我的模板是:
Resources:
LambdaFunction:
Type: 'AWS::Lambda::Function'
Properties:
Code:
ZipFile: |
import json
import boto3
s3 = boto3.client('s3')
def lambda_handler(event, context):
# Get bucket name from the S3 event
print(event)
bucket_name = event['detail']['requestParameters']['bucketName']
# Create a bucket policy
bucket_policy =json.dumps({
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MustBeEncryptedAtRest",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::{}".format(bucket_name),
"arn:aws:s3:::{}/*".format(bucket_name)
],
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": [
AES256
"aws:kms"
]
}
}
},
{
"Sid": "MustBeEncryptedInTransit",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::{}".format(bucket_name),
"arn:aws:s3:::{}/*".format(bucket_name)
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
} ] })
# Set the new policy
s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy),
Handler: index.lambda_handler
Role: 'arn:aws:iam::role'
Runtime: python3.7
EventRule:
Type: 'AWS::Events::Rule'
Properties:
EventPattern:
source:
- aws.s3
detail-type:
- AWS API Call via CloudTrail
detail:
eventSource:
- s3.amazonaws.com
eventName:
- CreateBucket
这成功地创建了一个lambda函数和一个事件桥事件,我不得不手动添加事件桥的触发器,但当我创建一个s3 bucket时,没有策略。没有错误参考供我查看,目前我找不到任何逻辑错误。这是在我用上面的模板创建的堆栈上。有什么想法吗?
调查这一问题的最佳方式是通过CloudWatch。
首先检查Lambda所在区域的CloudWatch日志。这将识别Lambda功能的任何问题,例如:
- IAM缺少您角色的权限
- Python解析错误(无效语法(
如果没有日志,请检查CloudWatch指标以确保正在调用的函数。如果不是,则该事件不会触发。
此外,要将Lambda自动添加为触发器,您需要将其作为CloudWatch事件规则的目标包含在模板中。
以下是您需要的大致模板。
Resources:
LambdaFunction:
Type: 'AWS::Lambda::Function'
Properties:
Code:
ZipFile: |
import json
import boto3
s3 = boto3.client('s3')
def lambda_handler(event, context):
# Get bucket name from the S3 event
print(event)
bucket_name = event['detail']['requestParameters']['bucketName']
# Create a bucket policy
bucket_policy =json.dumps({
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MustBeEncryptedAtRest",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::{}".format(bucket_name),
"arn:aws:s3:::{}/*".format(bucket_name)
],
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": [
AES256
"aws:kms"
]
}
}
},
{
"Sid": "MustBeEncryptedInTransit",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::{}".format(bucket_name),
"arn:aws:s3:::{}/*".format(bucket_name)
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
} ] })
# Set the new policy
s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy),
Handler: index.lambda_handler
Role: 'arn:aws:iam::role'
Runtime: python3.7
EventRule:
Type: 'AWS::Events::Rule'
Properties:
EventPattern:
source:
- aws.s3
detail-type:
- AWS API Call via CloudTrail
detail:
eventSource:
- s3.amazonaws.com
eventName:
- CreateBucket
Targets:
-
Arn: !GetAtt LambdaFunction.Arn
Id: "TargetFunctionV1"
PermissionForEventsToInvokeLambda:
Type: AWS::Lambda::Permission
Properties:
FunctionName:
Ref: "LambdaFunction"
Action: "lambda:InvokeFunction"
Principal: "events.amazonaws.com"
SourceArn: !GetAtt EventRule.Arn