How to get the bucket name from a CloudWatch event



I am writing a Lambda function "createbucket" that is triggered by a CloudWatch event; when I try to execute the Lambda function:

import json
import boto3
s3 = boto3.client('s3')
def lambda_handler(event, context):
    # Get bucket name from the S3 event
    print(event)
    bucket_name = event['detail']['requestParameters']['bucketName']
    print(bucket_name)
    #        if record['eventName'] == "CreateBucket":
    #            bucket =record['detail']['requestParameters']['bucketName']
    #            print(bucket)
    #            bucket_name =bucket
    # Create a bucket policy
    bucket_policy = json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MustBeEncryptedAtRest",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": [
                    "arn:aws:s3:::{bucket_name}",
                    "arn:aws:s3:::{bucket_name}/*"
                ],
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": [
                            "AES256",
                            "aws:kms"
                        ]
                    }
                }
            },
            {
                "Sid": "MustBeEncryptedInTransit",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::{bucket_name}",
                    "arn:aws:s3:::{bucket_name}/*"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    })

# Set the new policy
s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)

I get an error that I have to deal with:

module initialization error: name 'bucket_name' is not defined

Any ideas? I have to get the name of the bucket obtained from the createbucket event, but it never seems to be passed to the Lambda function. Is there any way to pass the new bucket's name to the function?

EDIT: the new error I'm getting is

{
    "stackTrace": [
        [
            "/var/task/lambda_function.py",
            11,
            "lambda_handler",
            "bucket_name = event['detail']['requestParameters']['bucketName']"
        ]
    ],
    "errorType": "KeyError",
    "errorMessage": "'detail'"
}

CW event configuration:

{
    "source": [
        "aws.s3"
    ],
    "detail-type": [
        "AWS API Call via CloudTrail"
    ],
    "detail": {
        "eventSource": [
            "s3.amazonaws.com"
        ],
        "eventName": [
            "CreateBucket"
        ]
    }
}

EDIT

Apart from the indentation issue, this seems to be caused by using the default Lambda test event template, whose syntax does not match that of a CloudWatch event.

Original

It's an indentation problem. The s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy) call is executed outside lambda_handler.

I have fixed the indentation of the Lambda function below:

import json
import boto3
s3 = boto3.client('s3')
def lambda_handler(event, context):
    # Get bucket name from the S3 event
    print(event)
    bucket_name = event['detail']['requestParameters']['bucketName']
    print(bucket_name)
    #        if record['eventName'] == "CreateBucket":
    #            bucket =record['detail']['requestParameters']['bucketName']
    #            print(bucket)
    #            bucket_name =bucket
    # Create a bucket policy
    bucket_policy = json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MustBeEncryptedAtRest",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": [
                    "arn:aws:s3:::{}".format(bucket_name),
                    "arn:aws:s3:::{}/*".format(bucket_name)
                ],
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": [
                            "AES256",
                            "aws:kms"
                        ]
                    }
                }
            },
            {
                "Sid": "MustBeEncryptedInTransit",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::{}".format(bucket_name),
                    "arn:aws:s3:::{}/*".format(bucket_name)
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    })

    # Set the new policy
    s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
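As an added example (not the asker's or answerer's code), the handler below separates event parsing from the policy build so both can be exercised without AWS: it returns the bucket name only for the CloudTrail-via-CloudWatch CreateBucket shape, rejects other shapes (such as the default S3 test template that caused the KeyError above) with a descriptive error, and substitutes the bucket name into the policy ARNs. The two sample events and the bucket names in them are constructed for illustration.

```python
import json

# Constructed sample of the event CloudWatch Events / EventBridge delivers for an
# "AWS API Call via CloudTrail" rule matching s3 CreateBucket.
SAMPLE_CLOUDTRAIL_EVENT = {
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
               "requestParameters": {"bucketName": "example-new-bucket"}},
}
# Constructed sample in the default Lambda "S3 Put" test-template shape: it has
# no "detail" key, which is why the question's handler raised KeyError('detail').
SAMPLE_S3_NOTIFICATION_EVENT = {
    "Records": [{"eventName": "ObjectCreated:Put",
                 "s3": {"bucket": {"name": "example-notification-bucket"}}}]
}

def extract_bucket_name(event):
    """Bucket name from a CloudTrail CreateBucket event, or None if the event
    has a different shape (e.g. an S3 notification or the console template)."""
    detail = event.get("detail")
    if not isinstance(detail, dict) or detail.get("eventName") != "CreateBucket":
        return None
    return detail.get("requestParameters", {}).get("bucketName")

def build_bucket_policy(bucket_name):
    """The deny-unencrypted-at-rest / deny-non-TLS policy from the question as a
    JSON string, with the bucket name substituted into the resource ARNs."""
    arns = ["arn:aws:s3:::{}".format(bucket_name),
            "arn:aws:s3:::{}/*".format(bucket_name)]
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "MustBeEncryptedAtRest", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": arns,
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
        {"Sid": "MustBeEncryptedInTransit", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": arns,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]})

def lambda_handler(event, context):
    bucket_name = extract_bucket_name(event)
    if bucket_name is None:
        # Fail loudly with the event shape instead of an opaque KeyError.
        raise ValueError("not a CloudTrail CreateBucket event: " + json.dumps(event))
    import boto3  # imported here so the pure functions above run without AWS
    boto3.client("s3").put_bucket_policy(
        Bucket=bucket_name, Policy=build_bucket_policy(bucket_name))
    return bucket_name
```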
