Imagine customers uploading attachments to S3 to share them with other customers. Or partners uploading data to your S3 bucket to trigger business processes that download directly from S3. What could go wrong? A file uploaded to S3 could be infected. Malware, like a virus or ransomware, is a cyber security threat first seen in 1971. Since then, the number of different kinds of malware has exploded. It's common practice to scan all files that enter (and sometimes leave) your security perimeter, usually your corporate network, by inspecting network traffic.
Moreover, many companies install malware scanners on all servers and clients to scan all files that are stored on (and sometimes accessed from) disk. But in the cloud era, files can be uploaded directly to Amazon S3, bypassing your corporate network. You can access S3 objects without persisting them to disk first, bypassing traditional malware scanners. We need to scan all uploads to Amazon S3 as well! That's what Amazon GuardDuty Malware Protection for S3 is all about.
In the following post, I'll dive deep into Amazon GuardDuty Malware Protection for S3. I have a lot of experience in this area. In 2015, I launched an open-source project to scan files uploaded to Amazon S3. In 2019, I co-founded bucketAV, antivirus protection for Amazon S3. I might be biased, but I've seen a lot of customer use cases; judge for yourself.
Scan modes
Amazon GuardDuty Malware Protection for S3 can scan files in real time, right after the file is uploaded. Unfortunately, that's it. Each file is scanned only once. There is no way to trigger a scan programmatically. It is also not possible to scan files just before a download happens.
Imagine a file uploaded a year ago. In the meantime, a new security vulnerability is disclosed. Unfortunately, the bad guys knew about the vulnerability long before and actively used it to attack victims. Only after the good guys discover the vulnerability can the malware scanners detect it. All files uploaded one year ago could be infected as well. We simply don't know, because back then the malware engine had no idea about the threat. That's why almost all malware scanners rescan all files from time to time or on access. GuardDuty doesn't.
- Real-time/on-upload file scan: ✅
- Scheduled bucket scan: ❌
- On-demand bucket scan: ❌
- On-demand file scan: ❌
- On-access file scan: ❌
Mitigation
Detecting a malicious file is important. Dealing with the malicious files is crucial. Amazon GuardDuty Malware Protection for S3 can tag S3 objects with the scan result. You can use this tag in S3 bucket policies or IAM policies to restrict access to clean files or block access to infected files. Unfortunately, that's it. GuardDuty doesn't delete infected files or quarantine files (move them to a separate S3 bucket for further analysis).
- Tag: ✅
- Delete: ❌
- Quarantine/Move: ❌
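The tag-based access restriction described above, as an added example that is not part of the original post and not code from AWS or bucketAV. It builds a "clean files only" bucket policy and then emulates how IAM evaluates that policy for tagged and untagged objects. Assumptions, to be checked against the current AWS documentation: the scan result is written to the object tag key `GuardDutyMalwareScanStatus`, and a clean object carries the value `NO_THREATS_FOUND`; the bucket name and role ARN are constructed placeholders.

```python
"""Build a "clean files only" S3 bucket policy from the GuardDuty scan tag and
check how it behaves for tagged and untagged objects.

Added example; not code from the original post or from AWS/bucketAV.
Assumptions (verify against the current AWS docs): GuardDuty Malware
Protection for S3 writes the object tag key GuardDutyMalwareScanStatus and a
clean object carries the value NO_THREATS_FOUND. The bucket name and the
role ARN below are constructed placeholders.
"""
import json

SCAN_TAG_KEY = "GuardDutyMalwareScanStatus"   # assumed tag key (see docstring)
CLEAN_VALUE = "NO_THREATS_FOUND"              # assumed value for a clean object
# Placeholder ARN of the role the scanner uses; it must keep read access.
SCANNER_ROLE_ARN = "arn:aws:iam::111122223333:role/GuardDutyMalwareProtectionRole"


def build_clean_only_policy(bucket: str, exempt_principal_arn: str) -> dict:
    """Deny s3:GetObject unless the object's scan tag says it is clean.

    Both condition keys must match for the Deny to apply: the tag is not
    NO_THREATS_FOUND *and* the caller is not the exempted scanner role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BlockUnscannedOrInfectedObjects",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringNotEquals": {
                        f"s3:ExistingObjectTag/{SCAN_TAG_KEY}": CLEAN_VALUE,
                        "aws:PrincipalArn": exempt_principal_arn,
                    }
                },
            }
        ],
    }


def _condition_matches(operator: str, block: dict, context: dict) -> bool:
    """Evaluate one condition operator block against the request context."""
    for key, expected in block.items():
        actual = context.get(key)
        if operator == "StringEquals":
            if actual != expected:
                return False
        elif operator == "StringNotEquals":
            # Negated operators evaluate to true when the key is absent, so an
            # object without a scan tag counts as "not clean".
            if actual is not None and actual == expected:
                return False
        else:
            raise ValueError(f"operator {operator} not modelled")
    return True


def get_object_allowed(policy: dict, object_tags: dict, principal_arn: str) -> bool:
    """Emulate IAM evaluation of the policy's Deny statements for s3:GetObject.

    Returns False when an explicit Deny matches. An Allow from elsewhere
    (e.g. an identity policy) is assumed so the Deny is the deciding factor.
    """
    context = {f"s3:ExistingObjectTag/{k}": v for k, v in object_tags.items()}
    context["aws:PrincipalArn"] = principal_arn
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny" or statement["Action"] != "s3:GetObject":
            continue
        if all(_condition_matches(op, block, context)
               for op, block in statement["Condition"].items()):
            return False
    return True


if __name__ == "__main__":
    policy = build_clean_only_policy("uploads-example-bucket", SCANNER_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    app = "arn:aws:iam::111122223333:role/AppRole"      # placeholder consumer
    for tags in ({SCAN_TAG_KEY: CLEAN_VALUE}, {SCAN_TAG_KEY: "THREATS_FOUND"}, {}):
        print(tags or "<no tag yet>", "->", "allowed" if get_object_allowed(policy, tags, app) else "denied")
```

The emulation makes the practical caveat visible: an object that has been uploaded but not yet tagged is denied exactly like an infected one, so consumers that read immediately after upload will see AccessDenied until the scan completes.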
Reporting
New security tools are always great. But someone has to deal with all the findings, right? Even if the mitigation is automated (like deleting infected files), you still want to know what the tool is doing. Therefore, reporting is an important aspect. Amazon GuardDuty Malware Protection for S3 operates largely in the dark. If you subscribe to GuardDuty, you will see findings created for malicious files. If you use Amazon GuardDuty Malware Protection for S3 in standalone mode, the scan results are not stored. You get some high-level CloudWatch metrics and that's it. No dashboard, no notifications, no reports.
- Reports: ❌
- Notifications (email): ❌
- Notifications (Slack): ❌
- Notifications (Microsoft Teams): ❌
- Dashboard: ❌
- AWS Security Hub finding integration: ⚠️ (only if you subscribe to GuardDuty)
- AWS Systems Manager OpsCenter item integration: ❌
- Amazon GuardDuty finding integration: ⚠️ (only if you subscribe to GuardDuty)
Developer
AWS is like Lego bricks. You put many bricks together to build great things. Amazon GuardDuty Malware Protection for S3 publishes events like scan results to EventBridge. EventBridge rules can trigger other AWS services. For example, to implement your quarantine logic, you could trigger a Lambda function if a file is infected. Keep in mind that moving files in S3 is not easy. You first copy the file and then delete it. But you can't copy a file that is larger than 5 GB in a single request. You have to copy it in parts, which can take a lot of time, so you'd better use Step Functions to orchestrate it to avoid Lambda timeouts.
- Amazon EventBridge integration: ✅
- Amazon SNS integration: ❌
- Amazon CloudWatch metrics integration: ✅
- AWS API to scan files: ❌
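The EventBridge-driven quarantine described above, as an added example that is not part of the original post and not code from AWS or bucketAV. The planning step parses the scan-result event and decides whether the object needs quarantining; the quarantine step does the copy-then-delete the post describes, using boto3's managed `copy()`, which falls back to multipart copy above its threshold and is therefore the call that makes objects above the 5 GB single-request limit copyable. Assumptions: the event layout (`detail-type`, `scanStatus`, `s3ObjectDetails`, `scanResultDetails.scanResultStatus`) follows the AWS documentation as I know it and should be checked against the current docs; `QUARANTINE_BUCKET`, the sample event and the fake S3 client used for testing are constructed.

```python
"""Quarantine logic for infected S3 objects, driven by the scan-result event
that GuardDuty Malware Protection for S3 publishes to EventBridge.

Added example; not code from the original post or from AWS/bucketAV.
Assumptions: the event layout below follows the AWS documentation as I know
it (verify against the current docs); QUARANTINE_BUCKET and SAMPLE_EVENT are
constructed. The S3 client is injected so the logic runs without AWS access.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

QUARANTINE_BUCKET = "quarantine-example-bucket"   # placeholder
SINGLE_COPY_LIMIT = 5 * 1024 ** 3                # CopyObject handles at most 5 GB per request
SCAN_RESULT_DETAIL_TYPE = "GuardDuty Malware Protection Object Scan Result"

# Constructed sample of the EventBridge event (field names as assumed above).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": SCAN_RESULT_DETAIL_TYPE,
    "detail": {
        "schemaVersion": "1.0",
        "scanStatus": "COMPLETED",
        "resourceType": "S3_OBJECT",
        "s3ObjectDetails": {
            "bucketName": "uploads-example-bucket",
            "objectKey": "incoming/invoice.pdf",
            "versionId": "example-version-1",
        },
        "scanResultDetails": {
            "scanResultStatus": "THREATS_FOUND",
            "threats": [{"name": "EICAR-Test-File"}],
        },
    },
}


@dataclass(frozen=True)
class QuarantinePlan:
    bucket: str
    key: str
    version_id: Optional[str]
    threats: Tuple[str, ...]


def plan_from_event(event: dict) -> Optional[QuarantinePlan]:
    """Return a plan for THREATS_FOUND results, None for everything else.

    Clean objects need no action. Other results (unsupported, failed,
    access denied) are not quarantined here; they need their own reporting
    path, which the service does not provide out of the box.
    """
    if event.get("source") != "aws.guardduty":
        return None
    if event.get("detail-type") != SCAN_RESULT_DETAIL_TYPE:
        return None
    detail = event.get("detail", {})
    if detail.get("scanStatus") != "COMPLETED":
        return None
    result = detail.get("scanResultDetails", {})
    if result.get("scanResultStatus") != "THREATS_FOUND":
        return None
    obj = detail["s3ObjectDetails"]
    threats = tuple(t.get("name", "unknown") for t in result.get("threats", []))
    return QuarantinePlan(obj["bucketName"], obj["objectKey"], obj.get("versionId"), threats)


def quarantine_object(s3, plan: QuarantinePlan, quarantine_bucket: str = QUARANTINE_BUCKET) -> dict:
    """Copy the infected object into the quarantine bucket, then delete the original.

    s3.copy() is boto3's managed transfer: above its multipart threshold
    (8 MiB by default) it performs a multipart copy, which is required for
    objects above 5 GB. A large multipart copy can still outlive a Lambda
    timeout, which is why the post recommends Step Functions to orchestrate it.
    """
    source = {"Bucket": plan.bucket, "Key": plan.key}
    if plan.version_id:
        source["VersionId"] = plan.version_id
    size = s3.head_object(**source)["ContentLength"]
    dest_key = f"{plan.bucket}/{plan.key}"   # keep the origin visible in the quarantine key
    s3.copy(source, quarantine_bucket, dest_key)
    s3.delete_object(**source)
    return {
        "action": "quarantined",
        "source": source,
        "destination": {"Bucket": quarantine_bucket, "Key": dest_key},
        "threats": list(plan.threats),
        "exceeds_single_copy_limit": size > SINGLE_COPY_LIMIT,
    }


def lambda_handler(event, context):
    """Entry point for an EventBridge rule that targets this function."""
    plan = plan_from_event(event)
    if plan is None:
        return {"action": "none"}
    import boto3   # imported lazily so the planning logic is testable without boto3
    return quarantine_object(boto3.client("s3"), plan)
```

Wire the function to an EventBridge rule that matches `source` `aws.guardduty` and the scan-result `detail-type`; the handler ignores every other event, so a broader rule is harmless. The returned dictionary is what you would hand to a notification channel, since the service itself sends none.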
Pricing model
I'll use three example workloads to demonstrate the pricing model using us-east-1 prices.
- Tiny (90 GB/month): $57.68
- Small (3 TB/month): $1,991.07
- Larger (15 TB/month): $12,696.81
In the following, I present detailed cost estimations for all examples. I end with a detailed comparison of the pricing models.
Tiny workload
The customer scans 300 files per day with an average file size of 10 MB. This results in 9,000 files and 90 GB per month. Objects are tagged with scan results. AWS region is us-east-1.
Cost item | Amazon GuardDuty Malware Protection for S3 |
---|---|
Scanning | GB: $54.00; files: $1.94; subtotal $55.94 |
Infrastructure | S3: $0.05; EventBridge: $0.01; GuardDuty: optional, AWS usage dependent; subtotal $0.06 |
Support | At least $1.68 |
Total | $57.68 |
Small workload
The customer scans 20,000 files per day with an average file size of 5 MB. This results in 600,000 files and 3,000 GB per month. Objects are tagged with scan results. AWS region is us-east-1.
Cost item | Amazon GuardDuty Malware Protection for S3 |
---|---|
Scanning | GB: $1,800.00; files: $129.00; subtotal $1,929.00 |
Infrastructure | S3: $3.48; EventBridge: $0.60; GuardDuty: optional, AWS usage dependent; subtotal $4.08 |
Support | At least $57.99 |
Total | $1,991.07 |
Larger workload
The customer scans 500,000 files per day with an average file size of 1 MB. This results in 15,000,000 files and 15,000 GB per month. Objects are tagged with scan results. AWS region is us-east-1.
Cost item | Amazon GuardDuty Malware Protection for S3 |
---|---|
Scanning | GB: $9,000.00; files: $3,225.00; subtotal $12,225.00 |
Infrastructure | S3: $87.00; EventBridge: $15.00; GuardDuty: optional, AWS usage dependent; subtotal $102.00 |
Support | At least $369.81 |
Total | $12,696.81 |
Detailed pricing model comparison
The following table shows the various aspects of the pricing models using us-east-1 prices.
Cost item | Amazon GuardDuty Malware Protection for S3 |
---|---|
Scanning | $0.60 per GB; $0.215 per 1,000 objects |
Infrastructure | S3, EventBridge, optional GuardDuty |
Support | Developer: $29 or 3% of monthly AWS charges; Business: $100 per month or 3-10% of monthly AWS charges; Enterprise: $15,000 per month or 3-7% of monthly AWS charges |
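A cost calculator that reproduces the three workload estimates above from the listed rates, as an added example that is not part of the original post. It goes slightly beyond the tables by reporting what share of the scanning charge is the per-object component, which shows why the 1 MB workload is proportionally more expensive than the 10 MB one. Assumptions: 30 days per month and 1,000 MB per GB (the conversions the post's figures imply); infrastructure cost is passed in rather than derived, because S3 and EventBridge charges depend on the request mix; support is modelled as the 3% floor the post uses for "at least".

```python
"""Reproduce the post's monthly cost estimates for GuardDuty Malware Protection
for S3 and show how the per-object charge grows as files get smaller.

Added example, not from the original post or from AWS. Rates are the ones the
post lists for us-east-1. Assumed conversions: 30 days per month, 1,000 MB
per GB. Infrastructure cost is an input; support is 3% of everything else.
"""
from decimal import Decimal, ROUND_HALF_UP

PRICE_PER_GB = Decimal("0.60")            # from the post's pricing table
PRICE_PER_1000_OBJECTS = Decimal("0.215") # from the post's pricing table
DAYS_PER_MONTH = 30                       # assumed
SUPPORT_FLOOR_RATE = Decimal("0.03")      # lowest percentage across support tiers


def cents(value: Decimal) -> Decimal:
    """Round to whole cents the way an invoice would (half up)."""
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def monthly_cost(files_per_day: int, avg_file_mb, infrastructure,
                 support_rate: Decimal = SUPPORT_FLOOR_RATE) -> dict:
    """Break a month of scanning down into the same rows as the post's tables."""
    files = files_per_day * DAYS_PER_MONTH
    gb = Decimal(files) * Decimal(str(avg_file_mb)) / Decimal(1000)
    gb_cost = cents(gb * PRICE_PER_GB)
    object_cost = cents(Decimal(files) / Decimal(1000) * PRICE_PER_1000_OBJECTS)
    scanning = gb_cost + object_cost
    infra = cents(Decimal(str(infrastructure)))
    support = cents((scanning + infra) * support_rate)   # "at least" in the post
    return {
        "files": files,
        "gb": gb,
        "gb_cost": gb_cost,
        "object_cost": object_cost,
        "scanning": scanning,
        "infrastructure": infra,
        "support": support,
        "total": scanning + infra + support,
        # share of the scanning charge caused by the per-object price, in percent
        "object_share_pct": (object_cost / scanning * 100).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP),
    }


# The post's three workloads (infrastructure subtotals taken from its tables).
WORKLOADS = [
    ("Tiny", 300, 10, "0.06"),
    ("Small", 20_000, 5, "4.08"),
    ("Larger", 500_000, 1, "102.00"),
]

if __name__ == "__main__":
    for name, per_day, mb, infra in WORKLOADS:
        c = monthly_cost(per_day, mb, infra)
        print(f"{name:7s} {c['files']:>10,} files {c['gb']:>8,} GB  "
              f"scan ${c['scanning']:>10,} (objects {c['object_share_pct']}%)  "
              f"support ${c['support']:>8,}  total ${c['total']:>10,}")
```

The object-share column is the practical takeaway: per-object pricing is a rounding error for 10 MB files but roughly a quarter of the scanning bill at 1 MB average size, so estimates based on volume alone undershoot for workloads with many small objects.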
Limitations
Last but not least, we dive into the technical limitations of Amazon GuardDuty Malware Protection for S3:
- Maximum S3 object size: 5 GB
- Maximum extracted archive size: 5 GB
- Maximum number of files in an archive: 1,000
- Maximum archive depth level: 5 (archive inside archive inside archive…)
Service Maturity Table
Each service review ends with the service maturity table.
Criteria | Summary | Score |
---|---|---|
Feature Completeness | 🚨 | 2 |
Documentation detailedness | ✅ | 8 |
Tags (Grouping + Billing) | ✅ | 10 |
CloudFormation + Terraform support | ✅ | 10 |
Emits CloudWatch Events | ✅ | 10 |
IAM granularity | ✅ | 8 |
Integrated with AWS Config | ⚠️ | 0 |
Auditing via AWS CloudTrail | ✅ | 10 |
Available in all commercial regions | ✅ | 10 |
SLA | ✅ | 10 |
Compliance (ISO, SOC, HIPAA) | ✅ | 10 |
Total Maturity Score (0-10) | ✅ | 8.0 |
Our maturity score for Amazon GuardDuty Malware Protection for S3 is 8.0 on a scale from 0 to 10. Amazon GuardDuty Malware Protection for S3 benefits from being part of the GuardDuty service, which is very mature. When we look at Feature Completeness in isolation, the picture looks less rosy. If you're wondering how bucketAV compares with Amazon GuardDuty Malware Protection for S3, I've got you covered.