cfn-cr-same-region-bucket-download

Adds a restriction to an S3 bucket so that downloads are only allowed from AWS resources in the same region. Because Amazon's published IP address ranges change periodically, this function is automatically re-triggered by Amazon's SNS topic that announces those changes.

Important Implementation Detail

This Lambda is used as an AWS Custom Resource, but it is not a singleton Lambda that is reused to process every Custom Resource request. Each provisioned S3 bucket needs its own dedicated instance of this Lambda, because the SNS event announcing Amazon's constantly updated IP ranges does not carry any information about which bucket to change, so we cannot rely on Custom Resource event handling alone. An alternative implementation would be a single Lambda that, on each SNS update from Amazon, handles the policy update for every region-restricted bucket, but that approach introduces more complexity whenever any of the policy updates fail.
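The following is an added example, not the project's own code, showing the mechanism the two sections above describe: read Amazon's published IP ranges, keep the prefixes for one region, and turn them into a bucket policy that a Custom Resource handler applies on Create/Update and removes on Delete (the SNS-triggered refresh reuses the same Create/Update computation). It assumes, since the page does not say, that the ranges come from the ip-ranges.json feed (mirrored here by a constructed sample), that the restriction is an explicit Deny on s3:GetObject conditioned on aws:SourceIp, and that the function names are hypothetical.

```python
"""Same-region download restriction for an S3 bucket (added example).

Assumptions not stated on the page: the IP range feed has the shape of
https://ip-ranges.amazonaws.com/ip-ranges.json (constructed sample below),
the restriction is an explicit Deny on s3:GetObject with a NotIpAddress
condition on aws:SourceIp, and all function names are hypothetical.
"""
import json
from typing import List, Optional

# S3 bucket policies are limited to 20 KB; a region with many prefixes can approach this.
MAX_BUCKET_POLICY_BYTES = 20 * 1024

# Constructed sample in the shape of ip-ranges.json; the CIDRs are illustrative only.
SAMPLE_IP_RANGES = {
    "syncToken": "0000000000",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        # The same prefix is commonly listed again under a more specific service.
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-1", "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ipv6_prefix": "2600:1f14::/35", "region": "us-west-2", "service": "AMAZON", "network_border_group": "us-west-2"},
    ],
}


def region_cidrs(ip_ranges: dict, region: str) -> List[str]:
    """Collect every IPv4 and IPv6 prefix published for `region`.

    Prefixes repeat across services, so they are de-duplicated, and the result
    is sorted so that two runs over the same feed yield byte-identical policies.
    """
    cidrs = {p["ip_prefix"] for p in ip_ranges.get("prefixes", []) if p["region"] == region}
    cidrs |= {p["ipv6_prefix"] for p in ip_ranges.get("ipv6_prefixes", []) if p["region"] == region}
    return sorted(cidrs)


def build_policy(bucket: str, cidrs: List[str]) -> dict:
    """Bucket policy denying object downloads from any source IP outside `cidrs`.

    An explicit Deny is used so the restriction holds no matter what other
    Allow statements (in the bucket policy or in IAM) grant.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyDownloadFromOutsideRegion",  # hypothetical statement id
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
            }
        ],
    }


def policy_fits(policy: dict) -> bool:
    """True if the compact serialized policy is within the bucket policy size limit."""
    return len(json.dumps(policy, separators=(",", ":")).encode()) <= MAX_BUCKET_POLICY_BYTES


def desired_policy(request_type: str, bucket: str, region: str, ip_ranges: dict) -> Optional[dict]:
    """Policy a Custom Resource handler should apply for one CloudFormation event.

    Create and Update both compute the policy from the current feed; Delete
    returns None, meaning the restricting policy is to be removed. Applying it
    is a boto3 put_bucket_policy / delete_bucket_policy call, left out so the
    example runs offline.
    """
    if request_type == "Delete":
        return None
    if request_type not in ("Create", "Update"):
        raise ValueError(f"unexpected RequestType: {request_type}")
    policy = build_policy(bucket, region_cidrs(ip_ranges, region))
    if not policy_fits(policy):
        raise ValueError("policy exceeds the S3 bucket policy size limit")
    return policy


if __name__ == "__main__":
    print(json.dumps(desired_policy("Create", "my-example-bucket", "us-east-1", SAMPLE_IP_RANGES), indent=2))
```

Two points worth checking before using this pattern on a real bucket: the policy length grows with the region's prefix count, so the size check matters for large regions, and aws:SourceIp is not present on requests that arrive through a VPC endpoint, which an explicit Deny with NotIpAddress therefore also blocks unless the policy is extended with the VPC-specific condition keys.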

Development

Contributions

Contributions are welcome.

Requirements

Run pipenv install --dev to install both production and development requirements, and pipenv shell to activate the virtual environment. For more information see the pipenv docs.

After activating the virtual environment, run pre-commit install to install the pre-commit git hook.

Create a local build

sam build

Run unit tests

Tests are defined in the tests folder in this project. Use pip to install pytest, then run the unit tests:

python -m pytest tests/ -vv

Run integration tests

Running integration tests requires Docker.

Remember to update the "BucketName" of env_vars.json with the name of the bucket you wish to test!

Swap out the event file in the events/ directory: update.json and create.json should result in the same behavior, while delete.json will remove the IP-restricting policy from the bucket specified in env_vars.json. You may also need to pass the AWS profile as an argument (e.g. --profile scipooldev-admin).

sam local invoke RestrictBucketDownloadRegionFunction --event events/create.json --env-vars env_vars.json

Deployment

Deploy Lambda to S3

Deployments are sent to the Sage cloudformation repository which requires permissions to upload to Sage bootstrap-awss3cloudformationbucket-19qromfd235z9 and essentials-awss3lambdaartifactsbucket-x29ftznj6pqw buckets.

sam package --profile=admincentral-cfndeployer --template-file .aws-sam/build/template.yaml \
  --s3-bucket essentials-awss3lambdaartifactsbucket-x29ftznj6pqw \
  --output-template-file .aws-sam/build/cfn-cr-same-region-bucket-download.yaml

aws s3 cp --profile=admincentral-cfndeployer .aws-sam/build/cfn-cr-same-region-bucket-download.yaml s3://bootstrap-awss3cloudformationbucket-19qromfd235z9/cfn-cr-same-region-bucket-download/master/

Publish Lambda

Private access

Publishing the lambda makes it available in your AWS account. It will be accessible in the serverless application repository.

sam publish --template .aws-sam/build/cfn-cr-same-region-bucket-download.yaml

Public access

Making the lambda publicly accessible makes it available in the global AWS serverless application repository.

aws serverlessrepo put-application-policy \
  --application-id <lambda ARN> \
  --statements Principals=*,Actions=Deploy

Install Lambda into AWS

Sceptre

Create the following sceptre file config/prod/cfn-cr-same-region-bucket-download.yaml

template_path: "remote/cfn-cr-same-region-bucket-download.yaml"
stack_name: "cfn-cr-same-region-bucket-download"
stack_tags:
  Department: "Platform"
  Project: "Infrastructure"
  OwnerEmail: "[email protected]"
hooks:
  before_launch:
    - !cmd "curl https://bootstrap-awss3cloudformationbucket-19qromfd235z9.s3.amazonaws.com/cfn-cr-same-region-bucket-download/master/cfn-cr-same-region-bucket-download.yaml --create-dirs -o templates/remote/cfn-cr-same-region-bucket-download.yaml"

Install the lambda using sceptre:

sceptre --var "profile=my-profile" --var "region=us-east-1" launch prod/cfn-cr-same-region-bucket-download.yaml

AWS Console

Steps to deploy from AWS console.

  1. Login to AWS
  2. Access the serverless application repository -> Available Applications
  3. Select application to install
  4. Enter Application settings
  5. Click Deploy

Releasing

We have set up our CI to automate releases. To kick off the process, just create a tag (e.g. 0.0.1) and push it to the repo. The tag must match the current version in template.yaml. Our CI will do the work of deploying and publishing the lambda.
