  1. """
  2. Lambda invocation to set security tags on Athena output; triggered by S3 Object
  3. events
  4. """
  5.  
import logging
from urllib.parse import unquote_plus

import boto3
  9.  
# Root logger raised to INFO so the per-object decisions below are recorded.
LOGGER = logging.getLogger(None)
LOGGER.setLevel('INFO')

# Service clients are built once at import time and shared by every call
# into this module.
ATHENA = boto3.client(service_name='athena')
S3CLIENT = boto3.client(service_name='s3')

# Athena database whose query results are treated as restricted data.
DBNAME = 'restricteddb'
  17.  
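def check_query_context(query_id):
    """
    Check if query falls under the protected DB
    :param string query_id: Athena QueryExecutionId
    :return bool: True if protected DB
    """

    LOGGER.info("Checking if %s is a protected data set query", query_id)

    try:
        query = ATHENA.get_query_execution(QueryExecutionId=query_id)
    except ATHENA.exceptions.InvalidRequestException:
        # Protect against invalid query Ids (e.g. an object in the results
        # bucket that Athena did not write): treat as unprotected, don't crash.
        return False

    # The 'Database' entry of the execution context is optional in the Athena
    # API, so walk the nested dict defensively instead of indexing straight in
    # (a KeyError here would abort the whole batch of records).
    execution = query.get('QueryExecution', {})
    database = execution.get('QueryExecutionContext', {}).get('Database')

    # NOTE(review): only the execution context's *default* database is
    # compared. A query whose context is another database can still read
    # tables of the protected database by qualified name (db.table) and would
    # not be tagged here; confirm whether that case needs to be covered.
    if database == DBNAME:
        LOGGER.info("%s is a protected data set query", query_id)
        return True

    LOGGER.info("%s is not a protected data set query", query_id)
    return False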
  39.  
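def check_action(obj_name):
    """
    Check if action is required on event
    :param string obj_name: S3 object key of the Athena output object
    :return bool: True if processing action is required
    """

    # Exclude metadata files from processing
    if obj_name.endswith('.metadata'):
        LOGGER.info("%s is a metadata file", obj_name)
        return False

    # Athena names result objects '<prefix>/<QueryExecutionId>.<ext>'. Take
    # the basename *before* stripping the extension, so a dot inside the
    # prefix (e.g. 'reports.v2/') cannot truncate the key to the wrong piece.
    query_id = obj_name.rsplit('/', 1)[-1].split('.', 1)[0]

    return check_query_context(query_id)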
  56.  
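def set_obj_tags(bucket, obj_name):
    """
    Set object tags

    Marks the object with restricted_data=True. put_object_tagging replaces
    the object's whole tag set, so the existing tags are read first and
    carried over; if they cannot be read (e.g. the function's role lacks
    s3:GetObjectTagging) the object is still tagged, with only the
    restricted_data tag, as before.
    :param string bucket: S3 bucket name
    :param string obj_name: S3 object key
    """

    try:
        existing = S3CLIENT.get_object_tagging(Bucket=bucket, Key=obj_name)['TagSet']
    except S3CLIENT.exceptions.ClientError:
        LOGGER.warning('Could not read existing tags for %s; replacing tag set', obj_name)
        existing = []

    # Drop any stale restricted_data tag so the value below wins; keep the rest.
    tag_set = [tag for tag in existing if tag['Key'] != 'restricted_data']
    tag_set.append({'Key': 'restricted_data', 'Value': 'True'})

    S3CLIENT.put_object_tagging(
        Bucket=bucket,
        Key=obj_name,
        Tagging={'TagSet': tag_set},
    )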
  74.  
def obj_handler(bucket, obj_name):
    """
    Generalized handling (allows loop over multiple objects from the PUT operation)
    :param string bucket: S3 bucket name
    :param string obj_name: S3 object key
    """

    # Guard clause: anything that does not need tagging is logged and skipped.
    if check_action(obj_name) is not True:
        LOGGER.info('No action required for %s', obj_name)
        return

    LOGGER.info('Setting tags for %s', obj_name)
    set_obj_tags(bucket, obj_name)
  87.  
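def lambda_handler(event, context):
    """
    Lambda invocation
    :param dict event: S3 event notification carrying one or more 'Records'
    :param context: Lambda context object (unused)
    """

    # An invocation without Records (e.g. a manual test event) is a no-op
    # instead of a KeyError.
    for record in event.get('Records', []):

        # S3 URL-encodes the object key in event notifications ('+' for
        # spaces); decode it before using it as the Key of an S3 API call,
        # otherwise keys with spaces or special characters fail to tag.
        obj_name = unquote_plus(record['s3']['object']['key'])
        bucket = record['s3']['bucket']['name']

        obj_handler(bucket, obj_name)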