An educational demo showcasing S3 Lambda Object Access Points for dynamic data redaction based on user clearance levels.
A spy agency stores classified intelligence reports in S3. When agents access reports through the Object Lambda Access Point, sensitive information is automatically redacted based on their security clearance level:
- PUBLIC: Heavy redaction (names, locations, dates, operations)
- CONFIDENTIAL: Moderate redaction (agent names, specific locations)
- TOP_SECRET: Minimal redaction (only the most sensitive operational details)
```
Agent Request → S3 Object Lambda Access Point → Lambda Function → Redacted Report
                                    ↓
                     S3 Access Point → S3 Bucket (Original Reports)
```

Project files:

- `template.yaml` - SAM template defining the infrastructure
- `src/index.js` - Lambda function for data redaction
- `mock-data/mission-report-001.json` - Sample classified report
- `deploy.sh` / `deploy.ps1` - Deployment and testing scripts (Bash/PowerShell)
- `samconfig.toml.template` - AWS SAM deployment configuration template
Linux/Mac:

```bash
chmod +x deploy.sh
./deploy.sh
./deploy.sh --region your-aws-region
./deploy.sh --profile your-aws-profile
./deploy.sh --region your-aws-region --profile your-aws-profile
```

Windows:

```powershell
.\deploy.ps1
.\deploy.ps1 -Region your-aws-region
.\deploy.ps1 -Profile your-aws-profile
.\deploy.ps1 -Region your-aws-region -Profile your-aws-profile
```

Linux/Mac:
```bash
# Get bucket and OLAP ARNs from stack outputs
STACK_NAME="secret-agent-data-redactor" # or your custom stack name
BUCKET_NAME=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" --query "Stacks[0].Outputs[?OutputKey=='BucketName'].OutputValue" --output text)
OLAP_ARN=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" --query "Stacks[0].Outputs[?OutputKey=='ObjectLambdaAccessPointArn'].OutputValue" --output text)
# Upload test data first
aws s3 cp mock-data/mission-report-001.json "s3://$BUCKET_NAME/"
# Test different clearance levels (no clearance parameter means PUBLIC, the default)
aws s3api get-object --bucket "$OLAP_ARN" --key "mission-report-001.json" /tmp/default-public-report.json
aws s3api get-object --bucket "$OLAP_ARN" --key "mission-report-001.json?clearance=PUBLIC" /tmp/public-report.json
aws s3api get-object --bucket "$OLAP_ARN" --key "mission-report-001.json?clearance=CONFIDENTIAL" /tmp/confidential-report.json
aws s3api get-object --bucket "$OLAP_ARN" --key "mission-report-001.json?clearance=TOP_SECRET" /tmp/top-secret-report.json
```

Windows PowerShell:
```powershell
# Get bucket and OLAP ARNs from stack outputs
$STACK_NAME = "secret-agent-data-redactor" # or your custom stack name
$BUCKET_NAME = aws cloudformation describe-stacks --stack-name $STACK_NAME --query "Stacks[0].Outputs[?OutputKey=='BucketName'].OutputValue" --output text
$OLAP_ARN = aws cloudformation describe-stacks --stack-name $STACK_NAME --query "Stacks[0].Outputs[?OutputKey=='ObjectLambdaAccessPointArn'].OutputValue" --output text
# Upload test data first
aws s3 cp mock-data/mission-report-001.json s3://$BUCKET_NAME/
# Test different clearance levels (no clearance parameter means PUBLIC, the default)
aws s3api get-object --bucket $OLAP_ARN --key "mission-report-001.json" "$env:TEMP\default-public-report.json"
aws s3api get-object --bucket $OLAP_ARN --key "mission-report-001.json?clearance=PUBLIC" "$env:TEMP\public-report.json"
aws s3api get-object --bucket $OLAP_ARN --key "mission-report-001.json?clearance=CONFIDENTIAL" "$env:TEMP\confidential-report.json"
aws s3api get-object --bucket $OLAP_ARN --key "mission-report-001.json?clearance=TOP_SECRET" "$env:TEMP\top-secret-report.json"
```

Key points:

- Dynamic Data Transformation: Same data, different views based on user context
- Security by Design: Sensitive data never leaves AWS in unredacted form
- Transparent Integration: Applications use standard S3 APIs
- Centralized Policy: Redaction logic managed in one place
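The request flow sketched above and the Dynamic Data Transformation point, worked through as an added example (not code from this repo): a cut-down handler in the shape of `src/index.js` that reads the clearance from the request URL, redacts a copy of the report per level, and returns it with `WriteGetObjectResponse`. The field names, the nesting of the levels and the sample report are assumptions, as is the caller-supplied `clearance` query parameter, which is a demo convenience; a production deployment would derive clearance from the caller's identity (the `userIdentity` block in the event) rather than from the request.

```javascript
// Added example in the shape of an Object Lambda handler like src/index.js; the report
// fields, per-level rules and sample data are assumptions, not the repo's own code.
const REDACTED = "[REDACTED]";
// Fields hidden at each clearance. Each lower level hides a superset of the level above,
// and an absent or unrecognised clearance falls back to PUBLIC, the heaviest redaction.
const HIDDEN_FIELDS = {
  TOP_SECRET: ["sensitiveDetails"],
  CONFIDENTIAL: ["sensitiveDetails", "agents", "locations"],
  PUBLIC: ["sensitiveDetails", "agents", "locations", "dates", "operation"],
};

// The demo passes the clearance as "?clearance=LEVEL" appended to the object key. The CLI
// percent-encodes that "?", so the path is decoded before a query string is looked for.
function clearanceFromUrl(url) {
  const parsed = new URL(url);
  const path = decodeURIComponent(parsed.pathname);
  const query = path.includes("?") ? path.slice(path.indexOf("?") + 1) : parsed.search.slice(1);
  const level = (new URLSearchParams(query).get("clearance") || "PUBLIC").toUpperCase();
  return Object.hasOwn(HIDDEN_FIELDS, level) ? level : "PUBLIC";
}

// Return a redacted copy of the report; the original object is left untouched.
function redactReport(report, clearance) {
  const out = { ...report, clearance };
  for (const field of HIDDEN_FIELDS[clearance]) {
    if (field in out) out[field] = Array.isArray(out[field]) ? out[field].map(() => REDACTED) : REDACTED;
  }
  return out;
}

// Object Lambda entry point: fetch the original through the presigned inputS3Url,
// redact it, and hand the result back to the caller with WriteGetObjectResponse.
async function handler(event) {
  const { S3Client, WriteGetObjectResponseCommand } = require("@aws-sdk/client-s3");
  const { inputS3Url, outputRoute, outputToken } = event.getObjectContext;
  const original = await (await fetch(inputS3Url)).json();
  const redacted = redactReport(original, clearanceFromUrl(event.userRequest.url));
  await new S3Client({}).send(new WriteGetObjectResponseCommand({
    RequestRoute: outputRoute, RequestToken: outputToken,
    Body: JSON.stringify(redacted), ContentType: "application/json",
  }));
  return { statusCode: 200 };
}
// Constructed sample report standing in for mock-data/mission-report-001.json.
const SAMPLE_REPORT = {
  reportId: "MR-001", operation: "Operation Nightfall", agents: ["Agent Raven", "Agent Sparrow"],
  locations: ["Safehouse 7, Vienna"], dates: ["2024-03-12"],
  sensitiveDetails: "Extraction route via service tunnel B", summary: "Target relocated; follow-up required.",
};
if (typeof module !== "undefined") module.exports = { handler, clearanceFromUrl, redactReport, SAMPLE_REPORT };
```

An absent or unknown clearance deliberately falls back to PUBLIC, which is the `default-public-report.json` case in the test commands above.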
First empty the created S3 bucket, then run:

```bash
sam delete --stack-name secret-agent-data-redactor # or your custom stack name
sam delete --region your-aws-region --stack-name secret-agent-data-redactor # or your custom stack name
sam delete --profile your-aws-profile --stack-name secret-agent-data-redactor # or your custom stack name
sam delete --region your-aws-region --profile your-aws-profile --stack-name secret-agent-data-redactor # or your custom stack name
```
