Antivirus Scan for Amazon S3 bucket with demo!!

Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. Many applications deployed in AWS cloud services rely on Amazon S3 for storage of data because of their ease of use. The data stored in Amazon S3 are often shared with downstream processes and users. Hence an infected file placed in S3 bucket can impact whole downstream processes that rely on that bucket for processing. There is high probability that you may see an infected file because files often get uploaded by third parties and you don’t get hold on every file that gets ingested. Also a file can possibly be infected with malware, viruses, ransomware, trojan horses, and more. In case of these malicious files being downloaded or accessed by downstream processes or users, the processing systems itself will get negatively impacted and it impairs the organization reputation. We need an automation process that takes control and notifies you in case of any malicious files being uploaded to the protected bucket.

Validating objects on Events (Create)

Cloud Storage Security, Antivirus Scan for Amazon S3 bucket comes for the rescue to avoid this issue. It is backed by dual virus detection engines, Sophos and ClamAV(open source engine). The solution is capable of scanning S3 objects as large as 5TB (the maximum S3 object size) and the scanned files/objects never leave your region that gives the user the confidence that the data is secure. Also, it supports four scanning methods — Event, Retro, API and Amazon S3 proxy.

• Event — scan new/modified objects
• Retro — scan existing objects
• API — scan objects inside or outside of AWS via a REST-based API before they are written to Amazon S3
• Amazon S3 Proxy — scan objects on intake before they are written or on access when they are retrieved by leveraging the Amazon S3 APIs you are already using (PUT, POST, GET)

The software provides scanning either on demand or real-time based on the configuration. You can pay only for what you scan. Please find the detailed steps below, demonstrating the object scanning for “Event” method.

Step 1: Go to AWS Marketplace and search for “Antivirus for amazon S3”, you will be listed with the options and choose Cloud Storage Security solution — Antivirus for Amazon S3.

Step 2: Subscribe to the solution by clicking on “Continue to Subscribe” button and this enables the service on your AWS account.

Once subscribed, click on “Accept Terms”

The Effective Date and Expiration Date will change to Pending and once approved, click the Continue to Configuration button.

Approved status:

At the end of this step, we are successfully subscribed to the service Cloud Storage Security Solution.

In the next window, we are asked to choose the configuration for the software. Leave the default values and click “Continue to Launch”.

At the bottom of the page, choose “Click to Launch Antivirus for Amazon S3 Deployment” under Deployment template. This will open up a separate tab for deploying the software as an Amazon Elastic Container Service (ECS) container and set of resources. This is done using a CloudFormation Template. The next step is to choose the required configurations to start the resources deployment.

The CloudFormation Template deploys the following resources once initiated,

1. ECS Fargate Cluster with 1 Service and Task
   (This is used to run the Antivirus for Amazon S3 Management Console)
2. DynamoDB; AppConfig
   (This is used to save data for the software)
3. IAM Roles and Policies
4. Cognito UserPool
   (Used for user management)
5. SNS Topic and CloudWatch Log Groups → Streams
   (These are used for logging and notification purposes)
6. Load Balancer (optional)

Step 3: The CloudFormation Template is used to install all resources required and run the software for antivirus scanning on S3 objects. In this post, we will follow the simple deployment set up. For the default simple setup, you have to specify the following 5 configurations to start the software.

1. Virtual Private Cloud ID
2. Subnet A ID
3. Subnet B ID (Both A & B ID should be different else error will be thrown)
4. Console Security Group CIDR Block to access the Antivirus for Amazon S3 Management Console from anywhere.
5. Email ID

Give the acknowledgement and click on “Create Stack”. The stack will have status changed from “CREATE_IN_PROGRESS” to “CREATE_COMPLETE” in a few seconds.

Once the stack is successfully created, navigate to the outputs tab and see the details like url for Antivirus for Amazon S3 Management Console, username and password (emailed to the email ID you have given previously).

Step 4: The final step is to set up the anti-malware detection.

Use the webaddress in the outputs tab to access the antivirus. A temporary password would have been sent to the email address you provided in the above step. Use it to set the new password and login to the app.

In below screenshot, you can see the homepage of the app.

Navigate to the Bucket Protection tab and you can see the list of buckets available in your account.

Choose the bucket you want to enable scanning and click on Actions and “Turn On Selected”.

You will be prompted to choose if you want to scan the existing objects in the selected bucket for Scanning. For this demo, I choose “Don’t Scan” to avoid any additional charges.

Once enabled, you can see the bucket being highlighted in green color to notify it is protected.

To validate the scanning process, I tried uploading a file to the protected bucket.

Once uploaded, click on the object and scroll down to the “Tags”, you can see the scan result.

Thats it!! Your bucket is now protected on new objects ingestion. With advanced configurations, you will have fine grained control over the protection process.