diff --git a/aws/client.go b/aws/client.go
index d7bcb9ee0..a762268a6 100644
--- a/aws/client.go
+++ b/aws/client.go
@@ -1,6 +1,7 @@
 package aws
 
 import (
+	"compress/gzip"
 	"context"
 	"encoding/xml"
 	"fmt"
@@ -150,15 +151,30 @@ func (c *Client) Updates(ctx context.Context) (io.ReadCloser, error) {
 			tf.Close()
 			return nil, err
 		}
+		gz, err := gzip.NewReader(tf)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create gzip reader: %v", err)
+		}
 
 		log.Debug().Msg("success")
-		return tf, nil
+		return &gzippedFile{
+			Reader: gz,
+			Closer: tf,
+		}, nil
 	}
 
 	log.Error().Msg("exhausted all mirrors")
 	return nil, fmt.Errorf("all update_info mirrors failed to return a response")
 }
 
+// gzippedFile implements io.ReadCloser by proxying calls to different
+// underlying implementations. This is used to make sure the file that backs the
+// downloaded security database has Close called on it.
+type gzippedFile struct {
+	io.Reader
+	io.Closer
+}
+
 func (c *Client) getMirrors(ctx context.Context, release Release) error {
 	var (
 		req *http.Request
diff --git a/aws/updater.go b/aws/updater.go
index 3cc519c72..79164e817 100644
--- a/aws/updater.go
+++ b/aws/updater.go
@@ -1,12 +1,10 @@
 package aws
 
 import (
-	"compress/gzip"
 	"context"
 	"encoding/xml"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"strings"
 	"time"
 
@@ -59,12 +57,6 @@ func (u *Updater) Fetch(ctx context.Context, fingerprint driver.Fingerprint) (io
 		return nil, "", fmt.Errorf("failed to retrieve update info: %v", err)
 	}
 
-	gzip, err := gzip.NewReader(rc)
-	if err != nil {
-		return nil, "", fmt.Errorf("failed to create gzip reader: %v", err)
-	}
-	rc = ioutil.NopCloser(gzip)
-
 	return rc, driver.Fingerprint(updatesRepoMD.Checksum.Sum), nil
 }