AWS Lambda
Developer Guide

Step 3: Add Event Source (Configure Amazon S3 to Publish Events)

In this section, you add the remaining configuration so Amazon S3 can publish object-created events to AWS Lambda and invoke your Lambda function. You will do the following:

  • Add permissions to the Lambda function's access policy to allow Amazon S3 to invoke the function.

  • Add notification configuration to your source bucket. In the notification configuration, you provide the following:

    • Event type for which you want Amazon S3 to publish events. For this tutorial, you specify the s3:ObjectCreated:* event type.

    • Lambda function to invoke.

Step 3.1: Add Permissions to the Lambda Function's Access Permissions Policy

  1. Run the following Lambda CLI add-permission command to grant the Amazon S3 service principal (s3.amazonaws.com) permission to perform the lambda:InvokeFunction action. Note that Amazon S3 is permitted to invoke the function only if both of the following conditions are met:

    • An object-created event is detected on a specific bucket.

    • The bucket is owned by a specific AWS account. If a bucket owner deletes a bucket, some other AWS account can create a bucket with the same name. This condition ensures that only a specific AWS account can invoke your Lambda function.

    $ aws lambda add-permission \
        --function-name CloudTrailEventProcessing \
        --region us-west-2 \
        --statement-id Id-1 \
        --action "lambda:InvokeFunction" \
        --principal s3.amazonaws.com \
        --source-arn arn:aws:s3:::examplebucket \
        --source-account examplebucket-owner-account-id \
        --profile adminuser
  2. Verify the function's access policy by running the AWS CLI get-policy command.

    $ aws lambda get-policy \
        --function-name function-name \
        --profile adminuser
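The get-policy output is worth checking mechanically rather than by eye: the `Policy` field is itself a JSON document encoded as a string, and a statement that grants s3.amazonaws.com the invoke action without the aws:SourceArn and aws:SourceAccount conditions described above lets any bucket in any account trigger the function. The following audit script is an added example, not part of the tutorial or the AWS CLI; the two sample get-policy outputs it embeds are constructed (the account id 123456789012 and the revision id are placeholders), and it assumes the condition key shapes that add-permission writes (`ArnLike` for `AWS:SourceArn`, `StringEquals` for `AWS:SourceAccount`).

```python
import json

S3_SERVICE_PRINCIPAL = "s3.amazonaws.com"
INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:*", "*"}


def _as_list(value):
    """IAM allows most policy elements to be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_s3_invoke(stmt):
    """True if this statement is an Allow that lets the S3 service principal invoke the function."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else [principal]
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    s3_can_invoke = S3_SERVICE_PRINCIPAL in services or "*" in services
    return s3_can_invoke and any(a in INVOKE_ACTIONS for a in actions)


def _conditions(stmt):
    """Flatten {operator: {key: value}} into {key.lower(): value}; condition keys are case-insensitive."""
    flat = {}
    for operator_values in stmt.get("Condition", {}).values():
        for key, value in operator_values.items():
            flat[key.lower()] = value
    return flat


def audit_s3_invoke_policy(get_policy_output, expected_bucket_arn, expected_account_id):
    """Return {Sid: [findings]} for each statement that lets S3 invoke the function.

    An empty findings list means the statement carries both conditions step 3.1
    relies on: aws:SourceArn pinned to the bucket and aws:SourceAccount pinned
    to the bucket owner.
    """
    outer = json.loads(get_policy_output)
    policy = json.loads(outer["Policy"])  # "Policy" is a JSON document encoded as a string
    report = {}
    for stmt in _as_list(policy.get("Statement")):
        if not _grants_s3_invoke(stmt):
            continue
        findings = []
        cond = _conditions(stmt)
        source_arn = cond.get("aws:sourcearn")
        source_account = cond.get("aws:sourceaccount")
        if source_arn is None:
            findings.append("no aws:SourceArn condition: any bucket could invoke the function")
        elif _as_list(source_arn) != [expected_bucket_arn]:
            findings.append(f"aws:SourceArn is {source_arn!r}, expected {expected_bucket_arn!r}")
        if source_account is None:
            findings.append("no aws:SourceAccount condition: a bucket re-created with the same "
                            "name in another account could invoke the function")
        elif _as_list(source_account) != [expected_account_id]:
            findings.append(f"aws:SourceAccount is {source_account!r}, expected {expected_account_id!r}")
        report[stmt.get("Sid", "<no Sid>")] = findings
    return report


def _sample_get_policy_output(statement):
    """Constructed stand-in for `aws lambda get-policy` output (not captured from a real account)."""
    policy = {"Version": "2012-10-17", "Id": "default", "Statement": [statement]}
    return json.dumps({"Policy": json.dumps(policy), "RevisionId": "constructed-revision-id"})


_BASE = {
    "Effect": "Allow",
    "Principal": {"Service": S3_SERVICE_PRINCIPAL},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-west-2:123456789012:function:CloudTrailEventProcessing",
}
# What add-permission writes when --source-arn and --source-account are both given.
SCOPED_SAMPLE = _sample_get_policy_output({
    **_BASE, "Sid": "Id-1",
    "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"},
                  "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::examplebucket"}},
})
# The same grant with both options omitted: any S3 bucket in any account may invoke the function.
UNSCOPED_SAMPLE = _sample_get_policy_output({**_BASE, "Sid": "Id-1-unscoped"})

if __name__ == "__main__":
    for label, sample in (("scoped", SCOPED_SAMPLE), ("unscoped", UNSCOPED_SAMPLE)):
        report = audit_s3_invoke_policy(sample, "arn:aws:s3:::examplebucket", "123456789012")
        print(label, json.dumps(report, indent=2))
```

To run it against a real function, pipe the get-policy output in (`aws lambda get-policy --function-name CloudTrailEventProcessing --profile adminuser`) and pass the bucket ARN and owning account id you expect; any non-empty findings list means the grant is wider than step 3.1 intends.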

Step 3.2: Configure Notification on the Bucket

Add notification configuration on the examplebucket to request Amazon S3 to publish object-created events to Lambda. In the configuration, you specify the following:

  • Event type – For this tutorial, any event type that creates objects (s3:ObjectCreated:*).

  • Lambda function ARN – This is your Lambda function that you want Amazon S3 to invoke. The ARN is of the following form:

    arn:aws:lambda:aws-region:account-id:function:function-name

    For example, the function CloudTrailEventProcessing created in us-west-2 region has the following ARN:

    arn:aws:lambda:us-west-2:account-id:function:CloudTrailEventProcessing

For instructions on adding notification configuration to a bucket, see Enabling Event Notifications in the Amazon Simple Storage Service Console User Guide.
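The console procedure linked above is one way to add the notification configuration; the same document can be written as JSON and applied with `aws s3api put-bucket-notification-configuration`. The script below is an added example, not part of the tutorial: it validates the function ARN against the form shown in step 3.2, restricts the configuration to object-created event types, and adds an optional key filter. The region pattern, the 12-digit account id, the `CloudTrailLogsToLambda` configuration id and the `AWSLogs/` prefix (CloudTrail's default key prefix) are assumptions of this example rather than values the page states.

```python
import json
import re

# The ARN form from step 3.2 with its components captured. The region pattern and
# the 12-digit account id are assumptions about ARN shape, not stated on the page.
LAMBDA_FUNCTION_ARN = re.compile(
    r"^arn:aws:lambda:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d):"
    r"(?P<account>\d{12}):function:(?P<name>[A-Za-z0-9_-]{1,64})"
    r"(?::(?P<qualifier>[A-Za-z0-9$_-]+))?$"
)

# Event types S3 accepts for object creation; the tutorial uses the wildcard.
OBJECT_CREATED_EVENTS = {
    "s3:ObjectCreated:*", "s3:ObjectCreated:Put", "s3:ObjectCreated:Post",
    "s3:ObjectCreated:Copy", "s3:ObjectCreated:CompleteMultipartUpload",
}


def parse_lambda_arn(arn):
    """Split a Lambda function ARN into region, account, name and optional qualifier, or raise ValueError."""
    match = LAMBDA_FUNCTION_ARN.match(arn)
    if match is None:
        raise ValueError(f"not a Lambda function ARN: {arn!r}")
    return match.groupdict()


def build_notification_configuration(function_arn, events=("s3:ObjectCreated:*",),
                                     prefix=None, suffix=None,
                                     config_id="CloudTrailLogsToLambda"):
    """Return the NotificationConfiguration document for put-bucket-notification-configuration.

    Only object-created event types are accepted, which is all this tutorial needs;
    an optional prefix/suffix filter narrows delivery to the keys the function should see.
    """
    parse_lambda_arn(function_arn)  # fail early on a malformed ARN
    unknown = set(events) - OBJECT_CREATED_EVENTS
    if unknown:
        raise ValueError(f"not object-created event types: {sorted(unknown)}")
    config = {"Id": config_id, "LambdaFunctionArn": function_arn, "Events": list(events)}
    rules = []
    if prefix:
        rules.append({"Name": "prefix", "Value": prefix})
    if suffix:
        rules.append({"Name": "suffix", "Value": suffix})
    if rules:
        config["Filter"] = {"Key": {"FilterRules": rules}}
    return {"LambdaFunctionConfigurations": [config]}


if __name__ == "__main__":
    # Constructed ARN: the account id is a placeholder, as it is on the page.
    arn = "arn:aws:lambda:us-west-2:123456789012:function:CloudTrailEventProcessing"
    # CloudTrail writes gzip-compressed objects under AWSLogs/ by default (assumption),
    # so this filter keeps unrelated uploads to the bucket from invoking the function.
    print(json.dumps(build_notification_configuration(arn, prefix="AWSLogs/", suffix=".gz"), indent=2))
```

Save the printed document as notification.json and apply it with `aws s3api put-bucket-notification-configuration --bucket examplebucket --notification-configuration file://notification.json --profile adminuser`. This call replaces the bucket's whole notification configuration, so merge in any existing SNS, SQS or Lambda configurations before applying it.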

Step 3.3: Test the Setup

You're all done! Now you can test the setup as follows:

  1. Perform some action in your AWS account. For example, add another topic in the Amazon SNS console.

  2. You receive an email notification about this event.

  3. AWS CloudTrail creates a log object in your bucket.

  4. If you open the log object (.gz file), the log shows the CreateTopic SNS event.

  5. For each object AWS CloudTrail creates, Amazon S3 invokes your Lambda function by passing in the log object as event data.

  6. Lambda executes your function. The function parses the log, finds a CreateTopic SNS event, and then you receive an email notification.

    You can monitor the activity of your Lambda function by using CloudWatch metrics and logs. For more information about CloudWatch monitoring, see Troubleshooting and Monitoring AWS Lambda Functions with Amazon CloudWatch.
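When S3 invokes the function in step 5, the event it passes identifies the new object by bucket name and key (the key is URL-encoded) rather than carrying the log contents. The handler below is an added example of the defensive first step a function can take before fetching anything, and is not the tutorial's own function code: it confirms each record is an S3 object-created record, that it comes from the bucket the function is meant to serve, and that the key looks like a CloudTrail .gz log object, reporting everything else as skipped. The sample event is constructed (placeholder account id and key) and `EXPECTED_BUCKET` is an assumption of this example.

```python
import json
from urllib.parse import unquote_plus

# Assumption for this example: the one bucket this function should accept events from.
EXPECTED_BUCKET = "examplebucket"

# Constructed S3 event in the shape Lambda receives for object-created notifications;
# the account id, timestamps and keys are placeholders, not captured from a real account.
SAMPLE_EVENT = {
    "Records": [
        {
            "eventVersion": "2.0", "eventSource": "aws:s3", "awsRegion": "us-west-2",
            "eventTime": "2017-01-01T00:00:00.000Z", "eventName": "ObjectCreated:Put",
            "s3": {
                "bucket": {"name": "examplebucket", "arn": "arn:aws:s3:::examplebucket"},
                "object": {"key": "AWSLogs/123456789012/CloudTrail/us-west-2/2017/01/01/"
                                  "123456789012_CloudTrail_us-west-2_20170101T0000Z_example.json.gz",
                           "size": 1234},
            },
        },
        {   # an unrelated upload to the same bucket; note the URL-encoded space in the key
            "eventVersion": "2.0", "eventSource": "aws:s3", "awsRegion": "us-west-2",
            "eventTime": "2017-01-01T00:00:01.000Z", "eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": "examplebucket", "arn": "arn:aws:s3:::examplebucket"},
                   "object": {"key": "notes/my+file.txt", "size": 10}},
        },
        {   # an object-created record from a bucket this function does not serve
            "eventVersion": "2.0", "eventSource": "aws:s3", "awsRegion": "us-west-2",
            "eventTime": "2017-01-01T00:00:02.000Z", "eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": "otherbucket", "arn": "arn:aws:s3:::otherbucket"},
                   "object": {"key": "AWSLogs/x/CloudTrail/other.json.gz", "size": 99}},
        },
    ]
}


def cloudtrail_log_objects(event, expected_bucket):
    """Return (accepted, skipped): accepted is a list of (bucket, key) for CloudTrail log
    objects in the expected bucket; skipped is a list of (reason, detail) for everything else."""
    accepted, skipped = [], []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3" or not record.get("eventName", "").startswith("ObjectCreated:"):
            skipped.append(("not an S3 object-created record", record.get("eventName")))
            continue
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # S3 URL-encodes keys in event records
        if bucket != expected_bucket:
            # The access policy conditions in step 3.1 should already block this; checking
            # again inside the function is cheap defence in depth against misconfiguration.
            skipped.append(("unexpected bucket", bucket))
            continue
        if not key.endswith(".gz"):
            skipped.append(("not a CloudTrail .gz log object", key))
            continue
        accepted.append((bucket, key))
    return accepted, skipped


def handler(event, context):
    """Lambda entry point: decide which objects to process before fetching any of them.
    Downloading and parsing the gzip log is the job of the function from the earlier steps."""
    accepted, skipped = cloudtrail_log_objects(event, EXPECTED_BUCKET)
    for reason, detail in skipped:
        print(f"skipped: {reason}: {detail}")  # lands in the function's CloudWatch log stream
    return {"to_process": [key for _, key in accepted], "skipped": len(skipped)}


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT, None), indent=2))
```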