Serverless Storage Protection
Serverless Storage Protection protects assets stored in the AWS Simple Storage Service (S3).
Serverless Storage Protection detects malware in all file types, including executables, media, documents, and more. The following detection technologies are included:
- Machine Learning models to detect known and unknown threats.
- VDL (Virus Definition Language) to detect specific malware samples and malware families, including viruses, trojans, spyware, and more.
After you configure Serverless Storage Protection, files stored inside a protected S3 bucket are scanned for malware. File contents don't leave your cloud environments. We support file sizes up to 2.5 TB.
Restriction
Password-protected and encrypted files can't be scanned.
Files larger than 19 GB are scanned, but they incur a higher Amazon Elastic File System (EFS) service cost.
Click Serverless Storage to go to Storage Protection. You can see the following details:
- The status of your S3 buckets.
- The number of files your license allows you to protect.
- A report on the number of files scanned during the last 90 days.
You can add or remove S3 buckets from environments. You can also add or delete environments.
Add your AWS S3 buckets
To add your S3 buckets to Sophos Cloud Optix, do as follows.
- In Sophos Cloud Optix, go to Serverless Storage.
- In the Protect Serverless Storage - AWS dashboard, click Configure.
- In Settings, select the AWS environment you want to protect.
- Select the AWS region.
- Turn on Scan existing files to scan files already in the S3 bucket.
  If you don't turn this on, only subsequent changes are scanned, for example adding or changing a file.
- Select the buckets you want to protect.
- Click Save.
  An AWS CloudFormation script is generated for you.
- Click Copy to copy the script.
- Go to your AWS console and run the script in AWS CloudShell or AWS CLI.
Note
The role executing the script needs to have the following minimum permissions policy for the installation to be successful:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction", "lambda:TagResource", "ec2:AuthorizeSecurityGroupIngress", "elasticfilesystem:DeleteAccessPoint", "cloudwatch:DeleteAlarms", "ec2:AttachInternetGateway",
        "iam:PutRolePolicy", "ec2:DeleteRouteTable", "ec2:CreateRoute", "ec2:CreateInternetGateway", "cloudformation:UpdateStack", "events:RemoveTargets",
        "lambda:DeleteFunction", "ec2:DeleteInternetGateway", "iam:GetRole", "events:DescribeRule", "ec2:CreateTags", "iam:DeleteRole",
        "ecs:DeleteCluster", "application-autoscaling:DeleteScalingPolicy", "ec2:DisassociateRouteTable", "lambda:GetFunctionCodeSigningConfig", "cloudformation:DeleteStack", "application-autoscaling:DescribeScalingPolicies",
        "cloudwatch:DescribeAlarms", "ec2:CreateSubnet", "ec2:DescribeSubnets", "iam:GetRolePolicy", "elasticfilesystem:DeleteFileSystem", "ec2:DeleteNetworkAclEntry",
        "elasticfilesystem:CreateFileSystem", "iam:TagRole", "events:PutRule", "ec2:CreateVpc", "lambda:UntagResource", "ec2:ModifySubnetAttribute",
        "ecs:DeregisterTaskDefinition", "iam:PassRole", "s3:PutBucketTagging", "ec2:DescribeAvailabilityZones", "iam:DeleteRolePolicy", "elasticfilesystem:DeleteMountTarget",
        "s3:DeleteBucket", "elasticfilesystem:CreateAccessPoint", "ec2:DeleteNetworkAcl", "sqs:SetQueueAttributes", "ec2:DescribeSecurityGroups", "events:DeleteRule",
        "ec2:DescribeVpcs", "elasticfilesystem:DescribeBackupPolicy", "ec2:DeleteSubnet", "iam:CreateRole", "s3:CreateBucket", "iam:AttachRolePolicy",
        "ec2:AssociateRouteTable", "ec2:DescribeInternetGateways", "iam:DetachRolePolicy", "ecs:RegisterTaskDefinition", "ec2:DescribeAccountAttributes", "ec2:DescribeNetworkAcls",
        "ec2:DescribeRouteTables", "sqs:GetQueueUrl", "application-autoscaling:RegisterScalableTarget", "lambda:InvokeFunction", "ecs:CreateCluster", "ec2:CreateRouteTable",
        "ecs:DeleteService", "sqs:GetQueueAttributes", "ec2:DetachInternetGateway", "logs:TagResource", "logs:CreateLogGroup", "cloudformation:DescribeStacks",
        "ecs:DescribeClusters", "elasticfilesystem:CreateMountTarget", "sqs:DeleteQueue", "application-autoscaling:PutScalingPolicy", "ec2:DeleteVpc", "ecs:CreateService",
        "ec2:DescribeNetworkInterfaces", "elasticfilesystem:DescribeLifecycleConfiguration", "ec2:CreateSecurityGroup", "lambda:GetRuntimeManagementConfig", "ec2:CreateNetworkAcl", "elasticfilesystem:DescribeFileSystemPolicy",
        "ecs:DescribeServices", "ec2:ModifyVpcAttribute", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "sqs:ListQueues", "logs:DeleteLogGroup",
        "application-autoscaling:DescribeScalableTargets", "lambda:GetFunction", "ec2:DeleteRoute", "logs:UntagResource", "elasticfilesystem:DescribeAccessPoints", "cloudwatch:PutMetricAlarm",
        "events:PutTargets", "sqs:ListDeadLetterSourceQueues", "cloudformation:CreateStack", "ec2:DeleteSecurityGroup", "sqs:CreateQueue", "sqs:PurgeQueue",
        "sqs:GetQueueAttributes", "logs:PutRetentionPolicy", "ec2:CreateNetworkAclEntry", "application-autoscaling:DeregisterScalableTarget", "events:ListRules", "events:ListTargetsByRule",
        "events:TagResource", "secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:GetRandomPassword", "secretsmanager:TagResource"
      ],
      "Resource": "*"
    }
  ]
}
```
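A pre-flight check you can run before executing the CloudFormation script, to confirm that the role you intend to use grants every action in the policy above (an explicit Deny on any of them, for example from a permission boundary or SCP-style guardrail copied into the role, also blocks the install). This is an added example, not Sophos code: REQUIRED_ACTIONS is a constructed subset of the page's Action list, and CANDIDATE_POLICY is a constructed policy document in the shape returned by `aws iam get-role-policy`; paste your own values into both.

```python
import fnmatch
import json

# Constructed subset of the page's minimum policy; paste the full Action list here.
REQUIRED_ACTIONS = [
    "lambda:CreateFunction", "iam:PassRole", "ec2:CreateVpc",
    "elasticfilesystem:CreateFileSystem", "secretsmanager:GetSecretValue",
    "cloudformation:CreateStack", "s3:CreateBucket",
]

# Constructed candidate policy, as the PolicyDocument of `aws iam get-role-policy`:
# wildcard service grants plus an explicit Deny on Secrets Manager.
CANDIDATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["lambda:*", "ec2:Create*", "iam:PassRole", "cloudformation:*"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["elasticfilesystem:CreateFileSystem", "s3:CreateBucket"]},
    {"Effect": "Deny", "Resource": "*", "Action": "secretsmanager:*"}
  ]
}""")


def _matches(pattern: str, action: str) -> bool:
    # IAM compares action names case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _actions(stmt: dict) -> list:
    # "Action" may be a single string or a list; NotAction is not handled here.
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def missing_actions(policy: dict, required: list) -> dict:
    """Map each required action the policy does not grant to the reason.
    Resource and Condition are ignored because the page's policy uses "*"."""
    result = {}
    for action in required:
        verdicts = {s["Effect"] for s in policy["Statement"]
                    if any(_matches(p, action) for p in _actions(s))}
        if "Deny" in verdicts:
            result[action] = "explicit Deny"      # Deny always wins in IAM
        elif "Allow" not in verdicts:
            result[action] = "no Allow"
    return result


if __name__ == "__main__":
    for act, why in missing_actions(CANDIDATE_POLICY, REQUIRED_ACTIONS).items():
        print(f"missing {act}: {why}")
```

The check only evaluates the one policy document you pass it; managed policies, permission boundaries and SCPs attached to the role must be checked separately or combined into the input.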
After you start the script, you can go to Sophos Cloud Optix to monitor progress.
Your environment appears with Incomplete in the Setup Status field. You can click Setup Status for more details.
When the script finishes, Setup Status changes to Complete.
Your environment and buckets appear in the list.
You can click the trashcan icon to remove environments, or click the edit icon to add or remove S3 buckets.
Detections and remediation
If we find threats in your S3 buckets, they're listed with the environment name and S3 bucket they're in.
The S3 bucket name and infected file information are in Affected Resource.
You can set up automatic threat remediation for Serverless Storage Protection. This automatically deletes detected malware files or moves them to a quarantine bucket. You do this with the Sophos Cloud Optix Webhooks integration. See Automatic remediation.
If you want to delete a suspect file manually, you must delete it from the S3 bucket in AWS.
If you delete a versioned file, a delete marker is created, but the file is only removed from the S3 bucket when you permanently delete it. A versioned file is a file in an S3 bucket that has versioning enabled.
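The versioning point above is easy to get wrong during manual remediation: deleting the key without a VersionId only hides the infected object behind a delete marker, and the malware bytes remain in the bucket. The following added example (not Sophos code) classifies a key's state from a constructed `list_object_versions` response and builds the `delete_objects` request that removes every version and delete marker of that key; BUCKET in the comments is a placeholder.

```python
import json

# Constructed sample shaped like boto3 list_object_versions(Bucket=..., Prefix=key).
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "uploads/invoice.pdf", "VersionId": "v2", "IsLatest": False},
        {"Key": "uploads/invoice.pdf", "VersionId": "v1", "IsLatest": False},
        {"Key": "uploads/invoice.pdf.bak", "VersionId": "b1", "IsLatest": True},
    ],
    "DeleteMarkers": [
        {"Key": "uploads/invoice.pdf", "VersionId": "dm1", "IsLatest": True},
    ],
}


def _entries(listing: dict, key: str, group: str) -> list:
    # A Prefix listing also returns sibling keys, so filter on the exact key.
    return [e for e in listing.get(group, []) if e["Key"] == key]


def deletion_state(listing: dict, key: str) -> str:
    """'absent'  no data versions remain (permanently deleted)
       'hidden'  a delete marker is current but older versions still hold the data
       'present' a data version is the current object"""
    versions = _entries(listing, key, "Versions")
    markers = _entries(listing, key, "DeleteMarkers")
    if not versions:
        return "absent"
    return "hidden" if any(m["IsLatest"] for m in markers) else "present"


def permanent_delete_request(listing: dict, key: str) -> dict:
    """Delete= argument for s3.delete_objects(): every version and delete marker
    of `key` and nothing else. Only deletes by VersionId remove the data."""
    objects = [{"Key": key, "VersionId": e["VersionId"]}
               for group in ("Versions", "DeleteMarkers")
               for e in _entries(listing, key, group)]
    return {"Objects": objects, "Quiet": True}


if __name__ == "__main__":
    key = "uploads/invoice.pdf"
    print(deletion_state(SAMPLE_LISTING, key))   # hidden: data still in the bucket
    print(json.dumps(permanent_delete_request(SAMPLE_LISTING, key)))
    # With boto3 against a real bucket (not run here; paginate large listings):
    # s3 = boto3.client("s3")
    # page = s3.list_object_versions(Bucket=BUCKET, Prefix=key)
    # s3.delete_objects(Bucket=BUCKET, Delete=permanent_delete_request(page, key))
```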
If you fix a threat, we still show it in the list, with a green check mark in Remediated. We remove all data, including remediated threats, from the list after 90 days. The only data we keep is for detections that still need remediation.
View files scanned this month
In Storage Protection, click Files Scanned this Month to see the summary of the files scanned in the protected S3 buckets during the current month.
Sophos Cloud Optix includes a graph that shows the number of scanned files, remediated files, and files containing malware for the following periods: Today, 1 Day Ago, 2 Days Ago, 1 Week Ago, 2 Weeks Ago, and 1 Month Ago.
Calculate cloud asset usage
Serverless Storage Protection consumes one Optix cloud asset for every 500 files scanned during a calendar month. For information on what an Optix cloud asset is, see Cloud assets.
To estimate the number of files added or changed per calendar month in the S3 buckets you protect, you can follow these steps:
- Add the S3 buckets to the configuration of buckets to protect. See Add your AWS S3 buckets.
- After a week, check the Serverless Storage Scanner Usage Details graph to see the number of added or changed files. See View files scanned this month.
- Use the number of files scanned to calculate the expected files added or changed per calendar month.
- Allocate one cloud asset for every 500 files to be added or changed during a calendar month.
For example, if approximately 10,000 files are expected to be added or changed monthly, you must allocate 10,000 / 500 = 20 Optix cloud assets.
For more information about cloud asset usage, see Cloud Asset Usage.
New customers can use a free trial license to do this. To learn more about the license options and other details, see Licensing.