Skyhigh Security

Near Real-Time DLP Scan and Malware Scan for AWS

Skyhigh CASB provides Near Real-Time (NRT) DLP and Malware scan for AWS S3 buckets. This feature significantly reduces the time to find new DLP and Malware violations in S3 buckets by detecting file creation, modification, or restoration events occurring in S3 buckets in real time and evaluating Skyhigh CASB's DLP and Malware policies.

NOTE: Integrate your AWS account with Skyhigh CASB. For more details, see Integrate AWS and enable NRT DLP and Malware Scan for AWS S3.

This article describes how to enable Near-Real Time DLP and Malware Scan for AWS S3.

How it Works

SQS queues are created in the AWS accounts and integrated with Skyhigh CASB using the CloudFormation template. The notifications are enabled on the AWS S3 buckets where the NRT DLP scan is run. If any files are added, modified, or restored on those AWS S3 buckets, then the notifications are sent to the respective SQS queues. Skyhigh CASB polls SQS every minute and triggers the evaluation of NRT DLP and Malware policies. In case of any violations, incidents are generated. 

If quarantine is configured, Skyhigh CASB creates an S3 bucket for incidents that require quarantine. 

How Quarantine File Works

A quarantine bucket is automatically created by Skyhigh CASB the first time a file needs to be quarantined, and it is used to store all quarantined content. Quarantine is the supported remediation action, both manual and automated. When a file is quarantined, it is copied from the source bucket to the quarantine bucket and replaced in the source bucket with a tombstone file; the original file is then deleted from the source bucket.

The following flowchart describes the internal process of NRT DLP and Malware Scan for AWS S3:

NOTE:

  • If the file that triggered the policy is deleted manually from the S3 bucket, the incident is not resolved automatically. Automated incident resolution is therefore not supported.
  • The automated remediation action and the policy incident are completed within 15 minutes.
  • Quarantine restore is supported.
  • If versioning is enabled for the bucket, all historic versions remain available.

KNOWN ISSUE: When the quarantine S3 bucket is not accessible to the root user, perform the following steps:

UI Validation on AWS Console

  1. Log in to the AWS console as a root user using the AWS root account.
  2. Go to the S3 Service page.
  3. Filter for the quarantine bucket. For example, "quarantine-mcafee-94581868531711".
  4. Check the Access Column to make sure you do not see any errors and are able to browse all the S3 bucket content.

API Validation via the Command Line Interface (AWS CLI)

  1. Generate an access key and secret key for the AWS root account.
  2. Set your AWS CLI profile to use the root account credentials.
  3. Run the AWS CLI ListObjects command (aws s3api list-objects) on your buckets. Start with the quarantine bucket; for example, quarantine-mcafee-94581868531711. For more information on the ListObjects command, see List Objects.
  4. Share the output for each of the buckets.

Prerequisites

Before you begin, make sure you grant at least the following SQS permissions to the Skyhigh CASB IAM role to enable NRT DLP and Malware scan.

sqs:ListQueues
sqs:GetQueueAttributes    
sqs:ReceiveMessage
sqs:DeleteMessage 
s3:GetBucketNotification

To enable quarantine, the following additional S3 permissions are required:

s3:ListAllMyBuckets
s3:ListBucket
s3:PutObject
s3:CreateBucket
s3:DeleteObject
s3:PutBucketPolicy
s3:GetBucketLocation

Configure Quarantine for AWS S3

  1. Create a new IAM policy and grant the SQS and S3 permissions listed above. For example, the following policy JSON includes both the SQS and the S3 (quarantine) permissions.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MVCNRTDLP",
                "Effect": "Allow",
                "Action": [
                    "sqs:DeleteMessage",
                    "s3:PutObject",
                    "s3:GetObject",
                    "sqs:ListQueues",
                    "s3:ListAllMyBuckets",
                    "sqs:ReceiveMessage",
                    "s3:PutBucketPolicy",
                    "s3:CreateBucket",
                    "sqs:GetQueueAttributes",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:GetBucketLocation",
                    "s3:GetBucketNotification"
                ],
                "Resource": "*"
            }
        ]
    }
  2. Attach this new policy to the existing Skyhigh for AWS role.
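As an added check that is not part of this article or the Skyhigh product, the following Python compares a candidate IAM policy document against the permission lists in the Prerequisites section. It embeds the example policy from step 1 as its input, honours IAM's case-insensitive wildcard matching for Action entries, and also reports whether the policy relies on Resource "*" as the example does.

```python
import json
from fnmatch import fnmatchcase

# Minimum permissions from the Prerequisites section of this article.
NRT_SCAN_ACTIONS = {
    "sqs:ListQueues", "sqs:GetQueueAttributes", "sqs:ReceiveMessage",
    "sqs:DeleteMessage", "s3:GetBucketNotification",
}
QUARANTINE_ACTIONS = {
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:PutObject", "s3:CreateBucket",
    "s3:DeleteObject", "s3:PutBucketPolicy", "s3:GetBucketLocation",
}

# The example policy from step 1 above, reproduced as the input to check.
PAGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "MVCNRTDLP", "Effect": "Allow",
    "Action": ["sqs:DeleteMessage", "s3:PutObject", "s3:GetObject",
      "sqs:ListQueues", "s3:ListAllMyBuckets", "sqs:ReceiveMessage",
      "s3:PutBucketPolicy", "s3:CreateBucket", "sqs:GetQueueAttributes",
      "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketLocation",
      "s3:GetBucketNotification"],
    "Resource": "*"}]}""")

def allow_patterns(policy: dict) -> list:
    """Action patterns granted by Allow statements (Action may be str or list)."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def is_granted(action: str, patterns: list) -> bool:
    """IAM matches Action case-insensitively and honours * and ? wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def check_policy(policy: dict, quarantine: bool = True) -> dict:
    """Report required actions the policy lacks, Action entries beyond the
    documented set, and whether an Allow statement uses Resource "*"."""
    required = NRT_SCAN_ACTIONS | (QUARANTINE_ACTIONS if quarantine else set())
    documented = {a.lower() for a in NRT_SCAN_ACTIONS | QUARANTINE_ACTIONS}
    patterns = allow_patterns(policy)
    return {
        "missing": sorted(a for a in required if not is_granted(a, patterns)),
        "extra": sorted(p for p in patterns if p.lower() not in documented),
        "wildcard_resource": any(s.get("Effect") == "Allow" and s.get("Resource") == "*"
                                 for s in policy.get("Statement", [])),
    }
```

Running check_policy(PAGE_POLICY) shows the example grants one action beyond the documented minimum (s3:GetObject) and that every statement is scoped to Resource "*".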

Enable NRT DLP and Malware Scan for AWS S3

To enable Near Real-Time DLP and Malware Scan on the AWS Setup page:

  1. Log in to Skyhigh CASB and go to Settings > Service Management.
  2. Select your AWS instance under Amazon Web Services and click Setup > Edit.
  3. You are redirected to the Summary page. Under Enabled Features, click Edit.
  4. To enable NRT DLP, select the checkbox Near Real Time.
  5. To view the prerequisite steps for setting up NRT DLP, click the NRT DLP link. It opens the Prerequisites section of this article.
  6. Download the CloudFormation Template (CFT) and go to the AWS Console to run it.
  7. The CFT creates an SQS queue in your region. The queue is named mvisioncloud-s3-event-staging-<accountID>-<region>.
  8. Go to S3 buckets and enable the notifications. There are two ways to enable notifications:
  • Use the AWS console.
  • Use the Python script provided in Skyhigh CASB.

To enable notification in the AWS console:

  1. Select your S3 Bucket.

  2. Choose Properties > Events and click Add notification.

  3. On the Add notification page, configure and save the following:

  • Select the checkboxes All object create events and Restore completed.
  • Select SQS Queue from the Send to menu.
  • Select the SQS name created by the CFT template from the SQS menu.
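As an added validation that is not part of this article or the Skyhigh product, the following Python checks a bucket's notification configuration (the dictionary shape S3 GetBucketNotificationConfiguration returns) for the wiring described in steps 3 and 7: a target queue named mvisioncloud-s3-event-staging-<accountID>-<region>, and events covering all object create events plus restore completed. The account ID, region and notification IDs in the sample are constructed.

```python
import re

# Queue naming convention from step 7 above, embedded in the SQS ARN S3 stores.
QUEUE_ARN_RE = re.compile(
    r"^arn:aws:sqs:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"mvisioncloud-s3-event-staging-(?P<acct2>\d{12})-(?P<region2>[a-z0-9-]+)$")

# "All object create events" in the console is s3:ObjectCreated:* or these four.
CREATE_EVENTS = {"s3:ObjectCreated:Put", "s3:ObjectCreated:Post", "s3:ObjectCreated:Copy",
                 "s3:ObjectCreated:CompleteMultipartUpload"}
RESTORE_EVENT = "s3:ObjectRestore:Completed"   # the "Restore completed" checkbox

def check_notification(config: dict) -> list:
    """Return findings for a bucket's notification configuration (the dict shape
    returned by S3 GetBucketNotificationConfiguration); empty means correctly wired."""
    findings, events, matched = [], set(), False
    for qc in config.get("QueueConfigurations", []):
        m = QUEUE_ARN_RE.match(qc.get("QueueArn", ""))
        if not m:
            continue  # a different consumer's queue, not the NRT staging queue
        matched = True
        if m["account"] != m["acct2"] or m["region"] != m["region2"]:
            findings.append(f"queue name disagrees with its ARN: {qc['QueueArn']}")
        if qc.get("Filter"):
            findings.append("prefix/suffix filter limits which objects get scanned")
        events.update(qc.get("Events", []))
    if not matched:
        return ["no notification targets a mvisioncloud-s3-event-staging queue"]
    if "s3:ObjectCreated:*" not in events and not CREATE_EVENTS <= events:
        findings.append("missing 'All object create events' (s3:ObjectCreated:*)")
    if RESTORE_EVENT not in events:
        findings.append(f"missing 'Restore completed' ({RESTORE_EVENT})")
    return findings

# Constructed sample (account ID and region are made up for illustration).
GOOD = {"QueueConfigurations": [{
    "Id": "nrt-dlp-scan",
    "Events": ["s3:ObjectCreated:*", "s3:ObjectRestore:Completed"],
    "QueueArn": "arn:aws:sqs:us-east-1:123456789012:"
                "mvisioncloud-s3-event-staging-123456789012-us-east-1"}]}
```

A bucket whose notification selects only some create events, or only a prefix, still scans but not for every file; the findings list makes that gap visible before relying on the incident feed.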

Configure DLP and Malware Policies for NRT

  1. Go to Skyhigh CASB and choose Policy > DLP Policies.
  2. Create a new DLP policy or edit an existing one, and choose Amazon S3 under Services. For complete details, see Create or Edit a Sanctioned DLP Policy.
  3. Review your policy and Save.
  4. To create a new malware policy or edit an existing one, choose Policy > Malware Policies.
  5. Click Actions > Create a Malware Policy.
  6. For Services select Amazon S3.
  7. Complete the remaining steps, and then save your policy. For complete details, see Create a Malware Policy.
