Amazon Elastic File System (EFS) Integration With AWS Lambda

AWS has recently announced support for Amazon Elastic File System (EFS) within AWS Lambda. This change creates new possibilities for serverless applications. In this article I will demonstrate one such possibility — centralising the storage and updating of the ClamAV virus database.

ClamAV

ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

Like any antivirus solution, ClamAV needs to be kept up to date to be fully effective. Ordinarily the virus database is updated by issuing the freshclam command. However, this requires that the instance running the command has internet access. When developing secure architectures in public cloud it is sometimes necessary to have fully isolated subnets which do not have internet access. Additionally, strict security compliance requirements may dictate that virus definitions are not updated directly from the internet but instead from a centralised location within the VPC.

Combining EFS, Lambda and EC2 we can create a configuration that will meet these requirements.

Design

The diagram below represents the architecture we will implement.

Our virus database will be stored on an EFS file system. EC2 instances will be configured to use this file system for their virus definitions (we will deploy the instance in a public subnet in this example just to keep things simple). A “freshclam” Lambda function will keep the virus database stored on EFS up to date.
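To make the “freshclam” Lambda side of this design concrete, here is an added example handler. It is not the code from the aw5academy repositories; it assumes (and these are assumptions, not details from the article) that the EFS file system is attached to the function at /mnt/clamav, that a freshclam binary is shipped in a Lambda layer at /opt/bin/freshclam, and that the function's VPC configuration gives it the outbound access needed to reach the ClamAV mirror. The EC2 instances never need that access: they only read the files the function writes to EFS.

```python
"""Sketch of a "freshclam" Lambda handler that keeps a ClamAV database on EFS.

Added example, not the code from the aw5academy repositories. Assumed paths:
EFS mounted at /mnt/clamav, freshclam binary at /opt/bin/freshclam (a layer).
"""
import os
import subprocess
import tempfile
from pathlib import Path

# Assumed locations (not from the article); overridable via environment variables.
EFS_DB_DIR = os.environ.get("CLAMAV_DB_DIR", "/mnt/clamav")
FRESHCLAM_BIN = os.environ.get("FRESHCLAM_BIN", "/opt/bin/freshclam")
# Databases freshclam maintains. Each may exist as a .cvd (full) or .cld (incrementally patched) file.
DB_NAMES = ("main", "daily", "bytecode")


def render_freshclam_conf(db_dir: str, mirror: str = "database.clamav.net") -> str:
    """Build a minimal freshclam.conf that writes signatures to the EFS path.

    Only the directives needed for an unattended, single-run update are set.
    """
    return "\n".join([
        f"DatabaseDirectory {db_dir}",
        f"DatabaseMirror {mirror}",
        "UpdateLogFile /tmp/freshclam.log",  # inside Lambda only /tmp and the EFS mount are writable
        "LogFileMaxSize 0",
        "NotifyClamd no",                    # no clamd runs inside the function
    ]) + "\n"


def present_databases(db_dir: str) -> dict:
    """Report which signature databases exist on the mount, in .cvd or .cld form."""
    found = {}
    for name in DB_NAMES:
        for ext in (".cvd", ".cld"):
            candidate = Path(db_dir) / f"{name}{ext}"
            if candidate.is_file():
                found[name] = candidate.name
                break
    return found


def run_freshclam(db_dir: str, conf_text: str, binary: str = FRESHCLAM_BIN) -> int:
    """Run freshclam once against the given config; return its exit status."""
    Path(db_dir).mkdir(parents=True, exist_ok=True)
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as conf:
        conf.write(conf_text)
        conf_path = conf.name
    # --stdout keeps freshclam's progress in CloudWatch Logs; --no-warnings drops
    # notices (e.g. about config file permissions) that are noise in this setting.
    return subprocess.call([binary, f"--config-file={conf_path}", "--stdout", "--no-warnings"])


def lambda_handler(event, context):
    """Update the shared database on EFS and fail loudly if nothing usable is present."""
    rc = run_freshclam(EFS_DB_DIR, render_freshclam_conf(EFS_DB_DIR))
    dbs = present_databases(EFS_DB_DIR)
    if rc != 0 or not dbs:
        # Raising marks the invocation as failed, so a CloudWatch alarm on the
        # function's Errors metric tells operators the definitions are going stale.
        raise RuntimeError(f"freshclam exited {rc}; databases present: {sorted(dbs)}")
    return {"freshclam_exit": rc, "databases": dbs}
```

Scheduling the function from an EventBridge rule (for example hourly) turns it into the single, auditable point at which definitions enter the VPC; the handler raises on a failed or empty update so that the schedule's failures surface as Lambda errors rather than as silently ageing signatures on EFS.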

Terraform

The Terraform code at aw5academy/terraform/clamav will provision the resources for us.

Deploy the stack by issuing the following commands:

git clone https://gitlab.com/aw5academy/terraform/clamav.git
cd clamav
terraform init
terraform apply

Chef

As part of the Terraform stack we create an EC2 instance. This instance’s user data clones the repository at aw5academy/chef/clamav, which contains a Chef cookbook that bootstraps the instance: it installs ClamAV, mounts the EFS file system and configures the virus database to point to a path on the EFS file system.

EC2 Instance

Let's now log in to our EC2 instance to test our setup.

SSH into the EC2 instance with:

ssh -i clamav.pem ec2-user@`terraform output ec2-public-ip`

Next verify no virus definitions are present:

clamconf |grep -A 3 "Database information"

As expected, we see none because our Lambda function has not yet executed. So let's invoke the “freshclam” Lambda function with:

aws lambda invoke --function-name freshclam /dev/null --region us-east-1

Now verify the virus definitions are present:

clamconf |grep -A 3 "Database information"

As we now have a valid database we can perform a virus scan:

clamscan .bash_profile

Success!

Cleanup

To remove the stack, from your local terminal run:

terraform destroy

Summary

This is just one example of a real world application of EFS with Lambda. I hope you find this article and the sample code useful.
