hands-on lab

Building a Serverless Versioning Solution for Amazon S3 Bucket Policies

Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.
Lab description

Amazon S3 bucket policies are used to secure access to objects within an S3 bucket. These bucket policies are put in place to only allow bucket access to users with appropriate permissions. As a project or team grows, these policies may require updates to the permissions, which means updating the S3 bucket policy.

Versioning allows teams to maintain a history of changes made to S3 bucket policies, with the added benefit of being able to restore previous policy versions if the need arises.

In this lab, you will create a backup and restore solution for Amazon S3 bucket policies. You will build a serverless architecture that utilizes Amazon EventBridge, Amazon DynamoDB, and AWS Lambda to register and restore S3 bucket policies whenever a new version is created.

Learning objectives

Upon completion of this beginner-level lab, you will be able to:

  • Create an Amazon EventBridge rule to target an Amazon S3 management event
  • Define an AWS Lambda function that registers S3 bucket policies in DynamoDB
  • Define an AWS Lambda function that restores S3 bucket policy versions from DynamoDB

Intended audiences

  • Candidates for AWS Certified Developer - Associate Certification
  • Cloud Architects
  • Software Engineers


Familiarity with the following will be beneficial but is not required:

  • Amazon EventBridge
  • Amazon Simple Storage Service (S3)
  • AWS Lambda
  • Amazon DynamoDB

The following content can be used to fulfill the prerequisites:



April 5th, 2024 - Updated the instructions and screenshots to reflect the latest UI

December 7th, 2023 - Updated DynamoDB configuration


Environment before
Environment after
About the author
Jun Fritz, opens in a new tab
Cloud Labs Developer
Learning paths

Jun is a Cloud Labs Developer with previous experience as a Software Engineer and Cloud Developer. He holds the AWS Certified Solutions Architect and DevOps Engineer Professional certifications. He also holds the AWS Certified Solutions Architect, Developer, and SysOps Administrator Associate certifications. 

Jun is focused on giving back to the growing cloud community by sharing his knowledge and experience with students and creating engaging content. 

Covered topics
Lab steps
Logging In to the Amazon Web Services Console
Targeting an S3 event using an Amazon EventBridge rule
Registering bucket policies with AWS Lambda
Triggering a Lambda function with an S3 event
Restoring bucket policies with AWS Lambda