
cdk-serverless-clamscan

Serverless architecture to virus scan objects in Amazon S3.

3,939 Weekly downloads

Author Amazon Web Services

Repository github.com

License Apache-2.0

Registry www.npmjs.com


pip install cdk-serverless-clamscan==2.6.11

ServerlessClamscan

An aws-cdk construct that uses ClamAV® to scan objects in Amazon S3 for viruses. The construct provides a flexible interface for a system to act based on the results of a ClamAV virus scan.

The construct creates a Lambda function with EFS integration to support larger files. A VPC with isolated subnets and an S3 Gateway endpoint will also be created.

It additionally creates a twice-daily job that downloads the latest ClamAV definition files to the Virus Definitions S3 bucket, using an EventBridge rule and a Lambda function, and publishes CloudWatch metrics to the 'serverless-clamscan' namespace.

Important O&M: When ClamAV publishes updates to the scanner you will see “Your ClamAV installation is OUTDATED” in your scan results. While the construct creates a system to keep the database definitions up to date, you must update the scanner itself to detect all the latest viruses.

Update the docker images of the Lambda functions with the latest version of ClamAV by re-running cdk deploy.

Successful Scan Event format

{
"source": "serverless-clamscan",
"input_bucket": <input_bucket_name>,
"input_key": <object_key>,
"status": <"CLEAN"|"INFECTED"|"N/A">,
"message": <scan_summary>
}
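The event format above is what every downstream consumer receives. The following added example (not code from the cdk-serverless-clamscan package) shows a consumer that validates that payload and fails closed on anything it does not recognise, plus a local re-implementation of EventBridge-style pattern matching so you can see which payloads an INFECTED rule would select. The sample payloads, the action names and the assumption that a Lambda Destination nests the payload under "detail" → "responsePayload" are constructed for this example.

```python
"""Added example, not part of the cdk-serverless-clamscan package.

Validates the scan-result payload documented above, maps it to a consumer
action, and shows an EventBridge-style pattern that selects only INFECTED
results. Sample events and action names are constructed for this example.
"""
import json

VALID_STATUSES = {"CLEAN", "INFECTED", "N/A"}
REQUIRED_FIELDS = ("source", "input_bucket", "input_key", "status", "message")


class MalformedScanEvent(ValueError):
    """Raised when a payload does not have the documented shape."""


def parse_scan_event(raw):
    """Validate a scan-result payload (dict or JSON string) and return it.

    Fails closed: a payload that lacks a field, comes from another source,
    or carries an unknown status is rejected rather than treated as CLEAN.
    """
    event = json.loads(raw) if isinstance(raw, str) else raw
    if not isinstance(event, dict):
        raise MalformedScanEvent("payload is not a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise MalformedScanEvent(f"missing fields: {missing}")
    if event["source"] != "serverless-clamscan":
        raise MalformedScanEvent(f"unexpected source {event['source']!r}")
    if event["status"] not in VALID_STATUSES:
        raise MalformedScanEvent(f"unknown status {event['status']!r}")
    return event


def decide_action(event):
    """Map a validated result to what the consumer should do with the object.

    CLEAN    -> "release"    (hand the object to the application)
    INFECTED -> "quarantine" (keep it blocked; the construct's bucket policy
                              already denies GetObject on INFECTED-tagged objects)
    N/A      -> "ignore"     (folder-creation events carry nothing to scan)
    """
    status = parse_scan_event(event)["status"]
    return {"CLEAN": "release", "INFECTED": "quarantine", "N/A": "ignore"}[status]


# EventBridge-style pattern: each key lists its accepted values and nested
# objects match recursively. On the construct's result bus the Lambda
# Destination wraps the function's return value, so a real Rule would nest
# this under "detail" -> "responsePayload" (assumption about the wrapping).
INFECTED_PATTERN = {"source": ["serverless-clamscan"], "status": ["INFECTED"]}


def matches_pattern(pattern, event):
    """Local re-implementation (not the AWS service) of pattern matching."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(allowed, value):
                return False
        elif value not in allowed:
            return False
    return True


# Constructed sample payloads in the documented format.
SAMPLE_CLEAN = {
    "source": "serverless-clamscan",
    "input_bucket": "example-uploads-bucket",
    "input_key": "invoices/2024/q1.pdf",
    "status": "CLEAN",
    "message": "Scanned files: 1, Infected files: 0",
}
SAMPLE_INFECTED = dict(SAMPLE_CLEAN, input_key="invoices/upload-42.bin",
                       status="INFECTED",
                       message="Scanned files: 1, Infected files: 1")


def handler(event, context=None):
    """Lambda-style entry point for a rule target; returns the action taken."""
    action = decide_action(event)
    print(f"{event['input_bucket']}/{event['input_key']}: {action}")
    return {"action": action, "key": event["input_key"]}


if __name__ == "__main__":
    handler(SAMPLE_CLEAN)
    handler(SAMPLE_INFECTED)
    print("infected rule matches:", matches_pattern(INFECTED_PATTERN, SAMPLE_INFECTED))
```

The point of `parse_scan_event` is that the consumer never infers "clean" from the absence of a problem: a missing field, a foreign `source` or an unexpected `status` raises instead of releasing the object, which mirrors the bucket policy's default of denying access until an object carries a clean scan result.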

Note: The Virus Definitions bucket policy will likely cause a deletion error if you choose to delete the stack associated with the construct. However, since the bucket itself gets deleted, you can delete the stack again to resolve the error.

Initializers

import cdk_serverless_clamscan
cdk_serverless_clamscan.ServerlessClamscan(
scope: Construct,
id: str,
accept_responsibility_for_using_imported_bucket: bool = None,
buckets: typing.List[IBucket] = None,
defs_bucket_access_logs_config: ServerlessClamscanLoggingProps = None,
efs_encryption: bool = None,
efs_performance_mode: PerformanceMode = None,
on_error: IDestination = None,
on_result: IDestination = None,
reserved_concurrency: typing.Union[int, float] = None,
scan_function_memory_size: typing.Union[int, float] = None
)
Name | Type | Description
scope | Construct | The parent creating construct (usually this).
id | str | The construct's name.
accept_responsibility_for_using_imported_bucket | bool | Allows the use of imported buckets.
buckets | typing.List[IBucket] | An optional list of S3 buckets to configure for ClamAV virus scanning.
defs_bucket_access_logs_config | ServerlessClamscanLoggingProps | Whether or not to enable access logging for the Virus Definitions bucket; you can specify an existing bucket and prefix (Default: creates a new S3 bucket for access logs).
efs_encryption | bool | Whether or not to enable encryption on the EFS file system (Default: enabled).
efs_performance_mode | PerformanceMode | Set the performance mode of the EFS file system (Default: GENERAL_PURPOSE).
on_error | IDestination | The Lambda Destination for files that fail to scan and are marked 'ERROR' or stuck 'IN PROGRESS' due to a Lambda timeout (Default: creates and publishes to a new SQS queue if unspecified).
on_result | IDestination | The Lambda Destination for files marked 'CLEAN' or 'INFECTED' based on the ClamAV virus scan, or 'N/A' for scans triggered by S3 folder-creation events (Default: creates and publishes to a new EventBridge bus if unspecified).
reserved_concurrency | typing.Union[int, float] | Optionally set a reserved concurrency for the virus scanning Lambda.
scan_function_memory_size | typing.Union[int, float] | Optionally set the memory allocation for the scan function.
scope (Required)
  • Type: Construct

The parent creating construct (usually this).

id (Required)
  • Type: str

The construct's name.

accept_responsibility_for_using_imported_bucket (Optional)
  • Type: bool

Allows the use of imported buckets.

When using imported buckets the user is responsible for adding the required policy statement to the bucket policy: getPolicyStatementForBucket() can be used to retrieve the policy statement required by the solution.

buckets (Optional)
  • Type: typing.List[IBucket]

An optional list of S3 buckets to configure for ClamAV virus scanning; buckets can also be added later by calling add_source_bucket.

defs_bucket_access_logs_config (Optional)
  • Type: ServerlessClamscanLoggingProps

Whether or not to enable access logging for the Virus Definitions bucket; you can specify an existing bucket and prefix (Default: creates a new S3 bucket for access logs).

efs_encryption (Optional)
  • Type: bool

Whether or not to enable encryption on the EFS file system (Default: enabled).

efs_performance_mode (Optional)
  • Type: PerformanceMode

Set the performance mode of the EFS file system (Default: GENERAL_PURPOSE).

on_error (Optional)
  • Type: IDestination

The Lambda Destination for files that fail to scan and are marked 'ERROR' or stuck 'IN PROGRESS' due to a Lambda timeout (Default: creates and publishes to a new SQS queue if unspecified).

on_result (Optional)
  • Type: IDestination

The Lambda Destination for files marked 'CLEAN' or 'INFECTED' based on the ClamAV virus scan, or 'N/A' for scans triggered by S3 folder-creation events (Default: creates and publishes to a new EventBridge bus if unspecified).

reserved_concurrency (Optional)
  • Type: typing.Union[int, float]

Optionally set a reserved concurrency for the virus scanning Lambda.

https://docs.aws.amazon.com/lambda/latest/operatorguide/reserved-concurrency.html

scan_function_memory_size (Optional)
  • Type: typing.Union[int, float]

Optionally set the memory allocation for the scan function.

Note that low memory allocations may cause errors. (Default: 10240).

https://docs.aws.amazon.com/lambda/latest/operatorguide/computing-power.html

Methods

Name | Description
to_string | Returns a string representation of this construct.
add_source_bucket | Sets the specified S3 bucket as an s3:ObjectCreate* trigger for the ClamAV function.
get_policy_statement_for_bucket | Returns the statement that should be added to the bucket policy in order to prevent objects from being accessed when they are not clean or there have been scanning errors; this policy must be added manually if external buckets are passed to add_source_bucket().
to_string
def to_string() -> str

Returns a string representation of this construct.

add_source_bucket
def add_source_bucket(
bucket: IBucket
) -> None

Sets the specified S3 bucket as an s3:ObjectCreate* trigger for the ClamAV function.

Grants the ClamAV function permissions to get and tag objects. Adds a bucket policy to disallow GetObject operations on files that are tagged 'IN PROGRESS', 'INFECTED', or 'ERROR'.

bucket (Required)
  • Type: IBucket

The bucket to add the scanning bucket policy and s3:ObjectCreate* trigger to.

get_policy_statement_for_bucket
def get_policy_statement_for_bucket(
bucket: IBucket
) -> PolicyStatement

Returns the statement that should be added to the bucket policy in order to prevent objects from being accessed when they are not clean or there have been scanning errors; this policy must be added manually if external buckets are passed to add_source_bucket().

bucket (Required)
  • Type: IBucket

The bucket which you need to protect with the policy.

Static Functions

Name | Description
is_construct | Checks if x is a construct.
is_construct
import cdk_serverless_clamscan
cdk_serverless_clamscan.ServerlessClamscan.is_construct(
x: typing.Any
)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

x (Required)
  • Type: typing.Any

Any object.

Properties

Name | Type | Description
node | Node | The tree node.
error_dest | IDestination | The Lambda Destination for failed or erred scans [ERROR, IN PROGRESS (if the error is due to a Lambda timeout)].
result_dest | IDestination | The Lambda Destination for completed ClamAV scans [CLEAN, INFECTED].
scan_assumed_principal | ArnPrincipal | No description.
clean_rule | Rule | Conditional: An EventBridge Rule for files that are marked 'CLEAN' by ClamAV if a success destination was not specified.
defs_access_logs_bucket | IBucket | Conditional: The bucket for access logs for the virus definitions bucket if logging is enabled (defsBucketAccessLogsConfig).
error_dead_letter_queue | Queue | Conditional: The SQS dead-letter queue for the errorQueue if a failure (onError) destination was not specified.
error_queue | Queue | Conditional: The SQS queue for erred scans if a failure (onError) destination was not specified.
infected_rule | Rule | Conditional: An EventBridge Rule for files that are marked 'INFECTED' by ClamAV if a success destination was not specified.
result_bus | EventBus | Conditional: The EventBridge bus for completed ClamAV scans if a success (onResult) destination was not specified.
use_imported_buckets | bool | Conditional: When true, the user accepted the responsibility for using imported buckets.
node (Required)
node: Node

The tree node.

error_dest (Required)
error_dest: IDestination

The Lambda Destination for failed or erred scans [ERROR, IN PROGRESS (if the error is due to a Lambda timeout)].

result_dest (Required)
result_dest: IDestination

The Lambda Destination for completed ClamAV scans [CLEAN, INFECTED].

scan_assumed_principal (Required)
scan_assumed_principal: ArnPrincipal

No description.

clean_rule (Optional)
clean_rule: Rule

Conditional: An EventBridge Rule for files that are marked 'CLEAN' by ClamAV if a success destination was not specified.

defs_access_logs_bucket (Optional)
defs_access_logs_bucket: IBucket

Conditional: The bucket for access logs for the virus definitions bucket if logging is enabled (defsBucketAccessLogsConfig).

error_dead_letter_queue (Optional)
error_dead_letter_queue: Queue

Conditional: The SQS dead-letter queue for the errorQueue if a failure (onError) destination was not specified.

error_queue (Optional)
error_queue: Queue

Conditional: The SQS queue for erred scans if a failure (onError) destination was not specified.

infected_rule (Optional)
infected_rule: Rule

Conditional: An EventBridge Rule for files that are marked 'INFECTED' by ClamAV if a success destination was not specified.

result_bus (Optional)
result_bus: EventBus

Conditional: The EventBridge bus for completed ClamAV scans if a success (onResult) destination was not specified.

use_imported_buckets (Optional)
use_imported_buckets: bool
  • Type: bool

Conditional: When true, the user accepted the responsibility for using imported buckets.