systems you want to scan. Choose Scan Existing AV for an immediate sweep or Create AV Schedule for recurring jobs. Under Job Networking, confirm that the subnets align with your EFS mount targets.
Step 4: Review Results
Monitor progress under Monitoring → Jobs and view results under Findings. Files labeled as suspicious, infected, or unscannable will be listed with details. Results are also published to CloudWatch, where they can be exported or forwarded to your SIEM for incident response.
Best Practices
• Start with two scanning engines for balanced performance and coverage
• Prioritize high risk paths such as ingestion folders and restore directories
• Schedule scans during maintenance or low activity periods to minimize impact
• Keep results organized with regular exports for audit readiness
• Combine with EFS encryption, IAM policies, and network controls for layered defense
Clean Up
When testing or proof of concept work is complete, remove deployments from Monitoring → Deployment in the CSS console and delete the CloudFormation stack in the AWS console. This will stop any active resources and avoid unnecessary charges.
Conclusion
Amazon EFS delivers simplicity and elasticity for shared storage. Cloud Storage Security adds an essential layer of protection that ensures those files stay safe. By scanning data where it lives, inside your AWS environment, you eliminate blind spots and maintain control. The combination of multi engine detection, automated actions, and audit ready evidence gives teams confidence that their shared storage is secure.
Frequently asked questions
Does data ever leave my AWS account?
No. Cloud Storage Security is deployed in your account and scans files where they live on EFS.
Which detection engines are available?
Sophos, CSS Premium, and CSS Secure. Many teams start with two engines and tune from there.
Can I automate response?
Yes. You can tag, quarantine, or delete infected files and forward findings to CloudWatch and your SIEM.
How do I validate safely?
Mount EFS to a small EC2 instance, place the EICAR test file on the EFS mount, run an on demand scan, and review Findings and the CloudWatch log group described above.
Read the full AWS blog: Malware protection for Amazon Elastic File System with Cloud Storage Security
Explore our antivirus solution: Cloud Storage Security Antivirus for Cloud Storage