Amazon S3 triggering a Lambda function in another account

Front-end | Unresolved | 5 answers | 1950 views
梦如初夏 2020-12-05 20:36

I want to run a lambda in Account B when any object comes into Account A S3 bucket.

But I heard that we can access Lambda from the same account S3 only, for cross-ac

5 answers
  •  刺人心 (OP)
     2020-12-05 20:50

    Here is how you do this in clear steps:

    I defined "Customer Account" as the account that contains the S3 resource, and "Service Account" as the account that contains the Lambda function that will access the S3 resource.

    1. Create an assumed role on the Customer Account with full S3 access.
    2. Create a trust policy in the assumed role pointing at the Lambda ARN.
    3. Attach an IAM policy to the Lambda execution role on the Service Account, pointing at the Customer Account / assumed role (Reference: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/).

    4. Create an object notification event on the target S3 bucket on the Customer Account, to notify the Lambda ARN on the Service Account (Reference: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#putBucketNotificationConfiguration-property).
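The four steps in the answer above as one script, added here as an illustration; it is not code from the answer or from AWS. Account IDs, bucket and function names, role names and the boto3 profile names are all hypothetical, and the boto3 clients are injected so the policy documents and the review check can be exercised without an AWS account. Two things the steps do not spell out, which this example covers: S3 in the Customer Account can only invoke a function in the Service Account once that function's resource-based policy grants `s3.amazonaws.com` `lambda:InvokeFunction` (the `add_permission` call, which must happen before the bucket notification is saved, since S3 validates the destination at that point), and that grant should carry `SourceArn` and `SourceAccount` conditions, otherwise any bucket in any account that names the function ARN can trigger it (a confused-deputy problem). The role in the Customer Account is also scoped to read the one bucket rather than given full S3 access.

```python
"""Cross-account S3 -> Lambda trigger: the policy documents the setup needs,
a review check for the confused-deputy conditions, and the two API calls.
Hypothetical identifiers, not from the original post: Customer Account
111111111111 owns bucket customer-uploads; Service Account 222222222222
owns function process-upload and its execution role process-upload-role."""
import json
from typing import Any, Dict, List, Union

CUSTOMER_ACCOUNT = "111111111111"
SERVICE_ACCOUNT = "222222222222"
BUCKET_NAME = "customer-uploads"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET_NAME}"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{SERVICE_ACCOUNT}:function:process-upload"
EXEC_ROLE_NAME = "process-upload-role"

def lambda_invoke_permission(function_arn: str, bucket_arn: str, bucket_account: str) -> Dict[str, str]:
    """Arguments for lambda.add_permission, run in the Service Account. Without this
    resource-based grant S3 in the other account cannot invoke the function at all;
    SourceArn/SourceAccount pin it to one bucket in one account (confused deputy)."""
    return {
        "FunctionName": function_arn,
        "StatementId": "s3-cross-account-invoke",
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceArn": bucket_arn,
        "SourceAccount": bucket_account,
    }

def cross_account_role_trust_policy(service_account: str, exec_role_name: str) -> Dict[str, Any]:
    """Trust policy of the role created in the Customer Account: only the Lambda
    execution role in the Service Account may assume it, not the whole account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{service_account}:role/{exec_role_name}"},
        "Action": "sts:AssumeRole",
    }]}

def cross_account_role_permissions(bucket_arn: str) -> Dict[str, Any]:
    """Permissions policy of that role: read the one bucket instead of full S3 access."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{bucket_arn}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": bucket_arn},
    ]}

def bucket_notification_config(function_arn: str) -> Dict[str, Any]:
    """NotificationConfiguration for s3.put_bucket_notification_configuration."""
    return {"LambdaFunctionConfigurations": [{
        "Id": "notify-service-account-lambda",
        "LambdaFunctionArn": function_arn,
        "Events": ["s3:ObjectCreated:*"],
    }]}

def unscoped_s3_grants(policy: Union[str, Dict[str, Any]]) -> List[str]:
    """Review check over a function's resource policy (the JSON string returned by
    lambda.get_policy, or the parsed dict): Sids of Allow statements for
    s3.amazonaws.com (or *) that lack an AWS:SourceArn or AWS:SourceAccount condition."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        service = principal.get("Service") if isinstance(principal, dict) else principal
        if stmt.get("Effect") != "Allow" or service not in ("s3.amazonaws.com", "*"):
            continue
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not {"aws:sourcearn", "aws:sourceaccount"} <= keys:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample of a get_policy result for a function that was opened to S3
# without conditions: any bucket in any account that names this ARN can fire it.
SAMPLE_UNSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "any-bucket-anywhere", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
}]}

def apply_cross_account_trigger(lambda_client, s3_client, bucket_name: str) -> List[str]:
    """Wire it up; clients are injected so this runs without AWS in tests. Order
    matters: S3 checks that it may invoke the destination when the notification
    configuration is saved, so the Lambda grant has to exist first."""
    calls = []
    lambda_client.add_permission(**lambda_invoke_permission(FUNCTION_ARN, BUCKET_ARN, CUSTOMER_ACCOUNT))
    calls.append("add_permission")
    s3_client.put_bucket_notification_configuration(
        Bucket=bucket_name, NotificationConfiguration=bucket_notification_config(FUNCTION_ARN))
    calls.append("put_bucket_notification_configuration")
    return calls

if __name__ == "__main__":
    import boto3  # hypothetical named profiles, one per account
    service = boto3.Session(profile_name="service-account").client("lambda")
    customer = boto3.Session(profile_name="customer-account").client("s3")
    print(apply_cross_account_trigger(service, customer, BUCKET_NAME))
    print(unscoped_s3_grants(SAMPLE_UNSCOPED_POLICY))
```

The trust policy and permissions policy are applied in the Customer Account with the IAM console or `iam.create_role` / `iam.put_role_policy`; the Lambda client needs Service Account credentials and the S3 client needs Customer Account credentials, which is why two sessions are used. After deployment, `unscoped_s3_grants(lambda_client.get_policy(FunctionName=FUNCTION_ARN)["Policy"])` should return an empty list; any Sid it reports is a grant that other buckets can abuse.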
