ClamAV scanning S3 buckets using Terraform

I’ve recently had a need to scan files for viruses after they have been uploaded to an S3 bucket. After some Googling, I found this repo from Upside Travel, which uses S3 event notifications and Lambda functions to trigger a ClamAV scan on a file shortly after it is uploaded to an S3 bucket. If the file is deemed malicious, it is tagged as INFECTED and its download is prevented.

It’s an elegant solution that makes the most of the AWS environment. One thing which I didn’t love, though, was the amount of clicking that I had to do to configure things. As I’m new to AWS, I lost maybe half a day in trying to find buttons and misunderstanding the maze that is the AWS console. I’ve recently also been learning Terraform, so I thought this might be a good opportunity to combine the two things and create a Terraform module that spins up the required infrastructure to do the scanning without having to click any buttons.

You can find the module here. It’s fairly simple at the moment (and therefore slightly limited). The main limitation is that you cannot provide an array of buckets to scan - it only works with a single bucket. There are some other minor tidiness issues that I am already aware of, but this is an MVP that does the job. There is a working example that should (given an existing S3 bucket’s name and ARN) set up the Lambda functions to scan any files uploaded to that bucket.
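To make the wiring concrete, here is an added Terraform sketch of the two pieces that matter for security: the S3 event notification that invokes a scanner Lambda on every upload, and the bucket policy that denies downloads of objects tagged INFECTED. This is illustrative code, not the module's own; it assumes the scanner Lambda is already deployed and that the scanner writes its verdict under the tag key `av-status`.

```hcl
# Assumed inputs: an existing bucket and an already-deployed scanner Lambda.
variable "bucket_name"           { type = string }
variable "scanner_function_arn"  { type = string }
variable "scanner_function_name" { type = string }

# Allow S3 (and only this bucket) to invoke the scanner function.
resource "aws_lambda_permission" "allow_s3" {
  statement_id  = "AllowS3InvokeScanner"
  action        = "lambda:InvokeFunction"
  function_name = var.scanner_function_name
  principal     = "s3.amazonaws.com"
  source_arn    = "arn:aws:s3:::${var.bucket_name}"
}

# Trigger the scanner on every object created in the bucket.
resource "aws_s3_bucket_notification" "scan_on_upload" {
  bucket = var.bucket_name

  lambda_function {
    lambda_function_arn = var.scanner_function_arn
    events              = ["s3:ObjectCreated:*"]
  }

  depends_on = [aws_lambda_permission.allow_s3]
}

# Deny GetObject on any object the scanner has tagged as INFECTED.
data "aws_iam_policy_document" "deny_infected" {
  statement {
    effect    = "Deny"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.bucket_name}/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringEquals"
      variable = "s3:ExistingObjectTag/av-status" # tag key is an assumption
      values   = ["INFECTED"]
    }
  }
}

resource "aws_s3_bucket_policy" "deny_infected" {
  bucket = var.bucket_name
  policy = data.aws_iam_policy_document.deny_infected.json
}
```

The explicit Deny applies to every principal, including the bucket owner, so an INFECTED object stays locked until its tag is changed; the scanner's execution role (not shown) still needs s3:GetObject and s3:PutObjectTagging on the bucket to read and tag uploads.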

This is the first thing I have open-sourced that I imagine anyone will use, my first two weeks using AWS seriously, and my first two days with Terraform. Pull requests, bug fixes, and any other suggestions are very much appreciated. The code can be found here.

*****
Written by Feroz Salam on 13 November 2018