re:Inforce 2025 - Serverless Threat Response for Amazon S3 Malware Detection

Transcript

1. © 2025, Amazon Web Services, Inc. or its affiliates. All

   rights reserved.

2. © 2025, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. © 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved. Serverless Threat Response for Amazon S3 Malware Detection Sena Yakut C O M 2 2 2 (she/her) Cloud Security Architect CyberWhiz

3. © 2025, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Agenda → Event-driven applications everywhere → How do we detect threats? → How do we response threats? → Serverless and automated approach for the action → What happens after object quarantine? → Why this architecture works?

4. © 2025, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Event-driven applications everywhere Millions of objects uploaded to Amazon S3… every single day. photo.png document.pdf file.zip notes.txt

5. © 2025, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Event-driven applications everywhere What if just one of those files… is malicious? photo.png document.pdf file.zip notes.txt

6. © 2025, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Amazon S3: Secure by default → Automatically enabling S3 Block Public Access → Disabling S3 access control lists for all new S3 buckets → Encryption new objects by default (SSE-S3)

7. © 2025, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. How do we detect these threats?

8. © 2025, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. How do we detect threats? Amazon GuardDuty Malware Protection for Amazon S3

9. © 2025, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. How do we detect threats? Amazon GuardDuty Malware Protection for Amazon S3 → NO_THREATS_FOUND – No threat found. → THREATS_FOUND – Potential threat. → UNSUPPORTED – Cannot scan because of size. → ACCESS_DENIED – Check permissions. → FAILED – Could not scan the object.

10. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. How do we response threats? example-bucket Detect Take Action quarantine-bucket Investigate

11. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Serverless and automated approach for the action Amazon GuardDuty protected bucket Amazon EventBridge Rule AWS Step Functions

12. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Serverless and automated approach for the action →Automated →Scalable →Silent

13. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. What happens after object quarantine? → Send an alert via Amazon SNS. → Write detailed data to Amazon DynamoDB. → Use AWS Systems Manager Incident Manager. AWS Systems Manager Amazon DynamoDB Amazon Simple Notification Service (Amazon SNS)

14. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Why this architecture works? Serverless Invisible Event-driven Scalable Extendable

15. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Detection is good. Automated response is better. Invisible, serverless protection? That’s how you win.

16. © 2025, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Thank you! Thank you! Please complete the session survey in the mobile app Sena Yakut @sena_yakutt linkedin.com/in/sena-yakut