McAfee MVISION Cloud

Near Real-Time DLP Scan and Malware Scan for AWS S3

MVISION Cloud provides Near Real-Time (NRT) DLP and Malware scanning for AWS S3 buckets. This feature significantly reduces the time to find new DLP and Malware violations in S3 buckets: file creation, modification, and restore events in those buckets are detected as they occur, and MVISION Cloud's DLP and Malware policies are evaluated against the affected files.

NOTE: Integrate your AWS account with MVISION Cloud. For more details, see Integrate AWS and enable NRT DLP and Malware Scan for AWS S3.

This article describes how to enable Near Real-Time DLP and Malware Scan for AWS S3.

How it Works

The CloudFormation template creates an SQS queue in each AWS account and region and integrates it with MVISION Cloud. Event notifications are then enabled on the S3 buckets to be scanned. Whenever a file is added, modified, or restored in one of those buckets, S3 sends a notification to the corresponding SQS queue. MVISION Cloud polls SQS every minute and evaluates the NRT DLP and Malware policies against the affected files. Any violation generates an incident.
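As an added example (not MVISION Cloud code), the following Python shows what a consumer of the staging queue sees: the S3 event notification JSON carried in each SQS message body, the one-off s3:TestEvent that S3 sends when a notification is first configured, and the URL-encoding of object keys. The sample messages, account and bucket names are constructed for illustration; the poll function takes a boto3 SQS client supplied by the caller and uses only the receive and delete calls that the Prerequisites section lists.

```python
import json
from urllib.parse import unquote_plus

# Event types the NRT scan subscribes to, matching the console checkboxes
# "All object create events" and "Restore completed".
SCAN_EVENT_PREFIXES = ("ObjectCreated:", "ObjectRestore:Completed")


def parse_sqs_body(body):
    """Return one {bucket, key, version_id, event} dict per scannable S3 record.

    `body` is the Body of an SQS message, i.e. the JSON document S3 delivers.
    S3's one-off "s3:TestEvent" (sent when the notification is configured)
    and records for other event types, such as deletions, yield nothing.
    """
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":
        return []
    items = []
    for rec in msg.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        name = rec.get("eventName", "")
        if not name.startswith(SCAN_EVENT_PREFIXES):
            continue
        s3 = rec["s3"]
        items.append({
            "bucket": s3["bucket"]["name"],
            # Keys in notifications are URL-encoded; "a+b" is the key "a b".
            "key": unquote_plus(s3["object"]["key"]),
            # versionId is present only for objects in versioned buckets.
            "version_id": s3["object"].get("versionId"),
            "event": name,
        })
    return items


def drain_queue(sqs, queue_url, handle):
    """Receive one batch, pass each scannable record to `handle`, then delete.

    `sqs` is a boto3 SQS client created by the caller. The calls used are the
    ones behind the minimum permissions in the Prerequisites section
    (sqs:ReceiveMessage, sqs:DeleteMessage). A message is deleted only after
    `handle` has run for all of its records, so a failure leaves it on the
    queue for redelivery. Returns the number of messages consumed.
    """
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10,
                               WaitTimeSeconds=20)  # long poll
    consumed = 0
    for m in resp.get("Messages", []):
        for item in parse_sqs_body(m["Body"]):
            handle(item)
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=m["ReceiptHandle"])
        consumed += 1
    return consumed


# Constructed sample messages, shaped like real S3 notifications.
TEST_EVENT = json.dumps({
    "Service": "Amazon S3", "Event": "s3:TestEvent",
    "Time": "2021-01-01T00:00:00.000Z", "Bucket": "example-data",
})

MIXED_RECORDS = json.dumps({"Records": [
    {"eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "example-data"},
            "object": {"key": "reports/q1+budget.xlsx", "size": 2048,
                       "versionId": "3HL4kqtJlcpXroDTDmJ.rmSpXd3dIbrHY"}}},
    {"eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "example-data"}, "object": {"key": "reports/old.xlsx"}}},
    {"eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectRestore:Completed",
     "s3": {"bucket": {"name": "example-archive"}, "object": {"key": "2019/backup.zip"}}},
]})

if __name__ == "__main__":
    for item in parse_sqs_body(MIXED_RECORDS):
        print(item)
```

Only the create and restore-completed records are passed on; the delete record is ignored, which is consistent with the note below that a manual deletion does not resolve an incident.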

If quarantine is configured, MVISION Cloud creates an S3 bucket for incidents that require quarantine. 

How Quarantine File Works

MVISION Cloud automatically creates a quarantine bucket the first time a file needs to be quarantined; this bucket stores all quarantined content. Quarantine is the supported remediation action, both manual and automated. The original file is copied from the source bucket to the quarantine bucket, deleted from the source bucket, and replaced there with a tombstone file.
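The quarantine sequence described above, as an added example that is not MVISION Cloud's implementation. The function accepts any object exposing boto3's S3 client method names (copy_object, head_object, delete_object, put_object); a small in-memory stand-in is included so the sequence can be run offline. Bucket names, the tombstone text and the metadata keys are assumptions made for this example.

```python
import hashlib
from datetime import datetime, timezone

# Tombstone body and metadata keys are assumptions for this example.
TOMBSTONE_TEXT = (
    "This file was quarantined because it violated a DLP or Malware policy.\n"
    "Contact your security team to request its restoration.\n"
)


def quarantine(s3, src_bucket, key, q_bucket, version_id=None, reason="policy violation"):
    """Copy the object to the quarantine bucket, delete it from the source,
    and leave a tombstone under the original key. Returns both locations.
    """
    dest_key = f"{src_bucket}/{key}"
    source = {"Bucket": src_bucket, "Key": key}
    if version_id:
        source["VersionId"] = version_id
    # 1. Server-side copy into the quarantine bucket; the bytes never leave S3.
    s3.copy_object(
        Bucket=q_bucket, Key=dest_key, CopySource=source,
        ServerSideEncryption="AES256", MetadataDirective="REPLACE",
        Metadata={"quarantine-source": f"s3://{src_bucket}/{key}",
                  "quarantine-reason": reason},
    )
    # 2. Never delete the original until the copy is verified. Sizes are
    #    compared rather than ETags, because the ETag of a multipart-uploaded
    #    object differs from the ETag of its single-part copy.
    original = s3.head_object(**source)
    copied = s3.head_object(Bucket=q_bucket, Key=dest_key)
    if copied["ContentLength"] != original["ContentLength"]:
        raise RuntimeError("quarantine copy is incomplete; original left in place")
    # 3. Remove the original and put the tombstone under its key. On a
    #    versioned bucket this adds a delete marker and a new version, so the
    #    historic versions remain in the source bucket.
    s3.delete_object(Bucket=src_bucket, Key=key)
    s3.put_object(
        Bucket=src_bucket, Key=key, Body=TOMBSTONE_TEXT.encode(),
        ContentType="text/plain",
        Metadata={"quarantine-location": f"s3://{q_bucket}/{dest_key}",
                  "quarantined-at": datetime.now(timezone.utc).isoformat()},
    )
    return {"quarantined_to": f"s3://{q_bucket}/{dest_key}",
            "tombstone": f"s3://{src_bucket}/{key}"}


class MemoryS3:
    """Constructed in-memory stand-in for the boto3 S3 calls used above."""

    def __init__(self):
        self.objects = {}  # (bucket, key) -> {"Body", "ETag", "Metadata"}

    def put_object(self, Bucket, Key, Body, **kw):
        body = Body if isinstance(Body, bytes) else Body.encode()
        self.objects[(Bucket, Key)] = {"Body": body, "ETag": hashlib.md5(body).hexdigest(),
                                       "Metadata": kw.get("Metadata", {})}
        return {"ETag": self.objects[(Bucket, Key)]["ETag"]}

    def head_object(self, Bucket, Key, **kw):
        obj = self.objects[(Bucket, Key)]
        return {"ContentLength": len(obj["Body"]), "ETag": obj["ETag"],
                "Metadata": obj["Metadata"]}

    def copy_object(self, Bucket, Key, CopySource, **kw):
        src = self.objects[(CopySource["Bucket"], CopySource["Key"])]
        self.objects[(Bucket, Key)] = {"Body": src["Body"], "ETag": src["ETag"],
                                       "Metadata": kw.get("Metadata", src["Metadata"])}
        return {"CopyObjectResult": {"ETag": src["ETag"]}}

    def delete_object(self, Bucket, Key, **kw):
        self.objects.pop((Bucket, Key), None)
        return {}


def demo():
    """Quarantine one constructed object and return the result and the store."""
    s3 = MemoryS3()
    s3.put_object(Bucket="example-data", Key="hr/salaries.csv",
                  Body=b"name,salary\nalice,100\n")
    result = quarantine(s3, "example-data", "hr/salaries.csv", "example-quarantine",
                        reason="DLP: PII")
    return result, s3


if __name__ == "__main__":
    print(demo()[0])
```

The order matters: the copy is verified before anything is deleted, so a failed copy leaves the original untouched rather than losing the evidence. With a real boto3 client, pass the object's version ID when the source bucket is versioned so that the exact version that triggered the policy is the one copied.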

The following flowchart describes the internal process of NRT DLP and Malware Scan for AWS S3:

NOTE:

  • If the file that triggered a policy is deleted manually from the S3 bucket, the incident is not resolved automatically; automated incident resolution is not supported.
  • Automated remediation and incident generation complete within 15 minutes of the event.
  • Quarantine restore is supported.
  • If versioning is enabled on the bucket, all historic versions of the file remain available.

Prerequisites

Before you begin, make sure the MVISION Cloud IAM role has at least the following SQS permissions, which the NRT DLP and Malware scan needs in order to read the event queue:

sqs:ListQueues
sqs:GetQueueAttributes    
sqs:ReceiveMessage
sqs:DeleteMessage 

To enable quarantine, the following additional S3 permissions are required:

s3:ListAllMyBuckets
s3:ListBucket
s3:PutObject
s3:CreateBucket
s3:DeleteObject
s3:PutBucketPolicy
s3:GetBucketLocation

Configure Quarantine for AWS S3

  1. Create a new IAM policy that grants the SQS and S3 permissions listed above. The policy below, exported in JSON format, is a suitable example that includes both the SQS and the S3 (quarantine) permissions; it also grants s3:GetObject. Note that it allows every action on every resource ("Resource": "*"). Where your environment allows, restrict the SQS actions to the staging queue created by the CloudFormation template and the S3 actions to the scanned buckets and the quarantine bucket.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MVCNRTDLP",
                "Effect": "Allow",
                "Action": [
                    "sqs:DeleteMessage",
                    "s3:PutObject",
                    "s3:GetObject",
                    "sqs:ListQueues",
                    "s3:ListAllMyBuckets",
                    "sqs:ReceiveMessage",
                    "s3:PutBucketPolicy",
                    "s3:CreateBucket",
                    "sqs:GetQueueAttributes",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:GetBucketLocation"
                ],
                "Resource": "*"
            }
        ]
    }
  2. Attach this new policy to the existing Skyhigh for AWS role.

Enable NRT DLP and Malware Scan for AWS S3

To enable Near Real-Time DLP and Malware Scan in the AWS Setup page:

  1. Log in to MVISION Cloud and go to Settings > Service Management.
  2. Select your AWS instance under Amazon Web Services and click Setup > Edit.
  3. You are redirected to the Summary page. Under Enabled Features, click Edit.
  4. To enable NRT DLP, select the Near Real Time checkbox.
  5. To view the prerequisite steps for NRT DLP, click the NRT DLP link, which opens the Prerequisites section of this article.
  6. Download the CloudFormation Template and run it from the AWS Console.
  7. The CFT creates an SQS queue in your region, named mvisioncloud-s3-event-staging-<accountID>-<region>.
  8. Go to your S3 buckets and enable event notifications. There are two ways to do this:
  • Use the AWS console.
  • Use the Python script provided in MVISION Cloud.

To enable notifications in the AWS console:

  1. Select your S3 bucket.
  2. Choose Properties > Events and click Add notification.
  3. On the Add notification page, configure the following and save:

  • Select the checkboxes All object create events and Restore completed.
  • Select SQS Queue from the Send to menu.
  • From the SQS menu, select the queue created by the CFT (mvisioncloud-s3-event-staging-<accountID>-<region>).
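The same notification the console steps create, expressed as an added Python example. This is not the script MVISION Cloud provides; it builds the bucket notification configuration (all object-create events plus restore-completed, sent to the queue named by the CFT convention) and the SQS access policy that must allow S3 to deliver to that queue, and applies both through boto3 clients supplied by the caller. Account ID, region, bucket names and the configuration Id are placeholders.

```python
import json

QUEUE_PREFIX = "mvisioncloud-s3-event-staging"  # naming convention of the CFT-created queue


def queue_arn(account_id, region):
    """ARN of the staging queue the CloudFormation template creates in a region."""
    return f"arn:aws:sqs:{region}:{account_id}:{QUEUE_PREFIX}-{account_id}-{region}"


def notification_configuration(account_id, region, key_suffix=None):
    """Bucket notification equivalent to the console steps: all object-create
    events plus restore-completed, delivered to the staging queue.

    `key_suffix` optionally limits notifications to one file extension; the
    procedure above does not filter, so the default is no filter.
    """
    cfg = {
        "Id": "mvision-nrt-scan",  # assumed configuration name
        "QueueArn": queue_arn(account_id, region),
        "Events": ["s3:ObjectCreated:*", "s3:ObjectRestore:Completed"],
    }
    if key_suffix:
        cfg["Filter"] = {"Key": {"FilterRules": [{"Name": "suffix", "Value": key_suffix}]}}
    return {"QueueConfigurations": [cfg]}


def queue_policy(account_id, region, bucket_names):
    """SQS access policy that lets S3 deliver events for the listed buckets only.

    S3 refuses a notification configuration whose destination queue does not
    allow s3.amazonaws.com to SendMessage. Scoping by aws:SourceArn and
    aws:SourceAccount stops buckets in other accounts from injecting events
    into the scan queue.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3EventsFromScannedBuckets",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn(account_id, region),
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": [f"arn:aws:s3:::{b}" for b in bucket_names]},
            },
        }],
    }


def enable_notifications(s3, sqs, account_id, region, queue_url, bucket_names):
    """Apply the queue policy and the bucket notifications with boto3 clients.

    The CloudFormation template may already have attached a queue policy;
    compare the queue's current Policy attribute before replacing it.
    """
    sqs.set_queue_attributes(
        QueueUrl=queue_url,
        Attributes={"Policy": json.dumps(queue_policy(account_id, region, bucket_names))},
    )
    for bucket in bucket_names:
        s3.put_bucket_notification_configuration(
            Bucket=bucket,
            NotificationConfiguration=notification_configuration(account_id, region),
        )


if __name__ == "__main__":
    print(json.dumps(notification_configuration("123456789012", "us-west-2"), indent=2))
    print(json.dumps(queue_policy("123456789012", "us-west-2", ["example-data"]), indent=2))
```

put_bucket_notification_configuration replaces the bucket's whole notification configuration, so if a bucket already has other notifications (for example to Lambda or SNS), fetch the existing configuration first and append the queue entry rather than overwriting it.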

Configure DLP and Malware Policies for NRT

  1. Go to MVISION Cloud and choose Policy > DLP Policies.
  2. Create a new DLP policy or edit an existing one, and select Amazon S3 under Services.
  3. Click Save.
  4. Create a new malware policy or edit an existing one: choose Policy > Malware Policies and select a malware policy. The Review and Activate page for that policy opens.
  5. Under Description, click Edit and select Amazon S3 under Services.
  6. Complete the remaining steps, and then click Save.
