serverless-plugin-existing-s3
Attach Lambda events to an existing S3 bucket, for Serverless.com 1.11.0+.
Overcomes the CloudFormation limitation on attaching an event to an uncontrolled bucket, for Serverless.com 1.11.0+. See this stackoverflow issue for more information.
1. NPM dependency
Looking to eliminate this step, as it will place the dependency within your deployed code.
> npm install serverless-plugin-existing-s3
Declare the plugin in your serverless.yml:
plugins:
  - serverless-plugin-existing-s3
2. Give your deploy permission to access the bucket. The BUCKET_NAME variable within provider.iamRoleStatements.Resource.Fn::Join needs to be replaced with the name of the bucket you want to attach your event(s) to. If there are multiple buckets you want to attach events to, add a new item for each bucket.
provider:
  name: aws
  runtime: nodejs4.3
  iamRoleStatements:
    # ...
    - Effect: "Allow"
      Action:
        - "s3:PutBucketNotification"
      Resource:
        Fn::Join:
          - ""
          # Use "arn:aws:s3:::*" instead to cover every bucket (broader than needed).
          - - "arn:aws:s3:::BUCKET_NAME"
3. Attach an event to your target function. Add an existingS3 event definition under 'events' of your function declaration. The 'events' value under your existingS3 event is optional; if omitted, it defaults to a single entry for "s3:ObjectCreated:*".
The rules property is optional and can contain a prefix, a suffix, or both, as rules for when the event will trigger.
Note: The bucketEvents and eventRules attributes introduced in 1.0.1 will still work, but will likely be deprecated in the future.
functions:
  someFunction:
    handler: index.handler
    events:
      - existingS3:
          bucket: BUCKET_NAME
          events:
            - s3:ObjectCreated:*
          rules:
            - prefix: images/
            - suffix: .jpg
Run the command.
I could not figure out how to hook into the existing deploy behaviors built into Serverless.com's deploy command. So as a result you have to run a separate command AFTER you do sls deploy.
> sls deploy
Serverless: Zipping service...
Serverless: Uploading CloudFormation file to S3...
Serverless: Removing old service versions...
Serverless: Uploading .zip file to S3...
Serverless: Updating Stack...
Serverless: Checking stack update progress...
..
Serverless: Deployment successful!
Service Information
service: service-name
stage: stage
region: region
endpoints:
None
functions:
someFunction: arn:aws:lambda:region:accountid:function:service-name-stage-someFunction
> sls s3deploy
Attaching event(s) to: someFunction
Done.
The only one I see, and quite regularly during my testing, is a result of having the wrong bucket name configured in the serverless.yml, either in the IAM configuration providing permissions or in the function definition where I'm attaching the event. Make sure your bucket names are right.
If you are really stuck, open an issue at https://github.com/matt-filion/serverless-external-s3-event/issues
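The bucket name is written twice in serverless.yml (the IAM grant in step 2 and the existingS3 event in step 3), and a mismatch between the two is the failure described above. The check below is an added example, not part of the plugin: it takes an already-parsed serverless.yml as a plain object and reports events with no matching s3:PutBucketNotification grant, grants that no event uses, and wildcard grants. The function names, finding types and the uploads-prod sample are assumptions made for illustration.

```javascript
// Added example (hypothetical helper names); input is an already-parsed serverless.yml.
const ARN_PREFIX = "arn:aws:s3:::";

// Resolve a Resource entry: a plain string, or Fn::Join over literal strings.
function resolveArn(res) {
  if (typeof res === "string") return res;
  const join = res && res["Fn::Join"];
  if (!Array.isArray(join) || !Array.isArray(join[1])) return null;
  return join[1].every((p) => typeof p === "string") ? join[1].join(join[0]) : null;
}

// Bucket names (or "*") on which the role is allowed s3:PutBucketNotification.
function grantedBuckets(config) {
  const granted = new Set();
  for (const st of (config.provider || {}).iamRoleStatements || []) {
    const actions = [].concat(st.Action || []);
    if (st.Effect !== "Allow" || !actions.includes("s3:PutBucketNotification")) continue;
    for (const res of [].concat(st.Resource || [])) {
      const arn = resolveArn(res) || "";
      if (arn === "*" || arn.startsWith(ARN_PREFIX)) granted.add(arn.replace(ARN_PREFIX, ""));
    }
  }
  return granted;
}

// Findings: missing-grant, unused-grant (often a typo), wildcard-grant.
function auditExistingS3(config) {
  const granted = grantedBuckets(config);
  const used = new Set(), findings = [];
  for (const [fnName, fn] of Object.entries(config.functions || {})) {
    for (const ev of fn.events || []) {
      if (!ev.existingS3) continue;
      const bucket = ev.existingS3.bucket;
      used.add(bucket);
      if (!granted.has(bucket) && !granted.has("*")) findings.push({ type: "missing-grant", fnName, bucket });
    }
  }
  for (const bucket of granted) {
    if (bucket === "*") findings.push({ type: "wildcard-grant", bucket });
    else if (!used.has(bucket)) findings.push({ type: "unused-grant", bucket });
  }
  return findings;
}

// Constructed sample: the event names "uploads-prod" but the grant is misspelled.
const sample = {
  provider: { iamRoleStatements: [{ Effect: "Allow", Action: ["s3:PutBucketNotification"],
    Resource: { "Fn::Join": ["", ["arn:aws:s3:::uploads-prd"]] } }] },
  functions: { someFunction: { events: [{ existingS3: { bucket: "uploads-prod" } }] } },
};
console.log(auditExistingS3(sample));
```

A wildcard grant makes every event pass the check, which is why it is reported separately: it hides typos in the event's bucket name until sls s3deploy runs.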
You can run the tests by running:
yarn install
yarn test
FAQs
The npm package serverless-plugin-existing-s3 receives a total of 3,920 weekly downloads. As such, serverless-plugin-existing-s3 popularity was classified as popular.
We found that serverless-plugin-existing-s3 demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.