Elastio offers advanced ransomware protection for your Amazon S3 buckets, ensuring your data is secure and resilient against ransomware, malware, and other threats. This section provides guidance on creating protection policies, optimizing scans for large buckets, and ensuring compatibility with supported storage classes. By implementing these features, you can maintain the integrity and availability of your critical S3 data.
It is designed to be affordable and cost-effective, offering unlimited inspections per month. License fees are based on storage/GB protected rather than the number of inspections.
S3 Protection Options
- Ransomware Detection
- Malware Scanning
- Insider Threat Detection
S3 Scan Types
- Base plus Incremental Forever Scans
  Provides comprehensive ransomware protection for your Amazon S3 buckets using a base-plus-incremental forever scanning approach.
- Event-Based Incremental Forever Scan
  Optimized for protecting large Amazon S3 buckets by tracking S3 object modifications as they occur and scanning them.
Base plus Incremental Forever Scans
This architecture provides comprehensive protection for your Amazon S3 buckets using a base-plus-incremental forever scanning approach. This method ensures that all existing data is thoroughly scanned initially, followed by incremental scans focusing only on newly added or modified objects.
- Access Policies Menu
  Select “Policies” from the menu and press the “+New Policy” button.
- Define Policy Details
  Enter the Policy Name, select the frequency, Protection Window start time, and Time Zone. Then, choose whether to execute the policy immediately or pause it until a specified time. Click “Next.”
  - First Run Timing: The first run operates on Coordinated Universal Time (UTC) to accommodate global users. If "Activate now" is selected, the first scan will initiate at the next 15-minute UTC interval. For example, if you create a policy at 10:25 UTC and choose "Activate now," the first job will start at 10:30 UTC. Subsequent runs will follow your defined schedule.
- Select Protection Options
  - Choose “Live Scan” from the protection options.
    The “Always keep the last clean copy of the data” and “Always keep the latest infected copy of the data” options are NOT available for S3.
  - Select the protection type:
    - Ransomware Detection
    - Malware Scan
    - Recoverability Check (NOT available for S3)
    - Insider Threat Detection
- Choose Cloud Connectors
  Select the Cloud Connectors where the policy will operate. This ensures the policy scope is confined to specific AWS Accounts or Regions, avoiding unintended impacts.
- Select Assets to Protect
  - Choose S3.
  - Optional: Scan Objects Created After a Specific Time
    You can choose to scan only objects created after a specified time. This option is particularly useful for safeguarding recently created objects and optimizing the protection of large buckets by focusing on the most recent additions.
  - Select Buckets to Protect
    - By default, Elastio protects the entire bucket.
    - If you wish to scan specific objects, Elastio provides a variety of filtering options, such as prefixes, paths, or globs. After selecting the desired filters, click “Save.”
    Note: Since Elastio does not have direct access to your data, object selection depends entirely on the input values you provide. If no objects match these specified values, no protection will be applied.
- Assign Vaults
  In Step 5, select the vaults for the Cloud Connectors chosen in Step 3. If no separation of scan jobs is needed within a Cloud Connector, use the default settings. Click “Save” or “Save & Run.”
  - Save & Run: Elastio will initiate the first scans immediately, with subsequent scans following the schedule.
  - Save: The first scan will be scheduled according to the policy's configuration.
Event-Based Incremental Forever Scans
This scanning method focuses exclusively on new or updated objects, enabling Elastio to provide rapid, incremental ransomware scans without needing full-bucket scans. This approach is ideal for large S3 buckets with tens to hundreds of millions of objects.
The CloudFormation template described below enables the Changelog feature for S3 buckets, which significantly improves scan performance after the initial scan of the entire bucket is done. This template deploys an SQS queue and an EventBridge rule that sends S3 update events to the queue. The Elastio iscan job then reads those events to scan the new objects.
Deploying the CFN stack
- First, you need to enable Amazon EventBridge for your S3 buckets by following these instructions: Enabling Amazon EventBridge.
- Use one of the following quick-create links. Choose the region where your Elastio Cloud Connector is deployed.
  Important! You can change the stack name, but it MUST start with elastio-. Otherwise, Elastio won't be able to access the created resources.
- Fill in the main parameters:
  - BucketNames - comma-separated list of S3 bucket names;
  - ScanExistingObjects - set to true if you want to perform the initial scan of all objects in the bucket(s);
  - KeyPrefixes - (optional) comma-separated list of prefixes of objects to scan. This will be applied to all buckets. If you want to use different prefixes for different buckets, you need to deploy multiple S3 Changelog stacks. Also, note that the paths selector in the Protection Policy will also be used to filter objects before scanning. This means that the KeyPrefixes parameter must be in sync with the paths selector in the Protection Policy or not specified at all;
  - DisableEventCollection - if you decide to disable the protection policy for your S3 bucket, you can set this to true to stop accumulating S3 update events in the SQS queue.
    IMPORTANT: If you set this parameter to true, then no more objects will be scanned on this bucket. If you set it back to false, then any new objects after the parameter is set to false will be available to scan, but all changes made to the bucket during the time when this parameter was set to true will not be scanned, unless you manually initiate a full scan of the entire bucket.
- Check the boxes in front of "I acknowledge that AWS CloudFormation might create IAM resources with custom names" and "I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND" and click "Create stack".
- Create an S3 protection policy for your buckets in Elastio Tenant.
S3 Storage Classes
Supported S3 Storage Classes
Elastio currently supports the following S3 storage classes:
- S3 Standard
- S3 Intelligent-Tiering (Standard Objects)
Limitations:
Elastio does not support S3 archive classes, including:
- S3 Standard-Infrequent Access (S3 IA)
- S3 Intelligent-Tiering (non-standard tiers such as Archive and Deep Archive)
- S3 Glacier and S3 Glacier Deep Archive
ACLs
Automatic Detection of Access Control Lists (ACL) on Object:
Elastio scans automatically detect Access Control List (ACL) objects and skip them, ensuring efficient scanning by focusing only on relevant data.
For optimal compatibility, ensure that your S3 data is stored in supported classes. If your data is in an unsupported class, consider transitioning it to a supported class for Elastio's scanning and protection capabilities.
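The following added example (not Elastio's code) models the KeyPrefixes parameter, the policy paths selector and the supported storage classes described on this page, to show which objects in a listing would go unscanned and why. Plain prefix matching for both filters, treating any class not on the supported list as unscanned, the stack name and the sample listing are assumptions; field names follow the S3 ListObjectsV2 and HeadObject responses.

```python
# Added example: field names follow S3 ListObjectsV2 / HeadObject responses;
# prefix-matching semantics and the sample listing are assumptions.
SUPPORTED = {"STANDARD", "INTELLIGENT_TIERING"}
IT_ARCHIVE_TIERS = {"ARCHIVE_ACCESS", "DEEP_ARCHIVE_ACCESS"}  # HeadObject ArchiveStatus

def class_supported(obj):
    """True if the object's class is on the page's supported list."""
    cls = obj.get("StorageClass", "STANDARD")  # HeadObject omits it for STANDARD
    return cls in SUPPORTED and obj.get("ArchiveStatus") not in IT_ARCHIVE_TIERS

def matches(key, prefixes):
    """An empty prefix list means the whole bucket (the default)."""
    return not prefixes or any(key.startswith(p) for p in prefixes)

def coverage_report(stack_name, objects, key_prefixes, policy_paths):
    """Bucket each key by the reason it is, or is not, scanned."""
    report = {"stack_name_ok": stack_name.startswith("elastio-"), "scanned": [],
              "unsupported_class": [], "no_event": [],
              "filtered_by_policy": [], "out_of_scope": []}
    for obj in objects:
        key = obj["Key"]
        in_events = matches(key, key_prefixes)   # Changelog stack parameter
        in_policy = matches(key, policy_paths)   # Protection Policy selector
        if not in_events and not in_policy:
            report["out_of_scope"].append(key)
        elif in_policy and not in_events:
            report["no_event"].append(key)            # never reaches the queue
        elif in_events and not in_policy:
            report["filtered_by_policy"].append(key)  # queued, then dropped
        elif not class_supported(obj):
            report["unsupported_class"].append(key)
        else:
            report["scanned"].append(key)
    return report

# Constructed sample listing (not real data).
SAMPLE = [
    {"Key": "finance/2024/q1.csv", "StorageClass": "STANDARD"},
    {"Key": "finance/archive/2019.csv", "StorageClass": "GLACIER"},
    {"Key": "finance/2023/q4.csv", "StorageClass": "INTELLIGENT_TIERING",
     "ArchiveStatus": "ARCHIVE_ACCESS"},
    {"Key": "finance/2024/q2.csv", "StorageClass": "INTELLIGENT_TIERING"},
    {"Key": "hr/payroll.xlsx", "StorageClass": "STANDARD"},
    {"Key": "logs/app.log", "StorageClass": "STANDARD_IA"},
]

if __name__ == "__main__":
    print(coverage_report("elastio-s3-changelog", SAMPLE,
                          ["finance/"], ["finance/", "hr/"]))
```

A non-empty no_event or filtered_by_policy list means the two filters are out of sync, which is the condition the KeyPrefixes description warns about.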