Adds a restriction on an S3 bucket so that downloads are only allowed from AWS resources in the same region. The function is automatically re-triggered by Amazon's SNS topic because the published IP address ranges change periodically.

This Lambda is used as an AWS Custom Resource, but it is not a singleton Lambda that gets reused to process every Custom Resource request. Each provisioned S3 bucket needs its own dedicated instance of this Lambda, because the SNS event announcing Amazon's constantly updating IP ranges does not include any information about which bucket to change, so we cannot rely on Custom Resource event handling alone. An alternative implementation would be a single Lambda that, on each SNS update from Amazon, handles policy updates for every region-restricted bucket, but that approach would introduce more complexity if any of the policy updates fail.
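The policy logic described above, as an added example that is not the project's own handler: it builds the region-restricting Deny statement from a constructed ip-ranges.json sample and applies it idempotently, so Create and Update give the same result and Delete removes only that statement. The statement Sid, the 20 KB size check and the sample prefixes are assumptions of this example.

```python
import json
from typing import Dict, List

# Constructed sample of Amazon's ip-ranges.json (documentation prefixes, not real AWS ranges)
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000", "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON"},
    ],
})
SID = "RestrictDownloadToRegion"  # hypothetical statement id used to find our statement on re-runs
MAX_POLICY_BYTES = 20 * 1024      # S3 rejects bucket policies larger than 20 KB

def region_prefixes(ip_ranges_json: str, region: str) -> List[str]:
    """Collect every IPv4 and IPv6 prefix published for `region`, de-duplicated across services."""
    doc = json.loads(ip_ranges_json)
    v4 = [p["ip_prefix"] for p in doc.get("prefixes", []) if p["region"] == region]
    v6 = [p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", []) if p["region"] == region]
    return sorted(set(v4) | set(v6))

def deny_statement(bucket: str, prefixes: List[str]) -> Dict:
    """Deny s3:GetObject to any caller whose source IP is outside the region's published ranges."""
    return {
        "Sid": SID, "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": prefixes}},
    }

def apply_restriction(policy: Dict, bucket: str, ip_ranges_json: str, region: str) -> Dict:
    """Create/Update: replace any earlier statement with our Sid so SNS re-triggers stay idempotent."""
    others = [s for s in policy.get("Statement", []) if s.get("Sid") != SID]
    statement = deny_statement(bucket, region_prefixes(ip_ranges_json, region))
    new_policy = {"Version": "2012-10-17", "Statement": others + [statement]}
    size = len(json.dumps(new_policy))
    if size > MAX_POLICY_BYTES:
        raise ValueError(f"bucket policy would be {size} bytes, over the {MAX_POLICY_BYTES} byte S3 limit")
    return new_policy

def remove_restriction(policy: Dict) -> Dict:
    """Delete: drop only our statement and leave any other statements on the bucket untouched."""
    others = [s for s in policy.get("Statement", []) if s.get("Sid") != SID]
    return {"Version": "2012-10-17", "Statement": others}
```

Because aws:SourceIp is not present for requests that reach S3 through a VPC endpoint, a NotIpAddress Deny matches those requests as well, so callers on that path need a separate condition such as aws:SourceVpce rather than an IP range.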
Contributions are welcome.
Run `pipenv install --dev` to install both production and development requirements, and `pipenv shell` to activate the virtual environment. For more information see the pipenv docs.
After activating the virtual environment, run `pre-commit install` to install the pre-commit git hook.
```shell
sam build
```
Tests are defined in the `tests` folder in this project. Use pip to install pytest and run the unit tests:

```shell
python -m pytest tests/ -vv
```
Running integration tests requires Docker.

Remember to update the `"BucketName"` in `env_vars.json` with the name of the bucket you wish to test!

Swap out the event file in the `events/` directory. `update.json` and `create.json` should result in the same behavior. `delete.json` will remove the IP restricting policy from the bucket specified in the

You may also need to include the AWS profile as an argument (e.g. `--profile scipooldev-admin`):

```shell
sam local invoke RestrictBucketDownloadRegionFunction --event events/create.json --env-vars env_vars.json
```
Deployments are sent to the Sage cloudformation repository, which requires permissions to upload to the Sage `bootstrap-awss3cloudformationbucket-19qromfd235z9` and `essentials-awss3lambdaartifactsbucket-x29ftznj6pqw` buckets.

```shell
sam package --profile=admincentral-cfndeployer --template-file .aws-sam/build/template.yaml \
  --s3-bucket essentials-awss3lambdaartifactsbucket-x29ftznj6pqw \
  --output-template-file .aws-sam/build/cfn-cr-same-region-bucket-download.yaml
aws s3 cp --profile=admincentral-cfndeployer .aws-sam/build/cfn-cr-same-region-bucket-download.yaml s3://bootstrap-awss3cloudformationbucket-19qromfd235z9/cfn-cr-same-region-bucket-download/master/
```
Publishing the Lambda makes it available in your AWS account. It will be accessible in the Serverless Application Repository.

```shell
sam publish --template .aws-sam/build/cfn-cr-same-region-bucket-download.yaml
```
Making the Lambda publicly accessible makes it available in the global AWS Serverless Application Repository:

```shell
aws serverlessrepo put-application-policy \
  --application-id <lambda ARN> \
  --statements Principals=*,Actions=Deploy
```
Create the following sceptre file `config/prod/cfn-cr-same-region-bucket-download.yaml`:

```yaml
template_path: "remote/cfn-cr-same-region-bucket-download.yaml"
stack_name: "cfn-cr-same-region-bucket-download"
stack_tags:
  Department: "Platform"
  Project: "Infrastructure"
  OwnerEmail: "[email protected]"
hooks:
  before_launch:
    - !cmd "curl https://bootstrap-awss3cloudformationbucket-19qromfd235z9.s3.amazonaws.com/cfn-cr-same-region-bucket-download/master/cfn-cr-same-region-bucket-download.yaml --create-dirs -o templates/remote/cfn-cr-same-region-bucket-download.yaml"
```
Install the Lambda using sceptre:

```shell
sceptre --var "profile=my-profile" --var "region=us-east-1" launch prod/cfn-cr-same-region-bucket-download.yaml
```
Steps to deploy from the AWS console:

- Log in to AWS
- Access the Serverless Application Repository -> Available Applications
- Select the application to install
- Enter the application settings
- Click Deploy
We have set up our CI to automate releases. To kick off the process, just create a tag (e.g. 0.0.1) and push it to the repo. The tag must be the same number as the current version in template.yaml. Our CI will do the work of deploying and publishing the Lambda.