New serverless pattern - lambda-s3-files-cdk #3075

Open
NithinChandranR-AWS wants to merge 3 commits into aws-samples:main from NithinChandranR-AWS:NithinChandranR-AWS-feature-lambda-s3-files-cdk

@NithinChandranR-AWS

New Serverless Pattern: Lambda with Amazon S3 Files Mount

Description

Deploys a Lambda function with an Amazon S3 Files file system mounted at /mnt/s3data, enabling standard file operations (read, write, list) on S3 data without downloading objects. Uses Amazon S3 Files (GA April 2026).

Architecture

┌──────────┐     ┌──────────────────────────┐
│ S3 Bucket│◄───►│  S3 Files FileSystem     │
└──────────┘     └────────────┬─────────────┘
                              │ NFS (port 2049)
                 ┌────────────┴─────────────┐
                 │           VPC            │
                 │  Mount Target (AZ-1)     │
                 │  Mount Target (AZ-2)     │
                 │       ▲                  │
                 │  Lambda /mnt/s3data      │
                 └──────────────────────────┘

Key Features

  • S3 Files FileSystem + MountTargets + AccessPoint (L1 constructs — no L2 yet)
  • VPC with 2 AZs, security group for NFS traffic (port 2049)
  • Lambda reads/writes/lists files via standard Node.js fs module
  • Bidirectional sync between S3 bucket and mounted filesystem
  • Sub-millisecond latency on actively used data
  • POSIX user identity (UID/GID 1000) via AccessPoint

Framework / Language

  • AWS CDK (TypeScript)
  • Lambda: Node.js 22.x

Deployment & Testing

  • Deployed and tested successfully on AWS
  • Write ✅ Read ✅ List ✅ S3 Sync ✅ (all verified)

Files

| File | Purpose |
| --- | --- |
| lib/lambda-s3-files-stack.ts | CDK stack (VPC, S3 Files, Lambda) |
| src/index.js | Lambda handler (read/write/list) |
| example-pattern.json | Serverless Land metadata |

Deploy a Lambda function with an Amazon S3 Files file system mounted
as a local directory, enabling standard file operations on S3 data
without downloading objects.

Key features:
- S3 Files FileSystem with NFS mount on Lambda at /mnt/s3data
- VPC with 2 AZs, mount targets, and access point (L1 constructs)
- Security group for NFS traffic (port 2049)
- Read, write, and list operations via standard fs module
- Bidirectional sync between S3 bucket and mounted filesystem
- Sub-millisecond latency on actively used data

Replace wildcard resource with specific S3 Files access point ARN
for least-privilege IAM.

@bfreiberg
Contributor

Thanks for submitting this pattern! Here's what needs to be addressed:

  • Path Traversal Vulnerability in File Operations - src/index.js line 11: User-controlled filename and directory inputs are not validated, allowing '../' sequences to access files outside intended paths. Add input validation to reject filenames/directories containing '..' sequences and restrict to alphanumeric characters, hyphens, and underscores.

  • First reference of service names must use the full name. Lambda should be AWS Lambda - README.md line 1: "Lambda" is used but "AWS Lambda" never appears in the document. Change the first reference to "AWS Lambda". Short name "Lambda" is fine after that.

  • First reference should be AWS IAM - README.md line 11: "IAM" is used but "AWS IAM" never appears in the document. Change the first reference to "AWS IAM". Short name "IAM" is fine after that.
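
One way to implement the input validation requested in the review above, as an added example that is not code from this pull request. The helper name `safeResolve`, the sample inputs, and the decision to allow single interior dots in names are assumptions; only the `/mnt/s3data` mount path and the `filename`/`directory` inputs come from the page.

```javascript
const path = require("node:path");

const MOUNT_ROOT = "/mnt/s3data"; // mount path used by the pattern

// One path segment: letters, digits, hyphens, underscores. Assumption: single
// interior dots are also allowed so "report.txt" passes; "." and ".." never match.
const SEGMENT = /^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$/;

// Hypothetical helper: returns an absolute path under MOUNT_ROOT or throws.
function safeResolve(directory, filename) {
  if (typeof filename !== "string" || !SEGMENT.test(filename)) {
    throw new Error("invalid filename");
  }
  const segments = [];
  if (directory !== undefined && directory !== "") {
    if (typeof directory !== "string") throw new Error("invalid directory");
    // Validate every component, so "/etc", "a//b" and "a/../b" are all rejected.
    for (const seg of directory.split("/")) {
      if (!SEGMENT.test(seg)) throw new Error("invalid directory");
      segments.push(seg);
    }
  }
  const resolved = path.posix.resolve(MOUNT_ROOT, ...segments, filename);
  // Defence in depth: even if the allow-list is loosened later, the result
  // must still sit strictly below the mount root.
  if (!resolved.startsWith(MOUNT_ROOT + "/")) {
    throw new Error("path escapes mount root");
  }
  return resolved;
}

// Constructed sample inputs, not taken from the pull request.
const samples = [["uploads", "report.txt"], ["uploads", "../../etc/passwd"], ["../..", "passwd"]];
for (const [dir, name] of samples) {
  try {
    console.log("ok  ", safeResolve(dir, name));
  } catch (err) {
    console.log("deny", JSON.stringify([dir, name]), err.message);
  }
}
```

These checks are lexical only; if symbolic links can exist on the mounted file system, also compare the `fs.realpath` result against the mount root before opening the file.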

Comment thread lambda-s3-files-cdk/README.md Outdated

## How it works

[Amazon S3 Files](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-files.html) (GA April 2026) provides NFS access to S3 buckets with full POSIX semantics. This pattern mounts an S3 bucket on a Lambda function at `/mnt/s3data`.
Contributor

Suggested change
[Amazon S3 Files](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-files.html) (GA April 2026) provides NFS access to S3 buckets with full POSIX semantics. This pattern mounts an S3 bucket on a Lambda function at `/mnt/s3data`.
[Amazon S3 Files](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-files.html) provides NFS access to S3 buckets with full POSIX semantics. This pattern mounts an S3 bucket on a Lambda function at `/mnt/s3data`.

Author

Done, removed "(GA April 2026)". Fixed in f963437.


// Lambda function with S3 Files mount
const fn = new lambda.Function(this, "S3FilesFn", {
runtime: lambda.Runtime.NODEJS_22_X,
Contributor

Why not use the latest runtime version?

Author

Upgraded to nodejs24.x via CDK escape hatch (L2 does not have NODEJS_24_X yet). Deployed and tested on a live stack — list, write, and read all pass. Fixed in f963437.

@@ -0,0 +1,61 @@
{
"title": "Lambda with Amazon S3 Files Mount",
Contributor

Suggested change
"title": "Lambda with Amazon S3 Files Mount",
"title": "AWS Lambda with Amazon S3 Files Mount",

Author

Updated to "AWS Lambda with Amazon S3 Files Mount". Fixed in f963437.

"headline": "How it works",
"text": [
"This pattern deploys a Lambda function with an Amazon S3 Files file system mounted at /mnt/s3data. The function performs standard file operations (read, write, list) on S3 data using the local filesystem — no S3 API calls needed.",
"S3 Files (GA April 2026) provides NFS access to S3 buckets with sub-millisecond latency on small files and full POSIX semantics. The pattern creates a VPC, S3 Files file system, mount targets, access point, and a Lambda function wired together.",
Contributor

Suggested change
"S3 Files (GA April 2026) provides NFS access to S3 buckets with sub-millisecond latency on small files and full POSIX semantics. The pattern creates a VPC, S3 Files file system, mount targets, access point, and a Lambda function wired together.",
"S3 Files provides NFS access to S3 buckets with sub-millisecond latency on small files and full POSIX semantics. The pattern creates a VPC, S3 Files file system, mount targets, access point, and a Lambda function wired together.",

Author

Applied suggested description, removed "(GA April 2026)". Fixed in f963437.

- Remove (GA April 2026) from README and example-pattern.json
- Upgrade runtime to nodejs24.x via escape hatch
- Update title to 'AWS Lambda with Amazon S3 Files Mount'
- Use reviewer-suggested description text
@NithinChandranR-AWS
Author

NithinChandranR-AWS commented Apr 24, 2026

Thanks for the quick review, @bfreiberg! All 4 comments addressed and pushed. Would appreciate another look when you get a chance.
