Introduction

Menlo Security File Protection for Amazon S3 provides advanced Content Disarm and Reconstruction (CDR) and Data Detection and Response (DDR) capabilities to keep every file in your S3 environment safe and compliant. Each file uploaded to your S3 bucket is automatically analyzed to remove malware, malicious code, and active content. 

Sensitive data such as PII, PCI, and PHI is detected and masked according to the security policies of your organization. Deployment is fully automated through AWS Quick Launch, with no manual setup or maintenance required. All actions are tracked and visible in the Menlo Security Management Console for monitoring and compliance.

Purchase Options

Menlo offers a 14 day free trail and then there is the basic subscription model:

Additional Usage Costs

Costing Example:

If you use 75GB in a month you will pay $700, this is an automatic payment ($200 overage).

File count calculation: An archive file with 10 compressed documents inside will be counted as 10 files, a single .docx with embedded images will be counted as 1 file.

Pre-Requisites

You will require access to the AWS Console, with privileges to access S3, IAM and Cloud Formation.

Configuration

From your AWS account, search Marketplace for Menlo File Security.

1. Click on Menlo File Security.
2. Click on View Purchase Options or Try for Free.
3. Once the plan has been selected, click subscribe.
4. Click on Set up your account.

The configure and quick launch dialogue will appear. There are 4 steps for the quick launch process:

• Step 1: Make sure you have the required AWS permissions
• Step 2: Sign In and Create a vendor account
• Step 3: Configure your software and AWS integration
• Step 4: Launch your software

Step 1: Make sure you have the required AWS permissions

This step requires permissions to be added to a role.  

1. From the install template click on required permissions.
2. Copy the permissions.
3. In the AWS console navigate to IAM.
4. Click on Roles. Edit a role to include the additional permissions - this role must have the trusted entity AWS Service: cloudformation.
5. Click Add permissions.
6. Select Create inline policy.
7. Select the JSON tab.
8. Remove the default content and paste the permissions into the editor.
9. Click Next.
10. Provide a name for the policy.
11. Click Create Policy.

Step 2: Sign in and create a vendor account

This step will create the Menlo CDR tenant, when complete you will be presented with an email address, a username and an initial password.

1. Click on the Go to Votiro button.
2. When prompted enter the email address and click Sign In.
3. Enter the Username and Password and click Sign In again.
4. You will then be prompted to change your password. When complete click Send.

You are now in the Votiro CDR Management Console.  For further information refer to the following documentation:

https://csportal.menlosecurity.com/hc/en-us/sections/38776922116621-Votiro-Management-Console

The default policy will be enforced on files.  

Currently you are given full access to the environment, if you use any of the other integrations/connectors/channels you are liable for further billing.

Step 3: Configure your software and AWS integration

This step will allow you to automatically launch and configure resources and dependencies.

1. Navigate back to the AWS Quick Launch configuration.
2. Click Launch template.  This will launch the S3 CloudFormation console.
3. Select the region from the drop down (not all regions are available).
4. Click Launch template, this will display the Create Quick Stack screen.
5. Enter a Stack name (or you can use the default).
6. Enter the S3 bucket ARN. This is obtained from the Amazon S3 | Buckets | Properties | Bucket Overview.

Menlo CDR does support multiple buckets but the quick launch only supports 1 bucket.  If you want to add additional buckets this is done in the Votiro CDR management console.  Select Cloud Connectors | AWS S3 and Click Add.  You can also assign a different policy to the additional buckets.

7. Optionally tag the resources that are being created. Enter Key: DemoTag and Value: MenloCDR.
8. Enter the permissions - this will be the role you created earlier. The role will appear in the drop down menu.
9. Scroll down to Capabilities and click I Acknowledge that the AWS CloudFormation might create IAM resources with custom names.
10. Click Create Stack.

This will create a session of 21 events. Once complete, access will be given to the connector which will enable Menlo CDR Sanitization to the files uploaded into the S3 bucket.

Step 4: Launch your software

Clicking Launch your software will navigate you back to the Votiro CDR management console, where you can make changes to your policy.

The AWS Quick Launch is now complete.

Test the Integration

Validate the configuration by uploading some files to your s3 bucket.

1. Navigate to your S3 bucket.
2. Click objects.
3. Click upload.
4. Select different file types, click upload.
5. Navigate to the Menlo CDR management console, click Events. All the files uploaded will be displayed with the associated actions.  Further details can be viewed by clicking on View Full Details.

Further details on the Votiro Management Dashboard can be reviewed in the Knowledge base Articles in the folder Votiro Management Console.

6. Navigate back to the Objects folder in AWS, if any files were blocked you will see the file name with an appended name of _blocked.pdf.
7. This file can be viewed by clicking on Open.

Troubleshooting

If you do not have the necessary privileges for the AWS Marketplace deployment, you may see the following alert in Step 1.  Click Enable integration to create the service-linked role.

For further information please review the following AWS documentation:

https://docs.aws.amazon.com/marketplace/latest/buyerguide/buyer-creating-service-linked-role.html