Privacera Documentation

Control access to S3 buckets with AWS Lambda function

You can control access to your S3 buckets with a Lambda function to protect them from unauthorized use.

To secure a bucket, you create a Python function that builds an S3 client pointed at the Privacera dataserver and uses it to check that the caller is authorized to access that bucket. If the authorization check succeeds, the requested object is served through the Privacera dataserver, which grants the requesting user access.

A sample Lambda function is provided here.

Prerequisites

You need to make sure of the following:

  • Your Privacera connection to S3 must have already been created.

  • Decide which S3 buckets you want to protect.

  • An S3 policy has been set in Privacera. See Configure access policies for AWS services on Privacera Platform.

  • You need your Privacera access key, secret key, and Privacera dataserver URL.

  • If your Privacera dataserver uses a self-signed SSL certificate, SSL validation against that certificate is still required. You need the absolute path to the dataserver's SSL certificate when you create the S3 client. The example program provided here shows this path as the variable certificate_path='/tmp/cert.pem'.

Get your access key, secret key, and value of PRIVACERA_DS_ENDPOINT_URL

To get the values for the access key and secret key, see Generate Privacera token.

For the value of the PRIVACERA_DS_ENDPOINT_URL variable used in the example program:

  • Go to Launch Pad.

  • Under the heading HTTP Proxy Setting, copy the value displayed for Host.

Create Python Lambda function in AWS

The Lambda function needs to create an S3 client object that uses the Privacera dataserver URL as the S3 endpoint URL, together with the Privacera access key and secret key generated for the respective user.

The following example program shows a sample lambda_handler() function that controls access to an array of S3 buckets. You can modify this example or create your own based on it.

To create this program in AWS:
  1. Follow Amazon's steps to create a Lambda function. See Getting started with Lambda.

  2. Name the function priv_list_bucket.

  3. In the Create function dashboard, select Author from scratch, and use the following values in creating the function's Basic information:

    • Function name: priv_list_bucket
    • Runtime: python 3.7
    • Architecture: x86_64
  4. In Permissions, for Execution role, select Use an existing role for the Lambda function. This role must have permissions to execute Lambda functions. Example: AWS_Default_Role.

  5. In the displayed priv_list_bucket function dashboard, in the Code source field, add your Lambda function in lambda_function.py. You can use the example program or your own implementation of it.

  6. In the Runtime settings, the Function name should be <python_filename>.<function_name>.

    In our example, we use lambda_function.lambda_handler.

  7. To create a new test with an empty JSON input, click Test and Save.

  8. If you see the message Changes not deployed for the test created in the previous step, click Deploy.

  9. Click Test again.

The result of the test is displayed.

Example Python Lambda for Privacera Platform

If your Privacera dataserver uses a self-signed SSL certificate, SSL validation against that certificate is still required. You need the absolute path to the dataserver's SSL certificate when you create the S3 client. The example program provided here shows this path as the variable certificate_path='/tmp/cert.pem'.

import boto3
import requests  # not part of the Lambda Python runtime; package it with the function

# Set these variables with the values you
# obtained in the prerequisites.
PRIVACERA_DS_ENDPOINT_URL = ''
PRIVACERA_ACCESS_KEY = ''
PRIVACERA_SECRET_ACCESS_KEY = ''

def lambda_handler(event, context):

    # Use the following code block
    # if your Privacera dataserver
    # relies on a self-signed SSL certificate.
    # The value of the following variable must be
    # the absolute path to that certificate.
    # This first download runs with verify=False, so the certificate is
    # trusted on first use; bundling the certificate in the deployment
    # package instead avoids the unverified fetch.
    certificate_path = '/tmp/cert.pem'
    certificate_url = PRIVACERA_DS_ENDPOINT_URL + '/services/certificate'
    headers = {
        'connection': 'close',
    }
    response = requests.get(certificate_url, headers=headers, verify=False)
    response.raise_for_status()  # do not write an error page to disk as a certificate
    with open(certificate_path, 'wb') as f:
        f.write(response.content)

    # Create the S3 client against the Privacera dataserver, validating its
    # certificate; every S3 call is authorized by the dataserver.
    session = boto3.session.Session()
    s3_client = session.client(
        service_name='s3',
        aws_access_key_id=PRIVACERA_ACCESS_KEY,
        aws_secret_access_key=PRIVACERA_SECRET_ACCESS_KEY,
        endpoint_url=PRIVACERA_DS_ENDPOINT_URL,
        verify=certificate_path
    )
    all_buckets = s3_client.list_buckets()
    # Return only the names of the buckets this user is allowed to see.
    return [bucket['Name'] for bucket in all_buckets['Buckets']]
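The example above downloads the dataserver's self-signed certificate with verify=False and then trusts whatever it received. The following added example (not Privacera's code) shows one way to close that gap: the expected SHA-256 fingerprint of the certificate is configured out of band (for instance as a hypothetical PRIVACERA_DS_CERT_SHA256 Lambda environment variable) and the downloaded or cached certificate is only written to disk and used as verify= after it matches that pin. The sample PEM is constructed so the fingerprint logic runs offline.

```python
import base64
import hashlib
import os
import ssl

# Constructed sample, not a real X.509 certificate: enough for the PEM
# decoding and fingerprint logic below to run offline.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

def cert_fingerprint(pem_text):
    """Hex SHA-256 of the DER form of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return hashlib.sha256(der).hexdigest()

def pin_matches(pem_text, expected_sha256):
    """True only when a pin is configured and the certificate matches it."""
    if not expected_sha256:
        return False
    return cert_fingerprint(pem_text) == expected_sha256.lower()

def pinned_certificate(pem_text, expected_sha256):
    """Return pem_text if it matches the pin, otherwise refuse to trust it."""
    if not pin_matches(pem_text, expected_sha256):
        raise ValueError("dataserver certificate does not match configured pin")
    return pem_text

def fetch_dataserver_certificate(endpoint_url, certificate_path, expected_sha256):
    """Same download as the page's example, but the certificate is only
    written to disk (and later passed as verify=) after it passes the pin."""
    if os.path.exists(certificate_path):   # warm Lambda: re-check the cached copy
        with open(certificate_path) as f:
            pem = f.read()
    else:
        import requests  # not in the Lambda runtime; package it with the function
        # This bootstrap request cannot verify TLS yet; the pin check covers it.
        response = requests.get(endpoint_url + "/services/certificate",
                                headers={"connection": "close"},
                                verify=False, timeout=10)
        response.raise_for_status()
        pem = response.text
    pinned_certificate(pem, expected_sha256)
    with open(certificate_path, "w") as f:
        f.write(pem)
    return certificate_path
```

In the handler, replace the download block with fetch_dataserver_certificate(PRIVACERA_DS_ENDPOINT_URL, '/tmp/cert.pem', os.environ['PRIVACERA_DS_CERT_SHA256']) and keep verify=certificate_path on the client.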

Get your access key, secret key, and value of PRIVACERA_DS_ENDPOINT_URL

The values for the access key, secret key, and the dataserver URL are included in the privacera_aws.sh script, which is downloadable as detailed in Get your access key, secret key, and value of PRIVACERA_DS_ENDPOINT_URL.

In that script, use the value of the DS_URL_HOST variable as the value of the PRIVACERA_DS_ENDPOINT_URL variable in the Python Lambda function listed in Example Python Lambda for PrivaceraCloud.


Example Python Lambda for PrivaceraCloud

import boto3

# Set these variables with the values you
# obtained in the prerequisites.
PRIVACERA_DS_ENDPOINT_URL = ''
PRIVACERA_ACCESS_KEY = ''
PRIVACERA_SECRET_ACCESS_KEY = ''

def lambda_handler(event, context):

    # Create the S3 client against the PrivaceraCloud dataserver; every S3
    # call is authorized by the dataserver before it reaches AWS.
    session = boto3.session.Session()
    s3_client = session.client(
        service_name='s3',
        aws_access_key_id=PRIVACERA_ACCESS_KEY,
        aws_secret_access_key=PRIVACERA_SECRET_ACCESS_KEY,
        endpoint_url=PRIVACERA_DS_ENDPOINT_URL
    )
    all_buckets = s3_client.list_buckets()
    # Return only the names of the buckets this user is allowed to see.
    return [bucket['Name'] for bucket in all_buckets['Buckets']]