AWS Lambda function, triggered by S3 object PUT events, that checks the owner of each newly created object and rewrites the object so that the bucket owner account becomes its owner whenever the file was written by an account other than the bucket owner.
When serving private S3 content through CloudFront with an Origin Access Identity (OAI), every object must be owned by the bucket owner account: the bucket policy that grants the OAI read access can only grant access to objects the bucket owner owns. Objects written by other accounts remain owned by the writing account, even when the writer grants the `bucket-owner-full-control`
ACL, because that ACL gives the bucket owner full permissions on the object but does not transfer ownership. This script corrects the problem by rewriting such objects under the bucket owner's identity, which makes the bucket owner the object owner. (Buckets that use the newer S3 Object Ownership setting with ACLs disabled do not have this problem, since the bucket owner then owns every object automatically; this script is for buckets that still rely on ACLs.)
This script is particularly useful when using cloudfront-auth.
- Create an AWS Lambda function (Node.js) in the bucket owner's account and upload or paste index.js. The function must run in the bucket owner's account: the rewrite is performed by the function's execution role, and the account that performs the write becomes the object owner.
- Attach an IAM policy with the following permissions to the function's execution role. The `s3:GetBucket*` actions apply to the bucket itself, not to objects, so the bucket ARN must be listed next to the object ARN or those actions are never granted:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucket*",
        "s3:GetObject*",
        "s3:DeleteObject*",
        "s3:PutObject*"
      ],
      "Resource": [
        "arn:aws:s3:::{YOUR_S3_BUCKET_NAME}",
        "arn:aws:s3:::{YOUR_S3_BUCKET_NAME}/*"
      ]
    }
  ]
}
```
- Under Configuration, add an S3 trigger
- Select your bucket (the same one named in the IAM policy)
- Under event type, select PUT only (s3:ObjectCreated:Put) rather than "All object create events". The function's own rewrite of an object raises a new ObjectCreated event (ObjectCreated:Copy if it copies the object onto itself); a PUT-only trigger ignores that event, whereas subscribing to every create event would re-invoke the function for each object it has just fixed. Note that large uploads made with multipart upload arrive as CompleteMultipartUpload events, not PUT, so add that event type to the trigger if other accounts upload large files.
- Create the trigger and save
- The function is now invoked whenever an object is added to the specified bucket with a PUT.
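The following is an added example of a handler that implements the procedure above; it is not the project's index.js. It assumes the AWS SDK for JavaScript v2 (bundled in the Node.js Lambda runtimes up to 16) and an execution role with the policy shown earlier. The bucket owner's canonical user ID is read with GetBucketAcl (which is what the `s3:GetBucket*` grant on the bucket ARN is needed for) and compared with the object's owner from GetObjectAcl; a foreign object is copied onto itself with the `bucket-owner-full-control` ACL. The S3 client is passed in so that the logic can be run offline against the constructed fake at the bottom of the block; the object keys, bucket name and canonical IDs in the demo are made up.

```javascript
'use strict';

// Added example: an S3 ObjectCreated:Put handler that gives the bucket owner
// ownership of objects written by other accounts. Not the project's index.js.
// Assumes AWS SDK v2 and an execution role with the permissions in the README.

async function takeOwnership(s3, bucket, key) {
  // Canonical user ID of the bucket owner (needs s3:GetBucketAcl on the bucket ARN).
  const bucketOwner = (await s3.getBucketAcl({ Bucket: bucket }).promise()).Owner.ID;

  // Owner of the new object. Its ACL is readable only because the writer granted
  // bucket-owner-full-control; without that grant this throws AccessDenied, which
  // is left to surface as an invocation error rather than being swallowed.
  const objectAcl = await s3.getObjectAcl({ Bucket: bucket, Key: key }).promise();
  if (objectAcl.Owner.ID === bucketOwner) {
    return { key, action: 'unchanged', owner: bucketOwner };
  }

  // Copying an object onto itself is rejected unless something changes.
  // MetadataDirective REPLACE satisfies that, but drops the stored metadata
  // and Content-Type unless they are supplied again, so fetch them first.
  const head = await s3.headObject({ Bucket: bucket, Key: key }).promise();
  await s3.copyObject({
    Bucket: bucket,
    Key: key,
    CopySource: `${bucket}/${encodeURIComponent(key)}`, // CopySource must be URL-encoded
    ACL: 'bucket-owner-full-control',
    MetadataDirective: 'REPLACE',
    Metadata: head.Metadata || {},
    ContentType: head.ContentType,
  }).promise();
  // The copy is written by this function's role (the bucket owner account) and
  // raises ObjectCreated:Copy, not Put, so a PUT-only trigger does not loop.
  return { key, action: 'copied', previousOwner: objectAcl.Owner.ID, owner: bucketOwner };
}

// S3 URL-encodes object keys in event records, with spaces as '+'.
function keyFromRecord(record) {
  return decodeURIComponent(record.s3.object.key.replace(/\+/g, ' '));
}

async function processEvent(event, s3) {
  const results = [];
  for (const record of event.Records || []) {
    results.push(await takeOwnership(s3, record.s3.bucket.name, keyFromRecord(record)));
  }
  return results;
}

// Lambda entry point. The SDK is required lazily so this file also loads
// where aws-sdk is not installed (e.g. when run offline with the fake below).
const handler = (event) => processEvent(event, new (require('aws-sdk').S3)());
if (typeof module !== 'undefined') module.exports.handler = handler;

// --- Offline demonstration with a constructed fake of the four S3 calls used above ---

const OWNER_ID = '0'.repeat(64); // constructed canonical ID of the bucket owner
const OTHER_ID = 'f'.repeat(64); // constructed canonical ID of another account

function fakeS3(bucketOwner, objects) {
  const reply = (result) => ({ promise: async () => result });
  const copies = []; // records every CopyObject request for inspection
  return {
    copies,
    getBucketAcl: () => reply({ Owner: { ID: bucketOwner } }),
    getObjectAcl: ({ Key }) => reply({ Owner: { ID: objects[Key].owner } }),
    headObject: ({ Key }) => reply({ Metadata: objects[Key].meta, ContentType: objects[Key].type }),
    copyObject: (params) => {
      copies.push(params);
      objects[params.Key].owner = bucketOwner; // the copy is now owned by the writer's account
      return reply({});
    },
  };
}

async function demo() {
  // Constructed bucket state: one object written by the owner, one by another account.
  const objects = {
    'site/index.html': { owner: OWNER_ID, meta: {}, type: 'text/html' },
    'site/app bundle.js': { owner: OTHER_ID, meta: { build: '42' }, type: 'application/javascript' },
  };
  // Constructed PUT event for both objects; note the '+' encoding of the space in the key.
  const event = { Records: [
    { s3: { bucket: { name: 'my-bucket' }, object: { key: 'site/index.html' } } },
    { s3: { bucket: { name: 'my-bucket' }, object: { key: 'site/app+bundle.js' } } },
  ] };
  const s3 = fakeS3(OWNER_ID, objects);
  const results = await processEvent(event, s3);
  return { results, copies: s3.copies, owners: objects };
}

demo().then((r) => console.log(JSON.stringify(r.results, null, 2)));
```

Running the file offline prints one `unchanged` result for the owner-written object and one `copied` result for the foreign one, with a single CopyObject request that carries the original metadata and Content-Type. If a writer omits the `bucket-owner-full-control` ACL, the GetObjectAcl call fails with AccessDenied and the invocation errors, which is the correct signal: the bucket owner cannot take ownership of an object it cannot read.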