Amazon S3 triggering another a Lambda function in another account

Question

I want to run a lambda in Account B when any object comes into Account A S3 bucket.

But I heard that we can access Lambda from the same account S3 only, for cross-account S3 Lambda access I must run Lambda within same account and make another trigger which runs another account Lambda:

1. S3(Account A)--> Lambda(Account B)- not possible
2. S3(Account A)--> Lambda(Account A)-->Lambda(Account B)- Possible

Can someone help me which option is possible? If so how?

Answer 1

@John's Solution works but there are certain steps I would like to add to his answer.

• The S3 bucket and the Lambda need to be in the same region. For example, both should be created in us-east-1 region. Different regions would throw an error as below:

The notification destination service region is not valid for the bucket location constraint

Below is the Steps I followed to create the trigger:

Account-A.S3-bucket -> Account-B.Lambda-function

1. From Terminal, switch to Account-B's AWS profile where the Lambda would reside

2. Run the below command, change the parameters for your case:

   aws lambda add-permission \ --region {Account-B.Lambda region Eg. us-east-1} \ --function-name {Account-B.Lambda name} \ --statement-id 1 \ --principal s3.amazonaws.com \ --action lambda:InvokeFunction \ --source-arn arn:aws:s3:::{Account-A.S3 name} \ --source-account {Account-A.account-id} \ --profile {Account-B.profile-name}

You might get statement-id exists error, increment statement-id and re-run command again in this case.

1. Go to Account-A's S3 bucket and under Properties's tab > under Events
2. Select Add Notification

3. Add the following fields:

   Name: ObjectCreation Events: ObjectCreate (All) Send to: Lambda function Lambda: Add Lambda function ARN Lambda function ARN: your-lambda-arn

Note: The Lambda function might still show an error but new objects added in the S3 bucket trigger the lambda and print(event) logs appear in Cloudwatch logs.

Answer 2

I managed to successfully trigger an AWS Lambda function in Account B from an upload to an Amazon S3 bucket in Account A.

Account-A.S3-bucket -> Account-B.Lambda-function

Here's what I did:

• Created the Amazon S3 bucket in Account A
• Created the Lambda function in Account B
• Added a Resource-Based Policy for AWS Lambda to the Lambda function via the AWS Command-Line Interface (CLI) that allowed the S3 bucket to call lambda:InvokeFunction on the Lambda function
• Added a Bucket Policy to the S3 bucket to permit GetObject access from anywhere (this should be locked-down further, but was sufficient for the experiment)
• Configured an Event for ObjectCreate (All) on the S3 bucket, referencing the Lambda function via its ARN
• Uploaded a file to the Account-A.S3-bucket
• The Account-B.Lambda-function was successfully triggered

I then repeated the experiment with the bucket in a different region and it failed, saying:

The notification destination service region is not valid for the bucket location constraint

Answer 3

Here is how you do this in clear steps:

I defined (Customer Account) as the account that contains the S3 resource, "Service Account" as the account that contains the Lambda function, that will access the S3 resource.

1. Create assumed role on Customer Account with full S3 access,
2. Create trust policy in assumed role pointing at Lambda ARN

3. Attach IAM policy to Lambda execution role on Service Account - pointing at Customer account / assumed role (Reference: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/)

4. Create object notification event on target S3 bucket on customer account, to notify Lambda ARN on service account. (Reference: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#putBucketNotificationConfiguration-property)