Configuring the Bucket Snake Lambda Function
Bucket Snake is configured through a number of environment variables. The table below lists each one, its default, whether it is required, and an example value.
| Environment Variable | Default Value | Required | Description | Example |
|---|---|---|---|---|
| `APP_REPORTS_BUCKETS` | None | Yes | A comma-separated list of S3 bucket names that contain the historical S3 report JSON. It is a list so that applications can use per-region buckets. | `"historical-report-bucket-us-east-1,historical-report-bucket-us-west-2,historical-report-bucket-eu-west-1"` (replace with your buckets) |
| `SWAG_BUCKET` | None | Yes | The S3 bucket that contains the SWAG data set. | `"swag-data-set-bucket-here"` (replace with your bucket) |
| `SWAG_REGION` | None | Yes | The region in which the SWAG bucket lives. | `"us-east-1"` (replace with your SWAG bucket region) |
| `SWAG_DATA_FILE` | None | Yes | The prefix (object key) of the accounts JSON within the SWAG bucket. | `"v2/accounts.json"` (replace with your prefix) |
| `REPORTS_BUCKET` | None | Yes | The S3 bucket containing the historical S3 report JSON that Bucket Snake itself reads. This is a single bucket, as opposed to the list granted to the application. | `"historical-report-bucket-us-east-1"` (replace with your bucket) |
| `REPORTS_REGION` | None | Yes | The region of the S3 bucket that contains the historical report. | `"us-east-1"` (replace with your historical report bucket region) |
| `REPORTS_PREFIX` | `"historical-s3-report.json"` | No | The prefix (object key) of the historical S3 report JSON within `REPORTS_BUCKET`. | See default |
| `BLACKLISTED_SOURCE_ACCOUNTS` | None | No | A comma-separated list of 12-digit AWS account IDs whose source IAM roles are not permitted to use Bucket Snake for S3 access. Bucket Snake will not operate for source application IAM roles in these accounts. | `"0123456678910,012345678911"` (replace with your account IDs) |
| `BLACKLISTED_BUCKET_ACCOUNTS` | None | No | A comma-separated list of 12-digit AWS account IDs to which Bucket Snake must not grant S3 access, that is, accounts holding protected buckets that Bucket Snake should never grant access to. | `"0123456678910,012345678911"` (replace with your account IDs) |
| `BUCKET_SNAKE_POLICY_NAME` | `"BucketSnake"` | No | The name of the IAM policy, attached to the destination IAM role, that grants S3 access. | See default |
| `STS_POLICY_NAME` | `"BucketSnakeAssumeRole"` | No | The name of the IAM policy, attached to the source IAM role, that grants `sts:AssumeRole` permissions to the destination AWS account S3 roles. | See default |
| `DEST_ROLE_DESCRIPTION` | `"Bucket Snake provisioned role"` | No | The description given to the destination S3 IAM roles provisioned by Bucket Snake. | See default |
| `BUCKET_SNAKE_ROLE` | `"BucketSnake"` | No | The name of the IAM role that Bucket Snake assumes in order to perform activities in the destination AWS account. | See default |
| `BUCKET_SNAKE_SESSION_NAME` | `"BucketSnake"` | No | The STS session name Bucket Snake uses when it assumes the destination AWS account IAM roles. | See default |
| `IAM_REGION` | `"us-east-1"` | No | The AWS region to which IAM API calls are sent. | See default |
These variables are supplied to the Lambda function through the serverless configuration.
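As an added example (not Bucket Snake's own code), the loader below reads the variables from the table, applies the documented defaults, splits the comma-separated values, and fails closed when a required variable is missing or a blacklist contains something other than a 12-digit account ID; `load_config` and `split_list` are hypothetical names chosen here.

```python
# Added example, not part of Bucket Snake: validate the documented environment.
import re

# Required variables have no default; optional ones carry the documented default.
REQUIRED = ("APP_REPORTS_BUCKETS", "SWAG_BUCKET", "SWAG_REGION",
            "SWAG_DATA_FILE", "REPORTS_BUCKET", "REPORTS_REGION")
DEFAULTS = {
    "REPORTS_PREFIX": "historical-s3-report.json",
    "BLACKLISTED_SOURCE_ACCOUNTS": "",
    "BLACKLISTED_BUCKET_ACCOUNTS": "",
    "BUCKET_SNAKE_POLICY_NAME": "BucketSnake",
    "STS_POLICY_NAME": "BucketSnakeAssumeRole",
    "DEST_ROLE_DESCRIPTION": "Bucket Snake provisioned role",
    "BUCKET_SNAKE_ROLE": "BucketSnake",
    "BUCKET_SNAKE_SESSION_NAME": "BucketSnake",
    "IAM_REGION": "us-east-1",
}
# Comma-separated variables; the two blacklists must hold 12-digit account IDs.
LIST_VARS = ("APP_REPORTS_BUCKETS", "BLACKLISTED_SOURCE_ACCOUNTS",
             "BLACKLISTED_BUCKET_ACCOUNTS")
BLACKLISTS = LIST_VARS[1:]
ACCOUNT_ID = re.compile(r"^\d{12}$")


def split_list(value):
    """Split a comma-separated value, dropping blanks and surrounding whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_config(env):
    """Return the validated config from a mapping such as os.environ.

    Raises ValueError on a missing required variable or on a blacklist entry
    that is not a 12-digit AWS account ID, so a typo cannot silently turn a
    protected account into one that Bucket Snake will grant access to.
    """
    missing = [name for name in REQUIRED if not env.get(name, "").strip()]
    if missing:
        raise ValueError("missing required variables: " + ", ".join(missing))
    config = {name: env[name].strip() for name in REQUIRED}
    for name, default in DEFAULTS.items():
        config[name] = env.get(name, default)
    for name in LIST_VARS:
        config[name] = split_list(config[name])
    for name in BLACKLISTS:
        bad = [acct for acct in config[name] if not ACCOUNT_ID.match(acct)]
        if bad:
            raise ValueError(f"{name} has non-12-digit account IDs: {bad}")
    return config
```

Call `load_config(os.environ)` at the start of the Lambda handler so a misconfigured deployment stops before any IAM or S3 call is made.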