aws-lambda-s3 - AWS Solutions Constructs


All classes are under active development and subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.

Language Package

This AWS Solutions Construct implements an AWS Lambda function connected to an Amazon S3 bucket.

Here is a minimal deployable pattern definition in TypeScript:

import { LambdaToS3 } from '@aws-solutions-constructs/aws-lambda-s3'; new LambdaToS3(this, 'LambdaToS3Pattern', { lambdaFunctionProps: { runtime: lambda.Runtime.NODEJS_10_X, handler: 'index.handler', code: lambda.Code.fromAsset(`${__dirname}/lambda`) } });


new LambdaToS3(scope: Construct, id: string, props: LambdaToS3Props);


Pattern Construct Props

Name Type Description
existingLambdaObj? lambda.Function An optional, existing Lambda function to be used instead of the default function. If an existing function is provided, the lambdaFunctionProps property will be ignored.
lambdaFunctionProps? lambda.FunctionProps Optional user-provided properties to override the default properties for the Lambda function. Ignored if an existingLambdaObj is provided.
existingBucketObj? s3.Bucket An optional, existing bucket to be used instead of the default bucket. If an existing bucket is provided, the bucketProps property will be ignored.
bucketProps? s3.BucketProps Optional user-provided properties to override the default properties for the bucket. Ignored if an existingBucketObj is provided.
bucketPermissions? string[] Optional bucket permissions to grant to the Lambda function. One or more of the following may be specified: Delete, Put, Read, ReadWrite, Write.
existingVpc? ec2.IVpc An optional, existing VPC into which this pattern should be deployed. When deployed in a VPC, the Lambda function will use ENIs in the VPC to access network resources and an Interface Endpoint will be created in the VPC for Amazon SQS. If an existing VPC is provided, the deployVpc property cannot be true. This uses ec2.IVpc to allow clients to supply VPCs that exist outside the stack using the ec2.Vpc.fromLookup() method.
deployVpc? boolean Whether to create a new VPC based on vpcProps into which to deploy this pattern. Setting this to true will deploy the minimal, most private VPC to run the pattern:
  • One isolated subnet in each Availability Zone used by the CDK program.

  • enableDnsHostnames and enableDnsSupport will both be set to true.

If this property is true, then existingVpc cannot be specified. Defaults to false.
vpcProps? ec2.VpcProps Optional user-provided properties to override the default properties for the new VPC. enableDnsHostnames, enableDnsSupport, natGateways and subnetConfiguration are set by the pattern, so any values for those properties supplied here will be overrriden. If deployVpc is not true then this property will be ignored.

Pattern Properties

Name Type Description
lambdaFunction lambda.Function Returns an instance of the Lambda function created by the pattern.
s3Bucket? s3.Bucket Returns an instance of the S3 bucket created by the pattern.
s3LoggingBucket? s3.Bucket Returns an instance of the logging bucket created by the pattern for the S3 bucket.
vpc? ec2.IVpc Returns an instance of the VPC used by the pattern (if any). This may be a VPC created by the pattern or the VPC supplied to the pattern constructor.

Default settings

Out-of-the-box implementation of this pattern without any overrides will set the following defaults:

AWS Lambda Function

  • Configure limited privilege access IAM role for Lambda function.

  • Enable reusing connections with Keep-Alive for NodeJs Lambda function.

  • Enable X-Ray tracing

  • Set environment variables:


    • AWS_NODEJS_CONNECTION_REUSE_ENABLED (for Node 10.x and higher functions)

Amazon S3 Bucket

  • Configure Access logging for S3 Bucket.

  • Enable server-side encryption for S3 Bucket using AWS managed KMS Key.

  • Turn on the versioning for S3 Bucket.

  • Don't allow public access for S3 Bucket.

  • Retain the S3 Bucket when deleting the CloudFormation stack.

  • Enforce encryption of data in transit.

  • Applies lifecycle rule to move noncurrent object versions to Glacier storage after 90 days.



To view the code for this pattern, create/view issues and pull requests, and more: