Revision history

This section provides a description of document changes.

  1. Revision 1.0

Product Description

Real time security for object data in AWS S3 services.  Provides monitoring, alerting and automated lockout of accounts with malicious object data IO patterns.  Licensed by bucket and available only as subscription option with bundles of buckets available. 

Product Architecture

The diagram below outlines the services consumed and the data flow for Ransomware Defender to protect S3 buckets.  Cloudtrail, SQS queues, Managed Kafka and autoscaling group is used. 

Product License

  1. Licensed per TB per month of protected S3 data

Product Firewall Requirements

Product Usage Ports

SMTP port 25 TCP
Eyeglass VM --> SMTP serverSend email alerts to an SMTP server
Eyeglass VM -->> syslog serverSend alarms over syslog to a syslog server
HTTPS TLS 1.2 or 1.3 443
Administrator to WebUI
Administrator to login WebUI
SSH TCP port 22
administrator --> instancesSSH access access to CLI

Product VPC Internal Firewall Ports

NOTE:  Do not modify any security group firewall settings.  All ports are required for product usage.

Security Group
web GUI
EyeglassInboundSSH to Eyeglass
TCP 2013
UDP 5514 EyeglassInbound
syslog forwarding from ECA instances
TCP 9092
Kafka MSK service port
TCP 2181EyeglassInboundZookeeper MSK service port Kafka
TCP 9094
EyeglassInboundKafka MSK service port
TCP 9092
Kafka MSK service port
ECA instanceInboundmanagement UI's for debugging only
TCP SSH 22ECA instance InboundSSH for CLI access to the ECA instances

Product Requirements

  1. The following services are required for this product
    1. EC2 - default configuration 1 GUI VM (Eyeglass), 2 - Analysis VM's (ECA VM's)
    2. AWS Managed Kafka - MKS Service
    3. CloudFormation Templates 
    4. Cloud trails - Used to log S3 protocol operations on S3 buckets and used as the primary input for behavioral analysis
    5. SNS Service
    6. S3 buckets - Select one or more bucket to be protected
    7. Eyeglass IAM service account to be able to shutdown and stop attacks

High Level Installation Summary

  1. Cloutrail, SQA queues and event bridge are used to provide audit data to Ransomware Defender.
  2. Note: A separate cloudtrail and notifications SQS queue pair has to be created to monitor buckets in each region.
  3. Create cloudtrail SQS queue with the credentials added to eyeglass as the queue owner or give eyeglass read/write access. Set 'Receive message wait time' for the queue to 20 Seconds.
  4. Create notifications SQS queue with the credentials added to Eyeglass as the queue owner or give Eyeglass read/write access. Set 'Receive message wait time' for the queue to 20 Seconds.
  5. Create CloudTrails trail that logs data events and add the buckets you want to audit. Make sure to choose both read and write events. You can also choose to audit all current and future buckets.
  6. Create an EventBridge rule on the default event bus. Choose 'Event Pattern' -> 'Custom Pattern' and use the following pattern:
    1. Select your cloudtrail SQS queue as the target.
  7. Deploy CloudFoundation template
  8. For each bucket you want to audit, go to bucket properties -> "Event notifications" -> "Create event notification". From Event types, select "All object create events", "All object delete events" and "Restore object events". For Destination select SQS queue, Enter the ARN of your notifications SQS queue.
  9. Configure Ransomware Defender licenses and input credentials, SQS queue, trail notifications

Installation IAM Service Account Creation

  1. This account is used to read the SQS Queues and provides the lockout to IAM credentials of a malicious user account
  2. This service account is used in the Eyeglass Configuration section here.  Proceed with the steps in order within this document.

Installation Procedures to Enable Cloudtrails

  1. This step Enables audit data to be created for S3 protocol access to S3 buckets
  2. CloudTrail configuration
    1. 2 options exist when configuring the monitoring Cloudtrail, you can configure logging of S3 operations for all S3 buckets or specific buckets.  
    2. Configure S3 monitoring on all S3 buckets in your account.
      1. console.aws.amazon.com/cloudtrail/home
      2. Click Create Trail
        1. Trail name - superna-ransomware-defender-trail
        2. Trail bucket name - superna-ransomware-defender-trail-bucket
        3. Trail KMS alias - superna-ransomware-defender-trail-kms
        4. Option Create New S3 bucket
        5. Leave all other defaults

        6. Click Next
        7. Select Management Events and Data Events
        8. Option 1 (Recommended) - Log events for all S3 buckets to protect all S3 buckets (requires a license for all S3 buckets)
          1. Select Data Event type of S3 and  leave log selector template at Log all Events
        9. Option 2 (Least permissions option ) - Log Selective S3 buckets for protection
          1. Click the button "Switch to basic selectors"
          2. Uncheck Read and write next to the "All current and future S3 buckets"

          3. Click the Browse button and select an S3 bucket and leave Read and Write check boxes selected.   Click add bucket again to continue to add S3 buckets to be logged and protected. 
          4. Click Next and on the final screen click create trail
          5. done

Installation Procedures SQS Queue

  1. Two SQS queues are needed (Simple Message queuing service) to deliver audit messages to Ransomware Defender.  Two queues are used to provide 2 different data sources needed to evaluate user behaviors.
  2. Note: A separate cloudtrail and notifications SQS queue pair has to be created to monitor buckets in each region.
  3. Login to the SQS Service landing page https://console.aws.amazon.com/sqs/v2/home 
  4. Click Create Queue
    1. 1st Queue Name: superna-ransomware-defender-trail-queue
    2. Set 'Receive message wait time' for the queue to 20 Seconds.
    4. In the Access policy section select the basic option
      1. Click create button to create the SQS Queue. (This step creates the ARN identifier needed to complete the steps below.) 
      2. Click the copy icon next to the ARN and save this for the steps below.
      3. Now click the Access Policy tab and click the Edit button
      4. Locate the } bracket on the line before the square bracket ] and add a comma and hit the enter key to create a new line
      6. Add the comma and enter key
      7. NOTE:  The sourceARN is set to * which means all buckets in the region can be protected without needing to edit the access policy of the queue.
      8. Replace the <queue-ARN> with the ARN value of the queue copied from the steps above.
      9. Copy the text below and fix the queue-ARN and then paste the following text on the new line created in the editor. Make sure to add the ARN and replace "Resource":"<QUEUE-ARN>"
      10. {
      11. "Sid": "allow-s3-notifications",
      12. "Effect": "Allow",
      13. "Principal": {
      14. "Service": "s3.amazonaws.com"
      15. },
      16. "Action": "SQS:SendMessage",
      17. "Resource": "<QUEUE-ARN>",
      18. "Condition": {
      19. "ArnLike": {
      20. "aws:SourceArn": ["arn:aws:s3:*:*:*"]
      21. }
      22. }
      23. }
    5. Click the Save button to save the Access policy
  5. Repeat the above steps and create the 2nd SQS queue with the name - superna-ransomware-defender-notifications-queue
  6. NOTE:  This policy will allow monitoring all S3 buckets in the region.   For each region where buckets need protection the same two SQS queues need to be created by changing region in the console and create the same queues with the steps above.
  7. Done.

Installation Procedures Event Bridge

  1. Amazon EventBridge Service allows Building event-driven applications at scale.  Amazon EventBridge is a serverless event bus that makes it easier to build event-driven applications at scale using events generated from applications.  Ransomware Defender uses the event bridge with SQS queues and Cloudtrails.
  2. NOTE:  The Region selected must be the same as the SQS queue region when creating the Eventbridge rule.
  3. Login to the event bridge home page https://console.aws.amazon.com/events/home
    1. Click the Rules menu item on the left
    2. Select the Default Event Bus
    3. Click Create Rule button
      1. Enter the Rule name: Rule Name: superna-ransomware-defender-eventbus-rule
      2. Select the Event Pattern option and then custom event patter.

      3. Copy the text below and paste it into the Event Pattern dialog box and Click Save
      4. {
        "source": ["aws.s3"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
        "eventSource": ["s3.amazonaws.com"],
        "eventName": ["ListObjects", "ListObjectVersions", "GetObject", "HeadObject", "GetObjectAcl", "PutObjectAcl", "CreateMultipartUpload", "ListParts", "UploadPart", "AbortMultipartUpload", "UploadPartCopy", "SelectObjectContent", "PutObjectLockRetention", "PutObjectLockLegalHold", "GetObjectLockRetention", "GetObjectLockLegalHold", "GetObjectTorrent"]
    4. Continue to the Select Targets section.
      1. Change the target to SQS Queue in the drop down menu.
      2. Click the drop down arrow for Queue and select the SQS Queue created for the Cloudtrail named - superna-ransomware-defender-trail-queue
    5. Click Create
    6. Done

Installation Procedures CloudFormation Deployment of Ransomware Defender Stack

  1. The CloudFormation deployment takes about 45 minutes to complete once it has been started.
  2. Prerequisites:
    1. Region specific EC2 keys are required to be created for the Cloud stack command below.  Follow these steps to create new AWS keys for use with the appliance.
    2. NOTE: The region where the key pair is created Must be the same region where the Cloud stack is deployed.
    3. Open EC2 Service landing page and switch to the region where the Cloud Stack will be created for your deployment.
    4. Then click the Key Pairs menu item and name the key pair Ransomware-Defender-stack-key-pair   
      2. Store the pem file in a secure location.  This will be used to ssh into the VM's post deployment.
      3. Done
  3. Steps to deploy an AWS RSW Defender stack:
  4. The template used in CloudFormation deployment is stored in s3://superna-publish/eyeglass-stack.template,  replace yellow highlighted parameters and see explanation below.
  5. To create a new CloudFormation stack, run the following command from the cloud shell https://console.aws.amazon.com/cloudshell/home 
    1. aws --region us-east-2 cloudformation create-stack --template-url $(aws --region us-east-2 s3 presign s3://superna-publish/eyeglass-stack.template) --disable-rollback --capabilities CAPABILITY_NAMED_IAM --stack-name <STACK-NAME> --parameters ParameterKey=OperatorEMail,ParameterValue=email@email.com ParameterKey=KeyName,ParameterValue=Ransomware-Defender-stack-key-pair ParameterKey=AccessLocation,ParameterValue=<ACCESS-IP-RANGE>
    2. Replace <STACK-NAME> with a unique name for the stack you're creating and use the key pair name created above Ransomware-Defender-stack-key-pair.
    3. Replace us-east-2 with the region where you want to run the Cloud Stack NOTE:  This is example only if you change the region you must create the key pair in the same region.
    4. Replace email@email.com with the email that will subscribe the Cloud Stack notifications about the resources.  An email will be sent to verify subscription to the SNS topic.
    5. If you don't have an existing EC2 key pair you can first create one by going to the AWS Console and follow the instructions above.   Enter this key pair name Ransomware-Defender-stack-key-pair
    6. <ACCESS-IP-RANGE> - with a valid CIDR IP range. For example x.x.x.x/yy   this is the range of IP addresses that will be configured on the allow inbound firewall on the Security Group that protects the eyeglass instance and the ECA VM instance group. 
      1. NOTE This subnet is set only to complete the installation and should be set to a management subnet that will allow HTTPS and ssh access to the instances.  The security group can be configured with additional firewall rules post deployment.
  6. if the above cli command succeeds, it should return the ARN of the newly created stack as follows:
    1. {"StackId": "arn:aws:cloudformation:us-east-2:561473863037:stack/stack-beta/dcd1e7d0-63bf-11ec-a54f-0a754021a156"}
  7. This means that stack creation is now in progress.
  8. You can now go to the AWS console https://console.aws.amazon.com/cloudformation/home -> cloudformation -> Stacks and check on the progress of stack creation:

  9. Stack creation typically takes anywhere from 20 to 40 minutes, most of that time is spent creating the MSK cluster.
    1. To monitor tasks that are completed or outstanding during the deployment.

  10. After creation is complete you should see "CREATE_COMPLETE" in the stack status.
    1. You can now click the link next to EyglassInstance resource to see the deployed EC2 instance for Eyeglass.
    2. You can also click the link next to ECAGroup then switch to Instance Management to see all deployed ECA instances.

    3. By clicking the link for any of the deployed instances, you can view the details page for that EC2 instance. From there you can find the public IP and public DNS name that you can use to connect to the instance.

  11. Modify the Security Groups of the virtual private cloud Cloudformation to secure access to the Eyeglass GUI beyond the initial subnet added during installation.
  12. Deployment done

Installation Procedures - Ransomware Defender Instance and CloudFormation Stack Validation

  1. The final configuration steps are completed within the GUI of Ransomware Defender.   The CloudFormation stack must be completed by logging into to the HTTPS protected GUI.
  2. Open the CloudFormation landing page
    1.  Verify the Stack shows successfully deployed.
  3. Step get Eyeglass GUI IP address and ECA Instance IP addresses
    1. Open the CloudFormation landing page.
    2. Select the Stack name created in the steps above
    3. Click the events tab
    4. Scroll down to locate the Eyeglassinstance (this is the main GUI instance)
      2. Click on the Instance and record the ip address and DNS name 
    5. On CloudFormation resources tab locate the resource named  ECAGroup and click the link.
      1. Click the Instance Management Tab
      2. Click on each instance and record the IP address and DNS name
    6. Done 
  4. Step Verify SSH and HTTPS Access
    1. Test HTTPS Web UI access
      1. On the Eyeglass instance recorded above, click the DNS name to verify the web page loads.  If it does not load or times out check the inbound firewall on the VPC step above.
    2. SSH Access Test to the ECA Group instances
      1. To ssh into any of the deployed instances you have to connect as 'ec2-user' and use the private key from the key pair that you chose in the CloudFormation creation Cloudshell steps above during stack creation. For example to ssh into to the eyeglass instance from the stack you just deployed you would use the following command:
      3. Once connected you can then escalate privileges to root.  NOTE The root user password is randomized password and should be set to a known password that is tracked.
        1. sudo su -
        2. passwd   (set a new root password)
      4. To login to the ECA Group instances the the steps above to change the root password should be completed.
    3. ECA Group Instance CLI access Validation Step
      1. The ECA Group instances have a CLI user builtin.  To access this CLI follow the steps below.
      2. Login to the instance over ssh using the key and 'ec2-user'   See above example.
      3. Then use this command
        1. sudo su - ecaadmin
        2. ecactl version  (to check access to the CLI was successful)

Installation Procedures - Activation To Enable Protection on an S3 bucket

  1. To Selective protect S3 buckets follow these steps.
  2. NOTE:  A license quantity must exist for the number of S3 buckets that are enabled for auditing.  Review the license manager icon to verify license entitlement for S3 buckets licenses available and used.
  3. Open the S3 console landing page.  
    1. Select an S3 bucket to protect
    2. Click properties tab
    3. Scroll down to verify the AWS CloudTrail data events shows the superna-ransomware-defender-trail configured in the steps above.
    4. In the Event Notifications section below CloutTrails Click Create Event Notification
      1. Name: superna-ransomware-defender-event-notification-policy
      2. In the Event Types section complete the check boxes as per below screenshot
      4. Scroll down to the Destination Section
      5. Select SQS Queues Radio button
      6. Under specify SQS queue choose from your SQS queues and select the SQS queue named superna-ransomware-defender-notification-queue   This will allow all S3 buckets in the region to be monitored from the pair of queues once the S3 bucket activation is completed.

      7. Click Save changes
    5. Repeat these steps on all other S3 buckets to be enabled for protection
  4. Done.

Installation Procedures - Ransomware Defender Configuration


  1. Eyeglass IAM service account access and secret keys
  2. SQS Queues (Coudtrail and notifications) URL's
  3. S3 Region -  the region where the S3 buckets are located
  4. NOTE:  In order to protect S3 buckets in multiple regions you will need to have pairs of SQS cloudtrail and notification queues must be created per region and the steps below will need to be repeated for each region with S3 buckets.

Configuration Steps in Eyeglass GUI

  1. Login to the Eyeglass GUI Instance using DNS name captured above to configure the region and SQS queues used to monitor activity on the S3 bucket.
  2. login with admin user and default password 3y3gl4ss
    1. Click Eyeglass Main Menu bottom left of the UI
    2. Select Add Managed Device 
    3. Use the following information
      1. Access Key and secret key of the eyeglass service account user is created to allow access to IAM and the Cloudtrails, SQS queues
      2. S3 Region - The region where the S3 buckets are located for monitoring.  This is the same region where the cloudtrail and SQS queues were created.
      3. Cloudtrail SQS URL Notification SQS URL - Click the SQS landing page link.  Click on each SQS queue created for the configuration and get the URL from the main page. Example below.
      5. Set the IAM Region AWS_Global
    4. Fill in the information and click Submit to save the information.
    5. This will complete an inventory collection that will be visible in the Inventory Icon.
    6. NOTE: Repeat the steps in this section for each region with S3 buckets to protect.  Remember each region needs a pair of SQS queues created in that region.  See this section
  3. Licensing Management
    1. Click the license manager Icon

  4. Installation Configuration is now complete.  The Next steps to configure Security guard and other configuration steps are available in the Ransomware Defender for AWS Admin guide.

© Superna Inc