How to automatically enforce default encryption on newly S3 Bucket using terraform through AWS Lambda, SNS, Cloudwatch.

Herve Khg
2 min readJan 17, 2020

One of the main super important thing when you dive in Cloud world it’s paying huge attention to secure and monitor your infrastructure, else someday you could wake up with a bad surprise.

Enforce Encryption and Send SNS Notification

In this new post on AWS World, I will describe to you how you could simply create an autonomous system that will enforce default KMS encryption on all newly created buckets and send notifications. As usual in my post, everything will be implemented via Terraform code. I strongly recommend that you avoid working directly on the console in Production, get into the habit of doing everything via code (Cloudformation ou Terraform)

Step 1: Write the Python code of the Lambda function that will enforce encryption (

The next steps below will concern only terraform code.

Step 2: Declare all variables ( — Contain all variables

Step 3: Create a policy document for lambda function ( — Contain JSON Policy Document

Step 4: Create policy an attach to a role ( — Attach Policy Document to Policy

Step 5: Create a lambda function and its role

I did not describe the steps on how to deploy the lambda function code artifact on S3 because it’s not the aim of this post. (Maybe in the future I will write a specific post that will describe how to lambda artifact on S3 through a CI/CD pipeline with Gitlab).

In our example have deployed the lamda code artifact on existing Bucket with the name and its python dependencies in another zip file named — Deploy Lambda function and requirements

Step 6: Create Cloudwatch Event Rule

The code below creates a Cloudwatch Event that will trap all “CreateBucket” event and then trigger the Lambda and SNS.

Step 7: Create Cloudwatch Event target for executing Lambda

This code creates the Cloudwatch Event target that will process Lambda

Step 8: Create Cloudwatch Event target for sending SNS Notifications

This code creates the Cloudwatch Event target that will send Notification. It’s almost the same as the previous step, just the arn of the target that changes.

Step 9: Deploy the code.

Finally, you just need to execute the terraform code in order to check and apply modifications.

Enjoy your work…



Herve Khg

Multi Cloud (Azure/ AWS) Systems/Devops Engineer in France.