DEV Community: Anish Ummenthala The latest articles on DEV Community by Anish Ummenthala (@anish_ummenthala). https://dev.to/anish_ummenthala https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3305078%2F088dcdb2-22cd-4521-9cdc-202994aa5752.png DEV Community: Anish Ummenthala https://dev.to/anish_ummenthala en Building a Scalable Fan Out Architecture on AWS with SNS and SQS Anish Ummenthala Sun, 29 Jun 2025 09:57:52 +0000 https://dev.to/anish_ummenthala/building-a-scalable-fan-out-architecture-on-aws-with-sns-and-sqs-2cb5 https://dev.to/anish_ummenthala/building-a-scalable-fan-out-architecture-on-aws-with-sns-and-sqs-2cb5 <blockquote> <p>In distributed systems, decoupling your components is the first step to achieving scalability and resilience.</p> </blockquote> <p>If you have ever built a system where <strong><em>one thing needs to trigger a bunch of other things</em></strong>, you must have already stumbled upon the idea of fan-out architecture.</p> <p>In this post, I’ll explain what fan-out architecture is, why it’s powerful, and how we can build it using <strong><em>AWS SNS and SQS</em></strong>. I’ll also share a <strong><em>simple CDK project</em></strong> I made that implements this architecture (a notification system that sends email, SMS, and push notifications all in parallel).</p> <h2> TL;DR </h2> <p>Fan-out Architecture is a design pattern where a single message is sent to multiple downstream systems in parallel. Using AWS SNS + SQS, we can build a fully decoupled, scalable, and fault-tolerant system.</p> <p>In this blog:</p> <ul> <li>We break down what fan-out architecture is.</li> <li>Show how to implement it with AWS SNS (publisher)+ SQS (subscribers).</li> <li>Walk through a real example: a notification system that sends email, SMS, and push notifications all in parallel.</li> </ul> <h2> What Is Fan Out Architecture? </h2> <p>Fan-out architecture is just a fancy way of saying:</p> <blockquote> <p><strong><em>“Hey, everyone who cares about this message — go do your thing!”</em></strong></p> </blockquote> <p>We aren’t doing everything in one place. We take one big task, break it into smaller tasks, and run them at the same time (in parallel).</p> <p>In tech terms, it’s a messaging pattern where a single message is sent to multiple destinations at the same time. Each destination can process it in parallel and in total isolation from other destinations.</p> <p>This architecture is super useful when we want things to be <strong><em>fast, reliable, and decoupled</em></strong> (services that don't need to know about each other to get the job done).</p> <h2> Pub/Sub Model? </h2> <p>The easiest way to implement this pattern is with the good old <strong><em>Publish-Subscribe</em></strong> (aka Pub/Sub) model.</p> <ul> <li>We have a <strong><em>Topic</em></strong> (acts like a group chat).</li> <li>A <strong><em>Publisher</em></strong> sends a message to that topic.</li> <li>All the <strong><em>Subscribers</em></strong> get that message instantly and go do their work.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdd561q6jwqeuzj7wmtwf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdd561q6jwqeuzj7wmtwf.png" alt="Fan-out is basically “send this to everyone who cares”" width="800" height="487"></a></p> <p><strong>Why is this awesome?</strong></p> <ul> <li>The publisher doesn't need to know <strong><em>who is listening</em></strong>.</li> <li>The subscriber doesn't care <strong><em>who sent the message</em></strong>.</li> <li>Everyone does their job independently, and our system becomes <strong><em>more flexible, maintainable, and resilient</em></strong>.</li> </ul> <h2> Why Bother with Fan Out? </h2> <p>So, what do we actually get out of this architecture?</p> <ul> <li> <strong><em>Parallel Processing</em></strong> — Multiple tasks run at the same time (= faster).</li> <li> <strong><em>Failure Isolation</em></strong> — One service crashing won’t take the others down.</li> <li> <strong><em>Decoupling</em></strong> — Easier to maintain, test, and deploy our services.</li> </ul> <h2> My Example: Notification System with CDK </h2> <p>I built a simple notification system using AWS CDK (in TypeScript). Here’s what it includes:</p> <ul> <li>An SNS topic (<strong><em>NotificationTopic</em></strong>)</li> <li>Three SQS queues are subscribed to this topic (<strong><em>EmailQueue</em></strong>, <strong><em>PushQueue</em></strong>, <strong><em>SMSQueue</em></strong>)</li> <li>Three Lambda functions to handle each queue</li> <li>Infra to wire them all together</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwht75wm4b4tmujnyv0y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwht75wm4b4tmujnyv0y.png" alt="SNS fans out messages to multiple SQS queues, each triggering a separate Lambda" width="800" height="533"></a></p> <p>A real-world example would be when a user signs up for your platform, your backend sends a single message to the <strong><em>NotificationTopic</em></strong>.</p> <p>That message fans out to:</p> <ul> <li>EmailQueue → triggers Email Lambda → sends welcome email</li> <li>PushQueue → triggers Push Lambda → sends push notification to the device</li> <li>SMSQueue → triggers SMS Lambda → sends text message to user</li> </ul> <p>Each Lambda gets messages <strong><em>in batches</em></strong> from its queue and does its thing, completely unaware of the others.</p> <p>Time to get into the good stuff: <strong><em>the code</em></strong></p> <p><strong>1. Defining the SNS Topic</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">createNotificationTopic</span> <span class="o">=</span> <span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Topic</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">NotificationTopic</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FanoutNotificationTopic</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <p>This is the central piece of our fan-out system. Any message published here will be broadcast to all the subscribers.</p> <p><strong>2. Creating the SQS Queues</strong></p> <p>Here we have defined a reusable function that creates named SQS queues:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">createNotificationQueue</span> <span class="o">=</span> <span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Queue</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">Queue`</span><span class="p">,</span> <span class="p">{</span> <span class="na">queueName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">()}</span><span class="s2">-notification-queue`</span><span class="p">,</span> <span class="na">visibilityTimeout</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">30</span><span class="p">),</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <p>We use this function to spin up <strong><em>EmailQueue</em></strong>, <strong><em>PushQueue</em></strong>, and <strong><em>SMSQueue</em></strong> in our stack.</p> <p><strong>3. Creating Lambda Consumers</strong></p> <p>Here we have defined a function that creates Lambda consumers for each SQS queue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">createNotificationConsumer</span> <span class="o">=</span> <span class="p">(</span> <span class="nx">scope</span><span class="p">:</span> <span class="nx">Construct</span><span class="p">,</span> <span class="nx">handlerPath</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">queue</span><span class="p">:</span> <span class="nx">Queue</span><span class="p">,</span> <span class="nx">name</span><span class="p">:</span> <span class="kr">string</span> <span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">lambdaFn</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">NodejsFunction</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">name</span><span class="p">}</span><span class="s2">ConsumerFn`</span><span class="p">,</span> <span class="p">{</span> <span class="na">entry</span><span class="p">:</span> <span class="nx">handlerPath</span><span class="p">,</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">Runtime</span><span class="p">.</span><span class="nx">NODEJS_18_X</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">'</span><span class="s1">handler</span><span class="dl">'</span><span class="p">,</span> <span class="na">timeout</span><span class="p">:</span> <span class="nx">Duration</span><span class="p">.</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">10</span><span class="p">),</span> <span class="p">});</span> <span class="nx">queue</span><span class="p">.</span><span class="nf">grantConsumeMessages</span><span class="p">(</span><span class="nx">lambdaFn</span><span class="p">);</span> <span class="nx">lambdaFn</span><span class="p">.</span><span class="nf">addEventSource</span><span class="p">(</span><span class="k">new</span> <span class="nc">SqsEventSource</span><span class="p">(</span><span class="nx">queue</span><span class="p">,</span> <span class="p">{</span> <span class="na">batchSize</span><span class="p">:</span> <span class="mi">5</span> <span class="p">}));</span> <span class="k">return</span> <span class="nx">lambdaFn</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <p>Each Lambda uses a separate handler file (<strong><em>emailHandler.ts</em></strong>, <strong><em>pushHandler.ts</em></strong>, <strong><em>smsHandler.ts</em></strong>) and consumes messages in batches from its corresponding queue.</p> <p><strong>4. Hooking Everything Together</strong></p> <p>Now, in the main stack, we wire all the resources together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">topic</span> <span class="o">=</span> <span class="nf">createNotificationTopic</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">emailQueue</span> <span class="o">=</span> <span class="nf">createNotificationQueue</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Email</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pushQueue</span> <span class="o">=</span> <span class="nf">createNotificationQueue</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Push</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">smsQueue</span> <span class="o">=</span> <span class="nf">createNotificationQueue</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SMS</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Subscribe queues to the topic</span> <span class="nx">topic</span><span class="p">.</span><span class="nf">addSubscription</span><span class="p">(</span><span class="k">new</span> <span class="nc">SqsSubscription</span><span class="p">(</span><span class="nx">emailQueue</span><span class="p">));</span> <span class="nx">topic</span><span class="p">.</span><span class="nf">addSubscription</span><span class="p">(</span><span class="k">new</span> <span class="nc">SqsSubscription</span><span class="p">(</span><span class="nx">pushQueue</span><span class="p">));</span> <span class="nx">topic</span><span class="p">.</span><span class="nf">addSubscription</span><span class="p">(</span><span class="k">new</span> <span class="nc">SqsSubscription</span><span class="p">(</span><span class="nx">smsQueue</span><span class="p">));</span> <span class="c1">// Hook up Lambdas</span> <span class="nf">createNotificationConsumer</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./src/lambda/emailHandler.ts</span><span class="dl">'</span><span class="p">,</span> <span class="nx">emailQueue</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Email</span><span class="dl">'</span><span class="p">);</span> <span class="nf">createNotificationConsumer</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./src/lambda/pushHandler.ts</span><span class="dl">'</span><span class="p">,</span> <span class="nx">pushQueue</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Push</span><span class="dl">'</span><span class="p">);</span> <span class="nf">createNotificationConsumer</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./src/lambda/smsHandler.ts</span><span class="dl">'</span><span class="p">,</span> <span class="nx">smsQueue</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SMS</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>Now, publishing a message to the topic will send it to all three queues, and each queue will invoke its Lambda to handle the message.</p> <h2> Full Project on GitHub! </h2> <p>If you want to see the full code, clone it, tweak it, or just poke around, I’ve uploaded everything to GitHub:</p> <p><a href="https://github.com/anish-u/aws-fanout-notification-system" rel="noopener noreferrer">Github Repo</a></p> <p>The repo includes:</p> <ul> <li>Full CDK setup (SNS + SQS + Lambda)</li> <li>Queue + consumer definitions</li> <li>Sample handler code</li> <li>Clean folder structure</li> </ul> <p>Feel free to fork it, star it, or open issues if you run into anything or want to suggest improvements.</p> <h2> Wrapping Up </h2> <p>Fan-out architecture is a solid pattern for building event-driven, decoupled systems that scale. With <strong><em>AWS SNS and SQS</em></strong>, it’s super easy to implement, and with CDK, it’s even easier to define in code.</p> <p>This system is a great base for building things like:</p> <ul> <li>Notification systems</li> <li>Audit/event logs</li> <li>Data processing pipelines</li> <li>Multi-tenant service triggers</li> </ul> <p>One last thing, <strong><em>don’t forget to destroy</em></strong> your AWS resources when you’re done testing.</p> <blockquote> <p><strong><em>“Always clean up unless your hobby is funding Jeff Bezos’ next rocket launch.”</em></strong></p> </blockquote> <h2> References </h2> <ul> <li><a href="https://youtu.be/CEj0yyubNgQ?si=q3TtVtciJKdP0xJr" rel="noopener noreferrer">AWS: Building Fan-Out Serverless Architectures Using SNS, SQS, and Lambda</a></li> <li><a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sqs-as-subscriber.html" rel="noopener noreferrer">SQS as a subscriber to SNS</a></li> <li>A<a href="https://docs.aws.amazon.com/lambda/latest/dg/with-sqs.html" rel="noopener noreferrer">WS Lambda with SQS</a> </li> <li><a href="https://docs.aws.amazon.com/sns/latest/dg/sns-message-filtering.html" rel="noopener noreferrer">SNS message filtering</a></li> <li><a href="https://aws.amazon.com/blogs/compute/messaging-fanout-pattern-for-serverless-architectures-using-amazon-sns/" rel="noopener noreferrer">Fanout-pattern use case</a></li> </ul> aws sns sqs systemdesign Redacting Sensitive Data On-the-Fly with S3 Object Lambda Anish Ummenthala Sun, 29 Jun 2025 09:36:06 +0000 https://dev.to/anish_ummenthala/redacting-sensitive-data-on-the-fly-with-s3-object-lambda-hb9 https://dev.to/anish_ummenthala/redacting-sensitive-data-on-the-fly-with-s3-object-lambda-hb9 <blockquote> <p>“Mask what you must, without touching the source.”</p> </blockquote> <p>Most modern applications often store user data in <strong>Amazon S3</strong>, including potentially sensitive details like names, emails, or contact information. But what if you could automatically hide the private data only when it's accessed, without ever touching the original file?</p> <p>That's where <strong>Amazon S3 Object Lambda</strong> comes in.</p> <p>In this post, I'll show you how to build a simple <strong>PII</strong> (Personal Identifiable Information) masker using the <strong>AWS CDK</strong>, <strong>S3 Access Points</strong> &amp; <strong>Lambda Function</strong> that redacts email addresses from .txt files in real time.</p> <h2> Why On-the-Fly Transformation? </h2> <p>Traditionally, redacting sensitive information in S3 means:</p> <ul> <li>Modifying the original file to sanitize information</li> <li>Storing the sanitized copies</li> <li>Managing multiple versions of the same data</li> </ul> <p>But this approach can be clunky and error-prone sometimes.</p> <p>With <strong>S3 Object Lambda</strong>, you can intercept the S3 GET requests and transform data on the fly without duplicating the source files. It is a serverless middleware for S3 objects.</p> <h2> What is an S3 Access Point? </h2> <p>An <strong>S3 Access Point</strong> is like a custom entry point to your S3 bucket. Instead of relying on one big, complicated bucket policy, you can create several of these entry points, each with its own name and set of rules. This lets you control who gets in and what they can access more easily.</p> <p>For example, you might have:</p> <ul> <li>One access point for your internal team,</li> <li>Another one that allows the public only to read files,</li> <li>And a third one that's mainly for use only by a Lambda function.</li> </ul> <h2> What is an S3 Object Lambda? </h2> <p>An <strong>S3 Object Lambda</strong> lets you customize or transform data on the fly as retrieved from S3. It sits between the user/client and the original object, invoking a <strong>Lambda</strong> function to tweak the data (masking sensitive info, reformatting content, or filtering fields) before it's returned.</p> <p>It's an <strong>intelligent filter</strong> that processes the file just before it reaches the user. Some common ways it's used include:</p> <ul> <li> <strong>Removing sensitive information</strong> like credit card numbers, email addresses, or personal information.</li> <li> <strong>Creating content on the fly</strong>, such as resizing images or adding watermarks right before download.</li> <li> <strong>Changing file formats</strong> as needed, for example, converting a CSV file into JSON without storing both versions.</li> </ul> <h2> Hands-On: On-the-Fly PII Redactor </h2> <p>Let's get our hands dirty and build something real: a <strong>PII redactor</strong> that automatically masks email addresses from text files stored in S3 without changing the original files.</p> <p>You can follow along or clone the complete working code from my GitHub repo: <br> <a href="https://github.com/anish-u/pii-redaction-with-object-lambda" rel="noopener noreferrer">PII Redaction with Object Lambda</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwdfkqfy78a1vih2n33gy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwdfkqfy78a1vih2n33gy.png" alt="Architecture diagram showing the flow of data redaction using AWS services&lt;br&gt; " width="800" height="313"></a></p> <p>We'll use AWS CDK to provision the entire setup:</p> <ul> <li>S3 bucket to store raw sensitive data</li> <li>Standard S3 Access Point</li> <li>Lambda function that performs redaction</li> <li>Object Lambda Access Point that triggers the Lambda on reads</li> </ul> <p><strong>1. Creating the Raw Data Bucket</strong></p> <p>We create an S3 bucket configured with <strong><em>autoDeleteObjects: true</em></strong> and <strong><em>removalPolicy: DESTROY</em></strong>, meaning the bucket and its contents will be automatically removed when the stack is destroyed, ideal for dev or test environments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Bucket</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">RawDataBucket</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">bucketName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">raw-bucket-with-sensitive-data</span><span class="dl">"</span><span class="p">,</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">DESTROY</span><span class="p">,</span> <span class="na">autoDeleteObjects</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p><strong>2.Creating a Standard S3 Access Point</strong></p> <p>We create an access point that provides a secure and controlled interface for Lambda to read files from the raw data bucket. The ARN created here will be used later to indirectly connect the Object Lambda Access Point to the bucket.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">accessPoint</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CfnS3AccessPoint</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">S3AccessPoint</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">bucket</span><span class="p">:</span> <span class="dl">"</span><span class="s2">raw-bucket-with-sensitive-data</span><span class="dl">"</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">bucket-access-point</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">s3AccessPointArn</span> <span class="o">=</span> <span class="s2">`arn:aws:s3:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">region</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">account</span><span class="p">}</span><span class="s2">:accesspoint/bucket-access-point`</span><span class="p">;</span> </code></pre> </div> <p><strong>3. Creating the Lambda Function</strong></p> <p>We create a function invoked by Object Lambda to mask/redact data. The lambda code will be written in <strong><em>Python</em></strong> and handler is <strong><em>index.lambda_handler</em></strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">lambdaFn</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Function</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">PiiMaskerLambda</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">runtime</span><span class="p">:</span> <span class="nx">Runtime</span><span class="p">.</span><span class="nx">PYTHON_3_9</span><span class="p">,</span> <span class="na">functionName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">maskerLambdaFunction</span><span class="dl">"</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="nx">Code</span><span class="p">.</span><span class="nf">fromAsset</span><span class="p">(</span><span class="dl">"</span><span class="s2">lambda</span><span class="dl">"</span><span class="p">),</span> <span class="na">handler</span><span class="p">:</span> <span class="dl">"</span><span class="s2">index.lambda_handler</span><span class="dl">"</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="p">{</span> <span class="na">RAW_BUCKET_NAME</span><span class="p">:</span> <span class="dl">"</span><span class="s2">raw-bucket-with-sensitive-data</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="na">logRetention</span><span class="p">:</span> <span class="nx">RetentionDays</span><span class="p">.</span><span class="nx">ONE_WEEK</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p><strong>4. Granting Access Permissions</strong></p> <p>Lambda permission to:</p> <ul> <li>Grant <strong><em>s3:GetObject</em></strong> access only via the Access Point, not the entire bucket</li> <li>Ensures Lambda can retrieve data without exposing raw bucket permissions </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">lambdaFn</span><span class="p">.</span><span class="nf">addToRolePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">s3:GetObject</span><span class="dl">"</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="s2">`</span><span class="p">${</span><span class="nx">s3AccessPointArn</span><span class="p">}</span><span class="s2">/object/*`</span><span class="p">],</span> <span class="p">})</span> <span class="p">);</span> <span class="nx">bucket</span><span class="p">.</span><span class="nf">grantRead</span><span class="p">(</span><span class="nx">lambdaFn</span><span class="p">);</span> </code></pre> </div> <p><strong>5. Creating the Object Lambda Access Point</strong></p> <p>We then configure an Object Lambda Access Point, which invokes the Lambda during object retrieval, transforming the output. This is the <strong>gateway</strong> that clients will call instead of the bucket. It's linked to:</p> <ul> <li>The regular S3 Access Point</li> <li>The Lambda function (for transformation) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">objectLambdaAccessPoint</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">CfnS3ObjectLambdaAccessPoint</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">"</span><span class="s2">S3ObjectLambdaAccessPoint</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">object-lambda-access-point</span><span class="dl">"</span><span class="p">,</span> <span class="na">objectLambdaConfiguration</span><span class="p">:</span> <span class="p">{</span> <span class="na">supportingAccessPoint</span><span class="p">:</span> <span class="nx">s3AccessPointArn</span><span class="p">,</span> <span class="na">transformationConfigurations</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">GetObject</span><span class="dl">"</span><span class="p">],</span> <span class="na">contentTransformation</span><span class="p">:</span> <span class="p">{</span> <span class="na">AwsLambda</span><span class="p">:</span> <span class="p">{</span> <span class="na">FunctionArn</span><span class="p">:</span> <span class="nx">lambdaFn</span><span class="p">.</span><span class="nx">functionArn</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p><strong>6. Allowing Object Lambda to Use Lambda</strong></p> <p>We explicitly allow the S3 Object Lambda service to:</p> <ul> <li>Invoke our redaction Lambda</li> <li>Write transformed responses using <strong><em>s3-object-lambda:WriteGetObjectResponse</em></strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="cm">/** * Allow the S3 Object Lambda service to invoke the Lambda function */</span> <span class="nx">lambdaFn</span><span class="p">.</span><span class="nf">addPermission</span><span class="p">(</span><span class="dl">"</span><span class="s2">AllowObjectLambdaInvoke</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">principal</span><span class="p">:</span> <span class="k">new</span> <span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">"</span><span class="s2">s3-object-lambda.amazonaws.com</span><span class="dl">"</span><span class="p">),</span> <span class="na">sourceArn</span><span class="p">:</span> <span class="nx">objectLambdaAccessPointArn</span><span class="p">,</span> <span class="p">});</span> <span class="cm">/** * Allow Lambda to return a transformed version of the object */</span> <span class="nx">lambdaFn</span><span class="p">.</span><span class="nf">addToRolePolicy</span><span class="p">(</span> <span class="k">new</span> <span class="nc">PolicyStatement</span><span class="p">({</span> <span class="na">actions</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">s3-object-lambda:WriteGetObjectResponse</span><span class="dl">"</span><span class="p">],</span> <span class="na">resources</span><span class="p">:</span> <span class="p">[</span><span class="nx">objectLambdaAccessPointArn</span><span class="p">],</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p><strong>7. Lambda Handler (Python)</strong></p> <p>Below is the Python code to redact the sensitive email addresses from the text files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">os</span> <span class="k">import</span> <span class="nx">re</span> <span class="k">import</span> <span class="nx">boto3</span> <span class="k">from</span> <span class="nx">urllib</span><span class="p">.</span><span class="nx">parse</span> <span class="k">import</span> <span class="nx">urlparse</span> <span class="nx">s3</span> <span class="o">=</span> <span class="nx">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="dl">"</span><span class="s2">s3</span><span class="dl">"</span><span class="p">)</span> <span class="err">#</span> <span class="nx">Regex</span> <span class="nx">to</span> <span class="nx">match</span> <span class="nx">emails</span> <span class="nx">EMAIL_PATTERN</span> <span class="o">=</span> <span class="nx">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="nx">r</span><span class="dl">"</span><span class="s2">[a-zA-Z0-9.+_-]+@[a-zA-Z0-9._-]+</span><span class="se">\</span><span class="s2">.[a-zA-Z]+</span><span class="dl">"</span><span class="p">)</span> <span class="nx">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="nx">event</span><span class="p">,</span> <span class="nx">context</span><span class="p">):</span> <span class="err">#</span> <span class="nx">Determine</span> <span class="nx">the</span> <span class="nx">requested</span> <span class="nx">key</span> <span class="nx">requested_url</span> <span class="o">=</span> <span class="nx">event</span><span class="p">[</span><span class="dl">"</span><span class="s2">userRequest</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">url</span><span class="dl">"</span><span class="p">]</span> <span class="nx">key</span> <span class="o">=</span> <span class="nf">urlparse</span><span class="p">(</span><span class="nx">requested_url</span><span class="p">).</span><span class="nx">path</span><span class="p">.</span><span class="nf">lstrip</span><span class="p">(</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">)</span> <span class="err">#</span> <span class="nx">Fetch</span> <span class="nx">the</span> <span class="nx">raw</span> <span class="nx">object</span> <span class="nx">bucket</span> <span class="o">=</span> <span class="nx">os</span><span class="p">.</span><span class="nx">environ</span><span class="p">[</span><span class="dl">"</span><span class="s2">RAW_BUCKET_NAME</span><span class="dl">"</span><span class="p">]</span> <span class="nx">resp</span> <span class="o">=</span> <span class="nx">s3</span><span class="p">.</span><span class="nf">get_object</span><span class="p">(</span><span class="nx">Bucket</span><span class="o">=</span><span class="nx">bucket</span><span class="p">,</span> <span class="nx">Key</span><span class="o">=</span><span class="nx">key</span><span class="p">)</span> <span class="nx">body</span> <span class="o">=</span> <span class="nx">resp</span><span class="p">[</span><span class="dl">"</span><span class="s2">Body</span><span class="dl">"</span><span class="p">].</span><span class="nf">read</span><span class="p">()</span> <span class="err">#</span> <span class="nx">Only</span> <span class="nx">redact</span> <span class="nx">emails</span> <span class="k">in</span> <span class="p">.</span><span class="nx">txt</span> <span class="nx">files</span> <span class="k">if</span> <span class="nx">key</span><span class="p">.</span><span class="nf">lower</span><span class="p">().</span><span class="nf">endswith</span><span class="p">(</span><span class="dl">"</span><span class="s2">.txt</span><span class="dl">"</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="nx">text</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">)</span> <span class="nx">redacted</span> <span class="o">=</span> <span class="nx">EMAIL_PATTERN</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="dl">"</span><span class="s2">[REDACTED_EMAIL]</span><span class="dl">"</span><span class="p">,</span> <span class="nx">text</span><span class="p">)</span> <span class="nx">output</span> <span class="o">=</span> <span class="nx">redacted</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="nx">f</span><span class="dl">"</span><span class="s2">Redacted emails in {key}</span><span class="dl">"</span><span class="p">)</span> <span class="nx">except</span> <span class="nx">Exception</span><span class="p">:</span> <span class="nx">output</span> <span class="o">=</span> <span class="nx">body</span> <span class="k">else</span><span class="p">:</span> <span class="nx">output</span> <span class="o">=</span> <span class="nx">body</span> <span class="err">#</span> <span class="nx">Return</span> <span class="nx">to</span> <span class="nx">the</span> <span class="nx">caller</span> <span class="nx">s3</span><span class="p">.</span><span class="nf">write_get_object_response</span><span class="p">(</span> <span class="nx">Body</span><span class="o">=</span><span class="nx">output</span><span class="p">,</span> <span class="nx">RequestRoute</span><span class="o">=</span><span class="nx">event</span><span class="p">[</span><span class="dl">"</span><span class="s2">getObjectContext</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">outputRoute</span><span class="dl">"</span><span class="p">],</span> <span class="nx">RequestToken</span><span class="o">=</span><span class="nx">event</span><span class="p">[</span><span class="dl">"</span><span class="s2">getObjectContext</span><span class="dl">"</span><span class="p">][</span><span class="dl">"</span><span class="s2">outputToken</span><span class="dl">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="dl">"</span><span class="s2">status_code</span><span class="dl">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">}</span> </code></pre> </div> <p><strong>Testing via AWS CLI</strong></p> <ul> <li>Upload a .txt file containing emails to your S3 bucket. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws s3 <span class="nb">cp </span>s3://raw-bucket-with-sensitive-data/test.txt &lt;path_to_local_txt_file&gt; </code></pre> </div> <ul> <li>Get Object via Object Lambda Access Point </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws s3api get-object <span class="se">\</span> <span class="nt">--bucket</span> arn:aws:s3-object-lambda:&lt;region&gt;:&lt;account&gt;:accesspoint/object-lambda-access-point <span class="se">\</span> <span class="nt">--key</span> test.txt redacted-output.txt </code></pre> </div> <ul> <li>Replace <em></em> and <em></em> with your AWS values.</li> </ul> <p><strong>Output</strong>: The emails will be replaced with <strong>[REDACTED_EMAIL]</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxm980kdlejkenwtwqdyw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxm980kdlejkenwtwqdyw.png" alt="Side-by-side comparison of a text file before and after email redaction" width="800" height="430"></a></p> <h2> Don't Forget to Clean Up! 🚨 </h2> <p>Once you've finished testing the redaction flow, delete the resources you provisioned to avoid incurring charges. You can destroy everything with a single command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cdk destroy </code></pre> </div> <p>This removes:</p> <ul> <li>The S3 bucket and objects (if autoDeleteObjects: true)</li> <li>Lambda function and associated roles</li> <li>S3 Access Point</li> <li>S3 Object Lambda Access Point</li> <li>IAM policies</li> </ul> <blockquote> <p>⚠️ Note: Since we are using CDK and logRetention, the log events inside CloudWatch log groups will expire automatically after the retention period (7 days). However, the log groups themselves are not deleted by default. To clean them up completely, you can use AWS CLI / AWS Console to delete all log groups with a specific project tag.</p> </blockquote> <h2> References </h2> <ul> <li>Full source code available on GitHub: <a href="https://github.com/anish-u/pii-redaction-with-object-lambda" rel="noopener noreferrer">Link</a> </li> <li><a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/transforming-objects.html" rel="noopener noreferrer">Transforming objects with S3 Object Lambda</a></li> <li><a href="https://medium.com/@nirmalmaheshs/transforming-data-on-the-fly-with-s3-object-lambda-access-points-5551117501c0" rel="noopener noreferrer">Transforming Data on the Fly with S3 Object Lambda Access Points</a></li> <li><a href="https://platform.qa.com/lab/transforming-objects-with-s3-object-lambda/" rel="noopener noreferrer">Transforming Your Data with Amazon S3 Object Lambda</a></li> <li><a href="https://aws.plainenglish.io/151-what-is-s3-object-lambda-access-point-aa341c841a7e" rel="noopener noreferrer">151)What is S3 object lambda access point?</a></li> <li><a href="https://www.bitslovers.com/object-lambda-access-point/" rel="noopener noreferrer">Object Lambda Access Point – Why you should use it</a></li> </ul> aws lambda s3 security