
How can I delete a file once it's been tagged as INFECTED? #582

Open
james-wilson-sp opened this issue Aug 30, 2022 · 12 comments

Comments

@james-wilson-sp

Hello!

Sorry for the silly question, but I'm not sure how, in CDK, I can add a rule to delete a file marked as infected. I presume this is possible?

I notice you have an `infectedRule`, which creates an EventBridge rule, but I wasn't sure how to go about doing this.

My existing code, which works now:

    import * as S3 from 'aws-cdk-lib/aws-s3';
    import { BucketPolicy } from 'aws-cdk-lib/aws-s3';
    import { Topic } from 'aws-cdk-lib/aws-sns';
    import { RuleTargetInput } from 'aws-cdk-lib/aws-events';
    import { SnsTopic } from 'aws-cdk-lib/aws-events-targets';
    import { ServerlessClamscan } from 'cdk-serverless-clamscan';

    // Import the existing (not stack-managed) bucket by name.
    const BackEndBucket = S3.Bucket.fromBucketName(
      this,
      `bucketname`,
      `bucketname`,
    );

    const sc = new ServerlessClamscan(this, 'Clamscan', {
      acceptResponsibilityForUsingImportedBucket: true,
    });

    sc.addSourceBucket(BackEndBucket);

    // An imported bucket has no policy managed by this stack, so create one
    // and add the statement the construct needs for that bucket.
    const bucketPolicy = new BucketPolicy(this, 'BucketPolicy', {
      bucket: BackEndBucket,
    });

    bucketPolicy.document.addStatements(sc.getPolicyStatementForBucket(BackEndBucket));

    // Publish the scan message to SNS whenever the infected rule matches.
    const infectedTopic = new Topic(this, `InfectedTopic`);
    sc.infectedRule?.addTarget(
      new SnsTopic(infectedTopic, {
        message: RuleTargetInput.fromEventPath(
          '$.detail.responsePayload.message',
        ),
      }),
    );
@dontirun
Contributor

Hi!

There are multiple ways to handle this with EventBridge, considering the different targets you can use. A simple solution may be adding a Lambda target to the infected rule and having the Lambda function delete the object from S3.

@james-wilson-sp
Author

Thanks for the quick response @dontirun.
I noticed that the default rule I added above:

    '$.detail.responsePayload.message',

    {
      "detail": {
        "responsePayload": {
          "source": ["serverless-clamscan"],
          "status": ["INFECTED"]
        }
      }
    }

But there is nothing sent in this response about the file in S3 which it detected (unless I am missing something). Is there a way in the payload to get the ARN or path to the S3 object it's scanning?

@dontirun
Contributor

This is the payload from the Lambda function (includes the source bucket and key).

I believe if you use '$.detail.responsePayload' you should be able to get all the details.

@dontirun
Contributor

Looking at this blog post:

For EventBridge, the JSON is passed as the Detail in the PutEvents call. The source is lambda, and detail type is either Lambda Function Invocation Result - Success or Lambda Function Invocation Result - Failure. The resource fields contain the function and destination ARNs.

@dontirun
Contributor

dontirun commented Aug 30, 2022

My apologies, it looks like the default infected rule created by the construct may not contain that information. We may have to make a PR to change that if the '$.detail' object does not contain the correct information.

@james-wilson-sp
Author

james-wilson-sp commented Aug 30, 2022

Thanks @dontirun.
I'm not sure how complex it is to add it, but am I going about this the right way? I noticed you have a

onResult (aws_lambda.IDestination) The Lambda Destination for files marked 'CLEAN' or 'INFECTED' based on the ClamAV Virus scan or 'N/A' for scans triggered by S3 folder creation events marked (Default: Creates and publishes to a new Event Bridge Bus if unspecified). Optional

Would I just literally add a Lambda function into the main construct, like

    const sc = new ServerlessClamscan(this, 'Clamscan', {
      acceptResponsibilityForUsingImportedBucket: true,
      onResult: lambdaarnhere?
    });

Would that feed across the bucket name and bucket key of the file? So then in that Lambda function I create, I can just delete the S3 file there?

Do you know what gets passed to the Lambda function using onResult?

I'm trying to figure out the best way to delete the S3 file after it's been marked as infected.

@dontirun
Contributor

You would have to set up the destination (so not exactly just an ARN), but this payload will be present
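The Lambda-target approach suggested above, using the bucket and key that the scan result payload is said to carry, as an added example that is not code from the cdk-serverless-clamscan project or from anyone in this thread. It assumes the result payload exposes the object as `input_bucket` and `input_key` under `detail.responsePayload` (an assumption; verify the field names against your own scan function's output), that the scanned bucket is called `bucketname`, and it constructs its own sample event rather than using a captured one. The S3 call is behind a small interface so the logic runs offline; in the deployed function you would implement it with `S3Client` and `DeleteObjectCommand` from `@aws-sdk/client-s3`.

```typescript
// Added example (not project code): a Lambda target for the infected rule that
// deletes the flagged object. `input_bucket` / `input_key` are ASSUMED field
// names in the scan function's result payload; confirm them before deploying.

// The EventBridge event a Lambda destination emits on success, narrowed to
// the fields this handler reads.
interface ScanResultEvent {
  source: string;                 // "lambda" for destination events
  'detail-type': string;          // "Lambda Function Invocation Result - Success"
  detail: {
    responsePayload: {
      source: string;             // "serverless-clamscan"
      status: string;             // "CLEAN" | "INFECTED" | "N/A" | "ERROR"
      message?: string;
      input_bucket?: string;      // assumed field name
      input_key?: string;         // assumed field name
    };
  };
}

type Decision =
  | { action: 'delete'; bucket: string; key: string }
  | { action: 'ignore'; reason: string };

// Pure decision logic, kept separate from I/O so it can be tested offline.
// The infected rule's event pattern already filters on source and status,
// but the handler re-checks them and enforces a bucket allow-list so that a
// later change to the rule, or a mis-wired target, cannot turn this function
// into a general-purpose object deleter.
function decideOnScanResult(event: ScanResultEvent, allowedBuckets: Set<string>): Decision {
  const payload = event && event.detail && event.detail.responsePayload;
  if (!payload) {
    return { action: 'ignore', reason: 'event has no detail.responsePayload' };
  }
  if (payload.source !== 'serverless-clamscan') {
    return { action: 'ignore', reason: `unexpected source "${payload.source}"` };
  }
  if (payload.status !== 'INFECTED') {
    return { action: 'ignore', reason: `status is "${payload.status}", not INFECTED` };
  }
  const bucket = payload.input_bucket;
  const key = payload.input_key;
  if (typeof bucket !== 'string' || typeof key !== 'string' || key.length === 0) {
    return { action: 'ignore', reason: 'payload carries no bucket/key' };
  }
  if (!allowedBuckets.has(bucket)) {
    return { action: 'ignore', reason: `bucket "${bucket}" is not a scanned source bucket` };
  }
  return { action: 'delete', bucket, key };
}

// Minimal S3 abstraction so the example runs without the AWS SDK. In the real
// Lambda, implement it with S3Client + DeleteObjectCommand and grant the
// function only s3:DeleteObject (plus s3:DeleteObjectVersion if the bucket is
// versioned) on the scanned bucket, nothing broader.
interface ObjectDeleter {
  deleteObject(bucket: string, key: string): Promise<void>;
}

// Lambda entry point: decide, then act.
async function handleInfectedResult(
  event: ScanResultEvent,
  deleter: ObjectDeleter,
  allowedBuckets: Set<string>,
): Promise<Decision> {
  const decision = decideOnScanResult(event, allowedBuckets);
  if (decision.action === 'delete') {
    await deleter.deleteObject(decision.bucket, decision.key);
  }
  return decision;
}

// Constructed sample event (not a captured AWS event) in the destination shape.
function makeScanEvent(status: string, bucket: string, key: string): ScanResultEvent {
  return {
    source: 'lambda',
    'detail-type': 'Lambda Function Invocation Result - Success',
    detail: {
      responsePayload: {
        source: 'serverless-clamscan',
        status,
        message: `${key}: ${status}`,
        input_bucket: bucket,
        input_key: key,
      },
    },
  };
}

// Offline usage: record what would be deleted instead of calling S3.
const recordedDeletes: string[] = [];
const recordingDeleter: ObjectDeleter = {
  async deleteObject(bucket, key) {
    recordedDeletes.push(`s3://${bucket}/${key}`);
  },
};
const scannedBuckets = new Set(['bucketname']);
void handleInfectedResult(makeScanEvent('INFECTED', 'bucketname', 'uploads/eicar.txt'), recordingDeleter, scannedBuckets);
void handleInfectedResult(makeScanEvent('CLEAN', 'bucketname', 'uploads/report.pdf'), recordingDeleter, scannedBuckets);
```

To wire it in CDK, add the function as a target with `sc.infectedRule?.addTarget(new LambdaFunction(fn))` from `aws-cdk-lib/aws-events-targets`; with no input transformer the function receives the whole event, so `detail.responsePayload` is intact. Two caveats worth knowing: on a versioned bucket a `DeleteObject` without a `VersionId` only writes a delete marker and the infected version stays retrievable, and the same is true of a lifecycle expiration rule unless noncurrent versions are also expired.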

@felix-iw
Contributor

I use a lifecycle policy on the bucket that deletes all files that are marked as infected after one day.
If there is no need to immediately delete the infected file, that approach might work for you.

@james-wilson-sp
Author

@felix-iw Awesome, I'd really appreciate it if you're able to share the lifecycle XML you have?

@felix-iw
Contributor

I set up both bucket and lifecycle rule with the CDK:

    import * as cdk from 'aws-cdk-lib';
    import { Bucket } from 'aws-cdk-lib/aws-s3';

    // Construct id is a placeholder; pass your own bucket props here.
    const b = new Bucket(this, 'ScannedBucket');
    // Objects the scan has tagged scan-status=INFECTED expire after one day.
    b.addLifecycleRule({
        enabled: true,
        expiration: cdk.Duration.days(1),
        id: "deleteInfectedRule",
        tagFilters: { "scan-status": "INFECTED" },
    });

@james-wilson-sp
Author

Thank you so much @felix-iw :)

@villelahdenvuo

This can be closed? Perhaps a documentation update would be nice.
