One of the aspects of AWS Lambda that makes it excellent is that Lambda can be used to extend other services offered by AWS. In this example we will set up Lambda to apply Server Side Encryption (SSE) to any object uploaded to AWS S3.
The first task we have is to write the lambda function. Below we have the Python code that will read in the metadata about the object that was uploaded and copy it to the same path in the same S3 bucket if SSE is not enabled.
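A minimal handler of the kind described above, as an added example rather than the post's own code. It assumes SSE-S3 (`AES256`) as the algorithm; the injectable `s3` parameter and the `StubS3` class are hypothetical helpers so the logic can run without AWS.

```python
import urllib.parse

SSE_ALGORITHM = "AES256"  # assumption: SSE-S3; the post does not name the algorithm


def encrypt_if_needed(s3, bucket, key):
    """Copy the object onto itself with SSE; return True if a copy was made."""
    head = s3.head_object(Bucket=bucket, Key=key)
    # head_object returns ServerSideEncryption only for encrypted objects.
    # This check also ends the loop: the copy itself raises a new ObjectCreated event.
    if head.get("ServerSideEncryption"):
        return False
    s3.copy_object(Bucket=bucket, Key=key,
                   CopySource={"Bucket": bucket, "Key": key},
                   ServerSideEncryption=SSE_ALGORITHM)
    return True


def lambda_handler(event, context, s3=None):
    """S3 notification entry point; `s3` is injectable so it can run offline."""
    if s3 is None:
        import boto3  # present in the Lambda Python runtime
        s3 = boto3.client("s3")
    rewritten = []
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        # Object keys arrive URL-encoded in the event (a space becomes '+').
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        if encrypt_if_needed(s3, bucket, key):
            rewritten.append(key)
    return rewritten


class StubS3:
    """Constructed in-memory stand-in for the boto3 client, for offline runs."""
    def __init__(self, objects):
        self.objects = objects  # {(bucket, key): SSE algorithm or None}

    def head_object(self, Bucket, Key):
        sse = self.objects[(Bucket, Key)]
        return {"ServerSideEncryption": sse} if sse else {}

    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption):
        self.objects[(Bucket, Key)] = ServerSideEncryption
        return {}


if __name__ == "__main__":
    stub = StubS3({("example-bucket", "a b.txt"): None})  # constructed sample object
    event = {"Records": [{"s3": {"bucket": {"name": "example-bucket"}, "object": {"key": "a+b.txt"}}}]}
    print(lambda_handler(event, None, stub))
```

On a bucket where S3 already applies default encryption, `head_object` reports the object as encrypted and the handler makes no copy.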
Now that we have our Lambda function written, we need to create it inside AWS. The following commands will create the IAM role for Lambda. We first need to create two files. The first is the Trust Policy for the IAM role, which allows Lambda to assume the role.
The second file will be the permissions that go along with the role. Note that these permissions give full access to the bucket. Use with caution.
Now that we have those two files, referred to from here on as trust.json and permissions.json, we can run the commands to create the role and the Lambda function.
Now that we’ve created the role for Lambda to use, we can create the function. We’ll need to ZIP up the code and then upload it for Lambda to run. We will also need the role ARN from above when we create the function.
Next we need to configure both Lambda and S3 so that Lambda is notified when an object is placed in the S3 bucket. We will need another JSON file, policy.json, with the following content that will allow the Lambda function to access objects in the S3 bucket.
That’s everything that’s needed. You should be able to upload an object to the S3 bucket and it will be re-uploaded with Server Side Encryption. Go ahead and give it a try and let me know what you think in the comments below. If you have any questions or issues, leave a comment or reach out to me on Twitter.