Best Practices from OPSWAT to Secure AWS Applications from File-Borne Threats
By Adam Rocker, Sr. Product Manager, Application Security – OPSWAT
By Akshara Shah, Sr. Solutions Architect – AWS
Digitally transformed enterprises often rely on cloud-native applications to transfer business-to-business files, handle customers’ personal data, or communicate with internal and external stakeholders to maintain business productivity and continuity.
However, these file upload portals can expose threat vectors which create cybersecurity risks, leaving organizations vulnerable to malware infiltration, data breaches, and ransomware which can lead to financial and reputational damage.
Threat actors can upload malicious files to an enterprise network to gain control of their infrastructure; or internal employees can inadvertently reveal personally identifiable information (PII), protected health information (PHI), or proprietary data, causing their organization’s sensitive data to be compromised.
While a variety of security mechanisms exist within Amazon Web Services (AWS) to protect the integrity of the hosted network, organizations must not ignore the security within the network. This shared responsibility requires security architects to take proactive measures to detect and prevent zero-day risks and other malware at the perimeter of their network.
In this post, we will discuss potential risks associated with cloud applications that handle file uploads and transfers, and some of the best practices to help mitigate these risks. We’ll also provide guidance on modern threat prevention technologies, such as OPSWAT MetaDefender, that can help augment and automate the cybersecurity defense in an AWS enterprise cloud infrastructure.
Risks Associated with File Upload Applications
Applications that frequently handle file transfers—whether resumes, invoices, financial forms, installers, or patches—can become a target for cyberattacks.
Some main types of risks with file upload applications include:
- Attacks on infrastructure: Threat actors can exploit vulnerabilities to upload malicious content which overwrites an existing file. For example, if an .htaccess file is compromised, they can use the new file to launch a server-side attack. This can cause the web application to stop functioning or compromise the security settings, and allow attackers to upload more malicious content or install and distribute ransomware.
- Attacks on your users: Attackers can leverage social engineering to lure internal users to open an uploaded malicious file. This may be an exploit, malware, malicious script, or macro, and it allows the attacker to gain control of infected users’ machines the moment the file is opened or downloaded.
- Disruption of services: Threat actors can launch a flood attack (or DDoS) where extremely large or complex archives or a specially crafted “zip bomb” is uploaded to the file portal. This causes high resource consumption on the server, and disrupts the organization’s business continuity.
Shared Responsibilities in Web Application Security
The AWS Shared Responsibility Model suggests that security and compliance should be mutual between AWS and customers. The shared responsibilities help customers offload some operational burdens, as AWS provides security controls for the infrastructure—from the operating system layer, identity and access management (IAM) roles, and virtualization layer to the physical facilities.
Meanwhile, AWS customers are responsible for securing their platforms, applications, systems, and networks deployed in the cloud, as well as the content hosted within the cloud.
Preventing Malicious File Uploads in AWS Web Applications
Best practices are developed to provide administrators with a shortcut of sorts, outlining the important but sometimes overlooked low-hanging fruit when implementing effective network security. These best practices act as the nearly universally agreed-upon simple security rules to reduce threat exposure.
Taking advantage of these allows security admins to implement tried and tested controls that help reduce the level of white-noise distractions so they can focus on higher severity issues.
Using this checklist for inspiration, here are some proactive measures organizations can take to prevent malicious files from entering their web application portals:
- Only allow specific file types: Malware and malicious payloads can be hidden within many common productivity file types. Filtering out file types that do not conform to the organization’s security policy can help avoid unnecessary cybersecurity risks. OPSWAT recommends organizations make strategic decisions on which kinds of files employees and users need, and which are considered unnecessary. Limiting certain file formats does not guarantee complete protection against malicious file uploads, but it’s a start to eliminating risks.
- Verify file types: In addition to restricting the file formats, it’s important to ensure no malicious files are disguised under a legitimate file type. Spoofing the true file type is a common method for hiding malicious software. For example, if an attacker renames a malware-laden .exe file to .docx, the file can pass an extension-based check as a Word document when, in fact, it is not. Therefore, it’s essential to implement a solution that identifies the true, original file type from its content to prevent this attack technique.
- Scan all incoming files for malware: Every file entering an application should be scanned for potential threats. Enterprises can minimize risks by implementing multiscanning—a technology utilizing multiple anti-malware engines (with a combination of signatures, heuristics, and machine learning detection methods) to yield the fastest and highest malware detection rate.
- Remove possible embedded threats: Malware is evolving and increasing in complexity, allowing it to evade traditional defense systems. For instance, zero-day malware can easily bypass signature-based antivirus engines which limit detection to only known threats. Moreover, productivity files such as Microsoft Office, PDF, and image files can contain embedded threats in hidden macros and scripts. These threats are also not always detectable with anti-malware engines. One effective prevention-based methodology that can remove any potential malicious embedded object is Content Disarm and Reconstruction (CDR).
- Set limits on file name length and file size: To reduce the risk of a DDoS or flood attack that can lead to business service disruption, it’s best practice to restrict the number of characters in file names and set a maximum size for file uploads.
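As an added example (not OPSWAT’s or AWS’s code), the checklist above as one upload validator in Python: an extension allowlist, a content check that catches a renamed .exe, a structural check that a .docx really is an Office package, name and size limits, and an expansion-ratio check for the zip bombs mentioned earlier. The policy values and sample uploads are constructed for the example; malware scanning and CDR are left to an engine such as MetaDefender.

```python
import zipfile
from io import BytesIO

# Policy limits below are constructed for this example; tune them to your own policy.
MAX_NAME_LEN = 100                 # characters in the submitted file name
MAX_SIZE = 10 * 1024 * 1024        # 10 MiB per upload
MAX_EXPANSION = 100                # uncompressed:compressed ratio before we call it a zip bomb
MAGIC = {                          # allowlisted extensions and the leading bytes they must carry
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "docx": b"PK\x03\x04",         # OOXML documents are ZIP containers
    "zip": b"PK\x03\x04",
}

def validate_upload(name: str, data: bytes) -> list:
    """Return the policy violations for one upload; an empty list means accept."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append("file name exceeds %d characters" % MAX_NAME_LEN)
    if len(data) > MAX_SIZE:
        problems.append("file exceeds %d bytes" % MAX_SIZE)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in MAGIC:
        return problems + ["extension not on the allowlist: %r" % ext]
    # Trust the bytes, not the name: a renamed .exe starts with "MZ", not the expected magic.
    if not data.startswith(MAGIC[ext]):
        looks_like = "a Windows executable" if data.startswith(b"MZ") else "an unknown format"
        return problems + ["content of %s is %s, not a .%s" % (name, looks_like, ext)]
    if ext in ("zip", "docx"):
        problems += check_archive(data, require_ooxml=(ext == "docx"))
    return problems

def check_archive(data: bytes, require_ooxml: bool) -> list:
    """Reject corrupt archives, non-OOXML .docx files and archives that expand suspiciously."""
    try:
        with zipfile.ZipFile(BytesIO(data)) as zf:
            infos = zf.infolist()
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["archive is corrupt or not a ZIP container"]
    if require_ooxml and "[Content_Types].xml" not in names:
        return ["ZIP container lacks [Content_Types].xml, so it is not an Office document"]
    compressed = sum(i.compress_size for i in infos) or 1
    expanded = sum(i.file_size for i in infos)
    if expanded / compressed > MAX_EXPANSION:
        return ["archive expands %dx, above the %dx limit" % (expanded // compressed, MAX_EXPANSION)]
    return []

def make_zip(entries: dict) -> bytes:
    """Build a small in-memory ZIP from {name: bytes}; used only to construct sample uploads."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()
```

A file that passes every check here is only known to be well-formed and within policy; it still goes to the multiscanning and CDR stages described next.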
Protect Cloud-Native Apps with OPSWAT MetaDefender
OPSWAT MetaDefender is available in AWS Marketplace and is a leading platform for detecting and preventing malicious file uploads. It offers an advanced, multi-layered security platform for enterprise cloud assets in AWS.
The solution helps prevent known and unknown malware and advanced persistent threats (APTs) from infiltrating AWS cloud deployments, protecting enterprise-critical data from deliberate theft and inadvertent breaches.
Key features of OPSWAT MetaDefender include:
- Multiscanning: Utilizes 30+ commercial anti-malware engines to proactively detect over 99% of known malware via signatures, heuristics, and machine learning.
- Deep CDR (Content Disarm and Reconstruction): OPSWAT proprietary data sanitization technology eliminates zero-day and unknown malware, even when hidden deeply inside productivity files, images, or archives.
- Proactive DLP (Data Loss Prevention): Helps manage compliance and regulate data from leaving or entering the organization’s systems.
- File-based vulnerability assessment: Scan and analyze binaries and installers to detect application vulnerabilities (CVEs) before they are executed on endpoint devices.
- Actionable intelligence: Clear and concise dashboard highlights the threats and vulnerabilities affecting your data.
- Malware analysis and investigation support: Cloud-native sandbox integration allows for rapid extraction of indicators of compromise (IOCs) and actionable contextual clues to inform incident response teams.
Figure 1 – OPSWAT MetaDefender threat detection and prevention features.
Benefits of OPSWAT MetaDefender include:
- Comprehensive threat detection and prevention in one platform.
- Protect AWS-hosted networks and applications against known and unknown malware, APTs, evolving sophisticated malware, zero-day attacks, application vulnerabilities, and sensitive data breaches.
- Simple deployment via REST API, webhook, Internet Content Adaptation Protocol (ICAP), or native Amazon Simple Storage Service (Amazon S3) integration.
- High performance and scalability to any volume; fast scanning and reconstruction without affecting performance.
- Low total cost of ownership (TCO) with single-source licensing and updating.
OPSWAT MetaDefender on AWS
The MetaDefender platform gives you the flexibility to incorporate a comprehensive security platform within your existing AWS infrastructure via deployment options that work seamlessly with your technology stack.
AWS deployment options include:
- MetaDefender Core Container: Automated deployment and on-demand scaling in a stateless microservices environment; supports Amazon Elastic Kubernetes Service (Amazon EKS) and container environments (such as Docker).
- Packaged installer: Deploy the application to a self-hosted operating system (OS) on-premises or in AWS.
- Amazon Machine Image (AMI): Pre-configured image which contains all information required to launch one or more instances of the application within Amazon Elastic Compute Cloud (Amazon EC2).
Figure 2 – MetaDefender Core Container provides native support for Amazon EKS.
Use Cases and Integration Options
MetaDefender offers several integration options to streamline deployment within your existing AWS environment. In addition to an extensive API which allows developers to connect custom applications hosted in AWS, it offers native Amazon S3 storage support and direct integration with the most common security appliances used to protect self-hosted web applications.
Amazon S3 Use Cases
Following the AWS Shared Responsibility Model, AWS provides the data availability, data resiliency, and underlying infrastructure to provide for security of the Amazon S3 storage environment.
It’s still incumbent upon a network’s security architect to provide file security for the data stored within S3. These responsibilities include maintaining regulatory compliance (PCI-DSS, HIPAA, GDPR, NIST), protecting against malware entering the application or storage environment, implementing access controls and identity management, and preventing data leakage, among others.
Figure 3 – Compliance standards and regulations.
A data protection strategy should also include functionality that extends beyond legacy antivirus protection to counter the ever-expanding threat landscape and targeted malware. This may include advanced technologies that analyze files using multiple commercial antivirus scan engines, sanitize data to remove embedded or unknown threats, and prevent sensitive data leakage.
This combination of security measures provides robust protection for the S3 storage environment:
- Inspect and sanitize files in real-time as they are uploaded or updated in S3.
- Prevent latent outbreaks by sanitizing backup and recovery files.
- Protect sensitive data to maintain compliance and organizational integrity.
AWS-Hosted Web Application Use Cases
The AWS Shared Responsibility Model also applies to network traffic moving through web applications hosted in AWS.
AWS network and application protection services provide fine-grained network protection at the host, network, and application-level boundaries. These measures secure the environment from network-based threats, but do not offer visibility into the file content contained within the network traffic.
MetaDefender offers AWS security architects the option to seamlessly integrate deep content inspection to secure web applications from malicious file uploads, fulfilling the customer responsibilities.
MetaDefender integrates with any network security appliance that supports ICAP, making deployment to your AWS environment a plug-and-play integration, without the need to modify your existing infrastructure.
In addition, MetaDefender offers a certified NGINX module to secure NGINX Open Source and NGINX Plus for Amazon EKS environments. This enables modern application teams to easily incorporate a comprehensive file security layer as they adopt the microservices architecture.
- Sanitize all financial information, resumes, invoices, and other productivity documents prior to being uploaded to a web application.
- Additional layer of content inspection at the perimeter of the network (shift left security).
- Inspect and sanitize content within SSL network flows.
Figure 4 – MetaDefender ICAP Server is a plug-and-play solution for network traffic security.
With leading malware prevention technology, OPSWAT web application security offers a comprehensive threat prevention solution for networks hosted in AWS.
The OPSWAT MetaDefender platform provides enterprises with an additional security layer, helping detect more malware faster, prevent zero-day attacks, and maintain regulatory compliance.
MetaDefender offers flexible deployment options and a plug-and-play solution that can easily integrate with your existing architecture. Whether securing web applications or enterprise file storage, OPSWAT can help protect your data, employees, and customers.
OPSWAT – AWS Partner Spotlight
OPSWAT is an AWS Security Competency Partner that provides software solutions to secure and manage IT infrastructure, protecting devices and helping secure digital data flow.