
I want to write a Lambda function in Python to enable S3 bucket default encryption if a newly created bucket does not have encryption enabled.

It needs the following steps:

  • Trigger the Lambda function when a new S3 bucket is created
  • If default encryption is not enabled, enable it automatically
  • Trigger an SNS topic that sends an email to the administrator and the bucket creator/owner

The following Lambda function, which I have created, encrypts any existing buckets periodically. I want to extend it to trigger on new bucket creation.

import boto3
from botocore.exceptions import ClientError


def lambda_handler(event, context):
    s3 = boto3.client("s3")
    response = s3.list_buckets()
    buckets = [bucket['Name'] for bucket in response['Buckets']]
    status = 200
    unencrypted_buckets = []
    for bucket in buckets:
        try:
            s3.get_bucket_encryption(Bucket=bucket)
            print(f"Bucket {bucket} already has encryption enabled")
        except ClientError as err:
            # Only "no configuration present" means the bucket is unencrypted;
            # AccessDenied, NoSuchBucket etc. are reported rather than remediated.
            if err.response['Error']['Code'] == 'ServerSideEncryptionConfigurationNotFoundError':
                unencrypted_buckets.append(bucket)
            else:
                print(f"Could not read encryption configuration of {bucket}: {err}")
                status = 500

    encryption_enabled_buckets = []
    for unencrypted_bucket in unencrypted_buckets:
        try:
            print(f"Bucket {unencrypted_bucket} has no encryption enabled")
            s3.put_bucket_encryption(
                Bucket=unencrypted_bucket,
                ServerSideEncryptionConfiguration={
                    'Rules': [
                        {
                            'ApplyServerSideEncryptionByDefault': {
                                'SSEAlgorithm': 'AES256'
                            }
                        }
                    ]
                }
            )
            encryption_enabled_buckets.append(unencrypted_bucket)
        except ClientError as err:
            # Keep going so one failing bucket does not leave the rest unencrypted
            print(f"Failed to enable encryption on {unencrypted_bucket}: {err}")
            status = 500

    return {
        'statusCode': status,
        'details': 'Default encryption enabled',
        'encryption enabling success': encryption_enabled_buckets,
        'encryption enabling failed': [b for b in unencrypted_buckets if b not in encryption_enabled_buckets]
    }
  • What have you tried? Have you tried anything? Stack Overflow is not an on-demand solutions architect or engineer. Commented Oct 13, 2021 at 17:37
  • I have created a Lambda function to enable default encryption for existing buckets. I have tried to add a trigger to that Lambda function when a new bucket is created. Commented Oct 14, 2021 at 9:23
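Added example (not code from the question or the answer) of the event-driven version the question asks for: a handler that receives the CloudTrail `CreateBucket` event via an EventBridge rule, checks the new bucket, enables SSE-S3 default encryption only when the bucket has no configuration, and publishes a notification to an SNS topic. The topic ARN comes from an assumed `SNS_TOPIC_ARN` environment variable, the sample event and the `FakeS3`/`FakeSNS` clients are constructed for an offline dry run, and `remediate` takes the clients as parameters so it can be exercised without AWS credentials.

```python
import json
import os

try:
    from botocore.exceptions import ClientError  # present in every Lambda Python runtime
except ImportError:  # fallback so the module also imports where botocore is absent
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response["Error"].get("Message", operation_name))
            self.response = error_response
            self.operation_name = operation_name

# Assumed environment variable; the default is a placeholder, not a real ARN.
TOPIC_ARN = os.environ.get("SNS_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT_ID:TOPIC_PLACEHOLDER")

SSE_AES256 = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


def bucket_from_event(event):
    """Bucket name and creator ARN from a CloudTrail CreateBucket event delivered by EventBridge."""
    detail = event.get("detail") or {}
    if detail.get("eventName") != "CreateBucket":
        return None, None
    bucket = (detail.get("requestParameters") or {}).get("bucketName")
    creator = (detail.get("userIdentity") or {}).get("arn")
    return bucket, creator


def has_default_encryption(s3, bucket):
    """True if a default encryption configuration exists; only 'not configured' means False."""
    try:
        s3.get_bucket_encryption(Bucket=bucket)
        return True
    except ClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return False
        raise  # AccessDenied, NoSuchBucket etc. are real failures, not "unencrypted"


def remediate(event, s3, sns, topic_arn):
    """Enable SSE-S3 on the bucket named in the event if needed and notify the topic."""
    bucket, creator = bucket_from_event(event)
    if not bucket:
        return {"statusCode": 400, "details": "not a CreateBucket event"}
    if has_default_encryption(s3, bucket):
        return {"statusCode": 200, "bucket": bucket, "action": "already-encrypted"}
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=SSE_AES256)
    message = {"bucket": bucket, "createdBy": creator, "action": "default encryption (SSE-S3) enabled"}
    sns.publish(TopicArn=topic_arn,
                Subject=f"S3 default encryption enabled on {bucket}",
                Message=json.dumps(message))
    return {"statusCode": 200, "bucket": bucket, "action": "encryption-enabled", "createdBy": creator}


def lambda_handler(event, context):
    import boto3  # imported here so the module stays importable for offline tests
    return remediate(event, boto3.client("s3"), boto3.client("sns"), TOPIC_ARN)


# --- constructed sample event and in-memory fakes for an offline dry run ---
SAMPLE_EVENT = {
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "CreateBucket",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-dev"},
        "requestParameters": {"bucketName": "example-new-bucket"},
    },
}


class FakeS3:
    """Stand-in for the S3 client: remembers which buckets have encryption configured."""
    def __init__(self, encrypted=()):
        self.encrypted = set(encrypted)

    def get_bucket_encryption(self, Bucket):
        if Bucket in self.encrypted:
            return {"ServerSideEncryptionConfiguration": SSE_AES256}
        raise ClientError({"Error": {"Code": "ServerSideEncryptionConfigurationNotFoundError",
                                     "Message": "not configured"}}, "GetBucketEncryption")

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.encrypted.add(Bucket)


class FakeSNS:
    """Stand-in for the SNS client: records every publish call."""
    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed"}


if __name__ == "__main__":
    s3, sns = FakeS3(), FakeSNS()
    print(remediate(SAMPLE_EVENT, s3, sns, TOPIC_ARN))
    print(sns.published[0]["Subject"])
```

The EventBridge rule that feeds this handler matches `source: aws.s3`, `detail-type: AWS API Call via CloudTrail` and `detail.eventName: CreateBucket`, which requires CloudTrail management events to be on in the account. The administrator gets the email through an email subscription on the topic; the creator's IAM ARN is carried in the message body, because mapping an IAM identity to a mailbox is something neither SNS nor the event provides. Distinguishing `ServerSideEncryptionConfigurationNotFoundError` from other `ClientError`s matters: treating an `AccessDenied` as "unencrypted" would make the function try to rewrite buckets it cannot even read.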

1 Answer

You may not have to code this at all. Consider using AWS Config Rules for this, and other, compliance requirements.

See AWS Config managed rules:

AWS Config can send notifications via SNS; here is an example: How can I be notified when an AWS resource is non-compliant using AWS Config?
