# executionrole.json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:GetObjectAcl",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::secretcatpics/*"
}, {
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}]
}
# Boto3 AWS SDK for python
from __future__ import print_function
import json
import urllib.parse

import boto3
# Bucket whose objects this function keeps private; lambda_handler ignores
# events for any other bucket.
# NOTE(review): the execution-role policy above grants s3:GetObjectAcl /
# s3:PutObjectAcl only on arn:aws:s3:::secretcatpics/*, which is not this
# bucket name — confirm the deployed role covers the bucket actually watched.
bucket_of_interest = "asim-bucket"

print('Loading function')

# One client per container lifetime, reused across invocations; it presumably
# authenticates with the Lambda execution role.
s3 = boto3.client('s3')
# For a PutObjectAcl API Event, gets the bucket and key name from the event
# If the object is not private, then it makes the object private by making a
# PutObjectAcl call.
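def lambda_handler(event, context):
    """Entry point for the S3 object-ACL notification.

    Reads the bucket and key of the first record in ``event``; when the
    bucket is ``bucket_of_interest`` and the object's ACL is not private,
    resets it to the canned ``private`` ACL through ``make_private``.

    Args:
        event: S3 event notification payload; the record is read from
            ``event['Records'][0]['s3']``.
        context: Lambda context object (unused).

    Returns:
        None. Progress is reported with ``print`` (CloudWatch Logs).
    """
    records = event.get('Records') or []
    if not records:
        # Nothing to act on, e.g. a manual test invocation with an empty payload.
        print("No S3 records in event; doing nothing")
        return
    s3_record = records[0]['s3']

    bucket = s3_record['bucket']['name']
    if bucket != bucket_of_interest:
        print("Doing nothing for bucket = " + bucket)
        return

    # S3 URL-encodes the object key in event notifications (a space arrives
    # as '+', non-ASCII as %XX). Decoding is required or GetObjectAcl is
    # issued against a key that does not exist.
    key = urllib.parse.unquote_plus(s3_record['object']['key'])

    # If this function is triggered by PutObjectAcl events (as the header
    # comment states), the call made by make_private raises a second event;
    # on that invocation the object is already private and this branch
    # ends the cycle.
    if is_private(bucket, key):
        print("Object with key=" + key + " in bucket=" + bucket + " is already private.")
    else:
        print("Object with key=" + key + " in bucket=" + bucket + " is not private!")
        make_private(bucket, key)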
# Checks an object with given bucket and key is private
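def is_private(bucket, key):
    """Return True when the object's ACL matches the canned ``private`` shape.

    "Private" here means at most one grant, and that grant's grantee is the
    object's canonical owner.

    Args:
        bucket: Bucket name.
        key: Object key (already URL-decoded).

    Returns:
        True if no grant targets anyone other than the owner, else False.
    """
    acl = s3.get_object_acl(Bucket=bucket, Key=key)
    grants = acl.get('Grants') or []

    # No grants at all: nothing is granted to any third party, so there is
    # nothing to revoke (the original indexed Grants[0] and would raise here).
    if not grants:
        return True

    # More than one grant does not match the canned private ACL; treat it as
    # not private and let make_private collapse it.
    if len(grants) > 1:
        return False

    # A Group grantee (AllUsers / AuthenticatedUsers) carries a URI and no
    # 'ID'. Using .get() keeps a public single-grant object from raising
    # KeyError and thereby escaping remediation.
    owner_id = acl['Owner']['ID']
    grantee_id = grants[0]['Grantee'].get('ID')
    return grantee_id == owner_id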
# Makes an object with given bucket and key private by calling the PutObjectAcl API.
def make_private(bucket, key):
    """Reset the object's ACL to the canned ``private`` ACL and log the result.

    Args:
        bucket: Bucket name.
        key: Object key.
    """
    s3.put_object_acl(Bucket=bucket, Key=key, ACL="private")
    print("Object with key={} in bucket={} is marked as private.".format(key, bucket))