sourav chakraborty for AWS Community Builders

๐Ÿ›ก๏ธ Zero Trust for File Uploads in S3: Protecting Amazon S3 with Trend Micro FSS

📥 Introduction

In today’s cloud-native world, Amazon S3 is a cornerstone for storing application uploads: images, documents, archives, and more. But with flexibility comes risk. Users might unknowingly (or intentionally) upload malicious files that can:

  • โŒ Compromise your backend systems
  • ๐Ÿ“ค Spread malware through shared downloads
  • ๐Ÿ“ฆ Bypass downstream processors

โš ๏ธ S3 doesn't scan uploaded files for malware.

Trend Micro File Storage Security (FSS) fills that gap: a real-time, serverless scanning solution that protects your S3 buckets from file-based threats.


🧨 The Problem: Vulnerable File Uploads

Let’s say you’re running a file-sharing or content review app. Malicious users could upload:

  • 📎 Ransomware-infected ZIPs
  • 📄 Trojan-embedded Word docs
  • 🧾 JavaScript exploits hidden in PDFs

Without inspection, these files could:

  • 🖥️ Be processed by backend Lambda or EC2 services
  • 🔗 Be shared with other users
  • 📉 Lead to data breaches or cloud compromise

๐Ÿ› ๏ธ The Solution: Trend Micro File Storage Security (FSS)

Trend Micro FSS is a serverless, event-driven scanning solution built for AWS. It integrates directly with Amazon S3 and uses Trend Micro's malware detection engine to scan files in real time. The solution classifies each scan outcome and takes a defined action:

🧪 Scan Result   | ✅ Action Taken
-----------------|------------------------------
✔️ Clean         | Move to ✅ Clean Bucket
🛑 Malicious     | Move to 🚫 Quarantine Bucket
❓ Scan Failed   | Move to ⚠️ Failure Bucket

Key Features at a Glance

⬇️ Decrease Threat Vectors with Malware Scanning: Block known harmful files using Trend Micro anti-malware signatures for viruses, Trojans, spyware, and more.

🤝 File Reputation: Cross-check files against threat intelligence to determine if they are known to be malicious.

✨ Variant Protection: Detect polymorphic or obfuscated malware using advanced pattern-matching and fragment analysis.

💪 Extensive Flexibility: Scan all file types, including .BIN, .EXE, .JPEG, .MP4, .PDF, .TXT, .ZIP, and more, with no size or type restriction.


📊 Architecture Overview

โš™๏ธ Setup Guide (Step-by-Step)
โœ… Step 1: Deploy FSS
Subscribe via AWS Marketplace

Deploy using the CloudFormation template

📂 Step 2: Prepare S3 Buckets
  • uploads-bucket: original file uploads
  • clean-bucket: for scanned, safe files
  • quarantine-bucket: for detected malware
  • failure-bucket: for scan failures

๐Ÿ” Step 3: Create S3 Event Trigger
json
Copy
Edit
{
"Event": "s3:ObjectCreated:*",
"LambdaFunctionArn": "arn:aws:lambda:your-function-arn"
}
🧠 Step 4: Lambda Pseudocode (Simplified)

```python
import boto3
from urllib.parse import unquote_plus

s3 = boto3.client("s3")

def move_to(destination_bucket, source_bucket, key):
    # S3 has no rename: copy the object to its destination, then delete the original.
    s3.copy_object(Bucket=destination_bucket, Key=key,
                   CopySource={"Bucket": source_bucket, "Key": key})
    s3.delete_object(Bucket=source_bucket, Key=key)

def lambda_handler(event, context):
    record = event["Records"][0]
    key = unquote_plus(record["s3"]["object"]["key"])  # keys are URL-encoded in S3 events
    bucket = record["s3"]["bucket"]["name"]

    scan_result = scan_with_trendmicro(bucket, key)  # placeholder for the FSS scan call

    if scan_result == "CLEAN":
        move_to("clean-bucket", bucket, key)
    elif scan_result == "MALICIOUS":
        move_to("quarantine-bucket", bucket, key)
    else:
        move_to("failure-bucket", bucket, key)
```

๐Ÿ” Step 5: IAM Role Permissions
Ensure Lambda has access to:

s3:GetObject, PutObject, DeleteObject

Trend Micro FSS API endpoint

Destination buckets

We can also get a report of scan acviity in Trendmicro console

🔔 Bonus Features
  • 📩 Send SNS/Slack alerts on malware detection
  • 🏷️ Tag files with scan_result=clean|malicious|failed
  • 🧩 Connect EventBridge → Security Hub for automatic SOAR response
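The routing from Step 4 and the scan_result tagging from the bonus list, worked through as an added example (my code, not the post's or Trend Micro's): the scan call and the S3 client are injected, so FakeS3, fake_scan and the three-record event are constructed stand-ins, and the real call would pass boto3.client("s3") and the FSS scan function instead. Beyond the simplified pseudocode it also handles batched records, URL-encoded keys and a scanner error, which is routed to the failure bucket rather than passed through as clean.

```python
from urllib.parse import unquote_plus

# Destination bucket (Step 2 names) and scan_result tag value for each verdict.
ROUTES = {"CLEAN": ("clean-bucket", "clean"), "MALICIOUS": ("quarantine-bucket", "malicious")}
FAILURE_ROUTE = ("failure-bucket", "failed")

def route(scan_result):
    """Fail closed: only an explicit CLEAN verdict reaches the clean bucket."""
    return ROUTES.get(scan_result, FAILURE_ROUTE)

def process_event(event, scan, s3):
    """Scan, move and tag every object in the notification (S3 can batch records).
    scan(bucket, key) stands in for the FSS call and s3 for boto3.client("s3")."""
    outcomes = []
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # keys are URL-encoded in events
        try:
            verdict = scan(bucket, key)
        except Exception:
            verdict = "FAILED"  # scanner error or timeout is never treated as clean
        dest, tag = route(verdict)
        # Copy into the destination with a fresh tag set, then delete the original upload.
        s3.copy_object(Bucket=dest, Key=key, CopySource={"Bucket": bucket, "Key": key},
                       TaggingDirective="REPLACE", Tagging=f"scan_result={tag}")
        s3.delete_object(Bucket=bucket, Key=key)
        outcomes.append((key, dest, tag))
    return outcomes

class FakeS3:  # constructed stand-in for boto3.client("s3"); records the calls it receives
    def __init__(self):
        self.calls = []
    def copy_object(self, **kwargs):
        self.calls.append(("copy", kwargs))
    def delete_object(self, **kwargs):
        self.calls.append(("delete", kwargs))

def fake_scan(bucket, key):
    """Constructed scanner: .zip is flagged, .bin times out, anything else is clean."""
    if key.endswith(".zip"):
        return "MALICIOUS"
    if key.endswith(".bin"):
        raise TimeoutError("scan timeout")
    return "CLEAN"

def _rec(key):  # one constructed s3:ObjectCreated record from uploads-bucket
    return {"s3": {"bucket": {"name": "uploads-bucket"}, "object": {"key": key}}}

SAMPLE_EVENT = {"Records": [_rec("docs/q1+report%2Bv2.pdf"), _rec("eicar.zip"), _rec("huge.bin")]}
```

Calling process_event(SAMPLE_EVENT, fake_scan, FakeS3()) routes the PDF to clean-bucket, the ZIP to quarantine-bucket and the timed-out scan to failure-bucket, each copy carrying the matching scan_result tag.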

🧠 Best Practices
  ✅ Block public access to all buckets
  ✅ Apply bucket encryption (SSE-S3 or KMS)
  ✅ Use lifecycle rules to auto-delete old files
  ✅ Limit file size and scan timeout thresholds

๐Ÿ Final Thoughts
Trend Micro File Storage Security provides a plug-and-play solution to scan every file that hits your S3 bucket. It isolates threats, supports automation, and requires minimal maintenance.

๐Ÿ›ก๏ธ Donโ€™t let your file uploads be a backdoor into your cloud.

📚 Resources
  🔗 Trend Micro File Storage Security Docs
  📝 AWS S3 Event Notifications
  🔐 IAM Best Practices

Top comments (1)

Jason Kao (AWS Community Builders)

Sourav, I like the idea of adding security by scanning files proactively when they're uploaded to S3.

AWS offers Malware Protection for S3 (GuardDuty service, but can be enabled independently of GuardDuty). What are your thoughts on the comparison of using AWS's native GuardDuty service to scan files or Trend Micro's FSS solution?