Malware Scanning for Regulated Workloads on AWS with Cloud Storage Security
By Sarah Heiermann-Walker, Director of Marketing – Cloud Storage Security
By John Tonini, VP Sales – Cloud Storage Security
By Michelle Peterson and Gregory Carpenter, Security Partner Strategists – AWS
|Cloud Storage Security|
United States federal government agencies and contractors are required to comply with National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) to protect their data and information systems, and many state and local governments follow suit as a best practice.
NIST 800-53 Revision 5 has dozens of controls referencing malicious code, with the System and Information Integrity family control SI-3 explicitly covering malicious code protection.
Agencies that collect and serve data need to integrate malware scanning into that process for data security and compliance purposes; for example, storing objects that may be infected with malware, viruses, or other malicious files without scanning them for advanced threats may become a vector for virus payloads.
In line with the AWS Shared Responsibility Model, it’s up to the cloud customer to ensure their data is free of malware; Amazon Web Services (AWS) does not scan the data going into or out of managed storage services for advanced threats on the data going into or out of managed storage services.
The U.S. government-wide Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach by which cloud service offerings (CSOs) undergo security assessment, authorization, and monitoring in order to gain clearance for use by federal agencies.
FedRAMP security control requirements comprise the most recent version of NIST 800-53 for moderate or high impact levels in accordance with Federal Information Security Modernization Act (FISMA) of 2014.
Many of the requirements for meeting and maintaining a secure environment can be met by using AWS FedRAMP-authorized regions and services, which can simplify and reduce costs of the process. Over 2,000 government agencies and other entities that provide services to government agencies are using AWS services today.
Cloud Storage Security (CSS) is an AWS Public Sector Partner and AWS Marketplace Seller with an AWS qualified software offering, AWS Security Competency, and an AWS Global Security & Compliance Acceleration designation. CSS helps customers automate and accelerate compliant workloads on AWS through its malware detection, sensitive data discovery, and storage assessment solutions for AWS cloud storage services.
In this post, we discuss how Antivirus for Amazon S3 by CSS can be used to automate malware scanning for application workflows or data ingestion pipelines to achieve data security and compliance.
AWS Services, Regions, and CSS Inherited Controls
AWS services within various AWS regions can be leverage along with CSS-inherited controls to support FedRAMP. This includes services within AWS US East-West commercial regions authorized at FedRAMP Moderate and AWS GovCloud (US) regions at FedRAMP high. This means agencies can place their moderate-impact classified workloads on AWS US East-West and high-impact classified workloads on AWS GovCloud (US).
A comprehensive list of the covered AWS services that are in scope within each region can be found in the AWS Services in Scope by Compliance Program.
CSS solutions are built on AWS using AWS FedRAMP Authorized Services and operate out of the customer’s AWS environment. When software sits on a FedRAMP Authorized infrastructure, it inherits controls are inherited from that authorized system. The AWS services CSS is built on and integrates with are at the classified impact level determined by the agency’s FedRAMP Moderate or FedRAMP High requirement.
Figure 1 – AWS services used by CSS and their FedRAMP status.
Building Compliant Workloads with Antivirus for Amazon S3
Organizations that are or looking to be compliant with regulated framework(s) need to continually improve and maintain their security posture. To do this they utilize automation, including but not limited to CSS’ automation of:
- Infrastructure as code (IaC) via use of AWS CloudFormation and configuration rules.
- Account protections using multi-account protection via AWS Control Tower.
- Processes that initiate malware scanning in real-time or by schedule.
CSS’s Antivirus for Amazon S3 is an AWS Fargate, container-based solution that can run in AWS commercial and AWS GovCloud (US) regions. One container houses CSS’ management console and the other more prevalent set comprises scanning agents. The solution deploys into the customer’s AWS environment so data never leaves the environment. A CloudFormation template simplifies and automates deployment.
Protection is also automated. Once deployed, Amazon Simple Storage Service (Amazon S3) buckets are auto-discovered and cataloged for any connected AWS accounts. Newly-created buckets can automatically be protected by CSS malware scanning through bucket tagging.
Additionally, multiple accounts can be protected from within the CSS console and CSS’s integration with AWS Control Tower streamlines the account protection process by using linked accounts to automatically connect new accounts to the CSS console.
Scanning Engines, Models, and Flow
Agencies have used Antivirus for Amazon S3 to easily baseline existing data as well as scan new data, including files as large as 5 TB in size (the maximum individual object size allowed by Amazon S3).
Sophos and Crowdstrike scanning engines are available for use within multiple scan models to identify and analyze malicious code at petabyte scale across all S3 buckets. The engines can be used independently or, for higher efficacy, together.
To achieve real-time continuous data scanning, new data can be automatically scanned when dropped into storage using the event-based scan model, on intake before it’s written, or on access when it’s retrieved. Existing data can be scanned on demand or via schedule using the Retro model. Scan types function independently of one another so they can run at the same time without affecting each other’s performance.
When a scan completes, a verdict is generated and an alert is shared via Amazon Simple Notification Service (SNS). Real-time notifications can be sent to the systems and tools that an agency already has in place.
If an object is found to be infected, it may be quarantined, deleted, or kept in place. If additional investigation of a problem file is warranted, the file can be sent to SophosLabs Intelix to undergo static and dynamic analysis.
All components deployed, created, and installed run inside of the agency’s AWS account; CSS does not host any of them. All scanning is performed close to the data inside the agency’s account; in-region, none of the objects/files are sent outside of the account, with the exception of files that are sent to SophosLabs Intelix for analysis.
Figure 2 – Sample authorization boundary for CSS malware scanning.
Agencies have initiated the solution using a private deployment, eliminating all non-AWS service public internet connections, where the components run in virtual private clouds (VPCs) and private subnets with no public IPs assigned.
VPC endpoints can be used to keep traffic contained, although the CSS console leverages three AWS services that do not have VPC endpoints today and require outbound internet access to interact with: AWS Marketplace (for procurement), Amazon Cognito (for user management), and AWS AppConfig.
The VPC with the Fargate task running the CSS console requires access to these three services, but the agents do not so you can lock the more prevalent agent VPCs down to have no outbound internet access. In order to use these services and provide for an outbound route, a Network Access Translation (NAT) Gateway or Proxy Server is required.
AWS Marketplace solutions include pay-as-you-go and bring-your-own-license (BYOL) models, each with a 30-day free trial. The agent requires only one service: AWS AppConfig. Optionally, AWS Security Hub is another service the agent can leverage.
Antivirus for Amazon S3 is self-hosted and available in AWS Marketplace with a 30-day free trial to deploy and test out the application’s functionality. Pricing is determined by the number of gigabytes scanned and on a pay-as-you-go basis. You also have the option to purchase a custom license through AWS Marketplace private offers or Cloud Storage Security directly.
To use Antivirus for Amazon S3, you’ll need to:
- Use an existing AWS account or sign up for an AWS account.
- Have Amazon S3 access.
- Have AWS Identity and Access Management (IAM) user permissions to deploy a CloudFormation stack.
- Sign up for (or already be enrolled in) a free trial of Antivirus for Amazon S3 via AWS Marketplace (if needed, learn how to subscribe).
From there, follow the How to Deploy section of the Cloud Storage Security help docs to set up and run the default deployment of Antivirus for Amazon S3 in as little as 15 minutes.
U.S. federal government agencies and contractors are required to understand whether a solution will process or store data and how it will or will not impact the compliance of the data environment. In this post, we discussed FedRAMP implications for malware scanning and introduced a solution built on and powered by AWS.
Customers install the Antivirus for Amazon S3 product into their own environment and are not required to share their data. Antivirus for Amazon S3 supports scanning AWS storage services beyond Amazon S3.
Customers can choose from a variety of scanning models, employ Sophos and Crowdstrike scanning engines and scan large files, and take advantage of the solution’s benefits:
- Real-time continuous data scanning
- Automated protection
- Easy upgrades
- Automated deployment and protection
- Centralized protection
Cloud Storage Security – AWS Partner Spotlight
Cloud Storage Security (CSS) is an AWS Public Sector Partner that prevents the spread of malware, locates sensitive data, and assesses storage environments for applications and data lakes that use AWS storage services.