Title: AWS re:Inforce 2024 - Fully managed malware and antivirus protection for Amazon S3 (TDR204-NEW)
Insights:
- Introduction and Agenda: The session covers a new malware protection feature for Amazon S3, including baseline security, handling untrusted uploads, enabling malware protection, managing identified malware, and operationalizing it across multiple accounts.
- Amazon S3 Architecture: Emphasizes four key pillars: durability, security, availability, and performance. S3 holds over 350 trillion objects and is designed for 99.99% availability.
- Shared Responsibility Model: AWS is responsible for securing the underlying infrastructure, while customers are responsible for configuring their buckets and data securely and for using the available security tools.
- Default Security Measures: S3 now encrypts data by default, blocks public access, and turns off access control lists for new buckets to enhance security.
- Use Cases for S3: S3 is used for data lakes, log storage, data pipelines, and applications that accept external data uploads, which may be untrusted.
- GuardDuty Malware Protection: Introduces continuous scanning of newly uploaded S3 objects for malware. Each scanned object receives a GuardDutyMalwareScanStatus tag (values include NO_THREATS_FOUND, THREATS_FOUND, UNSUPPORTED, ACCESS_DENIED, and FAILED), a scan-result event is published to EventBridge, and GuardDuty findings are generated for objects containing malware so downstream remediation can be automated.
- Key Benefits: Quick enablement, regularly updated malware signatures, contextual information for incident response, scalability, and reduced complexity in managing compute infrastructure.
- Operationalization: Discusses how to notify, control access, and contain malware using GuardDuty findings and EventBridge rules. Highlights the importance of integrating malware scanning into deployment processes.
- Multi-Account Environment: Explains how GuardDuty findings and scan status events are managed across delegated admin and member accounts.
- Metrics and Monitoring: CloudWatch metrics expose scan counts, failed scans, and infected objects so you can monitor the health and effectiveness of the malware protection feature.
- Limitations: The feature does not support historical scanning of existing objects, malware detonation (sandbox analysis), prevention, or response. Objects larger than 5 GB and objects encrypted with customer-provided keys (SSE-C) are not scanned. Because scanning happens after an object has landed in the bucket, containment has to come from your own bucket policy or response automation keyed on the scan-status tag and the EventBridge scan-result events.
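The wiring the operationalization and limitations points describe, as an added example that is not code from the session or from AWS: an EventBridge rule pattern that fires only on completed scans with threats found, a response planner for the scan-result event, and a bucket policy that denies s3:GetObject on any object whose scan-status tag is not NO_THREATS_FOUND (so unscanned objects are held too, and the scanner's own role is exempted). The event field names follow the documented scan-result event as best recalled and should be verified against a real event; the bucket name, account, role ARN and sample events are constructed; match_event() and is_get_denied() are small local stand-ins for EventBridge matching and IAM condition evaluation, not the services themselves.

```python
"""Added example: notify, hold and contain based on GuardDuty Malware Protection
for S3 scan results. Runs offline; every AWS identifier below is constructed."""
import json

TAG_KEY = "GuardDutyMalwareScanStatus"  # tag GuardDuty writes on every scanned object
# Assumed/constructed: the role GuardDuty assumes to read objects in this bucket.
SCANNER_ROLE = "arn:aws:iam::111122223333:role/GuardDutyMalwareProtectionS3Role"

# EventBridge rule pattern: fire only on completed scans that found threats.
THREATS_FOUND_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Malware Protection Object Scan Result"],
    "detail": {
        "scanStatus": ["COMPLETED"],
        "scanResultDetails": {"scanResultStatus": ["THREATS_FOUND"]},
    },
}


def match_event(pattern, event):
    """Minimal EventBridge matcher: every pattern key must exist in the event,
    nested dicts recurse, and a leaf list is an OR of exact values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not match_event(expected, actual):
                return False
        else:
            values = actual if isinstance(actual, list) else [actual]
            if not any(v in expected for v in values):
                return False
    return True


def plan_response(event):
    """Turn one scan-result event into a containment plan for a Lambda target.
    GuardDuty only tags and reports; the response itself is the customer's."""
    d = event["detail"]
    obj = d["s3ObjectDetails"]
    target = {"bucket": obj["bucketName"], "key": obj["objectKey"],
              "versionId": obj.get("versionId")}
    if d["scanStatus"] != "COMPLETED":            # SKIPPED / FAILED: not scanned
        return {"action": "alert-unscanned", "reason": d["scanStatus"], **target}
    details = d["scanResultDetails"]
    if details["scanResultStatus"] == "THREATS_FOUND":
        names = [t["name"] for t in details.get("threats", [])]
        return {"action": "quarantine", "threats": names, **target}
    if details["scanResultStatus"] == "NO_THREATS_FOUND":
        return {"action": "release", **target}
    return {"action": "alert-unscanned", "reason": details["scanResultStatus"], **target}


def quarantine_bucket_policy(bucket, scanner_role_arn):
    """Deny reads unless the object is tagged NO_THREATS_FOUND. StringNotEquals is
    true when the tag is absent, so not-yet-scanned objects are held as well.
    The scanner role is exempted or it could never read the object to scan it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyReadsOfUnscannedOrInfectedObjects",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringNotEquals": {f"s3:ExistingObjectTag/{TAG_KEY}": "NO_THREATS_FOUND"},
                "ArnNotEquals": {"aws:PrincipalArn": scanner_role_arn},
            },
        }],
    }


def is_get_denied(policy, object_tags, principal_arn):
    """Toy evaluator for the single Deny statement above. IAM ANDs the condition
    blocks, and a *NotEquals operator is true when the key is missing."""
    cond = policy["Statement"][0]["Condition"]
    expected_tag = cond["StringNotEquals"][f"s3:ExistingObjectTag/{TAG_KEY}"]
    tag_mismatch = object_tags.get(TAG_KEY) != expected_tag
    principal_mismatch = principal_arn != cond["ArnNotEquals"]["aws:PrincipalArn"]
    return tag_mismatch and principal_mismatch


def sample_event(result, threats=(), scan_status="COMPLETED"):
    """Constructed scan-result event in the assumed documented shape."""
    return {
        "version": "0", "source": "aws.guardduty",
        "detail-type": "GuardDuty Malware Protection Object Scan Result",
        "account": "111122223333", "region": "us-east-1",
        "detail": {
            "schemaVersion": "1.0", "scanStatus": scan_status, "resourceType": "S3_OBJECT",
            "s3ObjectDetails": {"bucketName": "uploads-example", "objectKey": "inbox/invoice.pdf",
                                "eTag": "d41d8cd98f00b204e9800998ecf8427e", "versionId": None},
            "scanResultDetails": {"scanResultStatus": result,
                                  "threats": [{"name": n} for n in threats]},
        },
    }


if __name__ == "__main__":
    infected = sample_event("THREATS_FOUND", ["EICAR-Test-File (not a virus)"])
    clean = sample_event("NO_THREATS_FOUND")
    print("rule fires:", match_event(THREATS_FOUND_RULE, infected), match_event(THREATS_FOUND_RULE, clean))
    print(json.dumps(plan_response(infected)))
    policy = quarantine_bucket_policy("uploads-example", SCANNER_ROLE)
    app = "arn:aws:iam::111122223333:role/app"
    for tags in ({}, {TAG_KEY: "NO_THREATS_FOUND"}, {TAG_KEY: "THREATS_FOUND"}):
        print(tags, "GetObject denied for app:", is_get_denied(policy, tags, app))
```

The Deny statement is what turns "we tag it, the response is yours" into a hold: until the tag reads NO_THREATS_FOUND nobody but the scanner can read the object, and the EventBridge rule plus plan_response() is where the quarantine (move, delete, or alert) is triggered. Scan-status values other than NO_THREATS_FOUND (UNSUPPORTED, ACCESS_DENIED, FAILED, or a SKIPPED/FAILED scanStatus) stay held by this policy, so route them to a human rather than silently releasing them.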
Quotes:
- "Amazon S3 is built differently. Our four key pillars are durability, security, availability, and performance."
- "S3 is secure by default. We've taken multiple steps in the last couple of years to change defaults in ways that help you remain secure in the cloud."
- "We are happy to introduce GuardDuty malware protection for S3, where now using GuardDuty, you can protect your S3 buckets from new objects that are uploaded that turn out to be malware."
- "It is a fully managed offering where the list of malware signatures, they are continuously updated, and it's powered by GuardDuty's managed threat intelligence system."
- "This relieves you from the complexity of managing the compute infrastructure, where neither your application teams nor your security teams need to manage, operate, and incur the additional cost of the associated compute required for malware scanning."
- "We will tag every object that GuardDuty looks at even if it is clean so every object would have a key of GuardDuty malware scan status."
- "Currently, it is not a historical scanning solution. You can't take this feature, say, take this bucket that I've been collecting data in for three years and scan it all to see if I have any malware in there."
- "It's not a malware detonation service. You can't upload malware to it and we'll detonate it and tell you everything about it that we know and what are all the domains it's communicating with and which threat actor do we think this is from."
- "It's also not a malware prevention feature. At this point, we don't orchestrate all those things to actually prevent the malware from entering your environment."
- "It's also not currently a malware response solution. We tell you that there's malware there, we tag it, we give you all the information that we have about the malware that's present, but the response to that is still you as a customer."