This example deploys a stack to leverage Sophos Intelix via Lambda to check files being uploaded to an S3 bucket for malware.
SophosLabs Intelix is available on AWS marketplace, details (including how to sign up) can be found here.
This Lambda function, when deployed into your AWS environment, triggers on write actions to an S3 bucket, i.e. every time a file is added to the bucket. Each Intelix service is called in turn (File Hash Lookup, then Static Analysis, then Dynamic Analysis) until a verdict (Clean or Malicious) is reached. If the file is malicious it is removed from the bucket.
The code requires your Intelix credentials to be available as an environment variable.
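The escalation and clean-up flow described above, as an added Python illustration that is not the repository's own code: the three Intelix services are modelled as pluggable stage callables (the HTTP calls to the Intelix API are not shown), and `delete_object` is an assumed callback standing in for the S3 delete.

```python
import base64
import hashlib
from typing import Callable, List, Optional, Tuple
from urllib.parse import unquote_plus

CLEAN, MALICIOUS = "clean", "malicious"
# A stage is (name, fn); fn(sha256_hex, data) returns "clean", "malicious" or None (undetermined).
Stage = Tuple[str, Callable[[str, bytes], Optional[str]]]


def decode_intelix_credentials(value: str) -> Tuple[str, str]:
    """Decode the INTELIX_CREDENTIALS value: base64 of 'client_id:client_secret'."""
    client_id, sep, client_secret = base64.b64decode(value).decode().partition(":")
    if not sep or not client_id or not client_secret:
        raise ValueError("INTELIX_CREDENTIALS must be base64(client_id:client_secret)")
    return client_id, client_secret


def determine_verdict(data: bytes, stages: List[Stage]) -> Tuple[Optional[str], Optional[str]]:
    """Call each stage in order (hash lookup, then static, then dynamic) and stop at the
    first definite verdict, so a cheap hash lookup short-circuits expensive sandboxing."""
    sha256 = hashlib.sha256(data).hexdigest()
    for name, fn in stages:
        verdict = fn(sha256, data)
        if verdict in (CLEAN, MALICIOUS):
            return verdict, name
    return None, None  # every stage was inconclusive


def handle_object(bucket: str, key: str, data: bytes, stages: List[Stage],
                  delete_object: Callable[[str, str], None]) -> dict:
    """Scan one uploaded object and remove it from the bucket when it is malicious."""
    verdict, stage = determine_verdict(data, stages)
    deleted = verdict == MALICIOUS
    if deleted:
        delete_object(bucket, key)  # assumed callback, e.g. wrapping s3.delete_object
    return {"key": key, "verdict": verdict, "stage": stage, "deleted": deleted}


def object_refs_from_event(event: dict) -> List[Tuple[str, str]]:
    """Extract (bucket, key) pairs from an S3 put event; object keys arrive URL-encoded,
    so a key containing spaces or '+' must be decoded before it is fetched or deleted."""
    return [(r["s3"]["bucket"]["name"], unquote_plus(r["s3"]["object"]["key"]))
            for r in event.get("Records", [])]
```

In the Lambda entry point, feed `object_refs_from_event(event)` into `handle_object` with the object bytes fetched from S3 and the real Intelix stages; an object for which every stage is inconclusive is reported with verdict `None` rather than silently kept.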
- AWS CDK is used to deploy via infrastructure as code
- AWS Lambda is used to execute a serverless python function to query the Sophos Intelix API
- AWS S3 is used for our file object storage
- Sophos Intelix is used via API for File Hash Lookup, Static Analysis and Dynamic Analysis to determine if a file is clean or malicious
- Git
- An AWS account
- AWS CLI, installed and configured
- AWS CDK
See the AWS CDK Getting started guide for more info.
npm install -g aws-cdk
CDK uses your AWS CLI credentials; ensure you have credentials configured along with a default region.
aws configure
git clone https://github.com/sophoslabs/intelix-lambda-example.git
cd intelix-lambda-example
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
pip3 install requests -t ./resources
cdk bootstrap
Register for Intelix and receive API credentials: https://aws.amazon.com/marketplace/pp/B07SLZPMCS
In our example, we will use a Lambda environment variable to pass our Intelix Credentials to Lambda. In a production setup, you may prefer to use AWS Secrets Manager to securely store your credentials.
Edit the file:
cdk_intelix_lambda/intelix_lambda_service.py
Add your base64 encoded Intelix credentials to the line containing:
INTELIX_CREDENTIALS="<YOUR BASE64 CODED CLIENT_ID:CLIENT_SECRET>"
cdk synth
cdk deploy
This repo is set up to use Gitpod, which ensures your environment is configured with the required packages and dependencies.
To run the tests for this repo:
- Ensure that you have provided your Intelix credentials as an environment variable (INTELIX_CREDENTIALS), in the form expected by the login function (details of the format are available in the Intelix docs)
- Run (in the root directory of the repo)
pytest
Copyright (c) 2021. Sophos Limited