##################################################################### # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: MIT-0 ##################################################################### Description: > Use this template to get started with Amazon S3 Object Lambda and automate the setup process. This template creates relevant resources, configures IAM roles, and sets up a Lambda function that handles requests through an S3 Object Lambda Access Point. You can implement best practices, improve your security posture, reduce errors caused by manual processes, and focus on innovation and implementing business logic instead of managing the setup process. Mappings: LambdaRuntimeHandlerMapping: nodejs14.x: handler: s3objectlambda.handler python3.9: handler: s3objectlambda.handler java11: handler: com.example.s3objectlambda.Handler::handleRequest Parameters: S3BucketName: Type: String Description: > An Amazon S3 bucket name to use with S3 Object Lambda. The bucket should exist in the same AWS account and AWS Region that will deploy this template. The bucket should also delegate access control to access points. ObjectLambdaAccessPointName: Type: String Description: Name of the Amazon S3 Object Lambda Access Point. CreateNewSupportingAccessPoint: Type: String Description: Flag that indicates a new supporting Access Point should be created. Default: false AllowedValues: [true, false] SupportingAccessPointName: Type: String Description: Name of the Amazon S3 Access Point associated with the S3 bucket passed in the S3BucketName parameter. LambdaFunctionS3BucketName: Type: String Description: > Name of the Amazon S3 bucket where you have uploaded the Lambda function deployment package. The bucket should be in the same AWS Region as your function, but can be in a different AWS account. LambdaFunctionS3Key: Type: String Description: The Amazon S3 key of the Lambda function deployment package. LambdaFunctionS3ObjectVersion: Type: String Description: The version id of the Lambda function deployment package object stored in Amazon S3. LambdaFunctionPayload: Type: String Default: "" Description: An optional static payload that provides supplemental data to the Lambda function used to transform objects. LambdaFunctionRuntime: Type: String AllowedValues: [ nodejs14.x, python3.9, java11 ] Description: Identifier for the Lambda function runtime EnableCloudWatchMonitoring: Type: String Description: > Flag to enable CloudWatch request metrics from S3 Object Lambda. This also creates CloudWatch alarms to monitor the request metrics. Default: false AllowedValues: [ true, false ] Conditions: ShouldCreateNewSupportingAccessPoint: !Equals [!Ref CreateNewSupportingAccessPoint, true] ShouldEnableMonitoring: !Equals [!Ref EnableCloudWatchMonitoring, true] Resources: ObjectLambdaAccessPoint: Type: AWS::S3ObjectLambda::AccessPoint Properties: Name: Ref: ObjectLambdaAccessPointName ObjectLambdaConfiguration: # If creating a new Supporting Access Point, get the Arn from the new resource. # Else construct the Arn using the SupportingAccessPointName input parameter. SupportingAccessPoint: !If - ShouldCreateNewSupportingAccessPoint - !GetAtt SupportingAccessPoint.Arn - !Sub "arn:${AWS::Partition}:s3:${AWS::Region}:${AWS::AccountId}:accesspoint/${SupportingAccessPointName}" AllowedFeatures: - GetObject-Range - GetObject-PartNumber - HeadObject-Range - HeadObject-PartNumber CloudWatchMetricsEnabled: Ref: EnableCloudWatchMonitoring TransformationConfigurations: - Actions: [ GetObject, ListObjects, ListObjectsV2, HeadObject ] ContentTransformation: AwsLambda: FunctionArn: !GetAtt LambdaFunction.Arn FunctionPayload: Ref: LambdaFunctionPayload SupportingAccessPoint: Type: AWS::S3::AccessPoint Condition: ShouldCreateNewSupportingAccessPoint Properties: Bucket: Ref: S3BucketName Name: Ref: SupportingAccessPointName LambdaExecutionRole: Type: "AWS::IAM::Role" Properties: ManagedPolicyArns: ["arn:aws:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy"] AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - "sts:AssumeRole" Tags: - Key: "CreatedBy" Value: "S3 Object Lambda Default Configuration" LambdaFunction: Type: AWS::Lambda::Function Properties: Code: S3Bucket: Ref: LambdaFunctionS3BucketName S3Key: Ref: LambdaFunctionS3Key S3ObjectVersion: Ref: LambdaFunctionS3ObjectVersion Handler: Fn::FindInMap: [LambdaRuntimeHandlerMapping , Ref: LambdaFunctionRuntime , handler ] MemorySize: 1024 Timeout: 60 PackageType: Zip Role: !GetAtt LambdaExecutionRole.Arn Runtime: Ref: LambdaFunctionRuntime Tags: - Key: "CreatedBy" Value: "S3 Object Lambda Default Configuration" ClientSideErrorsAlarm: Type: AWS::CloudWatch::Alarm Condition: ShouldEnableMonitoring Properties: AlarmDescription: Indicates that there are client-side errors (HTTP 4xx errors) returned by the S3 Object Lambda Access Point. ComparisonOperator: GreaterThanOrEqualToThreshold Dimensions: - Name: AccessPointName Value: !Ref ObjectLambdaAccessPoint - Name: LambdaARN Value: !GetAtt LambdaFunction.Arn MetricName: 4xxErrors Namespace: "AWS/S3ObjectLambda" EvaluationPeriods: 5 Period: 60 # 1 minute Statistic: Average Threshold: 0.01 # Goes into alarm when there are more than 1% of requests resulting in client-side errors TreatMissingData: notBreaching ServerSideErrorsAlarm: Type: AWS::CloudWatch::Alarm Condition: ShouldEnableMonitoring Properties: AlarmDescription: Indicates that there are server-side errors (HTTP 5xx errors) returned by the S3 Object Lambda Access Point. ComparisonOperator: GreaterThanOrEqualToThreshold Dimensions: - Name: AccessPointName Value: !Ref ObjectLambdaAccessPoint - Name: LambdaARN Value: !GetAtt LambdaFunction.Arn MetricName: 5xxErrors Namespace: "AWS/S3ObjectLambda" EvaluationPeriods: 5 Period: 60 Statistic: Average Threshold: 0.01 TreatMissingData: notBreaching Outputs: ObjectLambdaAccessPoint: Description: The Amazon S3 Object Lambda Access Point created by this CloudFormation stack. Value: !Ref ObjectLambdaAccessPoint