aws-lambda-s3 - AWS Solutions Constructs
OverviewPattern Construct PropsPattern PropertiesDefault settingsArchitectureGitHub

aws-lambda-s3

Two labels: "CFN-RESOURCES" in gray and "STABLE" in green.
Language Package
Python Logo Python aws_solutions_constructs.aws_lambda_s3
Typescript Logo Typescript @aws-solutions-constructs/aws-lambda-s3
Java Logo Java software.amazon.awsconstructs.services.lambdas3

Overview

This AWS Solutions Construct implements an AWS Lambda function connected to an Amazon S3 bucket.

Here is a minimal deployable pattern definition :

Typescript

import { Construct } from 'constructs';
import { Stack, StackProps } from 'aws-cdk-lib';
import { LambdaToS3 } from '@aws-solutions-constructs/aws-lambda-s3';
import * as lambda from 'aws-cdk-lib/aws-lambda';

new LambdaToS3(this, 'LambdaToS3Pattern', {
    lambdaFunctionProps: {
        runtime: lambda.Runtime.NODEJS_16_X,
        handler: 'index.handler',
        code: lambda.Code.fromAsset(`lambda`)
    }
});
Python

from aws_solutions_constructs.aws_lambda_s3 import LambdaToS3
from aws_cdk import (
    aws_lambda as _lambda,
    Stack
)
from constructs import Construct

LambdaToS3(self, 'LambdaToS3Pattern',
        lambda_function_props=_lambda.FunctionProps(
            code=_lambda.Code.from_asset('lambda'),
            runtime=_lambda.Runtime.PYTHON_3_9,
            handler='index.handler'
        )
        )
Java

import software.constructs.Construct;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.lambda.Runtime;
import software.amazon.awsconstructs.services.lambdas3.*;

new LambdaToS3(this, "LambdaToS3Pattern", new LambdaToS3Props.Builder()
        .lambdaFunctionProps(new FunctionProps.Builder()
                .runtime(Runtime.NODEJS_16_X)
                .code(Code.fromAsset("lambda"))
                .handler("index.handler")
                .build())
        .build());

Pattern Construct Props

Name Type Description
existingLambdaObj? lambda.Function Existing instance of Lambda Function object, providing both this and lambdaFunctionProps will cause an error.
lambdaFunctionProps? lambda.FunctionProps Optional user provided props to override the default props for the Lambda function.
existingBucketObj? s3.IBucket Existing instance of S3 Bucket object. If this is provided, then also providing bucketProps is an error.
bucketProps? s3.BucketProps Optional user provided props to override the default props for the S3 Bucket.
bucketPermissions? string[] Optional bucket permissions to grant to the Lambda function. One or more of the following may be specified: Delete, Put, Read, ReadWrite, Write.
existingVpc? ec2.IVpc An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon S3. If an existing VPC is provided, the deployVpc property cannot be true. This uses ec2.IVpc to allow clients to supply VPCs that exist outside the stack using the ec2.Vpc.fromLookup() method.
vpcProps? ec2.VpcProps Optional user provided properties to override the default properties for the new VPC. enableDnsHostnames, enableDnsSupport, natGateways and subnetConfiguration are set by the pattern, so any values for those properties supplied here will be overridden. If deployVpc is not true then this property will be ignored.
deployVpc? boolean Whether to create a new VPC based on vpcProps into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:
bucketEnvironmentVariableName? string Optional Name for the Lambda function environment variable set to the name of the bucket. Default: S3_BUCKET_NAME
loggingBucketProps? s3.BucketProps Optional user provided props to override the default props for the S3 Logging Bucket.
logS3AccessLogs? boolean Whether to turn on Access Logging for the S3 bucket. Creates an S3 bucket with associated storage costs for the logs. Enabling Access Logging is a best practice. default - true

Pattern Properties

Name Type Description
lambdaFunction lambda.Function Returns an instance of the Lambda function created by the pattern.
s3Bucket? s3.Bucket Returns an instance of the S3 bucket created by the pattern.
s3LoggingBucket? s3.Bucket Returns an instance of s3.Bucket created by the construct as the logging bucket for the primary bucket.
vpc? ec2.IVpc Returns an interface on the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.
s3BucketInterface s3.IBucket Returns an instance of s3.IBucket created by the construct.

Default settings

Out of the box implementation of the Construct without any override will set the following defaults:

AWS Lambda Function

  • Configure limited privilege access IAM role for Lambda function

  • Enable reusing connections with Keep-Alive for NodeJs Lambda function

  • Enable X-Ray Tracing

  • Set Environment Variables

    • (default) S3_BUCKET_NAME

    • AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

Amazon S3 Bucket

  • Configure Access logging for S3 Bucket

  • Enable server-side encryption for S3 Bucket using AWS managed KMS Key

  • Enforce encryption of data in transit

  • Turn on the versioning for S3 Bucket

  • Don’t allow public access for S3 Bucket

  • Retain the S3 Bucket when deleting the CloudFormation stack

  • Applies Lifecycle rule to move noncurrent object versions to Glacier storage after 90 days

Architecture

AWS Lambda function interacting with Amazon S3 bucket, mediated by an IAM role.

GitHub

To view the code for this pattern, create/view issues and pull requests, and more:
Circular icon with a graduation cap symbol representing education or learning.
@aws-solutions-constructs/aws-lambda-s3