An AWS Lambda function to encrypt S3 objects using server-side AES256 encryption as they are added to the bucket.
Create an IAM role with the following policy (as written it applies to every bucket via `"Resource": ["*"]`; narrow it to the bucket's ARN if only one bucket is processed):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1430872797000",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketTagging",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1430872844000",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1430872852000",
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
```bash
git clone git@github.com:eleven41/aws-lambda-encrypt-s3-objects.git
cd aws-lambda-encrypt-s3-objects
npm install async
npm install aws-sdk
```

Set `index.handler` as the handler. At this point, if you upload a file to your source bucket, the object should be re-stored with AES256 server-side encryption if it is not already encrypted.
Configuration is performed by setting tags on the bucket.

| Tag Name | Notes |
|---|---|
| SetReducedRedundancy | Set to 'Yes' to use reduced redundancy for the object. |
Lambda will invoke this function twice for each file uploaded:
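As an added JavaScript example (not the project's own code), the core of such a handler: on each invocation it checks the object's current encryption, copies it onto itself with AES256 and the storage class chosen by the `SetReducedRedundancy` bucket tag, and does nothing on the second, copy-triggered invocation. The S3 client is injected and assumed to expose promise-returning `headObject` / `getBucketTagging` / `copyObject` (an assumed wrapper over the AWS SDK); the in-memory stand-in, bucket and key names are constructed so it runs offline.

```javascript
// Added example, not the project's code. Tag name comes from the README;
// bucket and key names used in the stand-in below are constructed.
const TAG_REDUCED_REDUNDANCY = 'SetReducedRedundancy';

// Build the copyObject parameters that re-store an object with AES256 SSE,
// or return null when the object already has it (the second, copy-triggered call).
function planEncryption(bucket, key, head, tagSet) {
  if (head.ServerSideEncryption === 'AES256') return null;
  const tags = {};
  (tagSet || []).forEach(t => { tags[t.Key] = t.Value; });
  const params = {
    Bucket: bucket,
    Key: key,
    // CopySource must be URL-encoded; encode each key segment, keep the slashes.
    CopySource: bucket + '/' + key.split('/').map(encodeURIComponent).join('/'),
    ServerSideEncryption: 'AES256',
    MetadataDirective: 'COPY', // preserve the uploader's metadata and content type
  };
  if (tags[TAG_REDUCED_REDUNDANCY] === 'Yes') params.StorageClass = 'REDUCED_REDUNDANCY';
  return params;
}

// Handle an S3 event with an injected client exposing promise-returning
// headObject / getBucketTagging / copyObject (assumed wrapper over the AWS SDK).
async function handleEvent(s3, event) {
  const results = [];
  for (const rec of event.Records) {
    const bucket = rec.s3.bucket.name;
    // Event keys are URL-encoded with '+' for spaces.
    const key = decodeURIComponent(rec.s3.object.key.replace(/\+/g, ' '));
    const head = await s3.headObject({ Bucket: bucket, Key: key });
    const tagging = await s3.getBucketTagging({ Bucket: bucket });
    const plan = planEncryption(bucket, key, head, tagging.TagSet);
    if (plan) await s3.copyObject(plan);
    results.push({ key, action: plan ? 'encrypted' : 'skipped' });
  }
  return results;
}

// Constructed in-memory S3 stand-in so the handler can be exercised offline.
function fakeS3(objects, tagSet) {
  return {
    headObject: async ({ Key }) => ({ ServerSideEncryption: objects[Key].sse }),
    getBucketTagging: async () => ({ TagSet: tagSet }),
    copyObject: async p => { Object.assign(objects[p.Key], { sse: p.ServerSideEncryption, storage: p.StorageClass }); return {}; },
  };
}
```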