I have the following scenario:
- An AWS account A1 with an S3 bucket B1
- Another AWS account A2 with another S3 bucket B2.
What I want is:
- A user uploads a file to S3 bucket B1
- A Lambda function automatically moves the file from S3 bucket B1 to S3 bucket B2
I have to do a similar thing and I am still researching but here's what I found out:
Source S3 Bucket (B1) and Lambda function invoked must be in the same AWS Region, although they can be in different AWS accounts.
Permissions must be explicitly granted cross-account for Lambda to be able to read from B1 and write to B2, as well as receive notifications from B1 (only if B1 is in a different AWS account than Lambda is, otherwise the permission is implicit).
Regarding permissions, you can find more at this link: http://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html
Steps should be:
I could achieve step #1 with the following AWS CLI command:
aws lambda add-permission \
--region __REGION__ \
--function-name lambda_name \
--statement-id 1 \
--principal s3.amazonaws.com \
--action lambda:InvokeFunction \
--source-arn arn:aws:s3:::__S3_B1_name__ \
--source-account __ID_of_account_A1__
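As an added example (not code from the question or the answer above), the pieces of the cross-account "move" that the answer describes, put side by side: the explicit bucket policy on B1 granting the Lambda execution role read and delete access, the matching identity policy on that role (cross-account S3 access needs both), and a Lambda handler that copies each object named in the S3 notification into B2 and then deletes it from B1. It assumes the Lambda function and B2 live in account A2 and B1 in account A1; the account IDs, bucket names and role ARN are placeholders, and InMemoryS3 is a constructed stand-in for the boto3 client so the handler can be run offline. The `add-permission` call from the answer is the remaining piece (S3 in A1 invoking the function), and is not repeated here.

```python
"""Cross-account S3 -> Lambda -> S3 move: bucket policy, role policy and handler.

Assumptions (not from the original post): Lambda and B2 are in account A2,
B1 is in account A1; every ID, bucket and role name below is a placeholder.
"""
import urllib.parse

# Placeholders: replace with the real values of your own accounts.
SOURCE_ACCOUNT = "111111111111"                                        # account A1, owner of B1
SOURCE_BUCKET = "example-bucket-b1"                                     # B1
DEST_BUCKET = "example-bucket-b2"                                       # B2, owned by A2
LAMBDA_ROLE_ARN = "arn:aws:iam::222222222222:role/example-move-role"   # execution role in A2


def source_bucket_policy(source_bucket, lambda_role_arn):
    """Bucket policy to attach to B1: the explicit cross-account grant that lets
    the Lambda execution role from A2 read (and, for a move, delete) objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowLambdaRoleFromA2",
            "Effect": "Allow",
            "Principal": {"AWS": lambda_role_arn},
            "Action": ["s3:GetObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{source_bucket}/*",
        }],
    }


def lambda_role_policy(source_bucket, dest_bucket):
    """IAM policy for the execution role itself. A cross-account read is allowed
    only when the bucket policy on B1 and this identity policy both permit it;
    the write to B2 is same-account, so this policy alone covers it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{source_bucket}/*"},
            {"Effect": "Allow",
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{dest_bucket}/*"},
        ],
    }


def records_to_copy(event, expected_source_bucket):
    """Yield (bucket, key) pairs from an S3 notification event.
    Keys arrive URL-encoded (spaces as '+'), so decode them before any API call.
    Records naming a bucket other than B1 are ignored as a defensive check."""
    pairs = []
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        if bucket != expected_source_bucket:
            continue
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        pairs.append((bucket, key))
    return pairs


def handler(event, context=None, s3=None):
    """Lambda entry point: copy each new object from B1 to B2, then delete it from B1."""
    if s3 is None:
        import boto3  # deferred so the module also loads where boto3 is absent
        s3 = boto3.client("s3")
    moved = []
    for bucket, key in records_to_copy(event, SOURCE_BUCKET):
        s3.copy_object(Bucket=DEST_BUCKET, Key=key,
                       CopySource={"Bucket": bucket, "Key": key})
        s3.delete_object(Bucket=bucket, Key=key)
        moved.append(key)
    return {"moved": moved}


class InMemoryS3:
    """Constructed stand-in for the boto3 S3 client, just enough to run the handler offline."""
    def __init__(self, objects):
        self.objects = dict(objects)  # {(bucket, key): body}

    def copy_object(self, Bucket, Key, CopySource):
        self.objects[(Bucket, Key)] = self.objects[(CopySource["Bucket"], CopySource["Key"])]
        return {}

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)
        return {}


def sample_event():
    """Constructed S3 put notification in the shape S3 sends to Lambda."""
    return {"Records": [{
        "eventSource": "aws:s3",
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": SOURCE_BUCKET},
               "object": {"key": "reports/q1+summary%202024.csv"}}}]}


if __name__ == "__main__":
    fake = InMemoryS3({(SOURCE_BUCKET, "reports/q1 summary 2024.csv"): b"a,b\n1,2\n"})
    print(handler(sample_event(), s3=fake))   # {'moved': ['reports/q1 summary 2024.csv']}
    print(sorted(fake.objects))               # only the B2 copy remains
```

Because the handler deletes from B1 after the copy, s3:DeleteObject has to appear in both the bucket policy and the role policy; drop it from both if a copy (rather than a move) is all that is wanted. The bucket check in records_to_copy keeps a misrouted or forged notification from making the function read from a bucket it was never meant to touch.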