Added feature to allow for clean scanned file to copied to new bucket.

README.md

@@ -236,6 +236,28 @@ definitions. If your bucket is `s3://my-bucket`, the value should be `my-bucket`
 13. Save the function.  Testing is easiest performed by uploading a
 file to the bucket configured as the trigger in step 4.
 
+**NOTE**
+If you wish the have the files tagged as CLEAN copied to a new bucket you will
+need to include the following policy in the role created in Step 6.
+
+   ```json
+      {
+         "Sid":"s3CleanBucketCopy",
+            "Action":[
+               "s3:PutObject",
+               "s3:PutObjectTagging",
+               "s3:PutObjectVersion",
+               "s3:GetObject",
+               "s3:GetObjectTagging",
+               "s3:GetObjectVersionTagging"
+            ],
+            "Effect":"Allow",
+            "Resource": [
+               "arn:aws:s3:::<clean-bucket-name>/*"
+            ]
+      }
+   ```
+
 ### S3 Events
 
 Configure scanning of additional buckets by adding a new S3 event to
@@ -257,6 +279,7 @@ the table below for reference.
 | Variable | Description | Default | Required |
 | --- | --- | --- | --- |
 | AV_DEFINITION_S3_BUCKET | Bucket containing antivirus definition files |  | Yes |
+| AV_DEFINITION_S3_CLEAN_BUCKET | Bucket to copy clean files once scanned. |  | No |
 | AV_DEFINITION_S3_PREFIX | Prefix for antivirus definition files | clamav_defs | No |
 | AV_DEFINITION_PATH | Path containing files at runtime | /tmp/clamav_defs | No |
 | AV_SCAN_START_SNS_ARN | SNS topic ARN to publish notification about start of scan | | No |

common.py

@@ -19,6 +19,7 @@
 import os.path
 
 AV_DEFINITION_S3_BUCKET = os.getenv("AV_DEFINITION_S3_BUCKET")
+AV_DEFINITION_S3_CLEAN_BUCKET = os.getenv("AV_DEFINITION_S3_CLEAN_BUCKET")
 AV_DEFINITION_S3_PREFIX = os.getenv("AV_DEFINITION_S3_PREFIX", "clamav_defs")
 AV_DEFINITION_PATH = os.getenv("AV_DEFINITION_PATH", "/tmp/clamav_defs")
 AV_SCAN_START_SNS_ARN = os.getenv("AV_SCAN_START_SNS_ARN")

scan.py

@@ -24,6 +24,7 @@
 import clamav
 import metrics
 from common import AV_DEFINITION_S3_BUCKET
+from common import AV_DEFINITION_S3_CLEAN_BUCKET
 from common import AV_DEFINITION_S3_PREFIX
 from common import AV_DELETE_INFECTED_FILES
 from common import AV_PROCESS_ORIGINAL_VERSION_ONLY
@@ -149,6 +150,16 @@ def set_av_tags(s3_client, s3_object, scan_result, scan_signature, timestamp):
         Bucket=s3_object.bucket_name, Key=s3_object.key, Tagging={"TagSet": new_tags}
     )
 
+def copy_clean_file(s3, s3_object):
+    copy_source = {
+        "Bucket": s3_object.bucket_name,
+        "Key": s3_object.key
+    }
+
+    bucket = s3.Bucket(AV_DEFINITION_S3_CLEAN_BUCKET)
+    obj = bucket.Object(s3_object.key)
+    obj.copy(copy_source)
+
 
 def sns_start_scan(sns_client, s3_object, scan_start_sns_arn, timestamp):
     message = {
@@ -245,6 +256,11 @@ def lambda_handler(event, context):
         set_av_metadata(s3_object, scan_result, scan_signature, result_time)
     set_av_tags(s3_client, s3_object, scan_result, scan_signature, result_time)
 
+    # Move clean files to a new bucket specified by an enviornment variable if specified
+    if AV_DEFINITION_S3_CLEAN_BUCKET not in [None, ""] and scan_result == AV_STATUS_CLEAN:
+        copy_clean_file(s3, s3_object)
+        print("Copied %s to clean bucket location." %s3_object.key)
+
     # Publish the scan results
     if AV_STATUS_SNS_ARN not in [None, ""]:
         sns_scan_results(

scripts/run-scan-lambda

@@ -27,6 +27,7 @@ NAME="antivirus-scan"
 docker run --rm \
   -v "$(pwd)/tmp/:/var/task" \
   -e AV_DEFINITION_S3_BUCKET \
+  -e AV_DEFINITION_S3_CLEAN_BUCKET \
   -e AV_DEFINITION_S3_PREFIX \
   -e AV_DELETE_INFECTED_FILES \
   -e AV_PROCESS_ORIGINAL_VERSION_ONLY \

scripts/run-update-lambda

@@ -15,6 +15,7 @@ docker run --rm \
   -v "$(pwd)/tmp/:/var/task" \
   -e AV_DEFINITION_PATH \
   -e AV_DEFINITION_S3_BUCKET \
+  -e AV_DEFINITION_S3_CLEAN_BUCKET \
   -e AV_DEFINITION_S3_PREFIX \
   -e AWS_ACCESS_KEY_ID \
   -e AWS_DEFAULT_REGION \