re:Inforce 2025 - Serverless Threat Response for Amazon S3 Malware Detection

Sena Yakut

June 21, 2025
Transcript

  1. Serverless Threat Response for Amazon S3 Malware Detection. Sena Yakut (she/her), Cloud Security Architect, CyberWhiz. Session COM222. © 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Agenda
     → Event-driven applications everywhere
     → How do we detect threats?
     → How do we respond to threats?
     → Serverless and automated approach for the action
     → What happens after object quarantine?
     → Why does this architecture work?
  3. Event-driven applications everywhere. Millions of objects are uploaded to Amazon S3… every single day. (Examples pictured: photo.png, document.pdf, file.zip, notes.txt.)
  4. Event-driven applications everywhere. What if just one of those files… is malicious? (photo.png, document.pdf, file.zip, notes.txt)
  5. Amazon S3: Secure by default
     → Automatically enabling S3 Block Public Access
     → Disabling S3 access control lists for all new S3 buckets
     → Encrypting new objects by default (SSE-S3)
  6. How do we detect these threats?
  7. How do we detect threats? Amazon GuardDuty Malware Protection for Amazon S3.
  8. How do we detect threats? Amazon GuardDuty Malware Protection for Amazon S3 scan result statuses:
     → NO_THREATS_FOUND – No threat found.
     → THREATS_FOUND – Potential threat.
     → UNSUPPORTED – Cannot scan because of size.
     → ACCESS_DENIED – Check permissions.
     → FAILED – Could not scan the object.
  9. How do we respond to threats? (Diagram labels, in order: example-bucket, Detect, Take Action, quarantine-bucket, Investigate.)
  10. Serverless and automated approach for the action. (Diagram: Amazon GuardDuty, protected bucket, Amazon EventBridge rule, AWS Step Functions.)
  11. Serverless and automated approach for the action
      → Automated
      → Scalable
      → Silent
  12. What happens after object quarantine?
      → Send an alert via Amazon SNS.
      → Write detailed data to Amazon DynamoDB.
      → Use AWS Systems Manager Incident Manager.
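As an added example (not code from the talk, nor from AWS), here is the decision logic of the "Take Action" step from slides 8 to 12: it maps each scan result status to a response, quarantines a THREATS_FOUND object by copying it to the quarantine bucket and then deleting the original, and returns a record that could be written to DynamoDB or sent via SNS. The event field names follow the GuardDuty Malware Protection object scan result event as I understand it and are an assumption to check against the current schema; the FakeS3 client and the sample event are constructed so the example runs offline.

```python
SCAN_RESULT_EVENT = "GuardDuty Malware Protection Object Scan Result"

# The scan result statuses from slide 8, mapped to the response each one should trigger.
# Anything that is not an explicit NO_THREATS_FOUND is treated as not proven clean.
ACTIONS = {
    "NO_THREATS_FOUND": "none",
    "THREATS_FOUND": "quarantine",
    "UNSUPPORTED": "review",    # too large to scan, so nobody has vouched for it
    "ACCESS_DENIED": "review",  # scanner lacked permissions, fix the policy and rescan
    "FAILED": "review",
}

def respond(event, s3, quarantine_bucket):
    """Act on one scan-result event and return an incident record for DynamoDB/SNS."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != SCAN_RESULT_EVENT:
        raise ValueError("not a GuardDuty S3 scan result event")
    detail = event["detail"]
    obj = detail["s3ObjectDetails"]  # field names assumed from the GuardDuty event schema
    result = detail.get("scanResultDetails") or {}
    status = result.get("scanResultStatus", "FAILED")
    action = ACTIONS.get(status, "review")  # an unknown status is never treated as clean
    record = {
        "bucket": obj["bucketName"], "key": obj["objectKey"], "status": status,
        "threats": [t["name"] for t in result.get("threats", [])], "action": action,
    }
    if action == "quarantine":
        source = {"Bucket": obj["bucketName"], "Key": obj["objectKey"]}
        if obj.get("versionId"):
            source["VersionId"] = obj["versionId"]  # pin the exact version that was scanned
        dest_key = f"{obj['bucketName']}/{obj['objectKey']}"
        # Copy first so the evidence survives for investigation, then remove the original.
        s3.copy_object(Bucket=quarantine_bucket, Key=dest_key, CopySource=source)
        s3.delete_object(Bucket=obj["bucketName"], Key=obj["objectKey"])
        record["quarantined_to"] = f"s3://{quarantine_bucket}/{dest_key}"
    return record

class FakeS3:
    """Stand-in for a boto3 S3 client so this runs offline; records the calls it receives."""
    def __init__(self):
        self.calls = []
    def copy_object(self, **kw): self.calls.append(("copy_object", kw))
    def delete_object(self, **kw): self.calls.append(("delete_object", kw))

def sample_event(status, threats=()):
    """Constructed scan-result event carrying only the fields respond() reads."""
    return {"source": "aws.guardduty", "detail-type": SCAN_RESULT_EVENT,
            "detail": {"s3ObjectDetails": {"bucketName": "example-bucket", "objectKey": "file.zip",
                                           "versionId": "v1", "s3Throttled": False},
                       "scanResultDetails": {"scanResultStatus": status,
                                             "threats": [{"name": n} for n in threats]}}}
```

Wired to a real boto3 client, `respond()` is the body of the Step Functions task; the returned record is what the SNS alert and the DynamoDB item on slide 12 are built from.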
  13. Why does this architecture work? Serverless, invisible, event-driven, scalable, extendable.
  14. Detection is good. Automated response is better. Invisible, serverless protection? That’s how you win.
  15. Thank you! Please complete the session survey in the mobile app. Sena Yakut, @sena_yakutt, linkedin.com/in/sena-yakut