I uploaded a file to S3, expecting a Lambda function to trigger automatically and process the file. I checked the Lambda console, looked at CloudWatch logs, and found… nothing. No invocations, no errors, just silence. After digging through IAM policies and S3 notification configurations, I discovered the issue wasn’t a bug—it was a missing permission and a configuration mismatch. In this post, I’ll walk through exactly what causes this and how to fix it.
The Problem
You’ve configured S3 event notifications to trigger a Lambda function when objects are uploaded, but files appear in the bucket and the function never runs. No errors in the S3 console, no failed invocations in Lambda logs.
| Error Type | Description |
|---|---|
| No Invocation | Lambda function never executes. CloudWatch logs show no invocation record. |
| Access Denied | S3 attempted to invoke Lambda but received a permission error (hidden by default). |
| Configuration Mismatch | Event type or prefix doesn’t match the objects being uploaded. |
Why Does This Happen?
- Lambda resource-based policy missing — S3 needs explicit permission to invoke the Lambda function. The permission must grant `lambda:InvokeFunction` to the principal `s3.amazonaws.com` for your specific bucket.
- Wrong Lambda ARN in notification config — The S3 notification references an old function version, alias, or wrong region. If the ARN doesn’t exist or points to the wrong function, S3 has nowhere to send the event.
- Event type filter too specific — You configured the notification to listen for `s3:ObjectCreated:Put`, but objects are being uploaded via multipart upload (`s3:ObjectCreated:CompleteMultipartUpload`) or another method that doesn’t match.
- Prefix or suffix filter excludes the object — The notification rule filters on a prefix like `/uploads/` but the object is in `/archive/`. The rule silently ignores objects that don’t match.
The Fix
Step 1: Verify Lambda Permissions
Check if the Lambda function has permission for S3 to invoke it:
```bash
aws lambda get-policy --function-name MyFunction
```
If you see an error or no policy, the permission is missing. Add it:
```bash
aws lambda add-permission \
  --function-name MyFunction \
  --statement-id s3-trigger \
  --action lambda:InvokeFunction \
  --principal s3.amazonaws.com \
  --source-arn arn:aws:s3:::my-bucket \
  --source-account 123456789012
```
Replace 123456789012 with your AWS account ID and my-bucket with your bucket name.
Step 2: Verify S3 Notification Configuration
Check the current notification configuration:
```bash
aws s3api get-bucket-notification-configuration --bucket my-bucket
```
Look for LambdaFunctionConfigurations. Verify:
- `LambdaFunctionArn` is correct (use `aws lambda get-function --function-name MyFunction` to get it)
- `Events` includes the event types matching your uploads (typically `s3:ObjectCreated:*` for all create operations)
- `Filter` prefix/suffix doesn’t exclude your objects
Step 3: Update or Create Notification Configuration
If the configuration is missing or wrong, create it:
```bash
# Write the notification configuration to a local file
cat > notification-config.json <<EOF
{
  "LambdaFunctionConfigurations": [
    {
      "LambdaFunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
      "Events": ["s3:ObjectCreated:*"],
      "Filter": {
        "Key": {
          "FilterRules": [
            {
              "Name": "prefix",
              "Value": "uploads/"
            }
          ]
        }
      }
    }
  ]
}
EOF

# Apply it to the bucket
aws s3api put-bucket-notification-configuration \
  --bucket my-bucket \
  --notification-configuration file://notification-config.json
```
Step 4: Test the Configuration
Upload a test file to the bucket and check if Lambda is invoked:
```bash
# Upload a test file
echo "test content" > testfile.txt
aws s3 cp testfile.txt s3://my-bucket/uploads/testfile.txt

# Check Lambda CloudWatch logs
aws logs tail /aws/lambda/MyFunction --follow
```
How to Run This
- Replace `MyFunction` with your actual Lambda function name
- Replace `my-bucket` with your bucket name
- Replace the account ID with your AWS account ID
- Run the commands in order: check permissions first, then verify the notification config
- Upload a test file and watch the logs to confirm the function is triggered
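The checks from Steps 1 and 2 can also be run offline against saved CLI output. The following is an added example, not code from the original post: `diagnose` is a hypothetical helper that takes the raw text printed by `aws lambda get-policy` and `aws s3api get-bucket-notification-configuration` and reports which of the causes listed above applies to a given object key and event type. It assumes the statement layout that `add-permission` writes, and the sample inputs are constructed.

```python
import json
from fnmatch import fnmatchcase

def diagnose(policy_out, notif_out, fn_arn, bucket, account, key, event):
    """Return reasons why `event` on `key` in `bucket` would not invoke `fn_arn`."""
    problems, bucket_arn = [], f"arn:aws:s3:::{bucket}"
    # get-policy wraps the policy as a JSON string under "Policy"; pass "" if there is none.
    policy = json.loads(json.loads(policy_out)["Policy"]) if policy_out else {}
    def cond(stmt, op, cond_key):  # condition keys are case-insensitive
        values = stmt.get("Condition", {}).get(op, {})
        return {k.lower(): v for k, v in values.items()}.get(cond_key)
    scoped = [s for s in policy.get("Statement", [])
              if s.get("Effect") == "Allow"
              and s.get("Principal") == {"Service": "s3.amazonaws.com"}
              and s.get("Action") == "lambda:InvokeFunction"
              and cond(s, "ArnLike", "aws:sourcearn") == bucket_arn]
    if not scoped:
        problems.append(f"policy: no S3 invoke statement scoped to {bucket_arn}")
    elif not any(cond(s, "StringEquals", "aws:sourceaccount") == account for s in scoped):
        problems.append("policy: AWS:SourceAccount condition missing or wrong")
    # Treat empty output from get-bucket-notification-configuration as "no rules".
    rules = json.loads(notif_out or "{}").get("LambdaFunctionConfigurations", [])
    mine = [r for r in rules if r.get("LambdaFunctionArn") == fn_arn]
    def matches(rule):
        filt = {f["Name"].lower(): f["Value"]
                for f in rule.get("Filter", {}).get("Key", {}).get("FilterRules", [])}
        return (any(fnmatchcase(event, e) for e in rule.get("Events", []))
                and key.startswith(filt.get("prefix", ""))
                and key.endswith(filt.get("suffix", "")))
    if not mine:
        problems.append(f"notification: no rule targets {fn_arn}")
    elif not any(matches(r) for r in mine):
        problems.append(f"notification: no rule matches {event} on key {key!r}")
    return problems

# Constructed sample inputs (placeholder account ID and names used in this post).
FN = "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"
POLICY = json.dumps({"Policy": json.dumps({"Statement": [{
    "Sid": "s3-trigger", "Effect": "Allow", "Action": "lambda:InvokeFunction",
    "Principal": {"Service": "s3.amazonaws.com"}, "Resource": FN,
    "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"},
                  "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"}}}]})})
NOTIF = json.dumps({"LambdaFunctionConfigurations": [{
    "LambdaFunctionArn": FN, "Events": ["s3:ObjectCreated:Put"],
    "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "uploads/"}]}}}]})

if __name__ == "__main__":
    for event in ("s3:ObjectCreated:Put", "s3:ObjectCreated:CompleteMultipartUpload"):
        print(event, diagnose(POLICY, NOTIF, FN, "my-bucket", "123456789012", "uploads/big.bin", event))
```

An empty list means the policy and the notification rule both cover that upload; the multipart case in the sample is reported because the constructed rule listens only for `s3:ObjectCreated:Put`.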
Is This Safe?
Allowing S3 to invoke Lambda is safe—it’s scoped to your specific bucket and function. The `--source-arn` parameter restricts the permission to that bucket only, and `--source-account` ties it to your account. For production, use a specific prefix filter to avoid processing unexpected object types.
Key Takeaway
S3 event notifications fail silently when the Lambda resource policy is missing or the configuration doesn’t match your object paths. Always verify the permission exists and test with a sample object to confirm the setup works.