How do I troubleshoot Amazon S3 event notifications that didn't invoke my Lambda function?

2 minute read

I want to troubleshoot Amazon Simple Storage Service (Amazon S3) event notifications that didn't invoke my AWS Lambda function.

Resolution

To troubleshoot Amazon S3 event notifications for Lambda functions, complete the following steps to verify your permissions and configuration settings:

Open the Amazon S3 console, and then navigate to your bucket.
Choose the Properties tab.
In Event notifications, select your event notification, and then choose Edit.
In General configuration, review the Prefix and Suffix settings.
(Optional) If you use a prefix or suffix, then confirm the following:
The object key in your bucket matches the object key naming guidelines.
Any special characters are in URL-encoded (percent-encoded) format.
In Destination, confirm that the Lambda function's ARN matches a valid function.
Choose Save changes.
Open the Lambda console, and then choose Functions.
In Function name, choose your Lambda function.
Choose the Configuration tab, and then choose Permissions.
In Resource-based policy statements, choose your policy, and the choose View policy.

Make sure that the resource-based policy allows Amazon S3 to invoke the Lambda function:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "ACCOUNT_ID"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::BUCKET_NAME"
        }
      }
    }
  ]
}

Note: Replace REGION, ACCOUNT_ID, FUNCTION_NAME, and BUCKET_NAME with your AWS Region, AWS account, function name, and bucket name. The AWS:SourceAccount is the account that owns the bucket and ArnLike is the bucket's ARN.

In the preceding resource-based policy, the Principal s3.amazonaws.com has permission to perform the lambda:InvokeFunction API action on the Resource ARN.

Important: Amazon S3 usually delivers event notifications in seconds but can sometimes take 1 minute or longer. For more information, see Amazon S3 Event Notifications.

Related information

How do I allow my Lambda function access to my Amazon S3 bucket?

Why do I get Access Denied errors when I use a Lambda function to upload files to an Amazon S3 bucket in another AWS account?

Topics

Storage

Relevant content

AWS Lambda & S3 Integration | Automatic trigger Amazon Lambda function on s3 event
rePost-User-9074506
asked 3 years ago
Create a Lambda Function Triggered by S3 Event, send the event as email using SNS
Accepted Answer
Deepthi J
asked 8 months ago
S3 Lambda Function slower than event trigger
Accepted Answer
sid1987
asked 6 years ago
Cloudwatch event rule for Lambda function
Himanshu
asked 2 years ago
lambda function event trigger when appflow writes object to S3
kkccoo
asked 6 months ago
How do I troubleshoot issues when my Amazon S3 Event Notifications don't invoke my Lambda function?
AWS OFFICIALUpdated 6 months ago
How do I use Systems Manager Automation to troubleshoot issues when my Amazon S3 event notification doesn't invoke a Lambda function?
AWS OFFICIALUpdated a year ago
How do I set up an Amazon S3 Event Notification to invoke a Lambda function that's in another AWS account?
AWS OFFICIALUpdated 10 months ago
How do I resolve the error "Configuration is ambiguously defined" when I tried to create an Amazon S3 event notification to trigger my Lambda function?
AWS OFFICIALUpdated 2 months ago
How do I create an Amazon MSK event source mapping to invoke a Lambda function using a NAT Gateway internet connection?
EXPERT
Hitesh
published 3 months ago