How to scan and encrypt objects in S3 buckets
Product Manager, File Storage Security

With the accelerated shift to the cloud, companies are tasked with securing troves of data to maintain compliance, protect their reputation, and meet business needs. It is up to developers to build the necessary cloud applications that can process and store various file types and sizes.

Since many applications integrate AWS S3 into their architectures for file record requirements, organizations are concerned that the files uploaded could contain malicious content and disrupt downstream workflows and business processes throughout the organization.

Part of ensuring these applications properly secure data, and of reducing the risk of it being stolen, is making sure that objects in Amazon Simple Storage Service (Amazon S3) buckets are encrypted. That way, even if a cybercriminal collects the data, they won’t be able to do anything malicious with it. Think of it like someone stealing a locked safe without taking the key that is specifically meant to unlock it. Yes, it sucks that the safe was stolen, but without the key needed to unlock the safe, at least they can’t access any of the high-value information.

So, how can you go about integrating proper file storage security into your applications to meet business needs? Trend Micro Cloud One™ – File Storage Security now supports Server-Side Encryption (SSE) with the Amazon Web Services (AWS) Key Management Service (KMS). This allows you to use all the benefits of File Storage Security malware detection, with AWS-managed keys for safe encryption of your Amazon S3 objects.

9 Ways AWS S3 File Storage Security Helps DevOps Teams
You know you need security not only to improve the quality of your applications but also to make your entire organization happy. With File Storage Security, you can appease everyone, from CISOs to SecOps to Cloud Engineers, while building with maximum confidence. That’s the dream, right?

Here’s a breakdown of features that will make your life easier: 
 

  • Simple deployment as an AWS CloudFormation template 
  • Includes AWS Lambda functions as part of its event-driven architecture 
  • Seamless integration into your cloud-native infrastructure 
  • Customization of the service that fits into your CI/CD pipeline 
  • Customizable post-scan actions to alert upstream or downstream users across your workflows
  • Automated scanning and remediation of malicious files at source in near real time  
  • Keeps your files and data within your AWS account for optimum compliance
  • Ability to quarantine risky files within another location in the account that is away from your application 
  • Part of the Trend Micro Cloud One™ platform. See why platform security solutions are ideal for developers  

How File Storage Security Works with S3 Buckets
In this demo, we will be using the free trial of Trend Micro Cloud One – File Storage Security. File Storage Security helps ensure your Amazon® Simple Storage Service (Amazon S3) buckets are free from malware by deploying cloud-native security that can be integrated into your custom Amazon S3 workflows.

Once you’ve created your free trial account, you’ll see the Trend Micro Cloud One™ dashboard with several solutions. File Storage Security is one of seven solutions that make up Trend Micro Cloud One, a SaaS-based security services platform that simplifies your security strategy with enhanced cloud security across your entire infrastructure.


To enable SSE encryption, follow these steps: 

  1. Go to your File Storage Security console and select Deploy.  
  2. Select Scanner Stack and Storage Stack to deploy the all-in-one stack.
  3. In the Deploy Scanner Stack and Storage Stack dialog, make sure you’re signed in to your AWS account and select the region that matches the region of your Amazon Simple Storage Service (Amazon S3) bucket (double check it is supported by File Storage Security here). You can select Review Stack to view the stack before launching it. Once you’re ready, select Launch Stack.
  4. Now you’re in the AWS Quick create stack page. Fill it out like this:
    1. Stack name
    2. S3BucketToScan
    3. KMSKeyARNForBucketSSE: enter the ARN of the KMS master key used to encrypt the Amazon S3 bucket objects
    4. There are some other optional boxes, but the above is most important. Leave everything else as is, and then click Create stack.
  5. Wait while the stacks are installed. This could take several minutes, but you’ll be notified by three CREATE_COMPLETE messages when installation is complete for the File Storage Security stacks.  
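
Before filling in step 4, it helps to confirm which key the bucket actually uses. The following is an added example, not code from Trend Micro or from the original post: a pre-flight check that reads a bucket's default-encryption configuration and returns the ARN to enter in KMSKeyARNForBucketSSE. The function name `kms_arn_for_stack` and the sample response are constructed for illustration; the region comparison follows step 3's requirement that the stack region match the bucket region, which is also where an SSE-KMS key for that bucket resides.

```python
import re

# Full KMS key ARN: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
KMS_KEY_ARN = re.compile(r"^arn:aws[a-z-]*:kms:([a-z0-9-]+):\d{12}:key/[0-9A-Za-z-]+$")

def kms_arn_for_stack(encryption_response, stack_region):
    """Return (arn, note). arn is the value to paste into KMSKeyARNForBucketSSE,
    or None when the bucket configuration does not yield a usable one."""
    config = encryption_response.get("ServerSideEncryptionConfiguration", {})
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        key_id = default.get("KMSMasterKeyID")
        if algorithm == "AES256":
            return None, "bucket uses SSE-S3 (AES256), not a KMS key"
        if algorithm in ("aws:kms", "aws:kms:dsse"):
            if not key_id:
                return None, "SSE-KMS without a key ID in the bucket configuration"
            match = KMS_KEY_ARN.match(key_id)
            if not match:
                return None, "key given as a bare ID or alias, not a full key ARN"
            if match.group(1) != stack_region:
                return None, f"key region {match.group(1)} differs from stack region {stack_region}"
            return key_id, "ok"
    return None, "no default encryption rule on the bucket"

# Constructed sample in the shape returned by
# `aws s3api get-bucket-encryption --bucket <name>`; account and key IDs are made up.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_RESPONSE = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": SAMPLE_KEY_ARN,
            },
            "BucketKeyEnabled": True,
        }]
    }
}

if __name__ == "__main__":
    print(kms_arn_for_stack(SAMPLE_RESPONSE, "us-east-1"))
    print(kms_arn_for_stack(SAMPLE_RESPONSE, "eu-west-1"))
```
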

Now you’re well on your way to improved data storage security via SSE-KMS encryption and File Storage Security. See how to go all the way and generate your own scan here.  
