Sign In

Access your saved progress

or

Intermediate 25 min

Security, Cost, and Cleanup

Let’s cover important topics: keeping your system secure, understanding costs, and cleaning up when you’re done.

Security Best Practices

Principle of Least Privilege

Your function should only have permissions it actually needs:

Function should be able to:

  • ✅ Read object metadata from storage
  • ✅ Write logs
  • ✅ Call email service API

Function should NOT be able to:

  • ❌ Delete files from storage
  • ❌ Access other buckets
  • ❌ Modify other functions
  • ❌ Access databases (unless needed)

IAM Configuration

Configure minimal permissions:

{
"Version": "2012-10-17",
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ],
    "Resource": "arn:aws:logs:*:*:*"
  },
  {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject"
    ],
    "Resource": "arn:aws:s3:::my-notifications-bucket-2025/*"
  }
]
}

Secure Environment Variables

Never commit secrets to code:

  • ❌ Don’t put API keys in source code
  • ❌ Don’t commit .env files
  • ❌ Don’t hardcode credentials

Always use environment variables:

  • ✅ Set in function configuration
  • ✅ Use secret management services
  • ✅ Rotate keys regularly

Email Security

Verify sender email:

  • Verify domain or email in email service
  • Prevents spoofing
  • Required by most services

Rate limiting:

  • Set reasonable limits
  • Prevent abuse
  • Monitor usage

Understanding Costs

Here’s what you’ll pay for:

Storage Costs

Per GB per month:

  • AWS S3: ~$0.023/GB (first 50TB)
  • Azure Blob: ~$0.018/GB (hot tier)
  • GCP Storage: ~$0.020/GB (standard)

Example: 10 GB stored = ~$0.20/month

Function Costs

Per invocation:

  • AWS Lambda: First 1M requests free, then $0.20 per 1M
  • Azure Functions: First 1M requests free, then $0.20 per 1M
  • GCP Functions: First 2M requests free, then $0.40 per 1M

Per execution time:

  • AWS: $0.0000166667 per GB-second
  • Azure: $0.000016 per GB-second
  • GCP: $0.0000025 per GB-second

Example: 1,000 invocations/month, 500ms each, 128MB memory

  • Cost: ~$0.00 (within free tier)

Email Costs

SendGrid:

  • Free tier: 100 emails/day
  • Paid: $19.95/month for 50,000 emails

Mailgun:

  • Free tier: 5,000 emails/month
  • Paid: $35/month for 50,000 emails

AWS SES:

  • $0.10 per 1,000 emails
  • First 62,000 emails free (if on EC2)

Example: 1,000 emails/month

  • SendGrid: Free (within free tier)
  • Mailgun: Free (within free tier)
  • AWS SES: ~$0.10

Total Cost Estimate

For light usage (100 files/month, 1GB storage):

  • Storage: ~$0.02/month
  • Functions: $0.00 (free tier)
  • Email: $0.00 (free tier)
  • Total: ~$0.02/month

For moderate usage (1,000 files/month, 10GB storage):

  • Storage: ~$0.20/month
  • Functions: ~$0.00-0.01/month
  • Email: $0.00-0.10/month
  • Total: ~$0.20-0.30/month

Cleanup Checklist

When you’re done testing, clean up resources:

Storage:

  • Delete test files from bucket
  • Delete bucket (or keep if needed)

Function:

  • Delete serverless function
  • Remove function logs (optional)

Triggers:

  • Remove event trigger configuration
  • Remove IAM permissions (if created separately)

Email Service:

  • Remove API keys (if created only for testing)
  • Unverify sender email (optional)

Other:

  • Remove IAM roles/policies created for function
  • Delete CloudWatch log groups (AWS)
  • Remove Application Insights (Azure)
  • Delete Cloud Logging (GCP)

Cleanup Commands

# Delete all files in bucket
aws s3 rm s3://my-notifications-bucket-2025/ --recursive

# Delete bucket
aws s3 rb s3://my-notifications-bucket-2025

# Delete Lambda function
aws lambda delete-function --function-name notify-on-upload

# Delete log group
aws logs delete-log-group --log-group-name /aws/lambda/notify-on-upload

# Remove S3 trigger (done automatically when function deleted)

Knowledge Check

Wrap-up and Next Steps

What You Learned

You’ve built a complete event-driven notification system:

Event-driven architecture - How events flow through cloud systems

Serverless functions - Code that runs automatically without server management

Storage integration - How object storage emits events

Trigger configuration - Connecting events to functions

Email notifications - Sending alerts automatically

Testing and debugging - Finding and fixing issues

Security and costs - Best practices and cost awareness

Real-World Applications

This pattern appears in many systems:

Document Management

  • Notify team when contracts are uploaded
  • Alert when reports are ready

Data Pipelines

  • Trigger processing when data arrives
  • Send alerts when pipelines complete

Content Processing

  • Notify when media is uploaded
  • Alert when processing finishes

Compliance

  • Log all file uploads
  • Alert on sensitive documents

Extensions and Next Steps

Filter by file type:

  • Only notify for PDFs
  • Different handling for images vs documents

Store metadata in database:

  • Track all uploads
  • Query upload history
  • Generate reports

Trigger other workflows:

  • Image resizing
  • Virus scanning
  • Content analysis
  • Archive to cold storage

Multi-recipient notifications:

  • Send to team distribution list
  • Different emails for different file types
  • Escalation for large files

Error handling:

  • Retry failed emails
  • Dead letter queue for failures
  • Alert on repeated failures

Additional Resources

Documentation:

Related Tutorials:

  • Building serverless APIs
  • Event-driven data processing
  • Cloud storage best practices

Community:

  • Cloud provider forums
  • Serverless framework community
  • Stack Overflow

Congratulations! 🎉

You’ve built a working event-driven notification system. You understand how cloud services work together, how to write serverless functions, and how to integrate external services.

Keep experimenting, keep building, and keep learning!

Progress 100%
Page 8 of 8
Previous Next