Introduction
Brief overview of what you’re setting up and its purpose
This guide outlines how to configure an AWS Lambda function in Account A to upload objects into an S3 bucket located in Account B. This setup enables secure cross-account data transfer, leveraging IAM roles for access control and eliminating the need for hardcoded credentials or sts:AssumeRole calls within the Lambda function code.
Target audience
This guide is intended for AWS administrators and developers who need to implement cross-account S3 uploads using AWS Lambda and IAM roles.
Prerequisites and requirements
- AWS Account A (source) and Account B (target).
- An S3 bucket named “your-s3-bucket” in Account B.
- An AWS Lambda function in Account A.
- Basic understanding of IAM roles, policies, and S3 permissions.
Step-by-Step Setup
Step 1: Configure S3 Bucket Policy in Account B
1. Navigate to the S3 console in Account B.
2. Select the “your-s3-bucket” bucket.
3. Go to the “Permissions” tab.
4. Edit the “Bucket policy.”
5. Replace the existing policy (if any) with the following, substituting the ARN of your Lambda execution role for [AccountA-Lambda-Execution-Role-ARN]:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaAccountA",
      "Effect": "Allow",
      "Principal": {
        "AWS": "[AccountA-Lambda-Execution-Role-ARN]"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-s3-bucket/*"
    }
  ]
}
```

6. Save the policy.
Step 2: Configure Lambda Execution Role in Account A
1. Navigate to the IAM console in Account A.
2. Select the IAM role attached to your Lambda function.
3. Attach an inline policy or a managed policy with the following:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-s3-bucket/*"
    }
  ]
}
```

4. Ensure the trust relationship of the role includes:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

5. Save the role.
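Steps 1 and 2 each hinge on three fields being exactly right: the bucket policy's Principal must be the single execution-role ARN (not `*` and not the Account A root, either of which lets far more than one function write), and both policies must limit Action to `s3:PutObject` and Resource to objects under the one bucket, while the trust policy must admit only `lambda.amazonaws.com`. The following is an added example, not code from the guide, that lints those three policies offline before you paste them into the consoles. The role ARN uses a placeholder account id, the over-broad `WEAK_BUCKET_POLICY` is constructed to show what a finding looks like, and the helper names (`check_bucket_policy`, `check_role_policy`, `check_trust_policy`, `audit`) are this example's own.

```python
import json

# Constructed sample inputs (not real identifiers): placeholder account id in the
# role ARN, and the bucket name used throughout the guide.
ROLE_ARN = "arn:aws:iam::111111111111:role/AccountA-Lambda-Execution-Role"
BUCKET = "your-s3-bucket"

# Step 1 bucket policy (Account B) with the placeholder ARN filled in.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLambdaAccountA",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Step 2 permissions policy and trust policy (Account A).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                   "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed over-broad variant: any principal may do anything to any resource.
WEAK_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows most fields to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten a Principal element ("*" or {"AWS": ...}) into a list of strings."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return [p for key in principal for p in _as_list(principal[key])]


def _action_resource_findings(stmt, bucket, allowed_actions, prefix=""):
    """Shared check: only the allowed actions, only objects under the one bucket."""
    findings = []
    for action in _as_list(stmt.get("Action")):
        if action not in allowed_actions:
            findings.append(f"{prefix}action {action!r} not in {list(allowed_actions)}")
    for resource in _as_list(stmt.get("Resource")):
        if resource != f"arn:aws:s3:::{bucket}/*":
            findings.append(f"{prefix}resource {resource!r} not scoped to {bucket}/*")
    return findings


def check_bucket_policy(policy, bucket, role_arn, allowed_actions=("s3:PutObject",)):
    """Findings for Allow statements wider than 'this one role may PutObject here'."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for p in _principals(stmt):
            if p == "*" or p.endswith(":root"):
                findings.append(f"{sid}: principal {p!r} grants more than a single role")
            elif p != role_arn:
                findings.append(f"{sid}: unexpected principal {p!r}")
        findings += _action_resource_findings(stmt, bucket, allowed_actions, f"{sid}: ")
    return findings


def check_role_policy(policy, bucket, allowed_actions=("s3:PutObject",)):
    """Same action/resource checks for the Lambda execution role's permissions policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            findings += _action_resource_findings(stmt, bucket, allowed_actions)
    return findings


def check_trust_policy(policy):
    """Only the Lambda service principal should be able to assume the execution role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        ok = (isinstance(principal, dict) and set(principal) == {"Service"}
              and _as_list(principal["Service"]) == ["lambda.amazonaws.com"])
        if not ok:
            findings.append(f"trust principal {principal!r} is not exactly lambda.amazonaws.com")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append(f"trust action {stmt.get('Action')!r} should be sts:AssumeRole")
    return findings


def audit(bucket_policy=BUCKET_POLICY, role_policy=ROLE_POLICY, trust_policy=TRUST_POLICY):
    """Run all three checks; returns {} when every policy is as tight as the guide intends."""
    report = {
        "bucket_policy": check_bucket_policy(bucket_policy, BUCKET, ROLE_ARN),
        "role_policy": check_role_policy(role_policy, BUCKET),
        "trust_policy": check_trust_policy(trust_policy),
    }
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))                              # {} for the guide's policies
    print(json.dumps(audit(bucket_policy=WEAK_BUCKET_POLICY), indent=2))
```

Run it on the JSON you are about to save (load the files with `json.load` and pass them to `audit`); an empty dict means the grants match the guide, and any finding names the Sid and field to tighten. One further check worth making in Account B's console: if the bucket's Object Ownership setting is not "Bucket owner enforced", objects written by Account A's role remain owned by Account A, so set it to "Bucket owner enforced" so that Account B owns what lands in the bucket.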
Step 3: Update Lambda Function Code
- Update your Lambda function code in Account A with the following Python example:

```python
import boto3


def lambda_handler(event, context):
    try:
        # Bucket in Account B. Access comes from the bucket policy (Step 1) and the
        # execution-role policy (Step 2), so no credentials or AssumeRole are needed here.
        account_b_bucket_name = 'your-s3-bucket'
        object_key = 'payload.json'
        file_content = 'This file was uploaded from Lambda in Account A.'
        # boto3 picks up the execution role's temporary credentials automatically.
        s3_client = boto3.client('s3')
        s3_client.put_object(
            Bucket=account_b_bucket_name,
            Key=object_key,
            Body=file_content
        )
        return {
            'statusCode': 200,
            'body': 'File uploaded successfully to Account B S3 bucket.'
        }
    except Exception as e:
        # Logged to CloudWatch; the error text is also returned to the caller.
        print(f"Error: {e}")
        return {
            'statusCode': 500,
            'body': f'Error uploading file: {e}'
        }
```

- Deploy the updated Lambda function.
Verification and Testing
How to confirm the setup is successful
- Check the “your-s3-bucket” S3 bucket in Account B for the uploaded file.
- Review Lambda function logs in CloudWatch for successful execution.
Basic testing procedures
- Create a test event in the Lambda console.
- Invoke the Lambda function.
- Verify the file upload in the S3 bucket.
- Check CloudWatch logs for any errors.
Post-Setup Configuration
Optional configuration steps
- Configure S3 lifecycle policies in Account B for object versioning or deletion.
- Set up S3 event notifications in Account B to trigger other processes.
Security hardening
- Follow the principle of least privilege for IAM roles and policies.
- Enable S3 encryption.
Performance tuning
- Optimize Lambda function code for efficiency.
- Consider S3 transfer acceleration if needed.
Conclusion
Summary of the setup process
This guide walked through configuring a Lambda function in Account A to upload objects to an S3 bucket in Account B, using IAM roles for secure cross-account access.
Next steps and further resources
- Explore advanced S3 features and configurations.
- Implement error handling and retry mechanisms in the Lambda function.
- Monitor Lambda function performance and S3 usage.