DVA-C02 | Chapter 18 of 101 | Objective 1.4

S3 Event Notifications and S3 Object Lambda

This chapter covers S3 Event Notifications and S3 Object Lambda, two powerful features for building event-driven architectures and transforming data on the fly in Amazon S3. For the DVA-C02 exam, these topics appear in roughly 5-8% of questions, often integrated with Lambda, SQS, SNS, and IAM policies. Mastering them is essential for designing scalable, serverless applications that react to data changes or customize data delivery without additional storage costs.

25 min read
Intermediate
Updated May 31, 2026

S3 Notifications Like Mailroom Sorter

Imagine a large corporate mailroom that receives thousands of packages daily. Each package has a destination department and a specific action required (e.g., 'Accounts Payable – Invoice'). The mailroom has a sorting machine that scans each package's label and, based on predefined rules, routes it to the correct department's conveyor belt. However, some packages need a special transformation before delivery—like converting a heavy box into a lightweight envelope. For those, the machine triggers a separate 'transformation unit' that opens the box, extracts the contents, repackages them, and then forwards the new package to the destination. In this analogy, S3 is the mailroom receiving objects (packages). S3 Event Notifications are the sorting machine: when an object is created or modified, the notification is sent to a destination (like an SQS queue, SNS topic, or Lambda function) as configured in the event notification rules. S3 Object Lambda is the transformation unit: it intercepts the object retrieval request, calls a Lambda function to modify the object on the fly (e.g., resizing images, redacting data), and returns the transformed object to the requester, all without storing the modified version in S3.

How It Actually Works

What Are S3 Event Notifications?

S3 Event Notifications allow you to trigger actions automatically when specific events occur in an S3 bucket. Supported event types include:

- s3:ObjectCreated:* (all create events)
- s3:ObjectCreated:Put
- s3:ObjectCreated:Post
- s3:ObjectCreated:Copy
- s3:ObjectCreated:CompleteMultipartUpload
- s3:ObjectRemoved:* (all delete events)
- s3:ObjectRemoved:Delete
- s3:ObjectRemoved:DeleteMarkerCreated
- s3:ObjectRestore:* (restore events)
- s3:ObjectRestore:Post
- s3:ObjectRestore:Completed
- s3:ReducedRedundancyLostObject (for RRS)
- s3:Replication:* (replication events)
- s3:LifecycleExpiration:*
- s3:LifecycleExpiration:Delete
- s3:LifecycleExpiration:DeleteMarkerCreated
- s3:LifecycleTransition
- s3:IntelligentTiering
- s3:ObjectTagging:*
- s3:ObjectTagging:Put
- s3:ObjectTagging:Delete
- s3:ObjectAcl:Put

Notifications can be delivered to:

- Amazon Simple Notification Service (SNS) – fan out to multiple subscribers.
- Amazon Simple Queue Service (SQS) – decouple processing with a queue.
- AWS Lambda – invoke a function directly.
- Amazon EventBridge – for advanced routing and filtering (via S3 on EventBridge).

Key configuration details:

- Notifications are configured at the bucket level, with optional prefix and suffix filters.
- You can have up to 100 notification configurations per bucket (each configuration can have multiple event types and destinations).
- The destination resource (SQS queue, SNS topic, Lambda function) must have a resource-based policy that allows S3 to publish to it.
- Notifications are typically delivered within seconds, but there is no SLA on delivery time.
- If the destination is unavailable, S3 will retry for up to 24 hours, then discard the notification.

How it works internally:

1. An object event occurs (e.g., PUT).
2. S3 evaluates all notification configurations for the bucket.
3. For matching configurations (based on event type, prefix, suffix), S3 publishes a JSON message to the destination.
4. The message includes details like bucket name, object key, event name, size, etag, and version ID.

Example notification message (to SQS/SNS):

{
  "Records": [
    {
      "eventVersion": "2.1",
      "eventSource": "aws:s3",
      "awsRegion": "us-east-1",
      "eventName": "ObjectCreated:Put",
      "s3": {
        "s3SchemaVersion": "1.0",
        "bucket": {
          "name": "my-bucket",
          "arn": "arn:aws:s3:::my-bucket"
        },
        "object": {
          "key": "images/photo.jpg",
          "size": 1024,
          "eTag": "d41d8cd98f00b204e9800998ecf8427e",
          "versionId": "abc123",
          "sequencer": "0055AED6DCD90281E5"
        }
      }
    }
  ]
}

For Lambda invocation, the event structure is similar but wrapped in a Lambda event.

Common use cases:

- Automatically trigger a Lambda function to resize uploaded images.
- Send a notification to an SNS topic when a new file is added to process orders.
- Enqueue messages to SQS for asynchronous processing.
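Consumer-side handling of the notification message shown above, as an added example that is not part of the chapter: it URL-decodes the object key (keys in the message are URL-encoded), tolerates the s3:TestEvent message S3 sends to a new SQS/SNS destination, unwraps messages delivered through SQS, and deduplicates redeliveries on (bucket, key, versionId, sequencer) so the consumer is idempotent. The prefix/suffix filter values and the sample messages are constructed.

```python
# Added example (not from the chapter): consumer-side handling of S3 event
# notification messages. Object keys arrive URL-encoded, the same event can be
# delivered more than once, and S3 sends an "s3:TestEvent" message without
# "Records" when a queue or topic destination is first configured.
import json
from urllib.parse import unquote_plus

ALLOWED_PREFIX, ALLOWED_SUFFIX = "images/", ".jpg"   # assumed, mirrors the bucket's filter


def parse_records(message: dict) -> list:
    """Flatten one S3 message into plain dicts with decoded keys."""
    out = []
    for rec in message.get("Records", []):            # s3:TestEvent has no Records
        if rec.get("eventSource") != "aws:s3":
            continue
        obj = rec["s3"]["object"]
        out.append({"bucket": rec["s3"]["bucket"]["name"],
                    "key": unquote_plus(obj["key"]),  # "my%20photo.jpg" -> "my photo.jpg"
                    "event": rec["eventName"],
                    "size": obj.get("size"),          # absent on ObjectRemoved events
                    "version_id": obj.get("versionId"),
                    "sequencer": obj.get("sequencer")})
    return out


def matches_filter(key: str, prefix=ALLOWED_PREFIX, suffix=ALLOWED_SUFFIX) -> bool:
    """Re-check the prefix/suffix filter on the consumer side; never trust routing alone."""
    return key.startswith(prefix) and key.endswith(suffix)


class IdempotentProcessor:
    """Skips redeliveries: notifications are at-least-once, so the same (bucket, key,
    versionId, sequencer) tuple may arrive twice. In production the seen-set would
    live in DynamoDB; here it is an in-memory set."""

    def __init__(self):
        self.seen, self.processed = set(), []

    def handle(self, event: dict) -> dict:
        accepted = skipped = 0
        recs = event.get("Records") or []
        # Fed from SQS, each SQS record's body carries one S3 message; otherwise the event is the message.
        messages = [json.loads(r["body"]) for r in recs] if recs and "body" in recs[0] else [event]
        for message in messages:
            for rec in parse_records(message):
                dedup_id = (rec["bucket"], rec["key"], rec["version_id"], rec["sequencer"])
                if not matches_filter(rec["key"]) or dedup_id in self.seen:
                    skipped += 1
                    continue
                self.seen.add(dedup_id)
                self.processed.append(rec)            # real work (resize, enqueue, ...) goes here
                accepted += 1
        return {"accepted": accepted, "skipped": skipped}


PROCESSOR = IdempotentProcessor()                     # module-level: survives warm invocations


def lambda_handler(event, context=None):
    return PROCESSOR.handle(event)


# Constructed sample messages (not real deliveries).
def _record(key, seq):
    return {"eventVersion": "2.1", "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": "my-bucket"},
                   "object": {"key": key, "size": 1024, "versionId": "abc123", "sequencer": seq}}}

SAMPLE_PUT = {"Records": [_record("images/my%20photo.jpg", "0055AED6DCD90281E5"),
                          _record("logs/app.log", "0055AED6DCD90281E6")]}
TEST_EVENT = {"Service": "Amazon S3", "Event": "s3:TestEvent", "Bucket": "my-bucket"}
SAMPLE_SQS_EVENT = {"Records": [{"body": json.dumps(SAMPLE_PUT)}]}
```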

S3 Event Notifications vs. EventBridge

AWS now recommends using Amazon EventBridge for advanced event-driven patterns. S3 can send events directly to EventBridge (enable S3 on EventBridge at the bucket level). EventBridge provides:

More destinations (Step Functions, Kinesis, etc.)

Content-based filtering (by object size, metadata, etc.)

Schema registry

Archive and replay capabilities

Exam tip: If the question mentions filtering by object metadata or size, or using multiple destinations, think EventBridge. If it's a simple notification to Lambda/SQS/SNS, S3 Event Notifications suffice.

What Is S3 Object Lambda?

S3 Object Lambda allows you to add custom code to modify the data returned by standard S3 GET, HEAD, and LIST requests. You define a Lambda function that transforms the object on the fly, and clients access the transformed data via a special S3 Object Lambda Access Point. The original object remains unchanged in S3.

Key components:

- S3 Object Lambda Access Point: A special type of access point that is associated with a Lambda function and a supporting access point.
- Supporting Access Point: A standard S3 access point that points to the bucket.
- Lambda function: The transformation code that receives the original object (or its S3 reference) and returns the transformed version.
- S3 Object Lambda alias: A DNS name (e.g., my-access-point-123456789012.s3-object-lambda.us-east-1.amazonaws.com) used by clients.

How it works:

1. Client sends a GET request to the Object Lambda Access Point URL.
2. S3 Object Lambda invokes the associated Lambda function, passing an event with details about the request and a pre-signed URL to fetch the original object.
3. The Lambda function can:
   - Fetch the original object using the pre-signed URL.
   - Transform it (e.g., resize, redact, compress, convert format).
   - Return the transformed object to S3 Object Lambda.
4. S3 Object Lambda returns the transformed object to the client.

Example Lambda event (simplified):

{
  "xAmzRequestId": "request-id",
  "getObjectContext": {
    "inputS3Url": "https://s3.amazonaws.com/...",
    "outputRoute": "...",
    "outputToken": "..."
  },
  "configuration": {
    "accessPointArn": "arn:aws:s3-object-lambda:us-east-1:123456789012:accesspoint/my-ap",
    "supportingAccessPointArn": "arn:aws:s3:us-east-1:123456789012:accesspoint/my-supporting-ap",
    "payload": "{}"
  },
  "userRequest": {
    "url": "https://my-ap-123456789012.s3-object-lambda.us-east-1.amazonaws.com/key",
    "headers": { "Host": "...", "Accept": "*/*" }
  },
  "userIdentity": { "type": "AssumedRole", "arn": "..." },
  "protocolVersion": "1.00"
}

Key Lambda function requirements:

- The function must call the WriteGetObjectResponse API to send the transformed object back.
- It can also read the original object using the provided inputS3Url (pre-signed URL).
- The function must handle errors gracefully; if it fails, S3 Object Lambda returns an error to the client.
- The function can be written in any Lambda-supported runtime.
- The function must have IAM permissions to call s3-object-lambda:WriteGetObjectResponse.

Use cases:

- Redacting personally identifiable information (PII) from documents.
- Resizing images on the fly based on query parameters.
- Converting file formats (e.g., .doc to .pdf).
- Watermarking or adding annotations.
- Compressing large files before download.

Performance considerations:

- Lambda execution time adds to the request latency. For large objects, consider streaming responses (if supported by the runtime).
- Lambda concurrency limits can throttle requests; use reserved concurrency if needed.
- S3 Object Lambda supports payload sizes up to 5 GB (for the transformed object).
- The original object size can be up to 5 GB as well.

Pricing:

- You pay for S3 Object Lambda requests and data transfer.
- Standard S3 GET requests are not charged when using Object Lambda (the access point handles the request).
- Lambda execution time and data transfer costs apply.

Interaction Between Event Notifications and Object Lambda

These two features can be combined: Event Notifications can trigger Lambda functions that update metadata or trigger downstream processing, while Object Lambda transforms data at read time. For example:

An image is uploaded -> Event Notification triggers a Lambda that creates a thumbnail in another bucket.

A client requests the original image via Object Lambda, which resizes it based on query parameters.

IAM Policies for S3 Object Lambda

To use Object Lambda, you need:

1. A Lambda function execution role with permissions for:
   - s3-object-lambda:WriteGetObjectResponse
   - s3:GetObject on the supporting access point (if fetching the original object via the SDK)
2. A client IAM policy that allows s3:GetObject on the Object Lambda Access Point ARN.
3. A bucket policy that allows the supporting access point to read objects (if the bucket is not public).

Configuration Steps (CLI Example)

1. Create a supporting access point:

aws s3control create-access-point --bucket my-bucket --name my-supporting-ap --account-id 123456789012

2. Create the Lambda function (with the WriteGetObjectResponse call).

3. Create the Object Lambda Access Point (the --configuration parameter takes JSON; the same document can be passed as file://config.json):

aws s3control create-access-point-for-object-lambda \
  --account-id 123456789012 \
  --name my-object-lambda-ap \
  --configuration '{"SupportingAccessPoint": "arn:aws:s3:us-east-1:123456789012:accesspoint/my-supporting-ap",
    "CloudWatchMetricsEnabled": true, "AllowedFeatures": ["GetObject-Range", "GetObject-PartNumber"],
    "TransformationConfigurations": [{"Actions": ["GetObject"], "ContentTransformation": {"AwsLambda":
    {"FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:my-function", "FunctionPayload": "{}"}}}]}'

4. Grant Lambda permissions to the Object Lambda Access Point (via resource-based policy).

Walk-Through

1. Configure S3 Event Notification

Navigate to the S3 bucket in the AWS Management Console, go to the Properties tab, and under Event Notifications, create a new notification. Select the event types (e.g., s3:ObjectCreated:Put), optionally specify a prefix (e.g., 'images/') and suffix (e.g., '.jpg'), and choose the destination: SQS queue, SNS topic, or Lambda function. The destination must have a resource-based policy that allows S3 to publish to it. For example, an SQS queue policy must include a statement with Principal: 's3.amazonaws.com' and Action: 'sqs:SendMessage'.
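The SQS destination policy this step describes, as an added example that is not part of the chapter: it builds the queue policy with the aws:SourceArn and aws:SourceAccount conditions that stop buckets in other accounts from publishing into the queue through the shared s3.amazonaws.com principal, and a check that flags statements lacking them. The queue ARN, bucket ARN and account ID are constructed placeholders.

```python
# Added example (not from the chapter): build the SQS queue policy that lets S3
# deliver notifications, and check an existing policy for the confused-deputy gap:
# a statement granting sqs:SendMessage to the S3 service principal without pinning
# it to your bucket and account lets any bucket anywhere deliver into the queue.
import json

# Constructed placeholder values.
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:s3-events"
BUCKET_ARN = "arn:aws:s3:::my-bucket"
ACCOUNT_ID = "123456789012"


def s3_publish_policy(queue_arn=QUEUE_ARN, bucket_arn=BUCKET_ARN, account_id=ACCOUNT_ID) -> dict:
    """Queue policy scoped so only notifications from one bucket in one account are accepted."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3EventNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": bucket_arn},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_s3_send(stmt: dict) -> bool:
    """True when the statement lets the S3 service principal (or anyone) send messages."""
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else [principal]
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return (stmt.get("Effect") == "Allow"
            and ("s3.amazonaws.com" in services or "*" in services)
            and any(a in ("sqs:sendmessage", "sqs:*", "*") for a in actions))


def unscoped_s3_statements(policy: dict) -> list:
    """Return the Sids of statements that let S3 send messages without a source condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if not _grants_s3_send(stmt):
            continue
        cond = json.dumps(stmt.get("Condition", {})).lower()
        if "aws:sourcearn" not in cond and "aws:sourceaccount" not in cond:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed weak policy for comparison: right principal and action, but no Condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                   "Principal": {"Service": "s3.amazonaws.com"},
                   "Action": "sqs:SendMessage", "Resource": QUEUE_ARN}],
}
```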

2. Test the Notification

Upload an object to the bucket that matches the prefix/suffix filter. Verify that the notification is delivered by checking the destination: for SQS, poll the queue for messages; for SNS, check the topic subscription; for Lambda, check the CloudWatch Logs for the function invocation. The notification message contains details such as bucket name, object key, event name, and object size. If the destination is not receiving messages, check the resource-based policy and ensure the S3 service principal has permissions.

3. Create Supporting Access Point

For S3 Object Lambda, first create a standard S3 access point that points to your bucket. Use the AWS CLI or console. The access point ARN will be used in the Object Lambda Access Point configuration. Ensure the bucket policy allows the access point to read objects. For example, a bucket policy statement can grant 's3:GetObject' to the access point ARN. The supporting access point can have its own network origin (Internet or VPC) and block public access settings.

4. Deploy Lambda Function for Transformation

Write a Lambda function that receives the S3 Object Lambda event, fetches the original object using the pre-signed URL from 'inputS3Url', transforms it (e.g., resize image using Pillow library), and calls the 'WriteGetObjectResponse' API to return the transformed object. The function must have IAM permissions for 's3-object-lambda:WriteGetObjectResponse'. Test the function with a sample event. Ensure the function timeout is adequate for the transformation (default 3 seconds, but may need up to 15 minutes for large objects).
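The transformation function described in "How it works", in the "Key Lambda function requirements" list and in this step, as an added example that is not the chapter's own code: it fetches the original through inputS3Url, redacts Social Security numbers in text objects with a regular expression (standing in for the PDF redaction of Scenario 2), and returns the result, or an explicit error status, through boto3's write_get_object_response using the event's outputRoute and outputToken. It assumes a GetObject-only transformation; the event values and the FakeS3 recorder are constructed so it runs offline.

```python
# Added example (not the chapter's code): an S3 Object Lambda GetObject handler that
# fetches the original object through the pre-signed inputS3Url, redacts US Social
# Security numbers in text objects, and hands the result back with
# WriteGetObjectResponse. Failures are also reported through WriteGetObjectResponse,
# so the client sees a meaningful status instead of a generic 500.
import re
import urllib.request
from urllib.error import HTTPError

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def redact(body: bytes) -> bytes:
    """Replace every SSN-shaped token; bytes in, bytes out."""
    return SSN_RE.sub(b"[REDACTED]", body)


def fetch_presigned(url: str) -> tuple:
    """GET the original object via the pre-signed URL; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:                      # e.g. 404 NoSuchKey, 403 AccessDenied
        return err.code, b""


def _s3_client():
    import boto3                                  # only needed inside Lambda
    return boto3.client("s3")


def handler(event, context=None, fetch=fetch_presigned, s3=None):
    """Object Lambda entry point; 'fetch' and 's3' are injectable so it can run offline."""
    ctx = event["getObjectContext"]
    route, token = ctx["outputRoute"], ctx["outputToken"]
    s3 = s3 or _s3_client()
    try:
        status, body = fetch(ctx["inputS3Url"])
        if status != 200:
            # Pass the upstream failure through so the client sees 404/403 rather than 500.
            s3.write_get_object_response(RequestRoute=route, RequestToken=token, StatusCode=status,
                                         ErrorCode="UpstreamError",
                                         ErrorMessage=f"supporting access point returned {status}")
            return {"status_code": status}
        s3.write_get_object_response(RequestRoute=route, RequestToken=token, Body=redact(body))
        return {"status_code": 200}
    except Exception as exc:                      # any transform failure becomes an explicit 500
        s3.write_get_object_response(RequestRoute=route, RequestToken=token, StatusCode=500,
                                     ErrorCode="TransformationFailed", ErrorMessage=str(exc))
        return {"status_code": 500}


class FakeS3:
    """Records WriteGetObjectResponse calls so the handler can be exercised offline."""
    def __init__(self):
        self.calls = []

    def write_get_object_response(self, **kwargs):
        self.calls.append(kwargs)


# Constructed sample event (placeholder values, not a real request).
SAMPLE_EVENT = {
    "getObjectContext": {"inputS3Url": "https://example.invalid/presigned",
                         "outputRoute": "route-1", "outputToken": "token-1"},
    "userRequest": {"url": "https://my-ap.s3-object-lambda.us-east-1.amazonaws.com/record.txt"},
}
```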

5. Create Object Lambda Access Point

Create an Object Lambda Access Point, specifying the supporting access point ARN and the Lambda function ARN. You can also configure allowed features like GetObject-Range and GetObject-PartNumber. The Object Lambda Access Point will have a unique DNS name. Clients use this endpoint to retrieve transformed objects. After creation, you can test by sending a GET request via the endpoint (e.g., using curl). The Lambda function will be invoked, and the transformed object will be returned.

What This Looks Like on the Job

Scenario 1: Image Processing Pipeline

A social media platform allows users to upload high-resolution profile pictures. When a user uploads an image, S3 Event Notification triggers a Lambda function that creates three resized versions (thumbnail, small, medium) and stores them in separate prefixes. This is configured with an event notification on the 'uploads/' prefix for 's3:ObjectCreated:Put'. The Lambda function uses the Pillow library to resize and writes to the same bucket under 'thumbnails/', 'small/', and 'medium/'. The destination is a Lambda function. The bucket policy allows the function's execution role to put objects. Common issues: if the Lambda fails due to timeouts (default 3 seconds), increase timeout to 30 seconds. Also, ensure the function has enough memory (e.g., 1024 MB) for image processing.

Scenario 2: PII Redaction for Compliance

A healthcare company stores patient records in S3. When a doctor retrieves a document, S3 Object Lambda invokes a Lambda function that redacts sensitive fields like Social Security numbers and patient names using regular expressions, then returns the redacted PDF. The supporting access point is configured to allow only VPC access for security. The Lambda function uses PyMuPDF to modify the PDF. Performance: each request adds ~500ms for redaction. To handle high concurrency, the Lambda function is configured with reserved concurrency of 100. The Object Lambda Access Point is integrated with AWS CloudTrail for audit logging. Misconfiguration: if the Lambda function fails to call WriteGetObjectResponse, the client receives a 500 error. Ensure the function has proper error handling.

Scenario 3: Dynamic Watermarking for Media

A stock photo website uses S3 Object Lambda to add watermarks to images on-the-fly based on the user's subscription level. The client passes a 'watermark=true' query parameter. The Lambda function checks the user identity from the request headers, then either adds a watermark or returns the original image. The Object Lambda Access Point is configured with AllowedFeatures: ['GetObject-Range'] to support range requests for partial downloads. The Lambda function uses the AWS SDK to call WriteGetObjectResponse with the modified image. If the function is misconfigured (e.g., missing IAM permissions), clients get an access denied error. At scale, Lambda concurrency limits can cause throttling; use provisioned concurrency for predictable performance.

How DVA-C02 Actually Tests This

DVA-C02 Objective Coverage:

- Domain 1: Development with AWS Services
- Objective 1.4: Implement event-driven architectures
- Subtopic: S3 Event Notifications and S3 Object Lambda

The exam tests your ability to choose the correct service for event-driven processing and understand the mechanics of S3 Object Lambda.

Common Wrong Answers:

1. Using SQS instead of SNS for fan-out: Candidates often choose SQS when they need to broadcast to multiple consumers. But SQS is a pull-based queue; for fan-out, SNS is correct because it pushes to multiple subscribers. The exam may ask: 'Which service should be used to send S3 event notifications to multiple Lambda functions?' Answer: SNS topic, with each Lambda subscribed.
2. Assuming S3 Object Lambda stores the transformed object: Many think Object Lambda creates a new object in S3. In reality, it transforms on the fly without storing. The exam might ask: 'How can you return a resized image without storing it?' Answer: S3 Object Lambda.
3. Confusing the supporting access point with the Object Lambda access point: Candidates might try to use the standard access point URL for transformed data. The correct endpoint is the Object Lambda Access Point URL. The exam may present a scenario where a client is getting the original object instead of the transformed one because they used the wrong endpoint.
4. Forgetting resource-based policies: A common mistake is not configuring the SQS queue policy to allow S3 to send messages. The exam may ask: 'Why is the Lambda function not being triggered by S3 events?' Answer: The SQS queue policy does not grant s3.amazonaws.com permission to send messages.

Specific Numbers and Terms:

- Maximum 100 notification configurations per bucket.
- Event types: s3:ObjectCreated:Put, s3:ObjectCreated:Post, s3:ObjectCreated:Copy, s3:ObjectCreated:CompleteMultipartUpload, s3:ObjectRemoved:Delete, s3:ObjectRemoved:DeleteMarkerCreated.
- Destination services: SNS, SQS, Lambda, EventBridge.
- S3 Object Lambda supports up to 5 GB payload.
- The Lambda function must call the WriteGetObjectResponse API.
- Object Lambda Access Point ARN format: arn:aws:s3-object-lambda:region:account-id:accesspoint/name.

Edge Cases:

- If the Lambda function in Object Lambda fails, the client gets an error (e.g., 500 Internal Server Error).
- Event notifications for versioned buckets: each version creates a separate event.
- If a notification destination is deleted, S3 continues to retry for up to 24 hours, then silently drops the notification.
- S3 Object Lambda does not support all S3 features; e.g., it does not support multipart uploads or presigned URLs for the Object Lambda endpoint (clients must use the Object Lambda Access Point directly).

How to Eliminate Wrong Answers:

- If the question involves transforming data on read without storing, eliminate options like Lambda@Edge or API Gateway; the correct answer is S3 Object Lambda.
- If the question mentions 'filter by object metadata', EventBridge is the better choice over standard S3 notifications.
- If the question asks about 'decoupling' and 'buffering', SQS is the right destination; if 'broadcasting', SNS.

Key Takeaways

S3 Event Notifications can be sent to SQS, SNS, Lambda, or EventBridge; maximum 100 configurations per bucket.

Event notifications are at-least-once; design idempotent consumers.

S3 Object Lambda transforms data on read without storing the modified object.

Object Lambda requires a supporting access point and a Lambda function that calls WriteGetObjectResponse.

Object Lambda supports GET, HEAD, and LIST requests only; not PUT or DELETE.

For advanced filtering (by metadata, size, etc.), use EventBridge instead of standard notifications.

Lambda function for Object Lambda must have s3-object-lambda:WriteGetObjectResponse permission.

S3 Object Lambda payload size limit is 5 GB for the transformed object.

If the Object Lambda function fails, the client receives a 500 error.

Event notifications for versioned buckets generate events for each version created.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

S3 Event Notifications

Configured directly on the S3 bucket.

Supports only four destinations: SQS, SNS, Lambda, EventBridge.

No content-based filtering; only prefix/suffix and event type.

No archive or replay capability.

Simpler to set up for basic use cases.

Amazon EventBridge

Requires enabling S3 on EventBridge at the bucket level.

Supports many destinations: Lambda, SQS, SNS, Step Functions, Kinesis, etc.

Allows content-based filtering using event patterns (e.g., by object size, metadata).

Supports event archiving and replay.

Better for complex event-driven architectures.

S3 Object Lambda

Transforms data retrieved from S3 only.

Runs in the same region as the S3 bucket.

Supports up to 5 GB payload.

Can modify the object content arbitrarily.

Invoked per GET/HEAD/LIST request.

Lambda@Edge

Runs at CloudFront edge locations.

Can modify requests/responses for any origin (not just S3).

Payload limit is 1 MB for viewer request/response, 30 MB for origin request/response.

Can add authentication headers, redirects, etc.

Invoked per CloudFront request.

Watch Out for These

Mistake

S3 Event Notifications guarantee delivery exactly once.

Correct

S3 Event Notifications are typically delivered at least once, but duplicates can occur. There is no exactly-once guarantee. Applications should be idempotent.

Mistake

S3 Object Lambda stores the transformed object in the bucket.

Correct

S3 Object Lambda does not store the transformed object. It modifies the data on the fly and returns it to the requester. The original object remains unchanged.

Mistake

You can use the same Lambda function for both Event Notification and Object Lambda without changes.

Correct

The event structures are different. Event Notification sends an S3 event with bucket/object info. Object Lambda sends a custom event with a pre-signed URL. The Lambda function must be written to handle the specific event format and call WriteGetObjectResponse for Object Lambda.

Mistake

S3 Object Lambda works with any S3 request, including PUT and DELETE.

Correct

S3 Object Lambda only intercepts GET, HEAD, and LIST requests. PUT and DELETE requests go directly to the supporting access point, bypassing the transformation.

Mistake

Event Notifications can be configured at the object level.

Correct

Event Notifications are configured at the bucket level, not individual objects. However, you can use prefix and suffix filters to narrow down which objects trigger notifications.


Frequently Asked Questions

Can S3 Event Notifications be used with cross-region replication?

Yes, but the notification is generated in the source bucket region. If you need to trigger actions in the destination region, you must set up separate notifications on the destination bucket. Note that replication events (s3:Replication:*) can also trigger notifications when objects are replicated.

What is the difference between S3 Event Notifications and S3 Inventory?

S3 Event Notifications are real-time (or near-real-time) triggers when events occur. S3 Inventory is a scheduled report (daily or weekly) that lists all objects in a bucket. Use notifications for immediate processing; use inventory for auditing or batch processing.

How do I avoid duplicate processing from S3 Event Notifications?

Since notifications are at-least-once, duplicates can occur. Use idempotent consumers: for example, use a DynamoDB table to track processed object keys, or use SQS FIFO queues with deduplication IDs based on the event sequencer field.

Can S3 Object Lambda work with objects encrypted by AWS KMS?

Yes, but the Lambda function must have permission to decrypt the object via KMS. The pre-signed URL provided to the function includes the necessary KMS context, but the function's execution role must have kms:Decrypt permission.

What happens if the Lambda function in Object Lambda times out?

If the Lambda function times out, S3 Object Lambda returns an error to the client (typically 500 Internal Server Error). Increase the Lambda timeout (up to 15 minutes) to accommodate the transformation time.

Can I use S3 Object Lambda with CloudFront?

Yes, you can set CloudFront as the client and point it to the Object Lambda Access Point as the origin. However, CloudFront will cache the transformed object based on the cache policy. If the transformation depends on the requester (e.g., watermarking), you must configure CloudFront to forward headers that differentiate users.

How do I monitor S3 Event Notifications?

You can use Amazon CloudWatch metrics for the destination services (e.g., SQS queue depth, Lambda invocations). S3 also publishes metrics for notification failures (e.g., NumberOfNotificationMessagesFailed). Enable S3 server access logs or AWS CloudTrail for detailed event history.
