4.1 Project Overview

Overview of Project ☁️

Scenario:

A mid-sized company offers a cloud-based file-sharing service. Users frequently upload sensitive documents, images, and binaries. The security team is concerned about malware uploads, data leaks, and unauthorized access. A single infected or malicious file could compromise the environment or expose confidential user data.

Our solution:

We built a Secure File Sharing & Malware Protection System that:

  • Creates a secure S3 bucket for file storage with encryption and versioning.
  • Uses S3 Object Lambda to inspect files as they are retrieved and refuse to serve content that fails validation. Object Lambda runs on GetObject, so a bad upload still lands in the bucket; it is stopped on the read path before any client receives it.
  • Detects sensitive or confidential data with Amazon Macie.
  • Serves content globally through CloudFront, which includes AWS Shield Standard at no extra cost for protection against common network- and transport-layer DDoS attacks (application-layer floods need WAF rate rules or Shield Advanced, which are outside this project).

Together, these controls refuse to serve disallowed or mis-typed files, surface sensitive data before it is exposed, and keep the service available under heavy traffic or common DDoS attacks.


About Project:

In this project, you’ll learn how to combine data protection, automated threat detection, network-layer security, and monitoring into a single workflow.

  • These concepts matter because file-sharing services are frequent targets of malware and DDoS attacks. Automated detection and protection stop many incidents before they reach users.
  • As a Cloud Security Engineer, you’ll learn to:
    • Deploy secure, encrypted S3 storage with IAM-based access controls.
    • Implement Object Lambda functions that validate and filter files as they are retrieved.
    • Use Amazon Macie for sensitive data discovery and alerts.
    • Protect endpoints using CloudFront with AWS Shield Standard.

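The bucket hardening the first two bullets describe, written out as an added example (this is not the course's own code). It builds the settings as plain data, so you can review them before anything is applied: SSE-KMS default encryption with S3 Bucket Keys, versioning, the public-access block, and a bucket policy that denies non-TLS requests, denies uploads that name a different KMS key or a non-KMS algorithm, and grants PutObject only to one uploader role. The bucket name, KMS key ARN and uploader role ARN are placeholders, and `apply()` is the only function that talks to AWS.

```python
"""Bucket hardening for the file-sharing store (added example, not course code)."""
import json


def bucket_policy(bucket: str, kms_key_arn: str, uploader_role_arn: str) -> dict:
    """Least-privilege policy: TLS only, KMS-only uploads, one writer."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Refuse every request that does not arrive over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Uploads that explicitly ask for SSE-S3 or a foreign KMS key are
                # refused. *IfExists lets uploads that omit the headers through,
                # where the bucket's default SSE-KMS setting covers them.
                "Sid": "DenyWrongEncryption",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {
                    "StringNotEqualsIfExists": {
                        "s3:x-amz-server-side-encryption": "aws:kms",
                        "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn,
                    }
                },
            },
            {   # Only the upload service role may write; reads go via Object Lambda.
                "Sid": "AllowUploaderWrite",
                "Effect": "Allow",
                "Principal": {"AWS": uploader_role_arn},
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
            },
        ],
    }


def encryption_config(kms_key_arn: str) -> dict:
    """Default SSE-KMS with Bucket Keys, which cuts KMS request volume and cost."""
    return {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": kms_key_arn,
            },
            "BucketKeyEnabled": True,
        }]
    }


PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def apply(s3, bucket: str, kms_key_arn: str, uploader_role_arn: str) -> list:
    """Push the settings with a boto3 S3 client; returns the API calls made."""
    s3.put_bucket_versioning(
        Bucket=bucket, VersioningConfiguration={"Status": "Enabled"})
    s3.put_bucket_encryption(
        Bucket=bucket, ServerSideEncryptionConfiguration=encryption_config(kms_key_arn))
    s3.put_public_access_block(
        Bucket=bucket, PublicAccessBlockConfiguration=PUBLIC_ACCESS_BLOCK)
    s3.put_bucket_policy(
        Bucket=bucket, Policy=json.dumps(bucket_policy(bucket, kms_key_arn, uploader_role_arn)))
    return ["put_bucket_versioning", "put_bucket_encryption",
            "put_public_access_block", "put_bucket_policy"]


if __name__ == "__main__":
    # Placeholder identifiers; in real use pass boto3.client("s3") to apply().
    print(json.dumps(bucket_policy(
        "example-fileshare-bucket",
        "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
        "arn:aws:iam::123456789012:role/fileshare-uploader"), indent=2))
```

Note the deliberate choice of `StringNotEqualsIfExists` over `StringNotEquals`: the latter also fires when the header is absent, which would deny every upload from a client that relies on the bucket default. Versioning is not a backup on its own; pair it with a lifecycle rule for noncurrent versions so a mass-overwrite does not become a storage bill.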
By the end, you’ll have hands-on experience protecting cloud file-sharing services from malware, sensitive data leaks, and DDoS attacks.


Steps To Be Performed 👩‍💻

  1. Create a secure S3 bucket with SSE-KMS encryption and versioning.
  2. Configure IAM roles and bucket policies for least-privilege access.
  3. Deploy an S3 Object Lambda access point whose function validates each file on retrieval and refuses to serve anything that fails the checks.
  4. Enable Amazon Macie to detect sensitive data in the bucket.
  5. Serve files via CloudFront, which includes AWS Shield Standard for infrastructure-layer DDoS protection.
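Step 3, the validation function behind the Object Lambda access point, as an added example (not the course's own code). Object Lambda hands the function a presigned URL for the original object plus a route and token for the response, so the function fetches the bytes, checks them, and either returns them or returns an S3 error. The checks are content-based: the file is typed by its leading bytes (PDF, PNG, JPEG allowlist), executables are refused whatever their name, and the extension the uploader chose must agree with the detected content. The 50 MiB cap and the allowlist are this example's assumptions; `validate()` is pure and runs offline, while `handler()` needs the Lambda runtime and boto3.

```python
"""S3 Object Lambda validator (added example, not course code).
Runs on GetObject: a bad upload is still stored, but never served."""
from typing import Optional, Tuple
import urllib.parse
import urllib.request

MAX_BYTES = 50 * 1024 * 1024  # assumption: refuse to serve anything larger

# Types we are willing to serve, keyed by expected extension -> magic prefixes.
ALLOWED = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# Executable containers refused regardless of the name the uploader gave them.
BLOCKED = {"MZ": b"MZ", "ELF": b"\x7fELF", "Mach-O": b"\xcf\xfa\xed\xfe"}


def sniff(data: bytes) -> Optional[str]:
    """Return the allowed type whose signature matches the leading bytes."""
    for kind, sigs in ALLOWED.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def validate(key: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether the object may be served; the reason is logged on refusal."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    for name, sig in BLOCKED.items():
        if data.startswith(sig):
            return False, f"executable ({name}) blocked"
    kind = sniff(data)
    if kind is None:
        return False, "content type not in allowlist"
    ext = key.rsplit(".", 1)[-1].lower() if "." in key else ""
    # jpg/jpeg share a signature tuple, so comparing tuples treats them as equal.
    if ALLOWED.get(ext) != ALLOWED[kind]:
        return False, f"extension .{ext} does not match content ({kind})"
    return True, "ok"


def handler(event, context):
    """Lambda entry point for the Object Lambda access point."""
    import boto3  # present in the Lambda runtime; imported here so validate() needs no AWS SDK
    ctx = event["getObjectContext"]
    key = urllib.parse.urlparse(event["userRequest"]["url"]).path.lstrip("/")
    # Read one byte past the cap so oversized objects are refused without buffering them fully.
    with urllib.request.urlopen(ctx["inputS3Url"]) as resp:
        data = resp.read(MAX_BYTES + 1)
    ok, reason = validate(key, data)
    s3 = boto3.client("s3")
    if ok:
        s3.write_get_object_response(
            RequestRoute=ctx["outputRoute"], RequestToken=ctx["outputToken"], Body=data)
    else:
        # Lands in CloudWatch Logs; a metric filter on "BLOCKED" drives the alert.
        print(f"BLOCKED key={key} reason={reason}")
        s3.write_get_object_response(
            RequestRoute=ctx["outputRoute"], RequestToken=ctx["outputToken"],
            StatusCode=403, ErrorCode="AccessDenied", ErrorMessage=reason)
    return {"status_code": 200}


if __name__ == "__main__":
    # Constructed sample inputs: a PDF header, and a Windows PE header renamed to .pdf.
    print(validate("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"))
    print(validate("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"))
```

Because this runs on every read, keep the function's IAM role to `s3-object-lambda:WriteGetObjectResponse` and nothing else; the presigned `inputS3Url` already carries the permission to read the original object. Clients should be given only the Object Lambda access point, never the bucket or its standard access point, or the check is trivially bypassed.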

Services Used 🛠

  • Amazon S3 → Secure storage with encryption and versioning.
  • IAM & Bucket Policies → Fine-grained access control.
  • S3 Object Lambda → On-the-fly file validation on the read (GetObject) path.
  • Amazon Macie → Detects sensitive or confidential data.
  • Amazon Inspector → Vulnerability scanning for the Lambda function and other compute behind the service. Inspector assesses EC2 instances, ECR images and Lambda functions; it does not scan files uploaded to S3.
  • CloudFront + AWS Shield Standard → Absorbs common infrastructure-layer DDoS attacks and improves availability.
  • CloudWatch → Centralized monitoring and alerting.

Estimated Time & Cost ⚙️

  • Estimated time: 3-4 hours
  • Cost: ~$1-$5 (mostly S3 and CloudFront; Macie is covered by its 30-day free trial if you have not used it before)

➡️ Architectural Diagram

This is the architectural diagram for the project:




➡️ Final Result

A secure and monitored file-sharing system where:

  • Object Lambda refuses to serve disallowed or mis-typed files and logs each refusal to CloudWatch.
  • Macie identifies sensitive data such as PII or confidential content.
  • CloudFront + Shield Standard keep content available and absorb common infrastructure-layer DDoS attacks.

By the end, the company has end-to-end protection for file uploads, automated threat detection, and monitoring to ensure data integrity, user safety, and service resilience.
