├── policy.json ├── LICENSE ├── README.md └── index.js /policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "Stmt1430872797000", 6 | "Effect": "Allow", 7 | "Action": [ 8 | "s3:GetBucketTagging", 9 | "s3:GetObject", 10 | "s3:PutObject" 11 | ], 12 | "Resource": [ 13 | "*" 14 | ] 15 | }, 16 | { 17 | "Sid": "Stmt1430872844000", 18 | "Effect": "Allow", 19 | "Action": [ 20 | "cloudwatch:*" 21 | ], 22 | "Resource": [ 23 | "*" 24 | ] 25 | }, 26 | { 27 | "Sid": "Stmt1430872852000", 28 | "Effect": "Allow", 29 | "Action": [ 30 | "logs:*" 31 | ], 32 | "Resource": [ 33 | "*" 34 | ] 35 | } 36 | ] 37 | } 38 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 Eleven41 Software Inc. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # aws-lambda-encrypt-s3-objects 2 | An AWS Lambda function to encrypt S3 objects using server-side AES256 encryption 3 | as they are added to the bucket. 4 | 5 | ## Configuration 6 | 7 | ### IAM Role 8 | 9 | Create an IAM role with the following policy: 10 | 11 | ```json 12 | { 13 | "Version": "2012-10-17", 14 | "Statement": [ 15 | { 16 | "Sid": "Stmt1430872797000", 17 | "Effect": "Allow", 18 | "Action": [ 19 | "s3:GetBucketTagging", 20 | "s3:GetObject", 21 | "s3:PutObject" 22 | ], 23 | "Resource": [ 24 | "*" 25 | ] 26 | }, 27 | { 28 | "Sid": "Stmt1430872844000", 29 | "Effect": "Allow", 30 | "Action": [ 31 | "cloudwatch:*" 32 | ], 33 | "Resource": [ 34 | "*" 35 | ] 36 | }, 37 | { 38 | "Sid": "Stmt1430872852000", 39 | "Effect": "Allow", 40 | "Action": [ 41 | "logs:*" 42 | ], 43 | "Resource": [ 44 | "*" 45 | ] 46 | } 47 | ] 48 | } 49 | ``` 50 | 51 | ### Building the Lambda Package 52 | 53 | 1. Clone this repo 54 | 55 | ``` 56 | git clone git@github.com:eleven41/aws-lambda-encrypt-s3-objects.git 57 | cd aws-lambda-encrypt-s3-objects 58 | ``` 59 | 60 | 2. Install requirements 61 | 62 | ``` 63 | npm install async 64 | npm install aws-sdk 65 | ``` 66 | 67 | 3. Zip up the folder using your favourite zipping utility 68 | 69 | ### Lambda Function 70 | 71 | 1. Create a new Lambda function. 72 | 2. Upload the ZIP package for the lambda function using `index.handler` as the handler. 73 | 3. Add an event source to your Lambda function: 74 | * Event Source Type: S3 75 | * Bucket: your source bucket 76 | * Event Type: Object Created 77 | 4. Set your Lambda function to execute using the IAM role you created above. 78 | 79 | At this point, if you upload a file to your source bucket, the file 80 | should be converted to AES256 encryption if it isn't already encrypted. 81 | 82 | ### Additional Options 83 | 84 | Configuration is performed by setting tags on the bucket. 85 | 86 | Tag Name | Notes 87 | ---|--- 88 | SetReducedRedundancy | Set to 'Yes' to use reduced redundancy for the object. 89 | 90 | ## Notes 91 | 92 | Lambda will invoke this function twice for each file uploaded: 93 | 94 | 1. Once for the true upload, and 95 | 2. A second time because we've modified the file. 96 | -------------------------------------------------------------------------------- /index.js: -------------------------------------------------------------------------------- 1 | console.log("Version 0.3.0"); 2 | 3 | // Load up all dependencies 4 | var AWS = require('aws-sdk'); 5 | var async = require('async'); 6 | 7 | // get reference to S3 client 8 | var s3 = new AWS.S3({ apiVersion: '2006-03-01' }); 9 | 10 | // This is the entry-point to the Lambda function. 11 | exports.handler = function (event, context) { 12 | 13 | if (event.Records == null) { 14 | context.fail('Error', "Event has no records."); 15 | return; 16 | } 17 | 18 | // Process all records in the event asynchronously. 19 | async.each(event.Records, processRecord, function (err) { 20 | if (err) { 21 | context.fail('Error', "One or more objects could not be encrypted."); 22 | } else { 23 | context.succeed(); 24 | } 25 | }); 26 | }; 27 | 28 | // processRecord 29 | // 30 | // Iterator function for async.each (called by the handler above). 31 | // 32 | // 1. Gets the head of the object to determine it's current encryption state. 33 | // 2. Gets the encryption configuration from the bucket's tags. 34 | // 3. Copies the object with the desired encryption. 35 | function processRecord(record, callback) { 36 | if (record.s3 == null) { 37 | callback("Event record is missing s3 structure."); 38 | return; 39 | } 40 | 41 | // The bucket and key are part of the event data 42 | var bucket = record.s3.bucket.name; 43 | var key = decodeURIComponent(record.s3.object.key.replace(/\+/g, " ")); 44 | 45 | console.log('Processing ' + bucket + '/' + key); 46 | 47 | // Get the head data to determine if the object is already encrypted. 48 | console.log('Getting object head'); 49 | s3.headObject({ 50 | Bucket: bucket, 51 | Key: key 52 | }, function (err, data) { 53 | if (err) { 54 | console.log('Error getting object head:'); 55 | console.log(err, err.stack); // an error occurred 56 | callback("Error getting object head: " + bucket + '/' + key); 57 | } else if (data.ServerSideEncryption != 'AES256') { 58 | 59 | readConfig(bucket, function (err, config) { 60 | if (err) { 61 | console.log('Error reading configuration from tags:'); 62 | console.log(err, err.stack); // an error occurred 63 | callback("Error reading configuration from tags: " + err); 64 | } else { 65 | 66 | var storageClass = 'STANDARD'; 67 | if (config.setReducedRedundancy) 68 | storageClass = 'REDUCED_REDUNDANCY'; 69 | 70 | // Copy the object adding the encryption 71 | console.log('Updating object'); 72 | s3.copyObject({ 73 | Bucket: bucket, 74 | Key: key, 75 | 76 | CopySource: encodeURIComponent(bucket + '/' + key), 77 | MetadataDirective: 'COPY', 78 | ServerSideEncryption: 'AES256', 79 | StorageClass: storageClass 80 | }, function (err, data) { 81 | if (err) { 82 | console.log('Error updating object:'); 83 | console.log(err, err.stack); // an error occurred 84 | callback("Error updating object: " + err); 85 | } else { 86 | console.log(bucket + '/' + key + ' updated.'); 87 | callback(); 88 | } 89 | }); 90 | } 91 | }); 92 | } else { 93 | console.log(bucket + '/' + key + " is already encrypted using 'AES256'."); 94 | callback(); 95 | } 96 | }); 97 | } 98 | 99 | // readConfig 100 | // 101 | // Gets the tags for the named bucket, and 102 | // from those tags, sets the configuration. 103 | // Once found, it calls the callback function passing 104 | // the configuration. 105 | function readConfig(bucketName, callback) { 106 | 107 | var defaultConfig = { 108 | setReducedRedundancy: false 109 | }; 110 | 111 | console.log("Getting tags for bucket '" + bucketName + "'"); 112 | s3.getBucketTagging({ 113 | Bucket: bucketName 114 | }, function (err, data) { 115 | if (err) { 116 | if (err.code == 'NoSuchTagSet') { 117 | // No tags on the bucket, so just send the defaults 118 | callback(null, defaultConfig); 119 | } else { 120 | // Some other error 121 | callback(err, null); 122 | } 123 | } else { 124 | 125 | // Set defaults 126 | var config = defaultConfig; 127 | 128 | var tags = data.TagSet; 129 | 130 | console.log("Processing tags..."); 131 | for (var i = 0; i < tags.length; ++i) { 132 | var tag = tags[i]; 133 | 134 | console.log("Processing tag: " + tag.Key); 135 | if (tag.Key == 'SetReducedRedundancy') { 136 | console.log("Tag 'SetReducedRedundancy' found with value '" + tag.Value + "'"); 137 | if (tag.Value != null && tag.Value.toLowerCase() == 'yes') { 138 | config.setReducedRedundancy = true; 139 | } 140 | } 141 | } 142 | 143 | callback(null, config); 144 | } 145 | }); 146 | } 147 | --------------------------------------------------------------------------------