# Lambda function not triggered by S3 event notification: 'AccessDenied' error in the S3 bucket event configuration

- **ID:** `cloud/aws-lambda-s3-event-notification-missing`
- **Domain:** cloud
- **Category:** auth_error
- **Error code:** `AccessDenied`
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root cause

The S3 bucket's event notification configuration lacks the permission needed to invoke the Lambda function, usually because the Lambda function has no resource-based policy or that policy does not allow the S3 service principal (`s3.amazonaws.com`).

## Version compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS Lambda (runtime: Node.js 18, Python 3.11) | active | — | — |
| AWS S3 (standard tier) | active | — | — |
| AWS CLI 2.15.0 | active | — | — |

## Solution

1. Add a resource-based policy to the Lambda function using the AWS CLI: `aws lambda add-permission --function-name my-function --statement-id s3-invoke --principal s3.amazonaws.com --action lambda:InvokeFunction --source-arn arn:aws:s3:::my-bucket --source-account 123456789012`
2. Use AWS CloudTrail to check the exact `AccessDenied` error: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketNotificationConfiguration --region us-east-1` to see whether the error originates from S3 or from Lambda.
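The `add-permission` command above writes one statement into the function's resource-based policy; the usual way to confirm it took effect is to read the policy back with `aws lambda get-policy` and check that the statement actually covers the S3 service principal, the bucket ARN and the source account. The following is an added example, not code from this entry or from AWS, that performs that check offline on constructed policy documents. The function ARN, bucket ARN and account ID are assumptions matching the placeholder values used in the command above.

```python
import json
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Union

# Hypothetical identifiers, matching the placeholders in the add-permission command above.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
BUCKET_ARN = "arn:aws:s3:::my-bucket"
SOURCE_ACCOUNT = "123456789012"

# Constructed sample: the shape `aws lambda get-policy` returns after a successful add-permission.
GOOD_POLICY = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17", "Id": "default", "Statement": [{
        "Sid": "s3-invoke", "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"AWS:SourceAccount": SOURCE_ACCOUNT},
                      "ArnLike": {"AWS:SourceArn": BUCKET_ARN}}}]})})

# Constructed sample: permission granted without --source-account, so any account's bucket of that name could invoke.
NO_ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17", "Statement": [{
        "Sid": "s3-invoke", "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
        "Condition": {"ArnLike": {"AWS:SourceArn": BUCKET_ARN}}}]})

# Constructed sample: a function with no S3 statement at all (the failure this page describes).
EMPTY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(stmt: Dict[str, Any], operators: tuple, key: str) -> List[str]:
    """Collect values for one condition key under any of the given operators (keys are case-insensitive)."""
    found: List[str] = []
    for op, pairs in stmt.get("Condition", {}).items():
        if op in operators:
            for k, v in pairs.items():
                if k.lower() == key.lower():
                    found.extend(_as_list(v))
    return found


def check_s3_invoke_permission(policy_doc: Union[str, Dict[str, Any]], function_arn: str,
                               bucket_arn: str, account_id: str) -> Dict[str, Any]:
    """Report whether the Lambda resource-based policy lets S3 (for this bucket and account) invoke the function."""
    # Accept the raw get-policy output ({"Policy": "<json string>"}) or the bare policy document.
    if isinstance(policy_doc, str):
        policy_doc = json.loads(policy_doc)
    if isinstance(policy_doc.get("Policy"), str):
        policy_doc = json.loads(policy_doc["Policy"])

    issues: List[str] = []
    candidates = []
    for stmt in _as_list(policy_doc.get("Statement")):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if (stmt.get("Effect") == "Allow"
                and "s3.amazonaws.com" in services
                and any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions)
                and function_arn in _as_list(stmt.get("Resource"))):
            candidates.append(stmt)

    if not candidates:
        issues.append("no Allow statement lets s3.amazonaws.com call lambda:InvokeFunction on the function")
        return {"ok": False, "issues": issues, "statement_ids": []}

    ok_sids: List[str] = []
    for stmt in candidates:
        sid = stmt.get("Sid", "<no Sid>")
        src_arns = _condition_values(stmt, ("ArnLike", "ArnEquals"), "AWS:SourceArn")
        src_accounts = _condition_values(stmt, ("StringEquals",), "AWS:SourceAccount")
        stmt_issues = []
        # ArnLike patterns may contain wildcards; the bucket ARN must match at least one.
        if not any(fnmatchcase(bucket_arn, pattern) for pattern in src_arns):
            stmt_issues.append(f"{sid}: AWS:SourceArn does not cover {bucket_arn} (got {src_arns or 'none'})")
        # Without AWS:SourceAccount the grant is not scoped to the bucket owner's account.
        if account_id not in src_accounts:
            stmt_issues.append(f"{sid}: AWS:SourceAccount condition missing or not {account_id}")
        if stmt_issues:
            issues.extend(stmt_issues)
        else:
            ok_sids.append(sid)
    return {"ok": bool(ok_sids), "issues": issues, "statement_ids": ok_sids}


if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("no-account", NO_ACCOUNT_POLICY), ("empty", EMPTY_POLICY)):
        print(name, check_s3_invoke_permission(doc, FUNCTION_ARN, BUCKET_ARN, SOURCE_ACCOUNT))
```

In practice, pipe the output of `aws lambda get-policy --function-name my-function` into `check_s3_invoke_permission`; a result with `ok` false and an empty `statement_ids` list is the condition described under Root cause, while a missing `AWS:SourceAccount` finding means the permission exists but was added without `--source-account`.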

## Failed attempts

- S3 bucket policies control access to the bucket itself, not who can invoke the Lambda function. The permission must be on the Lambda function's resource-based policy. (90% failure rate)
- Recreating the notification does not fix the underlying permission issue. The same error will occur if the Lambda policy is missing. (70% failure rate)
