Skip to content

AWS Lambda function triggered by S3 Object Put events that asserts all created objects are owned by the bucket owner.

Notifications You must be signed in to change notification settings

Widen/s3-object-owner-monitor

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 

Repository files navigation

S3 Object Owner Monitor

AWS Lambda function triggered by S3 Object Put events that monitors the owner of newly created objects and modifies the account owner if the file was written by an account other then the bucket owner.

Common Use Case

When serving private S3 content via Cloudfront, and origin accesss idenity, all objects must be owned by the primary bucket account. However, files written by other accounts, even when granting the bucket-owner-full-control ACL, are not owned by the primary account. This script corrects the problem by modifying the owner to be the primary bucket account.

This script is particularly useful if using cloudfront-auth.

Setup

  1. Create AWS Lambda function and upload/copy index.js
  2. Add IAM policy with the following permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucket*",
                "s3:GetObject*",
                "s3:DeleteObject*",
                "s3:PutObject*"
            ],
            "Resource": "arn:aws:s3:::{YOUR_S3_BUCKET_NAME}/*"
        }
    ]
}
  1. Under configuration, add an S3 trigger
    1. Select your bucket (same as specified in the IAM policy)
    2. Under event type, select PUT
    3. Create trigger and save
  2. Function will now be activated when objects are added to the specified bucket with a PUT event.

About

AWS Lambda function triggered by S3 Object Put events that asserts all created objects are owned by the bucket owner.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published