Amazon S3 triggering a Lambda function in another account

Frontend | Unresolved | 5 answers | 1946 views
梦如初夏 2020-12-05 20:36

I want to run a Lambda in Account B when any object comes into Account A's S3 bucket.

But I heard that we can access Lambda from the same account S3 only, for cross-ac

5 answers
  •  长情又很酷
    2020-12-05 21:07

    @John's solution works, but there are certain steps I would like to add to his answer.

    • The S3 bucket and the Lambda need to be in the same region. For example, both should be created in us-east-1 region. Different regions would throw an error as below:

    The notification destination service region is not valid for the bucket location constraint

    Below are the steps I followed to create the trigger:

    Account-A.S3-bucket -> Account-B.Lambda-function
    
    1. From the terminal, switch to Account-B's AWS profile, where the Lambda will reside.
    2. Run the command below, changing the parameters for your case:

      aws lambda add-permission \
        --region {Account-B.Lambda region, e.g. us-east-1} \
        --function-name {Account-B.Lambda name} \
        --statement-id 1 \
        --principal s3.amazonaws.com \
        --action lambda:InvokeFunction \
        --source-arn arn:aws:s3:::{Account-A.S3 name} \
        --source-account {Account-A.account-id} \
        --profile {Account-B.profile-name}

    You might get a "statement-id exists" error; in this case, increment the statement-id and re-run the command.

    3. Go to Account-A's S3 bucket and, under the Properties tab, open Events.
    4. Select Add Notification.
    5. Add the following fields:

      Name: ObjectCreation
      Events: ObjectCreate (All)
      Send to: Lambda function
      Lambda: Add Lambda function ARN
      Lambda function ARN: your-lambda-arn

    Note: The Lambda function might still show an error, but new objects added to the S3 bucket trigger the Lambda, and the print(event) logs appear in CloudWatch Logs.
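As an added illustration (this is not code from the question or any of the answers, and the account ids, bucket name and function name are constructed placeholders), the policy statement that the add-permission command above writes to the function's resource policy, shown so the role of --source-account is visible, plus a check the Lambda in Account-B can apply to each incoming record before acting on the object key:

```python
import json

# Constructed placeholder identifiers (not real accounts, buckets or functions).
ACCOUNT_A_ID = "111111111111"   # owns the S3 bucket
ACCOUNT_B_ID = "222222222222"   # owns the Lambda function
REGION = "us-east-1"            # bucket and function must share a region
BUCKET_ARN = "arn:aws:s3:::account-a-example-bucket"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_B_ID}:function:account-b-ingest"

def resource_policy_statement(sid="1"):
    """Statement that `aws lambda add-permission` (as in the answer) writes
    to the function's resource policy. SourceArn alone names the bucket;
    SourceAccount additionally pins the bucket's owner, so a bucket with the
    same name recreated in another account cannot invoke the function."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {
            "ArnLike": {"AWS:SourceArn": BUCKET_ARN},
            "StringEquals": {"AWS:SourceAccount": ACCOUNT_A_ID},
        },
    }

def accepted_keys(event):
    """Defence in depth inside the function: keep only ObjectCreated records
    from the expected bucket and region, and return their object keys."""
    keys = []
    for rec in event.get("Records", []):
        s3 = rec.get("s3", {})
        if (rec.get("eventSource") == "aws:s3"
                and rec.get("awsRegion") == REGION
                and rec.get("eventName", "").startswith("ObjectCreated:")
                and s3.get("bucket", {}).get("arn") == BUCKET_ARN):
            keys.append(s3["object"]["key"])
    return keys

# Constructed sample event: one record from the expected bucket, one from another.
SAMPLE_EVENT = {"Records": [
    {"eventSource": "aws:s3", "awsRegion": REGION, "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"arn": BUCKET_ARN}, "object": {"key": "uploads/a.csv"}}},
    {"eventSource": "aws:s3", "awsRegion": REGION, "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"arn": "arn:aws:s3:::some-other-bucket"}, "object": {"key": "b.csv"}}},
]}
```

A handler would call `accepted_keys(event)` after the `print(event)` the answer mentions; `json.dumps(resource_policy_statement())` shows the statement as it appears in `aws lambda get-policy` output.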
