# Lambda function not triggered by S3 event notification: 'AccessDenied' error in S3 bucket event configuration

- **ID:** `cloud/aws-lambda-s3-event-notification-missing`
- **Domain:** cloud
- **Category:** auth_error
- **Error Code:** `AccessDenied`
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

S3 is not permitted to invoke the Lambda function named in the bucket's event notification configuration, typically because the function's resource-based policy is missing or does not allow the S3 service principal (`s3.amazonaws.com`).

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS Lambda (runtime: Node.js 18, Python 3.11) | active | — | — |
| AWS S3 (standard tier) | active | — | — |
| AWS CLI 2.15.0 | active | — | — |

## Workarounds

1. **Add a resource-based policy to the Lambda function using the AWS CLI** (95% success)
   ```
   aws lambda add-permission --function-name my-function --statement-id s3-invoke --principal s3.amazonaws.com --action lambda:InvokeFunction --source-arn arn:aws:s3:::my-bucket --source-account 123456789012
   ```
2. **Use AWS CloudTrail to check the exact AccessDenied error and see whether it comes from S3 or Lambda** (85% success)
   ```
   aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketNotificationConfiguration --region us-east-1
   ```
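
To confirm that workaround 1 took effect, the following added example (not part of the original entry) audits the output of `aws lambda get-policy` for a statement that lets `s3.amazonaws.com` invoke the function for the bucket and account used in the command above. The sample policy is constructed, the function and variable names are hypothetical, and every condition operator is treated as a wildcard match.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: `aws lambda get-policy` output after the add-permission command above.
SAMPLE = json.dumps({"Policy": json.dumps({
    "Statement": [{
        "Sid": "s3-invoke", "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": "123456789012"},
            "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"},
        },
    }],
})})

def _listify(value):
    return value if isinstance(value, list) else [value]

def _cond(stmt, key):
    """Values of a condition key across all operators (key names are case-insensitive)."""
    return [v for ops in stmt.get("Condition", {}).values()
            for k, vals in ops.items() if k.lower() == key for v in _listify(vals)]

def _grants_s3_invoke(stmt):
    principal = stmt.get("Principal")
    services = _listify(principal.get("Service", [])) if isinstance(principal, dict) else []
    actions = [a.lower() for a in _listify(stmt.get("Action", []))]
    return (stmt.get("Effect") == "Allow" and "s3.amazonaws.com" in services
            and any(fnmatchcase("lambda:invokefunction", a) for a in actions))

def audit_s3_invoke(get_policy_output, bucket_arn, account_id):
    """Return findings; an empty list means S3 can invoke for this bucket and the grant is scoped."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])  # Policy is a JSON string
    findings, usable = [], False
    for stmt in filter(_grants_s3_invoke, _listify(policy.get("Statement", []))):
        arns, sid = _cond(stmt, "aws:sourcearn"), stmt.get("Sid", "<no Sid>")
        if arns and not any(fnmatchcase(bucket_arn, p) for p in arns):
            continue  # this grant is scoped to a different bucket
        usable = True
        if not arns:
            findings.append(f"{sid}: no aws:SourceArn, grant is not limited to one bucket")
        if account_id not in _cond(stmt, "aws:sourceaccount"):
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
    if not usable:
        findings.insert(0, f"no statement lets s3.amazonaws.com invoke for {bucket_arn}")
    return findings
```

Pass it the JSON printed by `aws lambda get-policy --function-name my-function`. If that call itself fails with `ResourceNotFoundException`, the function has no resource-based policy at all.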

## Dead Ends

- S3 bucket policies control access to the bucket itself, not who can invoke the Lambda function. The permission must be on the Lambda function's resource-based policy. (90% fail)
- Recreating the notification does not fix the underlying permission issue. The same error will occur if the Lambda policy is missing. (70% fail)
