aws-s3-stepfunctions - AWS Solutions Constructs
OverviewPattern Construct PropsPattern PropertiesDefault settingsArchitectureGitHub

aws-s3-stepfunctions

Two labels: "STABILITY" in gray and "EXPERIMENTAL" in orange.
Language Package
Python Logo Python aws_solutions_constructs.aws_s3_stepfunctions
Typescript Logo Typescript @aws-solutions-constructs/aws-s3-stepfunctions
Java Logo Java software.amazon.awsconstructs.services.s3stepfunctions

Overview

This AWS Solutions Construct implements an Amazon S3 bucket connected to an AWS Step Functions.

Note - This constructs sends S3 Event Notification to EventBridge, then triggers AWS Step Functions State Machine executions from EventBridge.

An alternative architecture can be built that triggers a Lambda function from S3 Event notifications using aws-s3-lambda and aws-lambda-stepfunctions. Channelling the S3 events through Lambda is less flexible than EventBridge, but is more cost effective and has lower latency.

Here is a minimal deployable pattern definition:

Typescript

import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { S3ToStepfunctions, S3ToStepfunctionsProps } from '@aws-solutions-constructs/aws-s3-stepfunctions';
import * as stepfunctions from 'aws-cdk-lib/aws-stepfunctions';

const startState = new stepfunctions.Pass(this, 'StartState');

new S3ToStepfunctions(this, 'test-s3-stepfunctions-stack', {
    stateMachineProps: {
      definition: startState
    }
});
Python

from aws_solutions_constructs.aws_s3_stepfunctions import S3ToStepfunctions
from aws_cdk import (
    aws_stepfunctions as stepfunctions,
    Stack
)
from constructs import Construct

start_state = stepfunctions.Pass(self, 'start_state')

S3ToStepfunctions(
    self, 'test_s3_stepfunctions_stack',
    state_machine_props=stepfunctions.StateMachineProps(
        definition=start_state)
)
Java

import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.stepfunctions.*;
import software.amazon.awsconstructs.services.s3stepfunctions.*;

final Pass startState = new Pass(this, "StartState");

new S3ToStepfunctions(this, "test_s3_stepfunctions_stack",
        new S3ToStepfunctionsProps.Builder()
                .stateMachineProps(new StateMachineProps.Builder()
                        .definition(startState)
                        .build())
                .build());

Pattern Construct Props

Name Type Description
existingBucketObj? s3.IBucket Existing instance of S3 Bucket object. If this is provided, then also providing bucketProps is an error. The existing bucket must have EventBridge enabled for this to work.
bucketProps? s3.BucketProps Optional user provided props to override the default props for the S3 Bucket.
stateMachineProps sfn.StateMachineProps User provided props to override the default props for sfn.StateMachine.
eventRuleProps? events.RuleProps Optional user provided eventRuleProps to override the defaults.
deployCloudTrail? boolean Whether to deploy a Trail in AWS CloudTrail to log API events in Amazon S3. Defaults to true. This is now deprecated and ignored because the construct no longer needs CloudTrail since it uses S3 Event Notifications.
createCloudWatchAlarms boolean Whether to create recommended CloudWatch alarms.
logGroupProps? logs.LogGroupProps Optional user provided props to override the default props for for the CloudWatchLogs LogGroup.
loggingBucketProps? s3.BucketProps Optional user provided props to override the default props for the S3 Logging Bucket.
logS3AccessLogs? boolean Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true

Pattern Properties

Name Type Description
stateMachine sfn.StateMachine Returns an instance of sfn.StateMachine created by the construct.
stateMachineLogGroup logs.ILogGroup Returns an instance of the ILogGroup created by the construct for StateMachine.
cloudwatchAlarms? cloudwatch.Alarm[] Returns a list of cloudwatch.Alarm created by the construct.
s3Bucket? s3.Bucket Returns an instance of the s3.Bucket created by the construct.
s3LoggingBucket? s3.Bucket Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.
s3BucketInterface s3.IBucket Returns an instance of s3.IBucket created by the construct.

Note - with the release of Enable EventBridge for Amazon S3, AWS CloudTrail is no longer required to implement this construct. Because of this, the following properties have been removed: - cloudtrail - cloudtrailBucket - cloudtrailLoggingBucket

Default settings

Out of the box implementation of the Construct without any override will set the following defaults:

Amazon S3 Bucket

  • Enable EventBridge to send events from the S3 Bucket

  • Configure Access logging for S3 Bucket

  • Enable server-side encryption for S3 Bucket using AWS managed KMS Key

  • Enforce encryption of data in transit

  • Turn on the versioning for S3 Bucket

  • Don’t allow public access for S3 Bucket

  • Retain the S3 Bucket when deleting the CloudFormation stack

  • Applies Lifecycle Rule to move noncurrent object versions to Glacier storage after 90 days

AWS S3 Event Notification

  • Enable S3 to send events to EventBridge when an object is created.

Amazon CloudWatch Events Rule

  • Grant least privilege permissions to CloudWatch Events to trigger the Lambda Function

AWS Step Functions

  • Enable CloudWatch logging for API Gateway

  • Deploy best practices CloudWatch Alarms for the Step Functions

Architecture

AWS architecture diagram showing S3 bucket, EventBridge rule, Step Functions, and CloudWatch integration.

GitHub

To view the code for this pattern, create/view issues and pull requests, and more:
Circular icon with a graduation cap symbol representing education or learning.
@aws-solutions-constructs/aws-s3-stepfunctions