Creating a Serverless Function to Notify You of an S3 Bucket Creation

Bmwitcher
4 min read, Jul 18, 2021


Using CloudWatch Events, Lambda, S3, and SNS

Use case: Your company's AWS account is close to the maximum number of S3 buckets allowed. Every time a bucket is created, you want to be notified so you can evaluate whether the bucket is needed and approved.

Preparation:
This may be obvious, but we will be doing this lab in AWS, so you will need an account, possibly with admin privileges, so that you can assign the broad IAM permissions used below.

Let's get started by navigating to the IAM service in AWS and creating a role, choosing Lambda as the service that will use it.

For this example, we will be providing full access to the following services: S3, SNS, Lambda, and CloudWatch. If you are in a production environment, I highly recommend tightening up these permissions, as not all of these services require full access to accomplish this lab. I encourage you to try out different policies to see which is the least privilege needed to execute this lab.

Navigate to the next screen by clicking Next: Permissions. In the frame below, search for each service (SNS, S3, and CloudWatch) except Lambda, since we chose Lambda as the service for this role.

Click Next on tags, then name the role and remember the name, as we will need it for the Lambda function.

Next, let's navigate to the Lambda service and create our Lambda function from scratch, using Python 3.7 as our runtime.

Since we created an IAM role and assigned the necessary permissions for all services involved, we will use that existing role. Then click Create function.

Once you have navigated to the next screen, enter the code below in the lambda_function.py file. Then click Deploy.

import boto3

client = boto3.client('sns')

# Lambda invokes this handler for each CreateBucket event delivered by the CloudWatch Events rule
def lambda_handler(event, context):
    client.publish(
        TopicArn='arn:aws:sns:<enter-region>:<aws account number>:<name you gave your SNS topic>',
        Message="<enter the message how you want it to appear>",
        Subject="<this is only needed for the email protocol>")

SNS is next on the list to set up, and we will do this from the command line, following the AWS documentation here:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/US_SetupSNS.html

aws sns create-topic --name my-topic
aws sns subscribe --topic-arn arn:aws:sns:<enter-region>:<enter-account#>:my-topic --protocol email --notification-endpoint example@example.com

If you want to send a test message:

aws sns publish --message "Verification" --topic-arn arn:aws:sns:us-east-1:111122223333:my-topic

Almost there…
Navigate to CloudWatch, click on Events on the left-hand side, and click Create rule.

Under Service Name choose S3, and under Event Type select Bucket Level Operations. Then select Specific operation(s) and choose CreateBucket. On the right-hand side of the screen, select Lambda function as the target and choose the name of your Lambda function.

You could very well skip the Lambda function step and make the target the SNS topic you created from the command line. You will still receive the email upon bucket creation, but the body will be the raw event in a rather hectic JSON format.
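This is where the Lambda function earns its place: instead of forwarding the raw event, it can pull out the fields a reviewer actually needs (bucket name, account, region, who made the call, from which IP) and publish a readable message. The following is an added example, not code from the original post; the SAMPLE_EVENT is constructed to match the general shape of a CloudTrail-backed S3 API call as delivered by CloudWatch Events, the TOPIC_ARN environment variable is an assumption of this example, and the function names are my own.

```python
import json
import os

# Constructed sample event (values are made up) in the shape CloudWatch Events
# delivers for an S3 API call recorded by CloudTrail.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.s3",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket",
        "eventTime": "2021-07-18T12:00:00Z",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::111122223333:user/alice",
        },
        "requestParameters": {"bucketName": "example-new-bucket"},
    },
}


def summarize_create_bucket(event):
    """Return (subject, message) for an S3 CreateBucket event.

    Returns None for anything else, so a rule that is later widened to other
    S3 operations, or a stray test invocation, does not produce a misleading
    "bucket created" email.
    """
    detail = event.get("detail", {})
    if event.get("source") != "aws.s3" or detail.get("eventName") != "CreateBucket":
        return None
    bucket = detail.get("requestParameters", {}).get("bucketName", "<unknown>")
    identity = detail.get("userIdentity", {})
    lines = [
        f"Bucket: {bucket}",
        f"Account: {event.get('account', '<unknown>')}",
        f"Region: {detail.get('awsRegion', event.get('region', '<unknown>'))}",
        f"Created by: {identity.get('arn', identity.get('type', '<unknown>'))}",
        f"Source IP: {detail.get('sourceIPAddress', '<unknown>')}",
        f"Time: {detail.get('eventTime', '<unknown>')}",
    ]
    # SNS email subjects are limited to 100 characters; bucket names are at
    # most 63, but truncate defensively in case the prefix ever changes.
    subject = f"New S3 bucket created: {bucket}"[:100]
    return subject, "\n".join(lines)


def lambda_handler(event, context):
    # TOPIC_ARN is assumed to be configured as a Lambda environment variable,
    # e.g. arn:aws:sns:<region>:<account>:my-topic (the topic created in this post).
    summary = summarize_create_bucket(event)
    if summary is None:
        return {"published": False}
    subject, message = summary
    # boto3 is imported here so summarize_create_bucket() can be unit-tested
    # on a machine without boto3 installed; inside Lambda it is always present.
    import boto3
    boto3.client("sns").publish(
        TopicArn=os.environ["TOPIC_ARN"], Subject=subject, Message=message
    )
    return {"published": True, "subject": subject}


if __name__ == "__main__":
    # Local dry run: show what the email would look like for the sample event.
    subject, message = summarize_create_bucket(SAMPLE_EVENT)
    print(subject)
    print(message)
    print(json.dumps(SAMPLE_EVENT["detail"]["userIdentity"], indent=2))
```

Keeping the parsing in its own function means you can feed it a handful of recorded events and check the output before wiring it to the SNS topic, and the None return path is what stops the rule from paging you about events that are not bucket creations.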

Lastly, navigate to the AWS S3 service and create a bucket. Do not select any of the options, as we will not be putting anything in the bucket in this lab; click through all of the prompts until you see the bucket created.

You should receive an email within about 10 seconds at the address you subscribed to the SNS topic, with the message and subject you set in the Lambda function.

In this short example, you were able to tie four different AWS services together and execute an event-based, serverless function to notify you and/or your team when an S3 bucket is created.
