rights reserved.

Agenda
→ Event-driven applications everywhere
→ How do we detect threats?
→ How do we respond to threats?
→ Serverless and automated approach for the action
→ What happens after object quarantine?
→ Why this architecture works
Event-driven applications everywhere
Millions of objects uploaded to Amazon S3… every single day.
photo.png   document.pdf   file.zip   notes.txt
Amazon S3: Secure by default
→ Automatically enabling S3 Block Public Access
→ Disabling S3 access control lists for all new S3 buckets
→ Encrypting new objects by default (SSE-S3)
How do we detect threats?
Amazon GuardDuty Malware Protection for Amazon S3
→ NO_THREATS_FOUND – No threat found.
→ THREATS_FOUND – Potential threat.
→ UNSUPPORTED – Cannot scan because of size.
→ ACCESS_DENIED – Check permissions.
→ FAILED – Could not scan the object.
What happens after object quarantine?
→ Send an alert via Amazon Simple Notification Service (Amazon SNS).
→ Write detailed data to Amazon DynamoDB.
→ Use AWS Systems Manager Incident Manager.
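The slides list the five scan result statuses and the post-quarantine steps (SNS alert, DynamoDB record) without showing the Lambda action that ties them together. The following is an added example, not code from the talk or from AWS: a Lambda handler that parses the EventBridge scan-result event, maps each status to an action, quarantines the object on THREATS_FOUND (copy to a quarantine bucket, then delete the original), and only then publishes the alert and writes the audit record. The event field names (s3ObjectDetails, scanResultDetails, scanResultStatus, threats) are assumed from the documented event format; the bucket, topic and table names are placeholders; the FakeClient and sample_event helpers are constructed so the logic can be run locally without AWS credentials. Note that UNSUPPORTED, ACCESS_DENIED and FAILED are deliberately not treated as clean: the object is held, not released.

```python
"""Quarantine action for GuardDuty Malware Protection for S3 scan results (added example)."""
import json
import os
from dataclasses import dataclass, field
from typing import Optional

# Placeholder names; set them through Lambda environment variables in a real deployment.
QUARANTINE_BUCKET = os.environ.get("QUARANTINE_BUCKET", "placeholder-quarantine-bucket")
ALERT_TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:placeholder-topic")
AUDIT_TABLE = os.environ.get("AUDIT_TABLE", "placeholder-quarantine-audit")

# Scan result statuses as listed on the slide.
THREATS_FOUND, NO_THREATS_FOUND = "THREATS_FOUND", "NO_THREATS_FOUND"
UNSUPPORTED, ACCESS_DENIED, FAILED = "UNSUPPORTED", "ACCESS_DENIED", "FAILED"


@dataclass
class ScanResult:
    bucket: str
    key: str
    status: str
    version_id: Optional[str] = None
    threats: list = field(default_factory=list)


def parse_scan_event(event: dict) -> ScanResult:
    """Pull the object reference and verdict out of the EventBridge event.
    Field names are assumed from the documented event format; verify against real events."""
    detail = event["detail"]
    obj = detail["s3ObjectDetails"]
    result = detail.get("scanResultDetails") or {}
    return ScanResult(
        bucket=obj["bucketName"],
        key=obj["objectKey"],
        version_id=obj.get("versionId"),
        status=result.get("scanResultStatus", FAILED),  # missing verdict is treated as a failure
        threats=[t.get("name", "unknown") for t in result.get("threats", [])],
    )


def decide_action(status: str) -> str:
    """Map a scan status to an action. Only an explicit clean verdict releases the object;
    everything else, including statuses this code does not know, is held (fail closed)."""
    return {
        THREATS_FOUND: "quarantine",
        NO_THREATS_FOUND: "release",
        UNSUPPORTED: "hold",    # too large to scan: do not assume it is clean
        ACCESS_DENIED: "hold",  # scanner lacked permission (IAM/KMS): fix and rescan
        FAILED: "hold",
    }.get(status, "hold")


def quarantine_object(s3, r: ScanResult) -> str:
    """Copy the object into the quarantine bucket, then delete the original.
    Copy-then-delete means a failed copy leaves the object where it was instead of losing it."""
    src = {"Bucket": r.bucket, "Key": r.key}
    if r.version_id:
        src["VersionId"] = r.version_id
    dst_key = f"{r.bucket}/{r.key}"  # keep the origin visible in the quarantine key
    s3.copy_object(Bucket=QUARANTINE_BUCKET, Key=dst_key, CopySource=src,
                   MetadataDirective="REPLACE",
                   Metadata={"source-bucket": r.bucket, "threats": ",".join(r.threats)})
    s3.delete_object(**src)
    return dst_key


def build_alert(r: ScanResult, quarantine_key: str) -> dict:
    """Record sent to SNS (as the message) and stored in DynamoDB (as the item)."""
    return {"pk": f"{r.bucket}/{r.key}", "status": r.status, "threats": r.threats,
            "quarantine_bucket": QUARANTINE_BUCKET, "quarantine_key": quarantine_key}


def handle_scan_result(event: dict, s3, sns, ddb) -> dict:
    """Core logic with injected clients so it runs against fakes locally."""
    r = parse_scan_event(event)
    action = decide_action(r.status)
    if action != "quarantine":
        return {"action": action, "bucket": r.bucket, "key": r.key, "status": r.status}
    alert = build_alert(r, quarantine_object(s3, r))
    sns.publish(TopicArn=ALERT_TOPIC_ARN, Subject="Malware quarantined", Message=json.dumps(alert))
    ddb.put_item(TableName=AUDIT_TABLE,
                 Item={k: {"S": v if isinstance(v, str) else json.dumps(v)} for k, v in alert.items()})
    return {"action": "quarantine", **alert}


def lambda_handler(event, context):
    import boto3  # imported here so the module loads without boto3 for local runs
    return handle_scan_result(event, boto3.client("s3"), boto3.client("sns"), boto3.client("dynamodb"))


class FakeClient:
    """Records calls instead of talking to AWS (constructed stand-in for local runs)."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        return lambda **kw: self.calls.append((name, kw))


def sample_event(status: str, threats=()) -> dict:
    """Constructed EventBridge event in the shape parse_scan_event expects."""
    return {"source": "aws.guardduty",
            "detail-type": "GuardDuty Malware Protection Object Scan Result",
            "detail": {"scanStatus": "COMPLETED",
                       "s3ObjectDetails": {"bucketName": "uploads-bucket", "objectKey": "file.zip",
                                           "versionId": "v1"},
                       "scanResultDetails": {"scanResultStatus": status,
                                             "threats": [{"name": t} for t in threats]}}}


if __name__ == "__main__":
    s3, sns, ddb = FakeClient(), FakeClient(), FakeClient()
    print(handle_scan_result(sample_event(THREATS_FOUND, ["EICAR-Test-File"]), s3, sns, ddb))
    print([c[0] for c in s3.calls + sns.calls + ddb.calls])
```

The Lambda role for this needs s3:GetObject and s3:DeleteObject (plus s3:GetObjectVersion/DeleteObjectVersion on versioned buckets) on the source bucket, s3:PutObject on the quarantine bucket, sns:Publish on the topic and dynamodb:PutItem on the table; keep the quarantine bucket locked down with its own bucket policy so nothing downstream reads from it.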