Developing a serverless file-encryption app using AWS Lambda, S3, and AWS CLI

Richards Okiemute
10 min read · Sep 6, 2024


AWS Lambda File Encryption App

Data security is a global issue, and one that concerns most organizations around the world. Most organizations conduct their business using different digital media to convey important information and business plans. Many rely on documents in the Portable Document Format (PDF) to store important information such as business proposals, business plans, Business Process Models (BPM), systems architectures, organizational flowcharts, and other intellectual property (IP), so there is a critical need to keep this information from getting into the wrong hands, including the hands of competitors.

Data encryption is one of the methods used to protect data from unauthorized access and data breaches. PDF files can be secured in various ways, for example by transforming an unprotected PDF document into a password-protected one with an automated system. When working in a large organization with a cloud environment, it is vital to have automated data encryption systems that protect organizational data without human intervention. For instance, when a PDF file is uploaded to a specific storage location marked as confidential, that file should be encrypted automatically to prevent unauthorized access to the information in the confidential storage.

In this project, we built a serverless PDF encryption solution using AWS Lambda and Amazon S3. The goal was to create an automated process that encrypts PDF files as soon as they are uploaded, ensuring that sensitive information is protected without any manual intervention.

This project showcases the simplicity and power of AWS serverless architecture. By combining AWS Lambda’s event-driven capabilities with S3’s reliable storage, we developed an efficient, hands-off approach to securing documents. Whether you’re managing client contracts, financial records, or any confidential information, this solution seamlessly integrates encryption into your cloud workflow, enhancing security without adding complexity.

Prerequisites:

You should be familiar with:

  • AWS CLI — The AWS CLI should be installed on your local computer
  • Amazon S3
  • AWS Lambda
  • Visual Studio Code or any other IDE of your choice.

Resources needed for this project:

You can get the required files from my GitHub repository here

We are going to implement a few tasks to accomplish the final objective of this project. The tasks to complete are listed below:

  • Developing and deploying the application
  • Configure an Amazon S3 trigger to invoke the function
  • Test the application

Developing and deploying the application:

First, you will create both the source and destination S3 buckets from the AWS CLI, using s3api calls for bucket creation.

The buckets are going to be named as follows:

Source S3 bucket: pdf-source-bucket77

Destination S3 bucket: pdf-source-bucket77-encrypted

Creating the source S3 bucket using AWS CLI:

aws s3api create-bucket --bucket pdf-source-bucket77 --region us-west-2 \
--create-bucket-configuration LocationConstraint=us-west-2

Creating the source S3 bucket

Creating the destination S3 bucket using AWS CLI:

aws s3api create-bucket --bucket pdf-source-bucket77-encrypted --region us-west-2 \
--create-bucket-configuration LocationConstraint=us-west-2

Creating the destination S3 bucket

Note: Your destination bucket must use the format sourcebucket-encrypted, where sourcebucket is the name of the source bucket you created.

Now, navigate to the AWS S3 console to confirm that both the source and destination buckets were created.

Source and destination S3 buckets

Create an execution role (AWS CLI)

An execution role is an IAM role that grants a Lambda function permission to access AWS services and resources. When you create a function using the Lambda console, Lambda automatically creates an execution role. You only need to create a role manually if you choose to deploy the app using the AWS CLI. To give your function read and write access to Amazon S3, you attach the AWS managed policy AmazonS3FullAccess.

First, create a trust-policy.json file containing the following IAM policy. This trust policy allows Lambda to use the role’s permissions by giving the service principal lambda.amazonaws.com permission to call the AWS Security Token Service (AWS STS) AssumeRole action.

trust-policy.json

From the directory you saved the JSON trust policy document in, run the following CLI command to create the execution role.

aws iam create-role --role-name LambdaS3Role --assume-role-policy-document file://trust-policy.json

LambdaS3Role created

Navigate to IAM in the AWS console to check for the LambdaS3Role.

LambdaS3Role as seen on the AWS Console

To attach the AmazonS3FullAccess managed policy, run the following CLI command.

aws iam attach-role-policy --role-name LambdaS3Role --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

Attaching the AmazonS3FullAccess policy to LambdaS3Role

Confirm on the AWS console that the AmazonS3FullAccess policy has been added to LambdaS3Role.

AmazonS3FullAccess policy attached to LambdaS3Role
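The trust policy described above (the service principal lambda.amazonaws.com allowed to call sts:AssumeRole) is not reproduced in the text, and AmazonS3FullAccess grants far more than the function needs (every S3 action on every bucket in the account). The following script is an added example, not code from the author's GitHub repository: it writes trust-policy.json exactly as the text describes, and also writes a least-privilege inline policy scoped to the two buckets of this walkthrough that you can attach instead of the managed policy. The file name s3-scoped-policy.json and the policy name S3ScopedAccess in the usage note are assumptions.

```python
"""Generate the IAM policy documents used by the CLI commands in this walkthrough.

Added example (not the author's repository code). It writes trust-policy.json
as described in the text, plus a least-privilege permissions policy that can be
attached with `aws iam put-role-policy` instead of AmazonS3FullAccess. The
bucket names are the ones from the walkthrough; the output file names are
assumptions.
"""
import json
from pathlib import Path

SOURCE_BUCKET = "pdf-source-bucket77"


def trust_policy() -> dict:
    """Trust policy that lets the Lambda service assume the execution role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "lambda.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def scoped_s3_policy(source_bucket: str) -> dict:
    """Least-privilege alternative to AmazonS3FullAccess.

    The function only needs to read objects from the source bucket, write
    objects to <source>-encrypted (the walkthrough's naming rule), and write
    its CloudWatch logs. No delete, list or bucket-level permissions.
    """
    dest_bucket = f"{source_bucket}-encrypted"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadSourceObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{source_bucket}/*",
            },
            {
                "Sid": "WriteEncryptedObjects",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{dest_bucket}/*",
            },
            {
                "Sid": "WriteLogs",
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                ],
                "Resource": "arn:aws:logs:*:*:*",
            },
        ],
    }


def write_policy_files(out_dir: str, source_bucket: str = SOURCE_BUCKET) -> list:
    """Write trust-policy.json and s3-scoped-policy.json; return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    files = {
        "trust-policy.json": trust_policy(),
        "s3-scoped-policy.json": scoped_s3_policy(source_bucket),
    }
    written = []
    for name, doc in files.items():
        path = out / name
        path.write_text(json.dumps(doc, indent=2) + "\n")
        written.append(str(path))
    return written


if __name__ == "__main__":
    for p in write_policy_files("."):
        print("wrote", p)
```

Run it in the directory where you run the IAM commands; `aws iam create-role ... --assume-role-policy-document file://trust-policy.json` then picks up the generated trust policy. To use the scoped policy in place of the managed one, run `aws iam put-role-policy --role-name LambdaS3Role --policy-name S3ScopedAccess --policy-document file://s3-scoped-policy.json` and skip the attach-role-policy step. The function then cannot read or delete anything outside the two buckets, which limits the blast radius if the function code or its dependencies are ever compromised.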

Next, we will proceed to create a deployment package for our AWS Lambda function.

Create the function deployment package:

To create your function, you build a deployment package containing your function code and its dependencies. For this application, the function code uses a separate library for PDF encryption.
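The lambda_function.py from the author's repository is not reproduced on this page. The handler below is an added example written for this walkthrough, not the author's code: it implements the behaviour the rest of the article demonstrates (read the uploaded object, password-protect it with the PDF_ENCRYPTION_PASSWORD environment variable, write it to the `<sourcebucket>-encrypted` bucket under the name `<name>_encrypted.pdf`). It assumes the handler name lambda_function.lambda_handler used in the create-function command below and the pypdf library (installed via requirements.txt; the exact library in the original requirements.txt is not shown on the page). It also skips non-PDF keys and keys that already carry the encrypted suffix, so a mis-pointed trigger cannot cause an encrypt-upload loop.

```python
"""lambda_function.py: encrypt uploaded PDFs with a password and copy them to
<source-bucket>-encrypted.

Added example written for this walkthrough; it is not the code from the
author's GitHub repository. It assumes the handler name
lambda_function.lambda_handler, the PDF_ENCRYPTION_PASSWORD environment
variable, and the `pypdf` library for the encryption step (pip install
"pypdf[crypto]" so AES-256 is available).
"""
import os
from io import BytesIO
from urllib.parse import unquote_plus

ENCRYPTED_SUFFIX = "_encrypted.pdf"


def destination_bucket(source_bucket: str) -> str:
    """The walkthrough's naming rule: <sourcebucket>-encrypted."""
    return f"{source_bucket}-encrypted"


def encrypted_key(source_key: str) -> str:
    """report.pdf -> report_encrypted.pdf; keeps any folder prefix."""
    stem, _ext = os.path.splitext(source_key)
    return stem + ENCRYPTED_SUFFIX


def pdf_objects(event: dict) -> list:
    """Extract (bucket, key) pairs for .pdf objects from an S3 event.

    Keys in S3 events are URL-encoded (spaces arrive as '+'), so they are
    decoded before use. Non-PDF keys are ignored, and keys that already end
    with the encrypted suffix are skipped so that a trigger mistakenly
    attached to the destination bucket cannot start an infinite loop.
    """
    found = []
    for record in event.get("Records", []):
        s3 = record.get("s3", {})
        bucket = s3.get("bucket", {}).get("name")
        key = unquote_plus(s3.get("object", {}).get("key", ""))
        if not bucket or not key:
            continue
        if not key.lower().endswith(".pdf") or key.endswith(ENCRYPTED_SUFFIX):
            continue
        found.append((bucket, key))
    return found


def encrypt_pdf_bytes(data: bytes, password: str) -> bytes:
    """Return the PDF in `data` password-protected with AES-256 via pypdf."""
    from pypdf import PdfReader, PdfWriter  # imported lazily: runtime-only dependency

    reader = PdfReader(BytesIO(data))
    writer = PdfWriter()
    writer.append(reader)
    # AES-256 rather than pypdf's RC4 default; needs the cryptography package.
    writer.encrypt(user_password=password, algorithm="AES-256")
    out = BytesIO()
    writer.write(out)
    return out.getvalue()


def lambda_handler(event, context):
    """Entry point invoked by the S3 ObjectCreated trigger."""
    password = os.environ.get("PDF_ENCRYPTION_PASSWORD")
    if not password:
        # Fail loudly instead of silently writing an unprotected copy.
        raise RuntimeError("PDF_ENCRYPTION_PASSWORD environment variable is not set")

    import boto3  # lazy so the helpers above can be unit-tested without boto3

    s3 = boto3.client("s3")
    written = []
    for bucket, key in pdf_objects(event):
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        out_key = encrypted_key(key)
        s3.put_object(
            Bucket=destination_bucket(bucket),
            Key=out_key,
            Body=encrypt_pdf_bytes(body, password),
            ContentType="application/pdf",
        )
        written.append(out_key)
    return {"encrypted": written}
```

Two design points worth noting: the handler refuses to run when the password variable is missing, because the alternative (copying the file unprotected to the "encrypted" bucket) is the worst failure mode for this app; and the check in pdf_objects on the encrypted suffix is the cheap guard against the classic S3-to-Lambda recursion when source and destination are confused.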

To create the deployment package

  1. Navigate to the project directory containing the lambda_function.py and requirements.txt files you created or downloaded from GitHub earlier, and create a new directory named package.
  2. Install the dependencies specified in the requirements.txt file into your package directory by running the following command.

pip install -r requirements.txt --target ./package/

Installing dependencies for the serverless encryption app

Create a .zip file containing your application code and its dependencies. On Linux or macOS, run the following commands from your command line interface.

cd package
zip -r ../lambda_function.zip .
cd ..
zip lambda_function.zip lambda_function.py

On Windows, use your preferred zip tool to create the lambda_function.zip file. Make sure that your lambda_function.py file and the folders containing your dependencies are all at the root of the .zip file.

Lambda_function.zip created.

Now let’s add lambda_function.py to the lambda_function.zip

cd ..
ls -ll
zip lambda_function.zip lambda_function.py

lambda_function.py added to lambda_function.zip

The next step is to create and deploy the Lambda function using the deployment package you just created.

Create and deploy the Lambda function using AWS CLI:

Run the following command from the directory containing your lambda_function.zip file. For the region parameter, replace us-west-2 with the region in which you created your S3 buckets, and replace YOUR_AWS_ACCOUNT_ID with your account ID.

aws lambda create-function --function-name Lambda-PDF-Encryption-App \
--zip-file fileb://lambda_function.zip --handler lambda_function.lambda_handler \
--runtime python3.12 --timeout 15 --cli-connect-timeout 600 --memory-size 256 \
--role arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/LambdaS3Role --region us-west-2 \
--logging-config LogFormat=JSON

Successfully created and deployed the AWS Lambda function

Now, you can proceed to the AWS Console to confirm the creation of the AWS Lambda function Lambda-PDF-Encryption-App.

Reviewing the AWS Lambda Function on AWS console

Now we configure an Amazon S3 trigger to invoke Lambda-PDF-Encryption-App.

Configure an Amazon S3 trigger to invoke the function

For the Lambda function to run when a PDF file is uploaded to the pdf-source-bucket77, you need to configure a trigger for your function. You can configure the Amazon S3 trigger using either the console or the AWS CLI.

To configure the Amazon S3 trigger (AWS CLI)

For pdf-source-bucket77 to invoke the Lambda-PDF-Encryption-App function when a PDF file is uploaded, you first need to grant the bucket permission to invoke the function using a resource-based policy.

aws lambda add-permission --function-name Lambda-PDF-Encryption-App \
--principal s3.amazonaws.com --statement-id s3invoke --action "lambda:InvokeFunction" \
--source-arn arn:aws:s3:::pdf-source-bucket77 \
--source-account YOUR-AWS_ACCOUNT_ID

Adding the s3invoke permission to the Lambda function so that the S3 source bucket can trigger it

Navigate to the Lambda function's configuration section and confirm the permission was added:

S3invoke permission attached to the AWS Lambda Function

Review the s3invoke policy that was added:

Reviewing S3invoke policy

Next, you will configure pdf-source-bucket77 to send a notification to the Lambda function every time a new object is added.

Create a JSON configuration file named notification.json. This file will be used to configure the source S3 bucket using the AWS CLI.

Copy the JSON below into the notification.json file, replacing YOUR-AWS_ACCOUNT_ID with your account ID (the ARN must contain no spaces):

{
  "LambdaFunctionConfigurations": [
    {
      "Id": "Lambda-PDF-Encryption-AppEventConfiguration",
      "LambdaFunctionArn": "arn:aws:lambda:us-west-2:YOUR-AWS_ACCOUNT_ID:function:Lambda-PDF-Encryption-App",
      "Events": [ "s3:ObjectCreated:Put" ]
    }
  ]
}

Use the AWS CLI command below to apply the JSON configuration in the notification.json file.

aws s3api put-bucket-notification-configuration --bucket pdf-source-bucket77 \
--notification-configuration file://notification.json

Navigate to the console to review the S3 trigger added to the Lambda function.

S3 event trigger setup

Testing the app

To test your app, you upload a PDF file to your source bucket and confirm that Lambda creates an encrypted version of the file in your destination bucket. You can do this either manually using the console or with the AWS CLI.

Here we use the AWS CLI to test the app. You can use any PDF file on your local computer to test the functionality.

Before uploading any test file, first open the environment variables under the Lambda function's configuration section in the AWS console and add the PDF password as an environment variable.

Pass in the following variable:

Key: PDF_ENCRYPTION_PASSWORD

Value: your secret password for encrypting the PDF file.

Adding environment variables to the AWS Lambda function

Now proceed to upload a file to the source bucket pdf-source-bucket77.

From the directory containing the PDF file you want to upload, run the following CLI command. Replace the --bucket parameter with the name of your source bucket. For the --key and --body parameters, use the filename of your test file.

aws s3api put-object --bucket pdf-source-bucket77 --key YOUR-PDF-FILE.pdf --body ./YOUR-PDF-FILE.pdf

The PDF uploaded for this test has the content shown below:

PDF name: AWS-Documentation.pdf

AWS-Documentation.pdf

AWS CLI command to upload the AWS-Documentation.pdf file to pdf-source-bucket77 on Amazon S3:

aws s3api put-object --bucket pdf-source-bucket77 --key AWS-Documentation.pdf --body ./AWS-Documentation.pdf

Uploading the test PDF file to Amazon S3

Review the file upload in S3 via the AWS console:

test pdf successfully uploaded to AWS S3 source bucket

Next, check the destination S3 bucket for the PDF file written by the Lambda invocation that the put operation on the source bucket triggered.

Confirming the test pdf file was encrypted and sent to the AWS S3 destination bucket

From the screenshot above, you can see that the AWS-Documentation.pdf file has now been encrypted and its name changed to AWS-Documentation_encrypted.pdf.

Let's navigate to the destination S3 bucket pdf-source-bucket77-encrypted to confirm the presence of this file.

Test pdf automatically uploaded to the destination S3 bucket

Let’s check the bucket properties:

test document properties review

Now let's download the file from the bucket and try to open it, to check that the Lambda encryption app worked as intended.

Click the download option on the bucket page to download the encrypted PDF file, then try to open the file:

Test file downloaded

The file was successfully downloaded. Next, click on the file to open it:

Test document now password protected

You can see that the Lambda encryption app we developed has successfully protected the AWS-Documentation.pdf file with a password.

Now, you have to use the password that was passed to the Lambda function as an environment variable to decrypt the file.

Unlocking test pdf file with the password

Entering the password to decrypt the file.

Test pdf file now unlocked

Congratulations! The PDF file is now decrypted.

Conclusion:

In this project, we successfully developed a serverless PDF encryption application using AWS Lambda and Amazon S3. The application was designed to automatically encrypt PDF files uploaded to a source S3 bucket, applying password protection and storing the encrypted files in a destination bucket.

Key highlights of the project include:

  • Serverless Architecture: Utilizing AWS Lambda for on-demand execution without the need to manage underlying infrastructure.
  • Automated File Processing: The app triggers the Lambda function whenever a new PDF file is uploaded to the source bucket, ensuring immediate encryption.
  • Secure PDF Encryption: Each PDF is encrypted with a password, adding a layer of security for sensitive documents.
  • Seamless S3 Integration: The application efficiently handles file transfers between S3 buckets, ensuring smooth upload and storage processes.

This solution demonstrates the power and flexibility of AWS serverless services, providing a robust, scalable, and secure mechanism for file encryption.

We have successfully achieved the goal of this project, showcasing the potential for using serverless architecture to automate tasks while enhancing security and reliability in cloud environments.

Thank you for walking through this AWS project with me!

Keep building!!!!
