CloudKitect Virus Scanner Pattern

It scans every file uploaded to the fileUpload S3 bucket: the file is first downloaded to the EFS filesystem, then the virus scanner Lambda is invoked to scan it. Virus scan results are then sent to the event bus for further processing.

Input: A bucket where the file will be uploaded.
Output: FileScanned event with the following details.

{
  "DomainId": "UUID",
  "EventTime": "ISO_FORMAT",
  "EventId": "UUID",
  "CorrelationId": "UUID",
  "UserId": "UUID",
  "EventType": "DOMAIN",
  "EventName": "FileScanned",
  "DomainName": "File",
  "IpAddress": "1.1.1.1",
  "Payload": {
    "Source": "VirusScanner",
    "FileUploadBucket": BUCKET_NAME,
    "Path": FILE_PATH,
    "Status": CLEAN/INFECTED,
    "Message": "Message",
    "Size": "FileSize"
  },
  "Version": 1
}

Note: The event is sent to the EventBus if the status is CLEAN or INFECTED, and to the SQS error queue if the status is ERROR.

Infrastructure Diagram

Virus Scanner Infrastructure

Default Configuration

INFECTED files are sent to the event bus with status: INFECTED
CLEAN files are sent to the event bus with status: CLEAN
Files whose scan results in an error are sent to the error SQS queue
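The routing above is decided by the Status field of the FileScanned event. As an added example (not part of the CloudKitect construct), the following TypeScript models the event detail documented on this page and applies EventBridge-style exact-match patterns to show which of cleanFileRule / infectedFileRule a result hits; the exact pattern shape used by the construct's rules is an assumption.

```typescript
// Added example: FileScanned detail shape from this page, plus a minimal
// EventBridge exact-match matcher. The pattern shape is assumed, not the construct's.
type ScanStatus = "CLEAN" | "INFECTED" | "ERROR";

interface FileScannedDetail {
  EventName: string;
  DomainName: string;
  Payload: {
    Source: string;
    FileUploadBucket: string;
    Path: string;
    Status: ScanStatus;
    Message: string;
    Size: string;
  };
  Version: number;
}

// Pattern leaves are arrays: EventBridge matches when the field equals any listed value.
type Pattern = { [key: string]: Pattern | Array<string | number> };

// Assumed pattern for the rules: "source is VirusScanner, status is CLEAN/INFECTED".
export function scanResultPattern(status: "CLEAN" | "INFECTED"): Pattern {
  return { EventName: ["FileScanned"], Payload: { Source: ["VirusScanner"], Status: [status] } };
}

// Every pattern key must exist in the detail; arrays match on equality with one
// entry, nested objects recurse. Missing keys never match.
export function matchesPattern(pattern: Pattern, detail: unknown): boolean {
  if (typeof detail !== "object" || detail === null) return false;
  const d = detail as Record<string, unknown>;
  return Object.entries(pattern).every(([key, expected]) => {
    if (!(key in d)) return false;
    if (Array.isArray(expected)) return expected.includes(d[key] as string | number);
    return matchesPattern(expected, d[key]);
  });
}

// ERROR results match neither rule, which is why the construct routes them to the
// error SQS queue rather than the event bus.
export function routeScanResult(detail: FileScannedDetail): "cleanFileRule" | "infectedFileRule" | "none" {
  if (matchesPattern(scanResultPattern("CLEAN"), detail)) return "cleanFileRule";
  if (matchesPattern(scanResultPattern("INFECTED"), detail)) return "infectedFileRule";
  return "none";
}

// Constructed sample detail (not a real scan result); bucket and path are placeholders.
export const sampleDetail: FileScannedDetail = {
  EventName: "FileScanned", DomainName: "File", Version: 1,
  Payload: { Source: "VirusScanner", FileUploadBucket: "example-upload-bucket",
    Path: "uploads/report.pdf", Status: "INFECTED", Message: "signature match", Size: "68" },
};
```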

Default Alarms

None. Note that the default alarm uses the WaAlarm construct, which sets up an alarm action to notify the SNS topic AlarmEventsTopic by default.

Examples

Default Usage

new CpVirusScanner(this, "X8VS", {
cpVpc: vpc,
cpEventBus: eventBus,
cpFileUploadBucket: fileUpload,
})

Custom Configuration

new CpVirusScanner(this, "X8VS", {
cpVpc: vpc,
cpEventBus: eventBus,
cpFileUploadBucket: fileUpload,
})

Compliance

It addresses the following compliance requirements:

  1. Virus scanning of customer-uploaded files is required by most compliance standards
    • Risk Level: Medium
    • Compliance: PCI, HIPAA, APRA, MAS, NIST4
    • Well Architected Pillar: Security

Hierarchy

  • Construct
    • CpVirusScanner

Constructors

Properties

cleanFileRule: Rule

Rule for sending clean files: source is VirusScanner, status is CLEAN

efsDefsPath: "virus_database/" = 'virus_database/'

Directory where virus definitions are downloaded

efsMountPath: string = ...

EFS mount path

efsRootPath: "/lambda" = '/lambda'

Root path for virus scanner lambda

infectedFileRule: Rule

Rule for sending infected files: source is VirusScanner, status is INFECTED

s3Gateway: GatewayVpcEndpoint

S3 Gateway endpoint for S3 Buckets

scanErrorDestination: IDestination

The Lambda destination for failed or errored scans (status ERROR, or IN PROGRESS if the error is due to a Lambda timeout).

scanErrorQueue: CcQueue

SQS where error messages are sent

virusScannerLambda: DockerImageFunction

Lambda that scans the files

Accessors

  • get scanAssumedPrincipal(): ArnPrincipal

    Returns ArnPrincipal: the ARN of the assumed role principal for the scan function

Methods

  • Parameters

    • bucket: IBucket

    Returns void

  • Parameters

    • bucket: IBucket

    Returns PolicyStatement

Generated using TypeDoc