auto update lambda layer

0

Hi team,

I am using a Lambda function for file virus scans with ClamAV as a Lambda layer.

I'm wondering if it is possible to auto-upgrade ClamAV, so that Lambda uses the latest version of ClamAV each time.

Is there any other best way to do a virus scan with ClamAV, apart from using ClamAV as a Lambda layer?

Maybe using Lambda container images with a Dockerfile, but how can we make sure that ClamAV is up to date?

Thank you :)

2 Answers
1

Hello,

From your query, I understand that you want to auto-update the Lambda layer so that the Lambda function makes use of the latest version of the ClamAV dependency.

I would like to inform you that, when adding a layer to the Lambda function, we need to specify which version of the layer to use. Unfortunately, Lambda layers have no $LATEST version with which we could tell the Lambda service to use the latest version of a layer. Instead, we need to publish a new version for every update of the layer, which is also mentioned in the documentation [1] below.

[1] Working with Lambda layers - https://docs.aws.amazon.com/lambda/latest/dg/chapter-layers.html#lambda-layer-versions

To quote the above article, kindly note that Lambda layers are versioned, and the content of each layer version is immutable. The layer owner can release a new layer version to provide updated content.

Currently, there is no way to configure a Lambda function to include the updated versions of the layers automatically. This is to ensure that the function doesn't run into issues in case there is any inaccuracy in the updated layer version, as this would break the Lambda function. Considering this, it is always recommended to test the updated dependent packages of the Lambda function and then update the function configuration to include the latest version of the layer.

Additionally, I found the third-party link [2] below, which also talks about the same scenario and mentions some possible workarounds. Kindly note that AWS does not endorse any third-party link; this is shared only for reference purposes.

[2] https://stackoverflow.com/questions/62979100/configure-aws-lambda-function-to-use-latest-version-of-a-layer

AWS
answered 8 months ago
AWS
EXPERT
reviewed 8 months ago
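The manual step described in the answer above (publish a new layer version, test it, then repoint the function) can be scripted. The following is an added example, not code from the answer or from AWS: it takes a boto3 Lambda client as a parameter, and the function and layer names `virus-scan-fn` and `clamav-layer` are placeholders. It defaults to a dry run so the new version can be tested before the function configuration is changed.

```python
import re

# Layer version ARN: arn:aws:lambda:<region>:<account>:layer:<name>:<version>
_LAYER_ARN = re.compile(r"^(arn:aws[\w-]*:lambda:[^:]+:\d{12}:layer:[^:]+):(\d+)$")


def latest_layer_arn(client, layer_name):
    """Return the ARN of the highest published version of layer_name."""
    versions, marker = [], None
    while True:  # follow pagination until no NextMarker is returned
        kwargs = {"LayerName": layer_name}
        if marker:
            kwargs["Marker"] = marker
        page = client.list_layer_versions(**kwargs)
        versions.extend(page.get("LayerVersions", []))
        marker = page.get("NextMarker")
        if not marker:
            break
    if not versions:
        raise LookupError(f"no published versions for layer {layer_name!r}")
    return max(versions, key=lambda v: v["Version"])["LayerVersionArn"]


def pin_latest_layer(client, function_name, layer_name, dry_run=True):
    """Repoint function_name at the newest version of layer_name.

    Other layers and their order are preserved. Returns (old, new) ARN lists."""
    target = latest_layer_arn(client, layer_name)
    target_base = _LAYER_ARN.match(target).group(1)
    cfg = client.get_function_configuration(FunctionName=function_name)
    old = [layer["Arn"] for layer in cfg.get("Layers", [])]
    new = []
    for arn in old:
        m = _LAYER_ARN.match(arn)
        new.append(target if m and m.group(1) == target_base else arn)
    if target not in new:
        raise LookupError(f"{function_name} does not use layer {layer_name!r}")
    if new != old and not dry_run:  # only write when something actually changes
        client.update_function_configuration(FunctionName=function_name, Layers=new)
    return old, new


if __name__ == "__main__":
    import boto3  # needs AWS credentials; names below are placeholders
    print(pin_latest_layer(boto3.client("lambda"), "virus-scan-fn", "clamav-layer"))
```

Run it with `dry_run=False` only after the new layer version has been tested, for example as a deployment pipeline step that follows the scan function's own test suite.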
0

Have you looked into downloading ClamAV definitions into an S3 bucket as per the following article?

https://aws.amazon.com/blogs/developer/virus-scan-s3-buckets-with-a-serverless-clamav-based-cdk-construct/

Creates an hourly job to download the latest ClamAV definition files to the Virus Definitions S3 Bucket by utilizing an Amazon EventBridge rule and a Lambda function

EXPERT
answered 8 months ago
  • Thank you for your answer! As far as I understood, this is to update the virus scan definition, not the ClamAV version itself.

  • That is correct. I’d be more concerned about auto-updating the definitions than ClamAV itself, because it’s the definitions that are important for detecting viruses.
