There are hundreds of Amazon Web Services (AWS) that make it easier to deploy infrastructure and workflows. Services such as Amazon EC2, AWS Elastic Beanstalk, and AWS Lambda help set up environments for websites, databases, and virtual machines, as well as scale part of an application quickly and easily.
All these services are useful, but with new services continually developed, it is challenging to keep up with how each one may affect the security posture of your applications and development processes. You must ensure your services and processes are secure and able to support exceptions.
Though it can be difficult to determine which set of services is most appropriate for your needs, file-based services are almost always required. File sharing is essential to many industries yet poses a significant risk if handled insecurely.
This article explores how to secure infrastructure and automate file scanning to protect your environments.
File Storage and Security Vulnerabilities
The ingestion and storage of files is critical for many processes and services. Digital files are transmitted for a wide range of reasons such as financial contracts, health care documents, insurance claim images, media file transfers, and resumes.
Developers increasingly rely on cloud storage for data to support the scalability and agility of serverless architecture. While cloud vendors are responsible for the security of the cloud and the underlying infrastructure, security in the cloud—user and configuration management, as well as data security—falls to the customer.
File Scanning Tips
Scanning files and quarantining anything suspect are essential steps that keep your systems safe. Most of the time, especially with asynchronous and microservice-based systems, teams can automate these steps without affecting users or process performance. However, a crucial part of successful file security is supporting backend scanning with frontend remediation steps. This requires automation processes to deal with quarantined files to determine the threat, mitigation, and any workflows that need to be enacted.
Many times this is done with large files and code scanning but overlook file storage and the Amazon Simple Storage Service (Amazon S3) infrastructure that supports applications and the files that traverse it. There could be millions of files that pass through a system, all the while posing a risk to your environment.
Small files may seem inconsequential, but as cloud-native application architectures incorporate cloud file/object storage services into their workflow, they create a new attack vector that is vulnerable to malicious files. Storing data in Amazon S3 buckets is great for flexibility and can scale to meet the needs of application developers and IT requirements. However, as the number of Amazon S3 buckets increases and more applications look to store new forms of data, it can be harder to track the data and who has access to it.
Cloud Storage Pitfalls
In particular, misconfiguration of cloud storage buckets can have serious consequences. While AWS has designed Amazon S3 servers to be private by default, it is not uncommon for Amazon S3 users to accidentally misconfigure buckets, making them publicly accessible via the internet. A misconfigured cloud storage bucket or a lack of password could grant access to production logs, descriptions of server architecture and passwords, and login credentials. Database breaches of public services such as hotels or banks could, for example, expose the personal details of clients, including bank details, full names, and national ID numbers. This data could be used to commit identity fraud or execute phishing attacks.
Attacks on cloud security are increasing. While human error can open backdoors for bad actors, vulnerabilities are incredibly lucrative for cybercriminals. There are instances where threat actors use software to automatically scan for buckets with misconfigured permissions, which allow anyone to view and edit the files within. There are also occasions where cybercriminals upload infected files, which makes users who access these files spread their malware.
Designing Strong Security Solutions
Fortunately, there are effective strategies for mitigating such risks. By default, all Amazon S3 buckets are private and can be accessed only by users that are explicitly granted access. When using AWS, it’s best to restrict access to your resources to the people who absolutely need it. Follow the principle of least privilege by only giving users the minimum level of access required to perform their tasks. Bucket policies and permissions, or identity and access (IAM) policies, can be set to limit access to select people, requiring multi-factor authentication (MFA) and using a specific IP or virtual private cloud (VPC). This means administrators can block public access to prevent those with permissions from opening a bucket to the public, regardless of the Amazon S3 bucket policy.
The ability to monitor, review, and revise the security of stored files continuously is critical for successful file storage security. You need a clear inventory of what files and objects exist (including legacy files), in what format, and the permissions and access rights. There are many software options that can facilitate this process. However, the process needs to not only to flag and quarantine files—but also support the teams that monitor and check events. Automating and continuing downstream processes when files are quarantined ensures your workflow is uninterrupted.
To successfully combat security breaches stemming from the files landing in your cloud storage, it is necessary to design and assign tasks to ensure that remediation happens swiftly. This includes deploying tasks in a certain time frame for specific people or teams to check the quarantined files and follow up on the affected process. For example, you may decide that only specific admins can manage files that were quarantined as malware. Proper guardrails on specific processes prevent transactions from ending abruptly so you are not disrupted in the event of a single file error. Event-driven functions can pick up the process and route messages based on who should have received the file and who sent it.
Introducing File Storage Security
File Storage Security is a serverless solution based on AWS Lambda architecture. It can help you quickly and easily implement scanning and remediation processes for your cloud storage. Scanning for all kinds of malware, including viruses, trojans, spyware, and more, is triggered when files, like PDFs, ZIP files, and MP3s, are uploaded to Amazon S3 buckets. You can scan files within your current Amazon S3 bucket or move them to a temporary bucket to scan.
After scanning, this service posts results to an Amazon Simple Notification Service (SNS) topic where you can configure actions and build remediation and notification workflows. This could be as simple as moving the object to a holding bucket for malicious files, deleting the file, and creating a notification action that informs the sender and receiver of the issue.
Alternatively, you can use the API to build a process to surface the results in a variety of ways, including directly notifying internal resources of a potential issue. You can configure specific reactions to certain threats, determining when to restore before remediation, and when to remove remediated threats.
Over the last decade, we’ve seen the value of cloud computing soundly validated. Developers benefit from the advantages of using on-demand, scalable cloud models as cloud adoption grows. But like any digital effort, cloud computing security needs to be rigorously and continuously monitored, reviewed, and revisited as new vulnerabilities occur. Ensuring your systems can handle malicious files requires more than just “scan and forget.” By making sure remediation steps are in place, you enable your processes to run without user interruption.
Trend Micro makes it easy to improve your file infrastructure security. Get started today with a free trial of File Storage Security and other solutions within the Trend Micro Cloud One™ platform. It’s as easy as logging into your cloud account—just follow these simple step-by-step instructions.