Amazon S3 Malware Scanning Using Trend Micro Cloud One and AWS Security Hub
By Suresh Kanniappan, Solutions Architect – AWS
By Tejas Sheth, Cloud Security Architect – Trend Micro
Cloud security is the highest priority at Amazon Web Services (AWS). With this in mind, AWS works closely with industry-leading partners such as Trend Micro to build security solutions for customers.
In this post, we share a malware scanning solution jointly built by Trend Micro and AWS that detects malware payloads uploaded to Amazon Simple Storage Service (Amazon S3) and automates the response. The solution uses Trend Micro threat intelligence capabilities and AWS Security Hub.
Trend Micro is an AWS ISV Partner with the Security Competency that delivers cloud-native security to automatically protect and scale across AWS, container, and hybrid environments.
Customers run various types of workloads on AWS that use Amazon S3, which is a highly scalable and durable object storage service for storing and processing sensitive data.
Malware protection of the data uploaded to S3 through an application is usually done through generic file type validation, but this is not an effective protection mechanism. Businesses need to scan the content written to S3 for malicious files and malware.
When dealing with malware, scanning isn’t the only problem; the bigger challenge is detecting malware quickly and acting on it. Malware finding alerts from Trend Micro can be integrated with AWS Security Hub for centralized event management and corrective actions, such as isolating the content and blocking the offending IP address and user agent.
Trend Micro Cloud One
Trend Micro Cloud One is a security services platform for cloud builders that enables AWS customers to secure cloud workloads with clarity and simplicity. It’s purpose-built security for cloud-native applications.
Trend Micro Cloud One uncovers indicators of compromise (IoCs) and indicators of attack (IoAs). It detects attacks on cloud workloads and container platforms and provides detailed root cause analysis.
The platform also integrates with developer tooling such as continuous integration/continuous delivery (CI/CD) pipelines, developer IDEs, and code repositories, giving developers faster feedback so that risk can be mitigated early in development.
For technical details, see the Trend Micro Cloud One documentation.
Figure 1 – Trend Micro Cloud One security services.
Cloud One File Storage Security is one of the security services in Trend Micro Cloud One. Cloud-native application architectures incorporate cloud file/object storage services into their workflow, creating a new attack vector where they are vulnerable to malicious files.
File Storage Security protects this workflow with serverless, event-driven malware scanning, integration into your custom workflows, and support for multiple cloud storage platforms.
How it Works
Cloud One File Storage Security looks for obfuscated or polymorphic variants of malware through fragments of previously seen malware and detection algorithms. It blocks known bad files using Trend Micro anti-malware signatures for all types of malware, including viruses, Trojans, spyware, and more. File Storage Security supports files of any size and of various types, including .BIN, .EXE, .JPEG, .MP4, .PDF, .TXT, .ZIP, and more.
Cloud One File Storage Security with AWS integration has four components:
- Storage stack
- Scanner stack
- Post-scan action
- Import findings to AWS Security Hub
Figure 2 – Malware Scanning Solution with AWS.
When a user or application writes or uploads a file to the staging S3 bucket, the Bucket Listener Lambda function is triggered to gather the object details and generate a pre-signed URL for that object. The pre-signed URL is passed to the Amazon Simple Queue Service (Amazon SQS) Scanner Queue in the Scanner stack.
The Scanner Lambda function retrieves the pre-signed URL message from the SQS Scanner Queue, fetches the file from S3 through the pre-signed URL, scans the file, generates file identification information, and sends that information to the Trend Micro Global Smart Protection Server in the cloud.
The Trend Micro Global Smart Protection Network scans the file identification information (and not the file). The scan results are sent back to the Scanner Lambda function.
The Scanner Lambda function publishes the scan results to the SNS ScanResult topic and sends the scan results to the File Storage Security console.
The possible post-scan actions include:
- Notify the user about the malware detection.
- Quarantine the malware-infected objects.
- Delete the malware-infected objects permanently.
- Create a delete object reference from the database (such as Amazon DynamoDB) for batch deletion.
This post specifically covers quarantining the malware-infected objects, which is the second post-scan action.
The SNS ScanResult topic notifies the custom post-scan Lambda function of each new scan result. The custom post-scan Lambda analyzes the scan result and either moves the file to the production bucket if it is clean, or quarantines the file in the quarantine bucket if malware content is detected.
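The custom post-scan Lambda described above, written out as an added example (this is illustrative code, not Trend Micro's own post-scan action). It assumes the scan-result message carries a `file_url` (an `s3://bucket/key` URL), a `scanner_status` that is 0 for a completed scan, and a `scanning_result.Findings` list; those field names and the bucket names are assumptions, and the sample messages are constructed. Objects are copied before the staging copy is deleted, and a scan that did not complete is quarantined rather than promoted, which is this example's fail-closed design choice rather than something the post prescribes.

```python
import json
import os
from urllib.parse import unquote, urlparse

# Assumed: the two destination buckets are passed to the function as
# environment variables; the defaults are constructed placeholder names.
PRODUCTION_BUCKET = os.environ.get("PRODUCTION_BUCKET", "example-production-bucket")
QUARANTINE_BUCKET = os.environ.get("QUARANTINE_BUCKET", "example-quarantine-bucket")


def parse_scan_result(message):
    """Return (bucket, key, findings, scanner_status) from one scan-result message.

    Assumed schema: 'file_url' is the s3:// URL of the scanned object,
    'scanner_status' is 0 for a completed scan, and 'scanning_result.Findings'
    lists detections as {'malware': <name>, 'type': <kind>}.
    """
    url = urlparse(message["file_url"])
    if url.scheme != "s3" or not url.netloc or not url.path.strip("/"):
        raise ValueError(f"file_url is not an s3://bucket/key URL: {message['file_url']!r}")
    key = unquote(url.path.lstrip("/"))
    findings = (message.get("scanning_result") or {}).get("Findings") or []
    return url.netloc, key, findings, message.get("scanner_status", -1)


def decide_destination(findings, scanner_status):
    """Fail closed: only a completed scan with no findings goes to production.
    A scan that errored out is treated like a detection and quarantined."""
    if scanner_status != 0 or findings:
        return QUARANTINE_BUCKET
    return PRODUCTION_BUCKET


def route_object(message, s3):
    """Copy the staged object to its destination, then delete it from staging.

    Copy first and delete second, so a failed copy leaves the object in
    staging instead of losing it. 's3' is a boto3 S3 client or a stand-in
    exposing copy_object/delete_object with the same keyword arguments.
    """
    bucket, key, findings, status = parse_scan_result(message)
    dest = decide_destination(findings, status)
    s3.copy_object(Bucket=dest, Key=key, CopySource={"Bucket": bucket, "Key": key})
    s3.delete_object(Bucket=bucket, Key=key)
    return {"source": f"{bucket}/{key}", "destination": dest,
            "malware": [f["malware"] for f in findings]}


def handle_records(event, s3):
    """Process every SNS record in a Lambda event (real SNS event shape)."""
    return [route_object(json.loads(r["Sns"]["Message"]), s3)
            for r in event["Records"]]


def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the routing logic above
    can be exercised without the AWS SDK installed."""
    import boto3
    return handle_records(event, boto3.client("s3"))


class FakeS3:
    """In-memory stand-in for the S3 client, used only for the offline demo."""
    def __init__(self):
        self.calls = []

    def copy_object(self, Bucket, Key, CopySource):
        self.calls.append(("copy", CopySource["Bucket"], CopySource["Key"], Bucket))

    def delete_object(self, Bucket, Key):
        self.calls.append(("delete", Bucket, Key))


# Constructed sample messages, not real scanner output.
INFECTED_MESSAGE = {
    "file_url": "s3://example-staging-bucket/uploads/sample-malware.txt",
    "scanner_status": 0,
    "scanner_status_message": "successful scan",
    "scanning_result": {"Findings": [{"malware": "Eicar_test_file", "type": "Virus"}]},
}
CLEAN_MESSAGE = {
    "file_url": "s3://example-staging-bucket/uploads/report%202024.pdf",
    "scanner_status": 0,
    "scanner_status_message": "successful scan",
    "scanning_result": {"Findings": []},
}


def demo():
    """Run both constructed samples through the router with the fake client."""
    s3 = FakeS3()
    event = {"Records": [{"Sns": {"Message": json.dumps(m)}}
                         for m in (INFECTED_MESSAGE, CLEAN_MESSAGE)]}
    return handle_records(event, s3), s3.calls


if __name__ == "__main__":
    for result in demo()[0]:
        print(result)
```

The Lambda's execution role needs `s3:GetObject` and `s3:DeleteObject` on the staging bucket and `s3:PutObject` on the production and quarantine buckets; keeping the quarantine bucket's policy free of any application write or read access is what stops a detected file from being served downstream.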
Import the Findings to AWS Security Hub
The SNS ScanResult topic also delivers each new scan result to the Security Hub Import Lambda function, which collects the details of the S3 object, the detected malware, and more. It then imports the finding into AWS Security Hub using a standard format, the AWS Security Finding Format (ASFF).
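An added example of the Security Hub Import Lambda's core step, converting a scan result into an ASFF finding and importing it with `BatchImportFindings`. This is illustrative code, not Trend Micro's serverless plugin. The product ARN follows the format shown in the plugin's application settings later in the post; the scan-result field names (`file_url`, `scanner_status`, `scanning_result.Findings`), the `GeneratorId` string, the `Types` classifier and the severity mapping are this example's own choices, and the sample message is constructed.

```python
import hashlib
import json
import os
from datetime import datetime, timezone
from urllib.parse import unquote, urlparse

# Assumed: account, region and product ARN arrive as environment variables,
# mirroring the plugin's application settings; the defaults are placeholders.
ACCOUNT_ID = os.environ.get("AWSACCOUNTNO", "111111111111")
REGION = os.environ.get("AWS_REGION", "us-east-1")
PRODUCT_ARN = os.environ.get(
    "AWSSecurityHubARN",
    f"arn:aws:securityhub:{REGION}:{ACCOUNT_ID}:product/{ACCOUNT_ID}/default")

BATCH_LIMIT = 100  # BatchImportFindings accepts at most 100 findings per call


def build_asff_finding(message, now=None):
    """Turn one scan-result message into an ASFF finding, or None when there
    is nothing to report (completed scan, no findings).

    Assumed message schema: 'file_url' is the s3:// URL of the object,
    'scanner_status' is 0 for a completed scan, and 'scanning_result.Findings'
    lists detections as {'malware': <name>, 'type': <kind>}.
    """
    url = urlparse(message["file_url"])
    bucket, key = url.netloc, unquote(url.path.lstrip("/"))
    findings = (message.get("scanning_result") or {}).get("Findings") or []
    status = message.get("scanner_status", -1)
    if status == 0 and not findings:
        return None

    now = now or datetime.now(timezone.utc)
    ts = now.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    names = sorted({f["malware"] for f in findings})
    # A deterministic Id means a re-delivered SNS message updates the same
    # finding instead of creating a duplicate.
    digest = hashlib.sha256(f"{bucket}/{key}|{','.join(names)}".encode()).hexdigest()[:32]

    if findings:  # detection: severity chosen for this example
        title = f"Malware detected in s3://{bucket}/{key}"
        description = f"File Storage Security detected {', '.join(names)} in the uploaded object."
        severity = "HIGH"
    else:  # scan did not complete: surface it so nobody assumes the object is clean
        title = f"Malware scan failed for s3://{bucket}/{key}"
        description = f"Scanner status {status}: {message.get('scanner_status_message', 'unknown')}"
        severity = "MEDIUM"

    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"fss/{bucket}/{key}/{digest}",
        "ProductArn": PRODUCT_ARN,
        "GeneratorId": "trend-micro-file-storage-security",  # chosen for this example
        "AwsAccountId": ACCOUNT_ID,
        "Types": ["TTPs/Initial Access/Malware"],  # classifier chosen for this example
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Label": severity},
        "Title": title[:256],
        "Description": description[:1024],
        "Resources": [{"Type": "AwsS3Object",
                       "Id": f"arn:aws:s3:::{bucket}/{key}",
                       "Region": REGION}],
        "Remediation": {"Recommendation": {
            "Text": "Confirm the object was moved to the quarantine bucket and "
                    "review the uploader's identity and source in CloudTrail."}},
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
    }


def import_findings(findings, securityhub):
    """Send findings in batches of BATCH_LIMIT; return (imported, failed) counts.
    'securityhub' is a boto3 Security Hub client or a stand-in with the same
    batch_import_findings keyword interface."""
    imported = failed = 0
    for i in range(0, len(findings), BATCH_LIMIT):
        resp = securityhub.batch_import_findings(Findings=findings[i:i + BATCH_LIMIT])
        imported += resp["SuccessCount"]
        failed += resp["FailedCount"]
    return imported, failed


def lambda_handler(event, context):
    """SNS-triggered entry point (real SNS event shape); boto3 is imported
    here so the builder can be exercised without the AWS SDK installed."""
    import boto3
    built = [build_asff_finding(json.loads(r["Sns"]["Message"])) for r in event["Records"]]
    return import_findings([f for f in built if f], boto3.client("securityhub"))


class FakeSecurityHub:
    """Records batches instead of calling the API, for the offline demo."""
    def __init__(self):
        self.batches = []

    def batch_import_findings(self, Findings):
        self.batches.append(Findings)
        return {"SuccessCount": len(Findings), "FailedCount": 0, "FailedFindings": []}


# Constructed sample message, not real scanner output.
SAMPLE_MESSAGE = {
    "file_url": "s3://example-staging-bucket/uploads/sample-malware.txt",
    "scanner_status": 0,
    "scanner_status_message": "successful scan",
    "scanning_result": {"Findings": [{"malware": "Eicar_test_file", "type": "Virus"}]},
}

if __name__ == "__main__":
    print(json.dumps(build_asff_finding(SAMPLE_MESSAGE), indent=2))
```

The execution role needs `securityhub:BatchImportFindings`, and the `ProductArn` must be the custom-product ARN for the same account and Region that the finding's `AwsAccountId` names, otherwise the import is rejected. Checking `FailedCount` in the response is what tells you that a malformed finding was silently dropped rather than recorded.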
The security and operations teams can use AWS Security Hub to analyze the malware findings and take remedial actions.
Prerequisites for the Malware Scanning Solution
For this walkthrough, you should be familiar with the following AWS services:
- AWS Security Hub
- AWS Serverless Application Model (SAM)
- Amazon S3
- AWS Identity and Access Management (IAM)
- AWS Lambda
- Amazon Simple Queue Service (SQS)
- Amazon Simple Notification Service (SNS)
- AWS CloudFormation
You should also have the following before deploying the malware scanning solution:
- AWS account
- AWS Security Hub enabled (see the AWS Security Hub user guide for how to enable it)
- You need three S3 buckets:
- Staging bucket
- Production bucket
- Quarantine bucket
- IAM user permissions to deploy a CloudFormation stack:
- Permission to deploy an AWS Lambda function
- Permission to configure an IAM role for the Lambda function
- Permission to configure an SNS subscription
- Trend Micro Cloud One Subscription
- Create a Cloud One account
- Subscribe to the 30-day trial
You need to complete the following steps to enable the S3 malware scanning solution:
- Enable Trend Micro Cloud One File Storage Security
- Enable post-scan actions
- Push malware findings to AWS Security Hub
Step 1: Enable Trend Micro Cloud One File Storage Security
Step 2: Enable Post-Scan Actions
To enable post-scan actions, follow the instructions in the Trend Micro GitHub portal.
Step 3: Push Malware Findings to AWS Security Hub
To push malware findings to AWS Security Hub, the serverless plugin needs to be deployed and configured with an SNS topic created by the Scanner Stack as part of enabling File Storage Security (Step 1).
Complete the following steps to deploy the serverless plugin to integrate AWS Security Hub with Trend Micro File Storage Security:
- Log in to AWS and open the serverless plugin from the AWS Serverless Application Repository link to deploy it.
Figure 3 – Cloud One File Storage Security Serverless Plugin for AWS Security Hub.
- In Application settings, enter your AWS Account ID and AWS Security Hub ARN as follows:
- AWSACCOUNTNO: <Provide your AWS Account ID>
- AWSSecurityHubARN: arn:aws:securityhub:<REGION>:<AWSACCOUNTNO>:product/<AWSACCOUNTNO>/default
Figure 4 – Cloud One Serverless Plugin for AWS Security Hub – application settings.
- Copy the ScanResultTopicARN from the scanner CloudFormation stack output (from Step 1).
Figure 5 – Cloud One File Storage Security deployment output from step 1.
- Enter the ScanResultTopicARN for the serverless application parameter, provide acknowledgment to create the custom IAM role, and select Deploy.
Figure 6 – Cloud One Serverless Plugin for AWS Security Hub – Application Settings.
- To verify that deployment of the serverless plugin was successful, check that the Status field shows Create complete.
Figure 7 – Cloud One Serverless Plugin for AWS Security Hub – Deployment Status.
Step 4: Validation
To test your malware scanning solution deployment, you need to trigger a malware detection using the EICAR test file.
- To create the EICAR test file:
- Temporarily disable the virus scanner on your laptop or server; otherwise, it will detect the EICAR file and delete it.
- Create a sample-malware.txt file and paste the following sample malicious content.
Important: The preceding string creates a standard anti-malware sample that doesn’t harm the system. Because anti-malware on your testing laptop is off, we strongly recommend performing this test in an isolated environment.
- Add the EICAR test file to your staging S3 bucket:
- In the AWS console, go to Services > S3 and find the staging S3 bucket to scan.
- Select Upload and upload the sample-malware.txt file. File Storage Security scans the file and detects the malware.
- Examine the quarantine bucket and check that the malicious sample file has moved from the staging bucket to the quarantine bucket.
Figure 8 – Malware-infected object moved to quarantine S3 bucket.
- You can see the scan results on the AWS Security Hub findings page.
Figure 9 – Malware-infected Objects Finding in AWS Security Hub.
- After testing is complete, re-enable your virus scanner.
In this post, we described how to detect, quarantine, and manage malware-infected objects in Amazon S3 using Trend Micro Cloud One File Storage Security and AWS Security Hub. We hope this helps you to integrate AWS Security Hub with Trend Micro File Storage Security and manage malware findings through AWS Security Hub.
For deployment support, reach out to Trend Micro for assistance validating File Storage Security.
Trend Micro – AWS Partner Spotlight
Trend Micro is an AWS Competency Partner that helps you build secure, ship fast, and run anywhere with security-as-code, continuous automation, and tools designed to secure applications across your evolving hybrid environment.