How to Use Lambda with a Local File Server in Place of Amazon S3 to Meet Compliance Requirements
Solution: replace Amazon S3 and let Lambda securely access a local file server (zero data stored in the cloud)
Got it, let's break down how to solve this without letting your critical data touch AWS S3 at all—even for a millisecond. Here's a practical, compliance-aligned approach:
Step 1: Establish a secure connection between Lambda and your local network
Lambda lives in AWS's cloud, so first you need to bridge it to your local network without exposing data to the public internet:
- Deploy Lambda in a VPC: Put your Lambda function in a private subnet of an AWS VPC. This prevents it from accessing the public internet by default.
- Set up Site-to-Site VPN or AWS Direct Connect: Connect your VPC to your local on-premises network using a managed IPsec-encrypted VPN or Direct Connect (a dedicated physical link). This creates a secure, private tunnel between AWS and your local server—no data touches the open web.
- Configure VPC routing: Ensure the route tables for your Lambda's subnet point to the VPN/Direct Connect gateway, so Lambda can resolve and reach your local file server's private IP.
Step 2: Replace the S3 user upload flow
Since users can't upload to S3 anymore, you need a direct path to your local server:
- Deploy a local upload service: Set up a web server (e.g., Nginx + Node.js/Flask) on your local network (or a DMZ if needed) that accepts file uploads from your GUI. This service should immediately save files to your local file server—no intermediate cloud storage.
- Trigger Lambda without S3: Instead of S3 events triggering Lambda, have your local upload service send a metadata-only trigger to Lambda:
- Option 1: Use AWS EventBridge Custom Events. Your local service can call the EventBridge API via the VPN/Direct Connect tunnel to send a message with the file's path on your local server (no file data included).
- Option 2: Use AWS SQS. Your local service adds a queue message with the file path, and Lambda is configured to poll this queue. Again, only metadata—no actual data in SQS.
- Important: Ensure the trigger only contains pointers to the file, not any sensitive data itself.
Step 3: Let Lambda read from and write to the local file server
Once Lambda can reach your local network, it needs to interact with your file server. Choose a method that fits your server's setup:
- HTTP/HTTPS API (simplest): Build a lightweight REST API on your local file server that exposes endpoints to read, write, and delete files. Lambda can use standard HTTP clients (like Python's requests or Node.js's fetch) to call these endpoints over the encrypted VPN tunnel.
- SMB/NFS Protocol: If your server uses SMB or NFS, add the necessary tools to your Lambda deployment package (e.g., smbclient for SMB) to connect directly to the shared directory. Just make sure:
- Lambda has the correct credentials (username/password, or AD-integrated roles) to access the share.
- The protocol is encrypted (use SMB 3.0 or later for encryption in transit).
- SFTP: For secure file transfer, set up an SFTP server on your local network. Lambda can use SFTP libraries (like paramiko in Python) to connect and transfer files.
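As an added example (not code from the original answer or from AWS), here is a Python consumer for the Option 2 SQS trigger from Step 2 combined with the HTTPS API from Step 3: it accepts only metadata pointers, confines paths to one permitted directory, fetches the file from the local REST API over the tunnel, and returns the list SQS needs for partial-batch failure reporting. The API address, the allowed directory, the pointer schema and the `/files` endpoint are assumptions (placeholders), not values from the post.

```python
import json
import os
import posixpath
import urllib.parse
import urllib.request

# Assumed configuration (placeholders): local file API address and the one directory Lambda may read.
FILE_API_BASE = os.environ.get("FILE_API_BASE", "https://fileserver.corp.internal/api")
ALLOWED_ROOT = os.environ.get("ALLOWED_ROOT", "/uploads")
POINTER_FIELDS = {"path", "size", "uploaded_at"}  # assumed metadata-only schema


def validate_pointer(body: str) -> str:
    """Return a safe absolute path from an SQS message body, or raise ValueError.
    Rejects fields outside the schema (so file content cannot ride along in the
    queue) and paths that escape ALLOWED_ROOT through '..' components."""
    msg = json.loads(body)
    if not isinstance(msg, dict) or set(msg) - POINTER_FIELDS:
        raise ValueError("pointer must be an object carrying only metadata fields")
    path = msg.get("path")
    if not isinstance(path, str) or not path.startswith("/"):
        raise ValueError("pointer.path must be an absolute path string")
    norm = posixpath.normpath(path)  # collapses '..' and duplicate slashes
    if norm != ALLOWED_ROOT and not norm.startswith(ALLOWED_ROOT + "/"):
        raise ValueError(f"{norm} is outside {ALLOWED_ROOT}")
    return norm


def _https_get(url: str) -> bytes:
    # Default transport: stdlib HTTPS, certificate verification on by default.
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def fetch_file(path: str, http_get=_https_get) -> bytes:
    """Read a validated path through the local REST API; the transport is injectable."""
    return http_get(FILE_API_BASE + "/files" + urllib.parse.quote(path))


def process_records(event: dict, http_get=_https_get):
    """Handle one SQS batch; return (paths read, batchItemFailures list for the handler)."""
    processed, failures = [], []
    for record in event.get("Records", []):
        try:
            path = validate_pointer(record["body"])
            size = len(fetch_file(path, http_get))
        except (ValueError, KeyError, OSError) as exc:
            # Audit by message id and reason only; never echo the body into logs.
            print(json.dumps({"action": "reject", "id": record.get("messageId"), "reason": str(exc)}))
            failures.append({"itemIdentifier": record.get("messageId")})
        else:
            print(json.dumps({"action": "read", "path": path, "bytes": size}))  # audit line
            processed.append(path)
    return processed, failures
```

A Lambda handler wraps this as `return {"batchItemFailures": failures}` with ReportBatchItemFailures enabled on the SQS event source mapping, so only rejected messages are retried or dead-lettered.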
Step 4: Strengthen compliance and auditing
To satisfy your compliance team:
- Encrypt all data in transit: Use HTTPS for APIs, IPsec for VPN, encrypted SMB/NFS, or SFTP to ensure data never travels unencrypted.
- Log all activity: Enable CloudWatch Logs for Lambda to track when it accesses your local server, and keep detailed logs on your local file server for uploads, reads, and writes.
- Restrict permissions: Limit Lambda's IAM permissions to only what it needs (e.g., only allow it to call EventBridge/SQS, or access specific VPC resources). On your local server, restrict Lambda's access to specific directories/files using role-based access control.
Alternative: move the processing logic on-premises (if feasible)
If you are willing to give up Lambda, you can run the file-processing logic entirely on your local server. That removes the need to connect any AWS service to your network and may simplify the compliance process. But if you need to keep your existing Lambda workflow, the approach above works fine.
The question addressed here comes from Stack Exchange; it was asked by user1141785.