Automating AWS Lambda to Run Python For S3 Encryption.

The process of automating a Lambda function to apply S3 bucket encryption by running a Python script.

Encryption is the process that scrambles readable text so it can only be read by the person who has the secret code, or decryption key. It helps provide data security for sensitive information. Every S3 bucket should have encryption applied to it, but what if you forget? In this project I will show you the process of applying encryption by triggering AWS Lambda with Python.

AWS Lambda is an event-driven, serverless computing platform provided by Amazon as a part of Amazon Web Services. It is a computing service that runs code in response to events and automatically manages the computing resources required by that code.



CloudTrail:

  • In order for all of this to work, we are going to enable CloudTrail.
  • CloudTrail allows us to log everything that happens with our API Gateway.
  1. Go to the Trails section and create a trail.
  2. Label it “cloudtrail”.
  3. Click apply to all regions to be able to track all API requests.
  4. Create a unique S3 bucket name. Make sure your S3 bucket name is unique.


CloudFormation:

  • Head over to CloudFormation in your AWS Console and click Create stack.
  • AWS CloudFormation is a service that gives developers and businesses an easy way to create a collection of related AWS and third-party resources, and provision and manage them in an orderly and predictable fashion.
  1. Upload your CloudFormation template file (click Choose file).

2. Copy and paste the CloudFormation template below labeled s3enforce.yml into the editor of your choice. Then save it to your desktop or any other folder so you can upload the file into CloudFormation.

Encryption File:

  • The template includes IAM roles, Lambda functions, and CloudWatch Events.
  • The S3 encryption code is placed inside the template, starting with import json.
  • We have added the handler for our Lambda function, which calls our function and gives it the name of the bucket that triggered the API request.
  • The handler allows you to pull out the bucket and encrypt it.
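
The handler logic described in the list above, as an added example rather than the post's own template code. The event shape follows EventBridge's "AWS API Call via CloudTrail" records; the AES256 rule, the function names, the optional s3 parameter and the sample bucket name are assumptions made for illustration.

```python
import json

# Default-encryption rule applied to each new bucket (SSE-S3 is an assumed choice).
SSE_CONFIG = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}


def bucket_from_event(event):
    """Return the bucket name from a successful CreateBucket event, else None."""
    detail = event.get("detail") or {}
    if (detail.get("eventSource"), detail.get("eventName")) != (
        "s3.amazonaws.com", "CreateBucket"
    ):
        return None
    if detail.get("errorCode"):  # the API call failed, so there is no bucket to encrypt
        return None
    return (detail.get("requestParameters") or {}).get("bucketName")


def lambda_handler(event, context, s3=None):
    """Apply default encryption to the bucket named in the triggering event."""
    bucket = bucket_from_event(event)
    if bucket is None:
        return {"action": "ignored"}
    if s3 is None:  # hypothetical hook so a stub client can be passed in tests
        import boto3  # provided by the Lambda Python runtime
        s3 = boto3.client("s3")
    resp = s3.put_bucket_encryption(
        Bucket=bucket, ServerSideEncryptionConfiguration=SSE_CONFIG
    )
    result = {
        "action": "encrypted",
        "bucket": bucket,
        "status": resp["ResponseMetadata"]["HTTPStatusCode"],
    }
    print(json.dumps(result))  # this line is what shows up in the CloudWatch log stream
    return result


# Constructed sample event, shaped like an EventBridge record for a CloudTrail API call.
SAMPLE_EVENT = {
    "source": "aws.s3",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "example-constructed-bucket"},
    },
}
```

The function's IAM role needs s3:PutEncryptionConfiguration on the new bucket. Replacing the rule with an aws:kms algorithm and a KMSMasterKeyID enforces a customer-managed key instead.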

CloudFormation: (Cont)

3. Create a unique stack name.

4. Click Next, then Next again, then scroll down and acknowledge that we are creating IAM resources.

5. Then click Create stack.

6. Wait until the stack has finished deploying.

7. Go to Resources and click on your Lambda function.

8. Now we can see EventBridge triggering our Lambda function.

9. If you scroll down you can see our encryption code.

S3 Bucket:

  1. Create a unique bucket name for your region.

2. Create bucket name.

3. Click on Monitoring and click View logs in CloudWatch.

4. Click on the log stream.

5. Click on our response request.

As you can see, we have our HTTP status code.


With this in place, any time we create an S3 bucket, encryption is automatically applied to it. Sweet! This will help with any compliance issues you may have, or simply with protecting the data inside your S3 bucket. This template is also useful for any other kinds of automated controls you may want.

