AWS adds anti-malware and PII visibility to storage
New tools unveiled by AWS at re:Inforce 2022 add new anti-malware capabilities to AWS block storage and a way to find personally identifiable information with S3 object storage.
BOSTON -- AWS released new tools to give security analysts and storage administrators greater visibility into object storage and to reinforce block storage against malware during the hyperscaler's security-focused re:Inforce 2022 conference this week.
These capabilities for existing tools include the Malware Detection for Amazon Elastic Block Storage (EBS) Volumes service for Amazon GuardDuty, and a new capability within Amazon Macie to validate sensitive data in Amazon S3 object storage. Macie, a service added to AWS in 2018, assists users in locating and protecting sensitive data in object storage.
Neither addition is a substitute for a proper ransomware security posture, but they can harden enterprise data against attacks, said Krista Macomber, a senior analyst at Evaluator Group. This is especially important as the cloud giant has begun selling its own disaster recovery services and tools.
"Hardening is a good way to put it," Macomber said. "It seems like a step forward for AWS to respond to the ransomware threat."
AWS released its own disaster recovery service, AWS Elastic Disaster Recovery, in December.
These new additions combined with disaster recovery, alongside a renewed focus on cheaper storage costs for backups and long-term storage services, are a value-add for potential customers, Macomber said. Hyperscaler backup services still have a long path of maturity ahead, however, before they're likely to be adopted by more customers.
"For hyperscalers the backup opportunity is complimentary," she said. "But there's a long tail for data protection among our [clients]. We've seen administrators build careers around certain data protection solutions; that adds to the stickiness."
Detection tools for GuardDuty
Amazon GuardDuty's new Malware Detection for EBS Volumes monitors potential malware infections and attacks from EBS workloads within EC2 instances. This new capability is automatically triggered within GuardDuty when suspicious activity is detected, such as one EC2 instance attempting a denial-of-service attack against other EC2 instances.
The service adds basic malware detection services for EC2 instances, as well as container services such as Amazon Elastic Kubernetes Service. AWS spokespeople stressed through conference presentations following the announcement that the service wasn't a replacement for other malware protection services, however.
Specific drawbacks compared with traditional services include the inability to scan and detect files as they enter a user's architecture, a lack of system behavior tracking and no quarantining or remediation capabilities, said Sujay Oshi, senior product manager at AWS, and Scott Ward, principal solutions architect at AWS, during a conference presentation.
While the service can support EBS, S3 object storage support won't come anytime soon, according to Kurt Kufeld, vice president of AWS Platform. S3 storage has its own unique challenges, making scanning difficult -- especially for enterprises working with exabytes of object storage, he said during a media roundtable.
"There are challenges with looking at S3," Kufeld said. "Our largest customers have a lot of S3 storage. When you're looking for threats, you really can't. I'm not so certain that would be cost-effective for customers."
Malware Detection for EBS Volumes uses snapshots of EBS volumes smaller than 1 TB for malware scans. This capability doesn't require additional security software or monitoring agents that would affect performance, according to AWS.
Cost is currently determined by the number of gigabytes scanned, not the size of the EBS volumes, and by the EBS snapshots for as long as they are kept in the customer's account. All EBS snapshots created by GuardDuty are automatically deleted after they are scanned, unless snapshot retention is enabled.
Avoid parading sensitive info
Security administrators reviewing Amazon S3 object storage for sensitive information with Amazon Macie can now temporarily retrieve up to 10 specific examples of such data without manually locating the information within the data set, according to AWS.
The capability enables reviewing what data is contained within S3 object storage without manually extracting the individual items. Amazon Macie primarily looks through S3 storage that's publicly accessible, unencrypted or accessible outside a user's organization. Specific data sets sought by Macie include names, addresses or credit card numbers.
Amazon Macie's sensitive data discovery feature is free for the first 1 GB per account, per region, each month, with additional scanning charges thereafter.
Tools for identifying such information are useful in the event of a ransomware attack to quickly identify what information could have been compromised and help an enterprise understand the scope of potential security concerns and fallout, Macomber said.
"When you're hit by a ransomware attack, that's very useful in helping to prioritize the recovery operations," Macomber said. "The attacks are changing all the time, and it has really elevated information security to a [executive] board-level [conversation]."
Tim McCarthy is a journalist living in the North Shore of Massachusetts. He covers cloud and data storage news.