An AWS Lambda function to encrypt S3 objects using server-side AES256 encryption as they are added to the bucket.
Create an IAM role with the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1430872797000",
"Effect": "Allow",
"Action": [
"s3:GetBucketTagging",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1430872844000",
"Effect": "Allow",
"Action": [
"cloudwatch:*"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1430872852000",
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": [
"*"
]
}
]
}- Clone this repo
git clone [email protected]:eleven41/aws-lambda-encrypt-s3-objects.git
cd aws-lambda-encrypt-s3-objects
- Install requirements
npm install async
npm install aws-sdk
- Zip up the folder using your favourite zipping utility
- Create a new Lambda function.
- Upload the ZIP package for the lambda function using
index.handleras the handler. - Add an event source to your Lambda function:
- Event Source Type: S3
- Bucket: your source bucket
- Event Type: Object Created
- Set your Lambda function to execute using the IAM role you created above.
At this point, if you upload a file to your source bucket, the file should be converted to AES256 encryption if it isn't already encrypted.
Configuration is performed by setting tags on the bucket.
| Tag Name | Notes |
|---|---|
| SetReducedRedundancy | Set to 'Yes' to use reduced redundancy for the object. |
Lambda will invoke this function twice for each file uploaded:
- Once for the true upload, and
- A second time because we've modified the file.