New serverless pattern - lambda-s3-files-cdk by NithinChandranR-AWS · Pull Request #3075 · aws-samples/serverless-patterns

NithinChandranR-AWS · 2026-04-23T17:59:03Z

New Serverless Pattern: Lambda with Amazon S3 Files Mount

Description

Deploys a Lambda function with an Amazon S3 Files file system mounted at /mnt/s3data, enabling standard file operations (read, write, list) on S3 data without downloading objects. Uses Amazon S3 Files (GA April 2026).

Architecture

┌──────────┐     ┌──────────────────────────┐
│ S3 Bucket│◄───►│  S3 Files FileSystem     │
└──────────┘     └────────────┬─────────────┘
                              │ NFS (port 2049)
                 ┌────────────┴─────────────┐
                 │           VPC            │
                 │  Mount Target (AZ-1)     │
                 │  Mount Target (AZ-2)     │
                 │       ▲                  │
                 │  Lambda /mnt/s3data      │
                 └──────────────────────────┘

Key Features

S3 Files FileSystem + MountTargets + AccessPoint (L1 constructs — no L2 yet)
VPC with 2 AZs, security group for NFS traffic (port 2049)
Lambda reads/writes/lists files via standard Node.js fs module
Bidirectional sync between S3 bucket and mounted filesystem
Sub-millisecond latency on actively used data
POSIX user identity (UID/GID 1000) via AccessPoint

Framework / Language

AWS CDK (TypeScript)
Lambda: Node.js 22.x

Deployment & Testing

Deployed and tested successfully on AWS
Write ✅ Read ✅ List ✅ S3 Sync ✅ (all verified)

Files

File	Purpose
`lib/lambda-s3-files-stack.ts`	CDK stack (VPC, S3 Files, Lambda)
`src/index.js`	Lambda handler (read/write/list)
`example-pattern.json`	Serverless Land metadata

Deploy a Lambda function with an Amazon S3 Files file system mounted as a local directory, enabling standard file operations on S3 data without downloading objects. Key features: - S3 Files FileSystem with NFS mount on Lambda at /mnt/s3data - VPC with 2 AZs, mount targets, and access point (L1 constructs) - Security group for NFS traffic (port 2049) - Read, write, and list operations via standard fs module - Bidirectional sync between S3 bucket and mounted filesystem - Sub-millisecond latency on actively used data

Replace wildcard resource with specific S3 Files access point ARN for least-privilege IAM.

bfreiberg · 2026-04-24T06:22:52Z

Thanks for submitting this pattern! Here's what needs to be addressed:

Path Traversal Vulnerability in File Operations — src/index.js line 11: User-controlled filename and directory inputs are not validated, allowing '../' sequences to access files outside intended paths. Add input validation to reject filenames/directories containing '..' sequences and restrict to alphanumeric characters, hyphens, and underscores.
First reference of service names must use the full name. Lambda should be AWS Lambda — README.md line 1: "Lambda" is used but "AWS Lambda" never appears in the document Change the first reference to "AWS Lambda". Short name "Lambda" is fine after that.
First reference should be AWS IAM — README.md line 11: "IAM" is used but "AWS IAM" never appears in the document Change the first reference to "AWS IAM". Short name "IAM" is fine after that.

bfreiberg · 2026-04-24T06:23:08Z

+
+## How it works
+
+[Amazon S3 Files](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-files.html) (GA April 2026) provides NFS access to S3 buckets with full POSIX semantics. This pattern mounts an S3 bucket on a Lambda function at `/mnt/s3data`.


Suggested change

[Amazon S3 Files](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-files.html) (GA April 2026) provides NFS access to S3 buckets with full POSIX semantics. This pattern mounts an S3 bucket on a Lambda function at `/mnt/s3data`.

[Amazon S3 Files](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-files.html) provides NFS access to S3 buckets with full POSIX semantics. This pattern mounts an S3 bucket on a Lambda function at `/mnt/s3data`.

Done, removed "(GA April 2026)". Fixed in f963437.

bfreiberg · 2026-04-24T06:24:23Z

+
+    // Lambda function with S3 Files mount
+    const fn = new lambda.Function(this, "S3FilesFn", {
+      runtime: lambda.Runtime.NODEJS_22_X,


Why not use the latest runtime version?

Upgraded to nodejs24.x via CDK escape hatch (L2 does not have NODEJS_24_X yet). Deployed and tested on a live stack — list, write, and read all pass. Fixed in f963437.

bfreiberg · 2026-04-24T06:24:58Z

@@ -0,0 +1,61 @@
+{
+  "title": "Lambda with Amazon S3 Files Mount",


Suggested change

"title": "Lambda with Amazon S3 Files Mount",

"title": "AWS Lambda with Amazon S3 Files Mount",

Updated to "AWS Lambda with Amazon S3 Files Mount". Fixed in f963437.

bfreiberg · 2026-04-24T06:25:19Z

+    "headline": "How it works",
+    "text": [
+      "This pattern deploys a Lambda function with an Amazon S3 Files file system mounted at /mnt/s3data. The function performs standard file operations (read, write, list) on S3 data using the local filesystem — no S3 API calls needed.",
+      "S3 Files (GA April 2026) provides NFS access to S3 buckets with sub-millisecond latency on small files and full POSIX semantics. The pattern creates a VPC, S3 Files file system, mount targets, access point, and a Lambda function wired together.",


Suggested change

"S3 Files (GA April 2026) provides NFS access to S3 buckets with sub-millisecond latency on small files and full POSIX semantics. The pattern creates a VPC, S3 Files file system, mount targets, access point, and a Lambda function wired together.",

"S3 Files provides NFS access to S3 buckets with sub-millisecond latency on small files and full POSIX semantics. The pattern creates a VPC, S3 Files file system, mount targets, access point, and a Lambda function wired together.",

Applied suggested description, removed "(GA April 2026)". Fixed in f963437.

- Remove (GA April 2026) from README and example-pattern.json - Upgrade runtime to nodejs24.x via escape hatch - Update title to 'AWS Lambda with Amazon S3 Files Mount' - Use reviewer-suggested description text

NithinChandranR-AWS · 2026-04-24T11:12:34Z

Thanks for the quick review, @bfreiberg! All 4 comments addressed and pushed. Would appreciate another look when you get a chance

bfreiberg · 2026-04-27T11:42:01Z

+    "aws-cdk-lib": "2.180.0",
+    "constructs": "10.4.2"


Could you please update these to the latest version. Please also use ^ to make them compatible with future releases

Updated to aws-cdk-lib ^2.251.0 and constructs ^10.6.0. Fixed in 81c938c.

bfreiberg · 2026-04-27T11:43:01Z

+
+    // Attach S3 Files filesystem config via escape hatch
+    const cfnFn = fn.node.defaultChild as lambda.CfnFunction;
+    cfnFn.addOverride("Properties.Runtime", "nodejs24.x");


the latest cdk version include NODEJS_24_X as a lambda.Runtime value

Switched to lambda.Runtime.NODEJS_24_X — no more escape hatch. Fixed in 81c938c.

bfreiberg · 2026-04-27T11:44:47Z

+    // Attach S3 Files filesystem config via escape hatch
+    const cfnFn = fn.node.defaultChild as lambda.CfnFunction;
+    cfnFn.addOverride("Properties.Runtime", "nodejs24.x");
+    cfnFn.fileSystemConfigs = [


cdk 2.521.0 and higher support S3 Files directly: https://docs.aws.amazon.com/cdk/api/v2/java/software/amazon/awscdk/services/lambda/FileSystem.html

Refactored to use typed s3files.CfnFileSystem/CfnMountTarget/CfnAccessPoint constructs and lambda.FileSystem.fromS3FilesAccessPoint(). Deployed and tested — write, read, list all pass. Fixed in 81c938c.

- Update aws-cdk-lib to ^2.251.0 and constructs to ^10.6.0 - Replace generic CfnResource with s3files.CfnFileSystem/CfnMountTarget/CfnAccessPoint - Use lambda.Runtime.NODEJS_24_X instead of escape hatch - Use lambda.FileSystem.fromS3FilesAccessPoint instead of manual fileSystemConfigs

…ame references - Add safePath() to validate filenames/directories against traversal attacks - Use 'AWS Lambda' and 'AWS IAM' for first references in README

NithinChandranR-AWS · 2026-04-27T12:08:53Z

All 3 items from the initial review addressed in e4464d7:

Path traversal — Added safePath() validation using path.resolve() to reject .. sequences. Tested: ../../etc/passwd correctly blocked for write, read, and list.
AWS Lambda — First reference updated to "AWS Lambda" in README title and description.
AWS IAM — First reference updated to "AWS IAM" in README.

Deployed and tested on a live stack — normal operations pass, traversal attempts are blocked.

bfreiberg

Looks good, thanks for your contribution. Your pattern will be merged to Serverlessland soon

julianwood assigned bfreiberg and julianwood Apr 23, 2026

fix(iam): scope s3files permissions to access point ARN

9706c34

Replace wildcard resource with specific S3 Files access point ARN for least-privilege IAM.

bfreiberg requested changes Apr 24, 2026

View reviewed changes

bfreiberg reviewed Apr 24, 2026

View reviewed changes

fix(lambda-s3-files-cdk): Address review comments

f963437

- Remove (GA April 2026) from README and example-pattern.json - Upgrade runtime to nodejs24.x via escape hatch - Update title to 'AWS Lambda with Amazon S3 Files Mount' - Use reviewer-suggested description text

NithinChandranR-AWS requested a review from bfreiberg April 24, 2026 08:01

bfreiberg requested changes Apr 27, 2026

View reviewed changes

NithinChandranR-AWS added 2 commits April 27, 2026 11:51

fix(lambda-s3-files): add path traversal validation and fix service n…

e4464d7

…ame references - Add safePath() to validate filenames/directories against traversal attacks - Use 'AWS Lambda' and 'AWS IAM' for first references in README

NithinChandranR-AWS requested a review from bfreiberg April 27, 2026 12:10

Add final pattern file

fb20a87

bfreiberg approved these changes Apr 27, 2026

View reviewed changes

bfreiberg added the Patterns Guardian approved label Apr 27, 2026


		## How it works

		[Amazon S3 Files](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-files.html) (GA April 2026) provides NFS access to S3 buckets with full POSIX semantics. This pattern mounts an S3 bucket on a Lambda function at `/mnt/s3data`.

		@@ -0,0 +1,61 @@
		{
		"title": "Lambda with Amazon S3 Files Mount",

	"title": "Lambda with Amazon S3 Files Mount",
	"title": "AWS Lambda with Amazon S3 Files Mount",

	"S3 Files (GA April 2026) provides NFS access to S3 buckets with sub-millisecond latency on small files and full POSIX semantics. The pattern creates a VPC, S3 Files file system, mount targets, access point, and a Lambda function wired together.",
	"S3 Files provides NFS access to S3 buckets with sub-millisecond latency on small files and full POSIX semantics. The pattern creates a VPC, S3 Files file system, mount targets, access point, and a Lambda function wired together.",

Conversation

NithinChandranR-AWS commented Apr 23, 2026

New Serverless Pattern: Lambda with Amazon S3 Files Mount

Description

Architecture

Key Features

Framework / Language

Deployment & Testing

Files

Uh oh!

bfreiberg commented Apr 24, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

NithinChandranR-AWS commented Apr 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

NithinChandranR-AWS commented Apr 27, 2026

Uh oh!

bfreiberg left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

NithinChandranR-AWS commented Apr 24, 2026 •

edited

Loading