AWS Lambda triggered by PUT to s3 bucket in separate account

Backend · Unresolved · 2 answers · 1170 views
Asked by 孤城傲影, 2021-01-02 02:57

I am trying to trigger a Lambda function to run on an update to an S3 bucket. The S3 bucket that I am attempting to have trigger the Lambda is in a separate AWS account.

2 answers
  • 2021-01-02 03:10

    Let's assume that your bucket is in Account-A, and your Lambda in Account-B. You can actually do that in the following way:

    1. add permission to the lambda function to be invoked from the Account-A S3 bucket events:

      # run in Account-B, where the function lives
      aws lambda add-permission \
        --function-name MyFunction \
        --region <your-region> \
        --statement-id <whatever> \
        --action "lambda:InvokeFunction" \
        --principal s3.amazonaws.com \
        --source-arn <source-bucket-arn> \
        --source-account <Account-A-id>

    2. in the S3 event trigger, specify the ARN of your Lambda function

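The two halves of the setup in the answer above, written out as an added example (not part of the answer): the Lambda resource-based policy statement that `aws lambda add-permission` with `--source-arn` and `--source-account` produces in Account-B, the bucket notification configuration that Account-A applies, and a small audit function that flags any statement letting `s3.amazonaws.com` invoke the function without both conditions pinned. The account ids, bucket name and function name are constructed placeholders; everything runs offline with the standard library only.

```python
"""Cross-account S3 -> Lambda trigger, built and checked offline (no AWS calls)."""
import json

# Constructed sample identifiers (not real accounts or buckets).
ACCOUNT_A = "111111111111"  # owns the bucket
ACCOUNT_B = "222222222222"  # owns the Lambda function
BUCKET_ARN = "arn:aws:s3:::example-source-bucket"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT_B}:function:MyFunction"


def lambda_permission_statement(statement_id, function_arn, bucket_arn, source_account):
    """Policy statement equivalent to
    `aws lambda add-permission --principal s3.amazonaws.com
     --source-arn <bucket-arn> --source-account <account-id>`.
    Both conditions matter: the principal is the S3 service itself, so without
    them a bucket in any account could be configured to invoke this function."""
    return {
        "Sid": statement_id,
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": source_account},
            "ArnLike": {"AWS:SourceArn": bucket_arn},
        },
    }


def s3_notification_configuration(function_arn, events=("s3:ObjectCreated:Put",)):
    """Bucket notification configuration (applied in Account-A) that points at
    the Account-B function ARN, i.e. step 2 of the answer."""
    return {
        "LambdaFunctionConfigurations": [
            {
                "Id": "invoke-account-b-function",  # constructed id
                "LambdaFunctionArn": function_arn,
                "Events": list(events),
            }
        ]
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """All condition keys of a statement, lower-cased (IAM keys are case-insensitive)."""
    keys = set()
    for operator_values in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_values)
    return keys


def unscoped_s3_invoke_statements(policy):
    """Audit helper: Sids of Allow statements that let the S3 service invoke the
    function without pinning both AWS:SourceArn and AWS:SourceAccount."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services = _as_list(principal.get("Service", []))
        else:
            services = [principal]  # e.g. "*"
        if "s3.amazonaws.com" not in services and "*" not in services:
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions):
            continue
        if not {"aws:sourcearn", "aws:sourceaccount"} <= _condition_keys(stmt):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    good = lambda_permission_statement("AllowAccountABucket", FUNCTION_ARN, BUCKET_ARN, ACCOUNT_A)
    # Constructed weak statement: same grant with the conditions left off.
    weak = {k: v for k, v in good.items() if k != "Condition"}
    weak["Sid"] = "WeakS3Invoke"
    policy = {"Version": "2012-10-17", "Statement": [good, weak]}
    print(json.dumps(policy, indent=2))
    print(json.dumps(s3_notification_configuration(FUNCTION_ARN), indent=2))
    print("unscoped statements:", unscoped_s3_invoke_statements(policy))
```

Run it as a script to see the two JSON documents and the audit result; the audit function can also be pointed at the output of `aws lambda get-policy` (its `Policy` field is a JSON string) to check functions that were given S3 invoke permission without the two source conditions.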
  • 2021-01-02 03:14

    UPDATE: It appears that cross-account triggering of a Lambda function from S3 actually is possible. See: Using Resource-Based Policies for AWS Lambda (Lambda Function Policies)


    Old answer:

    Amazon S3 can trigger an AWS Lambda function when objects are added to, or deleted from, a bucket.

    However, this trigger must be set up on the bucket itself. You will need the owner of the bucket (or someone with sufficient permissions) to set the configuration to trigger Lambda.

    Also, the Lambda function being called must be in the same Account as the Amazon S3 bucket. You could create a Lambda function in one account that then calls a Lambda function in another account (given sufficient permissions), but it is not possible for a Bucket in Account A to directly trigger a Lambda function in Account B.
