Introduction

S3 event notifications are simple only when the bucket, Lambda function, and filter rules all stay aligned. In real systems, the trigger often stops after a Lambda replacement, a prefix filter change, or a missing resource policy update. The upload succeeds, but no invocation ever reaches the function.

Symptoms

  • Objects upload successfully, but the target Lambda function never runs
  • The bucket shows a Lambda notification configuration, yet CloudWatch logs stay empty
  • Only some object keys trigger the function while others are silently ignored
  • A newly recreated Lambda function stopped receiving events from the same bucket

Common Causes

  • The Lambda resource policy does not allow s3.amazonaws.com to invoke the function
  • The bucket notification still points to an old Lambda ARN after function replacement
  • Prefix or suffix filters do not match the object key that was uploaded
  • Another notification configuration change overwrote the expected Lambda target

Step-by-Step Fix

  1. Inspect the live S3 notification configuration
     Confirm the exact event types, Lambda ARN, and filter rules on the bucket instead of assuming the console still reflects the last deployment.

```bash
aws s3api get-bucket-notification-configuration \
  --bucket my-bucket
```

  2. Verify the Lambda resource policy allows S3 invocation
     The function must trust the bucket as an invoke source. This is the most common reason the notification exists but no invocation is delivered.

```bash
aws lambda get-policy --function-name my-function
```

  3. Add or repair the Lambda invoke permission
     Use the current function name or ARN and the exact source bucket. If the function was replaced, the old policy statement may no longer be attached to the active function.

```bash
aws lambda add-permission \
  --function-name my-function \
  --statement-id s3invoke \
  --action lambda:InvokeFunction \
  --principal s3.amazonaws.com \
  --source-arn arn:aws:s3:::my-bucket \
  --source-account 123456789012
```

  4. Retest with an object key that matches the configured filter
     If the notification uses prefix or suffix, a test upload outside that pattern proves nothing.

```bash
aws s3 cp test.jpg s3://my-bucket/uploads/test.jpg
```
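
An offline check that ties the four steps together, as an added example (not part of the original page or of AWS tooling): it reads the JSON returned by the two read-only commands and reports a stale Lambda ARN, an object key that misses the prefix/suffix filter, a missing S3 invoke grant, or a grant that lacks the source-account condition. The sample JSON, the region in the ARN, and the finding names are constructed for illustration; the source ARN is compared as an exact string, so a wildcard ARN is reported as no grant for the bucket.

```python
import json

# Constructed sample data shaped like the output of the two read-only CLI calls
# above; the region, account ID and names are placeholders, not real resources.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
NOTIFICATION = {"LambdaFunctionConfigurations": [{
    "LambdaFunctionArn": FUNCTION_ARN, "Events": ["s3:ObjectCreated:*"],
    "Filter": {"Key": {"FilterRules": [{"Name": "prefix", "Value": "uploads/"},
                                       {"Name": "suffix", "Value": ".jpg"}]}}}]}
# `aws lambda get-policy` returns the policy document as a JSON string.
GET_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "s3invoke", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"},
                  "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"}}}]})}

def key_matches(cfg, key):
    """Apply one notification entry's prefix/suffix rules to an object key."""
    rules = cfg.get("Filter", {}).get("Key", {}).get("FilterRules", [])
    checks = {"prefix": key.startswith, "suffix": key.endswith}
    return all(checks[r["Name"].lower()](r["Value"]) for r in rules)

def s3_grant(stmt, bucket, account):
    """Return (allows_bucket, pinned_to_account) for one policy statement."""
    cond = {k.lower(): v for op in stmt.get("Condition", {}).values()
            for k, v in op.items()}
    allows = (stmt.get("Effect") == "Allow"
              and stmt.get("Principal") == {"Service": "s3.amazonaws.com"}
              and stmt.get("Action") == "lambda:InvokeFunction"
              and cond.get("aws:sourcearn") == f"arn:aws:s3:::{bucket}")
    return allows, cond.get("aws:sourceaccount") == account

def diagnose(notification, get_policy, function_arn, bucket, account, key):
    """List findings: silent-trigger causes and a grant not pinned to the account."""
    findings = []
    targets = [c for c in notification.get("LambdaFunctionConfigurations", [])
               if c["LambdaFunctionArn"] == function_arn]
    if not targets:
        findings.append("notification-target-missing-or-stale")
    elif not any(key_matches(c, key) for c in targets):
        findings.append("key-filter-mismatch")
    grants = [s3_grant(s, bucket, account)
              for s in json.loads(get_policy["Policy"])["Statement"]]
    if not any(allows for allows, _ in grants):
        findings.append("no-s3-invoke-permission")
    elif not any(allows and pinned for allows, pinned in grants):
        findings.append("grant-not-pinned-to-source-account")
    return findings
```

The last finding does not stop delivery; it flags a grant that names the bucket but not its owner. S3 bucket ARNs carry no account ID, so the source-account condition is what ties the permission to the account that owns the bucket.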

Prevention

  • Manage S3 notifications and Lambda permissions in the same infrastructure deployment
  • Reapply bucket notifications whenever a Lambda function ARN changes
  • Keep prefix and suffix filters narrow but well-documented
  • Add monitoring for both S3 object counts and downstream Lambda invocations so silent trigger failures surface quickly