How to filter S3 events by object size

Andreas Wittig – 22 Feb 2023

While answering a support request for bucketAV, I stumbled upon the following question:

Is there a way to only scan S3 objects with a size of less than 1 GB for malware?

This translates to the more general question:

How to filter S3 events by object size?

Filtering S3 events by object size is helpful in the following scenarios:

  • How to get notified via email when someone uploads a large file to S3?
  • How to ensure only files smaller than 100 MB are processed by Lambda to avoid timeouts?
  • How to trigger an ECS task after an archive with more than 1 GB has been uploaded to S3?

Luckily, there are simple ways to filter S3 events by object size.

S3 Event Notifications vs. EventBridge

Nowadays, there are two options to react to new or modified S3 objects:

  • S3 Event Notifications has been around for years and allows us to send events to SNS, SQS, and Lambda.
  • EventBridge, the serverless event bus, is the state-of-the-art approach for building event-driven systems on AWS.

Both options allow you to filter events based on the S3 object size.

Filtering S3 Event Notifications by object size

Assume you have configured S3 Event Notifications to deliver events to an SNS topic. The following filter policy delivers only events about objects smaller than 1000000000 bytes (1 GB) to the subscriber.

{
  "Records": {
    "s3": {
      "object": {
        "size": [{"numeric": ["<", 1000000000]}]
      }
    }
  }
}

First, create an SNS topic.

Second, configure S3 Event Notifications, as illustrated in the following screenshots.

Configure S3 Event Notifications: 01

Third, create a subscription for the SNS topic.

Create SNS subscription

Apply the subscription filter as shown in the following screenshot. Make sure to select the policy scope MessageBody.

Apply subscription filter

Filtering EventBridge events by S3 object size

After enabling EventBridge events, the following event pattern matches events about new or modified objects with a size of less than 1000000000 bytes (1 GB).

{
  "source": ["aws.s3"],
  "detail-type": ["Object Created"],
  "detail": {
    "object": {
      "size": [{
        "numeric": ["<", 1000000000]
      }]
    }
  }
}

First, enable EventBridge events for the S3 bucket, as illustrated in the following screenshot.

Enable S3 EventBridge events

Second, create an EventBridge rule, as shown in the following screenshot.

Create an EventBridge rule

Third, copy and paste the event pattern as demonstrated in the following screenshot.

Configure event pattern

Fourth, create the EventBridge rule.
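
The following is an added example, not code from the original post: a simplified local matcher (a subset of exact-match and numeric matching, not AWS's implementation) that checks the SNS filter policy and the EventBridge event pattern from this page against constructed events at the 1 GB boundary. It also defines the complementary `>=` pattern, because objects excluded by the `<` filter are not delivered by that rule and need a second rule if they should be noticed. The names `matches`, `size_rule`, `EB_SMALL`, `EB_LARGE`, `SNS_SMALL` and `example-bucket` are hypothetical.

```python
import operator

# Added example: simplified local matcher, not AWS's implementation.
OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}
LIMIT = 1000000000  # threshold used on this page (1 GB)

def _leaf(value, conditions):
    """A leaf matches when ANY listed condition matches the value."""
    for cond in conditions:
        if isinstance(cond, dict) and "numeric" in cond:
            spec = cond["numeric"]  # e.g. ["<", 1000000000] or [">=", 0, "<", 10]
            if (isinstance(value, (int, float)) and not isinstance(value, bool)
                    and all(OPS[op](value, n) for op, n in zip(spec[0::2], spec[1::2]))):
                return True
        elif not isinstance(cond, dict) and cond == value:
            return True
    return False

def matches(pattern, event):
    """True when the event satisfies every key of the pattern (AND across keys)."""
    if isinstance(event, list):  # arrays such as "Records": any element may match
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):
        return _leaf(event, pattern)
    return isinstance(event, dict) and all(
        k in event and matches(v, event[k]) for k, v in pattern.items())

def size_rule(op):
    return {"object": {"size": [{"numeric": [op, LIMIT]}]}}

EB_SMALL = {"source": ["aws.s3"], "detail-type": ["Object Created"], "detail": size_rule("<")}
EB_LARGE = {"source": ["aws.s3"], "detail-type": ["Object Created"], "detail": size_rule(">=")}
SNS_SMALL = {"Records": {"s3": size_rule("<")}}

def eb_event(size):  # constructed sample EventBridge event
    return {"source": "aws.s3", "detail-type": "Object Created",
            "detail": {"bucket": {"name": "example-bucket"},
                       "object": {"key": "upload.bin", "size": size}}}

def s3_notification(size):  # constructed sample S3 Event Notification body
    return {"Records": [{"eventSource": "aws:s3",
                         "s3": {"object": {"key": "upload.bin", "size": size}}}]}

if __name__ == "__main__":
    for size in (LIMIT - 1, LIMIT):
        print(size, matches(EB_SMALL, eb_event(size)), matches(EB_LARGE, eb_event(size)),
              matches(SNS_SMALL, s3_notification(size)))
```

For a check against the service's own matcher, the AWS CLI command `aws events test-event-pattern` evaluates an event pattern against an event.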

Summary

Both S3 Event Notifications and EventBridge events allow you to filter events about new or modified S3 objects by object size.

Andreas Wittig

I’ve been building on AWS since 2012 together with my brother Michael. We are sharing our insights into all things AWS on cloudonaut and have written the book AWS in Action. Besides that, we’re currently working on bucketAV, HyperEnv for GitHub Actions, and marbot.
