Serverless Storage protection

Serverless Storage protection protects assets stored in the AWS Simple Storage Service (S3).

Serverless Storage protection detects malware in all file types, including executables, media, documents, and more. The following detection technologies are included:

  • Machine Learning models to detect known and unknown threats.

  • VDL (Virus Definition Language) to detect specific malware samples and malware families, including viruses, trojans, spyware, and more.

After configuring Serverless Storage protection, files stored inside a protected S3 bucket are scanned for malware. File contents don't leave your cloud environments. We support file sizes up to 2.5 TB.

Restriction

Password-protected and encrypted files can't be scanned.

Files larger than 19 GB are scanned, but they incur a higher Amazon Elastic File System (EFS) service cost.

Click Serverless Protection to go to Storage Protection. You can see the following:

  • The status of your S3 buckets.
  • The number of files your license allows you to protect.
  • A report on the number of files scanned during the last 90 days.

You can add or remove S3 buckets from environments. You can also add or delete environments.

Add your AWS S3 buckets

To add your S3 buckets to Sophos Cloud Optix, do as follows.

  1. In Sophos Cloud Optix, go to Serverless Storage.
  2. In the Protect Serverless Storage - AWS dashboard, click Configure.
  3. In Settings, select the AWS environment you want to protect.
  4. Select the AWS region.
  5. Turn on Scan existing files to scan files already in the S3 bucket.

    If you don't turn this on, only files added or changed after setup are scanned.

  6. Select the buckets you want to protect.

  7. Click Save.

    An AWS CloudFormation script is generated for you.

  8. Click COPY to copy the script.

  9. Go to your AWS console and run the script in AWS CloudShell or with the AWS CLI.

    Note

    The role executing the script needs to have the following minimum permissions policy for the installation to be successful:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "lambda:CreateFunction",
                    "lambda:TagResource",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "elasticfilesystem:DeleteAccessPoint",
                    "cloudwatch:DeleteAlarms",
                    "ec2:AttachInternetGateway",
                    "iam:PutRolePolicy",
                    "ec2:DeleteRouteTable",
                    "ec2:CreateRoute",
                    "ec2:CreateInternetGateway",
                    "cloudformation:UpdateStack",
                    "events:RemoveTargets",
                    "lambda:DeleteFunction",
                    "ec2:DeleteInternetGateway",
                    "iam:GetRole",
                    "events:DescribeRule",
                    "ec2:CreateTags",
                    "iam:DeleteRole",
                    "ecs:DeleteCluster",
                    "application-autoscaling:DeleteScalingPolicy",
                    "ec2:DisassociateRouteTable",
                    "lambda:GetFunctionCodeSigningConfig",
                    "cloudformation:DeleteStack",
                    "application-autoscaling:DescribeScalingPolicies",
                    "cloudwatch:DescribeAlarms",
                    "ec2:CreateSubnet",
                    "ec2:DescribeSubnets",
                    "iam:GetRolePolicy",
                    "elasticfilesystem:DeleteFileSystem",
                    "ec2:DeleteNetworkAclEntry",
                    "elasticfilesystem:CreateFileSystem",
                    "iam:TagRole",
                    "events:PutRule",
                    "ec2:CreateVpc",
                    "lambda:UntagResource",
                    "ec2:ModifySubnetAttribute",
                    "ecs:DeregisterTaskDefinition",
                    "iam:PassRole",
                    "s3:PutBucketTagging",
                    "ec2:DescribeAvailabilityZones",
                    "iam:DeleteRolePolicy",
                    "elasticfilesystem:DeleteMountTarget",
                    "s3:DeleteBucket",
                    "elasticfilesystem:CreateAccessPoint",
                    "ec2:DeleteNetworkAcl",
                    "sqs:SetQueueAttributes",
                    "ec2:DescribeSecurityGroups",
                    "events:DeleteRule",
                    "ec2:DescribeVpcs",
                    "elasticfilesystem:DescribeBackupPolicy",
                    "ec2:DeleteSubnet",
                    "iam:CreateRole",
                    "s3:CreateBucket",
                    "iam:AttachRolePolicy",
                    "ec2:AssociateRouteTable",
                    "ec2:DescribeInternetGateways",
                    "iam:DetachRolePolicy",
                    "ecs:RegisterTaskDefinition",
                    "ec2:DescribeAccountAttributes",
                    "ec2:DescribeNetworkAcls",
                    "ec2:DescribeRouteTables",
                    "sqs:GetQueueUrl",
                    "application-autoscaling:RegisterScalableTarget",
                    "lambda:InvokeFunction",
                    "ecs:CreateCluster",
                    "ec2:CreateRouteTable",
                    "ecs:DeleteService",
                    "sqs:GetQueueAttributes",
                    "ec2:DetachInternetGateway",
                    "logs:TagResource",
                    "logs:CreateLogGroup",
                    "cloudformation:DescribeStacks",
                    "ecs:DescribeClusters",
                    "elasticfilesystem:CreateMountTarget",
                    "sqs:DeleteQueue",
                    "application-autoscaling:PutScalingPolicy",
                    "ec2:DeleteVpc",
                    "ecs:CreateService",
                    "ec2:DescribeNetworkInterfaces",
                    "elasticfilesystem:DescribeLifecycleConfiguration",
                    "ec2:CreateSecurityGroup",
                    "lambda:GetRuntimeManagementConfig",
                    "ec2:CreateNetworkAcl",
                    "elasticfilesystem:DescribeFileSystemPolicy",
                    "ecs:DescribeServices",
                    "ec2:ModifyVpcAttribute",
                    "elasticfilesystem:DescribeFileSystems",
                    "elasticfilesystem:DescribeMountTargets",
                    "sqs:ListQueues",
                    "logs:DeleteLogGroup",
                    "application-autoscaling:DescribeScalableTargets",
                    "lambda:GetFunction",
                    "ec2:DeleteRoute",
                    "logs:UntagResource",
                    "elasticfilesystem:DescribeAccessPoints",
                    "cloudwatch:PutMetricAlarm",
                    "events:PutTargets",
                    "sqs:ListDeadLetterSourceQueues",
                    "cloudformation:CreateStack",
                    "ec2:DeleteSecurityGroup",
                    "sqs:CreateQueue",
                    "sqs:PurgeQueue",
                    "logs:PutRetentionPolicy",
                    "ec2:CreateNetworkAclEntry",
                    "application-autoscaling:DeregisterScalableTarget",
                    "events:ListRules",
                    "events:ListTargetsByRule",
                    "events:TagResource",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:CreateSecret",
                    "secretsmanager:DeleteSecret",
                    "secretsmanager:GetRandomPassword",
                    "secretsmanager:TagResource"
                ],
                "Resource": "*"
            }
        ]
    }


    After you start the script, you can go to Sophos Cloud Optix to monitor progress.

    Your environment is shown with Incomplete in the Setup Status field. Click Setup Status for more details.

    When the script finishes, Setup Status changes to Complete.

Your environment and buckets appear in the list.
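Before running the generated script, it's worth seeing what the installation role can do. This added example (not Sophos code) reviews a constructed excerpt of the minimum policy above in Python: it groups actions by service, lists the IAM actions that can create roles or attach policies to them, and flags Allow statements scoped to Resource "*".

```python
import json
from collections import defaultdict

# Constructed excerpt of the install-role policy shown in the setup step; the
# real policy lists many more actions, but these are the ones that drive the review.
INSTALL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": ["lambda:CreateFunction", "iam:CreateRole", "iam:PassRole",
               "iam:AttachRolePolicy", "iam:PutRolePolicy", "s3:CreateBucket",
               "s3:DeleteBucket", "ec2:CreateVpc", "cloudformation:CreateStack",
               "secretsmanager:GetSecretValue"],
    "Resource": "*"
  }]
}
""")

# IAM actions that let the installer create new roles or attach policies to them,
# i.e. mint privileges beyond what the installer itself was granted.
PRIVILEGE_GRANTING = {"iam:CreateRole", "iam:PassRole",
                      "iam:AttachRolePolicy", "iam:PutRolePolicy"}


def review_policy(policy):
    """Summarise a policy: actions per service, privilege-granting actions, unscoped Allows."""
    per_service = defaultdict(set)
    granting = set()
    unscoped = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Both Action and Resource may be a single string or a list.
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for action in actions:
            service, _, name = action.partition(":")
            per_service[service].add(name)
        granting.update(a for a in actions if a in PRIVILEGE_GRANTING)
        if "*" in resources:
            unscoped.append(stmt.get("Sid", "<no Sid>"))
    return {"services": {s: sorted(n) for s, n in sorted(per_service.items())},
            "privilege_granting": sorted(granting),
            "unscoped_statements": unscoped}


if __name__ == "__main__":
    print(json.dumps(review_policy(INSTALL_POLICY), indent=2))
```

Because the policy grants iam:CreateRole, iam:PassRole and iam:AttachRolePolicy on every resource, run the script from a dedicated installation role and remove or restrict that role once Setup Status shows Complete.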

You can click the trashcan icon to remove environments, or click the edit icon to add or remove S3 buckets.

Detections and remediation

If we find threats in your S3 buckets, they're listed with the environment name and S3 bucket they're in.

The S3 bucket name and infected file information are in Affected Resource.

You can set up automatic threat remediation for Serverless Storage protection. This automatically deletes detected malware files or moves them to a quarantine bucket. You do this with the Sophos Cloud Optix Webhooks integration. See Automatic remediation.

If you want to delete a suspect file manually, you must delete it from the S3 bucket in AWS.

A version file is a file in an S3 bucket that has versioning turned on. If you delete a version file, a delete marker is created, but the file is only removed from the S3 bucket when you permanently delete it.

If you fix a threat, we still show it in the list, with a green check mark in Remediated. We remove all data, including remediated threats, from the list after 90 days. The only data we keep is for detections that still need remediation.