Control which events Lambda sends to your function
You can use event filtering to control which records from a stream or queue Lambda sends to your function. For example, you can add a filter so that your function only processes Amazon SQS messages containing certain data parameters. Event filtering works only with certain event source mappings. You can add filters to event source mappings for the following AWS services:
Amazon DynamoDB
Amazon Kinesis Data Streams
Amazon MQ
Amazon Managed Streaming for Apache Kafka (Amazon MSK)
Self-managed Apache Kafka
Amazon Simple Queue Service (Amazon SQS)
For specific information about filtering with specific event sources, seeUsing filters with different AWS services. Lambda doesn't support event filtering for Amazon DocumentDB.
By default, you can define up to five different filters for a single event source mapping. Your filters are logically ORed together. If a record from your event source satisfies one or more of your filters, Lambda includes the record in the next event it sends to your function. If none of your filters are satisfied, Lambda discards the record.
If you need to define more than five filters for an event source, you can request a quota increase for up to 10 filters for each event source. If you attempt to add more filters than your current quota permits, Lambda will return an error when you try to create the event source.
Topics
Understanding event filtering basics
A filter criteria (FilterCriteria) object is a structure that consists of a list of filters (Filters). Each filter is a structure that defines an event filtering pattern (Pattern). A pattern is a string representation of a JSON filter rule. The structure of aFilterCriteria object is as follows.
{ "Filters": [{ "Pattern": "{ \"Metadata1\": [ rule1 ], \"data\":{ \"Data1\": [ rule2 ] }}" } ]}For added clarity, here is the value of the filter'sPattern expanded in plain JSON.
{ "Metadata1": [ rule1 ], "data":{ "Data1": [ rule2 ] }}Your filter pattern can include metadata properties, data properties, or both. The available metadata parameters and the format of the data parameters vary according to the AWS service which is acting as the event source. For example, suppose your event source mapping receives the following record from an Amazon SQS queue:
{ "messageId": "059f36b4-87a3-44ab-83d2-661975830a7d", "receiptHandle": "AQEBwJnKyrHigUMZj6rYigCgxlaS3SLy0a...", "body": "{\\n \"City\": \"Seattle\",\\n \"State\": \"WA\",\\n \"Temperature\": \"46\"\\n}", "attributes":{ "ApproximateReceiveCount": "1", "SentTimestamp": "1545082649183", "SenderId": "AIDAIENQZJOLO23YVJ4VO", "ApproximateFirstReceiveTimestamp": "1545082649185" }, "messageAttributes":{}, "md5OfBody": "e4e68fb7bd0e697a0ae8f1bb342846b3", "eventSource": "aws:sqs", "eventSourceARN": "arn:aws:sqs:us-east-2:123456789012:my-queue", "awsRegion": "us-east-2"}Metadata properties are the fields containing information about the event that created the record. In the example Amazon SQS record, the metadata properties include fields such as
messageID,eventSourceArn, andawsRegion.Data properties are the fields of the record containing the data from your stream or queue. In the Amazon SQS event example, the key for the data field is
body, and the data properties are the fieldsCityState, andTemperature.
Different types of event source use different key values for their data fields. To filter on data properties, make sure that you use the correct key in your filter’s pattern. For a list of data filtering keys, and to see examples of filter patterns for each supported AWS service, refer toUsing filters with different AWS services.
Event filtering can handle multi-level JSON filtering. For example, consider the following fragment of a record from a DynamoDB stream:
"dynamodb":{ "Keys":{ "ID":{ "S": "ABCD" } "Number":{ "N": "1234" }, ...}Suppose you want to process only those records where the value of the sort keyNumber is 4567. In this case, yourFilterCriteria object would look like this:
{ "Filters": [{ "Pattern": "{ \"dynamodb\":{ \"Keys\":{ \"Number\":{ \"N\": [ "4567" ] } } } }" } ]}For added clarity, here is the value of the filter'sPattern expanded in plain JSON.
{ "dynamodb":{ "Keys":{ "Number":{ "N": [ "4567" ] } } }}Handling records that don't meet filter criteria
How Lambda handles records that don't meet your filter criteria depends on the event source.
ForAmazon SQS, if a message doesn't satisfy your filter criteria, Lambda automatically removes the message from the queue. You don't have to manually delete these messages in Amazon SQS.
ForKinesis andDynamoDB, after your filter criteria evaluates a record, the streams iterator advances past this record. If the record doesn't satisfy your filter criteria, you don't have to manually delete the record from your event source. After the retention period, Kinesis and DynamoDB automatically delete these old records. If you want records to be deleted sooner, seeChanging the Data Retention Period.
ForAmazon MSK,self-managed Apache Kafka, andAmazon MQ messages, Lambda drops messages that don't match all fields included in the filter. For Amazon MSK and self-managed Apache Kafka, Lambda commits offsets for matched and unmatched messages after successfully invoking the function. For Amazon MQ, Lambda acknowledges matched messages after successfully invoking the function, and acknowledges unmatched messages when filtering them.
Filter rule syntax
For filter rules, Lambda supports the Amazon EventBridge rules and uses the same syntax as EventBridge. For more information, see Amazon EventBridge event patterns in theAmazon EventBridge User Guide.
The following is a summary of all the comparison operators available for Lambda event filtering.
| Comparison operator | Example | Rule syntax |
|---|---|---|
Null | UserID is null | "UserID": [ null ] |
Empty | LastName is empty | "LastName": [""] |
Equals | Name is "Alice" | "Name": [ "Alice" ] |
Equals (ignore case) | Name is "Alice" | "Name": [{ "equals-ignore-case": "alice" } ] |
And | Location is "New York" and Day is "Monday" | "Location": [ "New York" ], "Day": ["Monday"] |
Or | PaymentType is "Credit" or "Debit" | "PaymentType": [ "Credit", "Debit"] |
Or (multiple fields) | Location is "New York", or Day is "Monday". | "$or": [{ "Location": [ "New York" ] },{ "Day": [ "Monday" ] } ] |
Not | Weather is anything but "Raining" | "Weather": [{ "anything-but": [ "Raining" ] } ] |
Numeric (equals) | Price is 100 | "Price": [{ "numeric": [ "=", 100 ] } ] |
Numeric (range) | Price is more than 10, and less than or equal to 20 | "Price": [{ "numeric": [ ">", 10, "<=", 20 ] } ] |
Exists | ProductName exists | "ProductName": [{ "exists": true } ] |
Does not exist | ProductName does not exist | "ProductName": [{ "exists": false } ] |
Begins with | Region is in the US | "Region": [{"prefix": "us-" } ] |
Ends with | FileName ends with a .png extension. | "FileName": [{ "suffix": ".png" } ] |
Like EventBridge, for strings, Lambda uses exact character-by-character matching without case-folding or any other string normalization. For numbers, Lambda also uses string representation. For example, 300, 300.0, and 3.0e2 are not considered equal.
Note that the Exists operator only works on leaf nodes in your event source JSON. It doesn't match intermediate nodes. For example, with the following JSON, the filter pattern{ "person":{ "address": [{ "exists": true } ] } }" wouldn't find a match because"address" is an intermediate node.
{ "person":{ "name": "John Doe", "age": 30, "address":{ "street": "123 Main St", "city": "Anytown", "country": "USA" } }}Attaching filter criteria to an event source mapping (console)
Follow these steps to create a new event source mapping with filter criteria using the Lambda console.
To create a new event source mapping with filter criteria (console)
Open theFunctions page of the Lambda console.
Choose the name of a function to create an event source mapping for.
UnderFunction overview, chooseAdd trigger.
ForTrigger configuration, choose a trigger type that supports event filtering. For a list of supported services, refer to the list at the beginning of this page.
ExpandAdditional settings.
UnderFilter criteria, chooseAdd, and then define and enter your filters. For example, you can enter the following.
{ "Metadata" : [ 1, 2 ] }This instructs Lambda to process only the records where field
Metadatais equal to 1 or 2. You can continue to selectAdd to add more filters up to the maximum allowed amount.When you have finished adding your filters, chooseSave.
When you enter filter criteria using the console, you enter only the filter pattern and don't need to provide thePattern key or escape quotes. In step 6 of the preceding instructions,{ "Metadata" : [ 1, 2 ] } corresponds to the followingFilterCriteria.
{ "Filters": [{ "Pattern": "{ \"Metadata\" : [ 1, 2 ] }" } ]}After creating your event source mapping in the console, you can see the formattedFilterCriteria in the trigger details. For more examples of creating event filters using the console, seeUsing filters with different AWS services.
Attaching filter criteria to an event source mapping (AWS CLI)
Suppose you want an event source mapping to have the followingFilterCriteria:
{ "Filters": [{ "Pattern": "{ \"Metadata\" : [ 1, 2 ] }" } ]}To create a new event source mapping with these filter criteria using the AWS Command Line Interface (AWS CLI), run the following command.
aws lambda create-event-source-mapping \ --function-namemy-function \ --event-source-arnarn:aws:sqs:us-east-2:123456789012:my-queue \ --filter-criteria '{"Filters": [{"Pattern": "{ \"Metadata\" : [ 1, 2 ]}"}]}'This create-event-source-mapping command creates a new Amazon SQS event source mapping for functionmy-function with the specifiedFilterCriteria.
To add these filter criteria to an existing event source mapping, run the following command.
aws lambda update-event-source-mapping \ --uuid"a1b2c3d4-5678-90ab-cdef-11111EXAMPLE" \ --filter-criteria '{"Filters": [{"Pattern": "{ \"Metadata\" : [ 1, 2 ]}"}]}'Note that to update an event source mapping, you need its UUID. You can get the UUID from a list-event-source-mappings call. Lambda also returns the UUID in the create-event-source-mapping CLI response.
To remove filter criteria from an event source, you can run the following update-event-source-mapping command with an emptyFilterCriteria object.
aws lambda update-event-source-mapping \ --uuid"a1b2c3d4-5678-90ab-cdef-11111EXAMPLE" \ --filter-criteria "{}"For more examples of creating event filters using the AWS CLI, seeUsing filters with different AWS services.
Attaching filter criteria to an event source mapping (AWS SAM)
Suppose you want to configure an event source in AWS SAM to use the following filter criteria:
{ "Filters": [{ "Pattern": "{ \"Metadata\" : [ 1, 2 ] }" } ]}To add these filter criteria to your event source mapping, insert the following snippet into the YAML template for your event source.
FilterCriteria: Filters: - Pattern: '{"Metadata": [1, 2]}'For more information on creating and configuring an AWS SAM template for an event source mapping, see the EventSource section of the AWS SAM Developer Guide. Fore more examples of creating event filters using AWS SAM templates, seeUsing filters with different AWS services.
Encryption of filter criteria
By default, Lambda doesn't encrypt your filter criteria object. For use cases where you may include sensitive information in your filter criteria object, you can use your ownKMS key to encrypt it.
After you encrypt your filter criteria object, you can view its plaintext version using aGetEventSourceMapping API call. You must havekms:Decrypt permissions to be able to successfully view the filter criteria in plaintext.
If your filter criteria object is encrypted, Lambda redacts the value of theFilterCriteria field in the response ofListEventSourceMappings calls. Instead, this field displays asnull. To see the true value ofFilterCriteria, use theGetEventSourceMapping API.
To view the decrypted value ofFilterCriteria in the console, ensure that your IAM role contains permissions forGetEventSourceMapping.
You can specify your own KMS key via the console, API/CLI, or AWS CloudFormation.
To encrypt filter criteria with a customer-owned KMS key (console)
Open theFunctions page of the Lambda console.
ChooseAdd trigger. If you already have an existing trigger, choose theConfiguration tab, and then choose Triggers. Select the existing trigger, and chooseEdit.
Select the checkbox next toEncrypt with customer managed KMS key.
ForChoose a customer managed KMS encryption key, select an existing enabled key or create a new key. Depending on the operation, you need some or all of the following permissions:
kms:DescribeKey,kms:GenerateDataKey, andkms:Decrypt. Use the KMS key policy to grant these permissions.
If you use your own KMS key, the following API operations must be permitted in thekey policy:
kms:Decrypt– Must be granted to the regional Lambda service principal (lambda.). This allows Lambda to decrypt data with this KMS key.AWS_region.amazonaws.comTo prevent a cross-service confused deputy problem, the key policy uses the
aws:SourceArnglobal condition key. The correct value of theaws:SourceArnkey is the ARN of your event source mapping resource, so you can add this to your policy only after you know its ARN. Lambda also forwards theaws:lambda:FunctionArnandaws:lambda:EventSourceArnkeys and their respective values in theencryption context when making a decryption request to KMS. These values must match the specified conditions in the key policy for the decryption request to succeed. You don't need to include EventSourceArn for Self-managed Kafka event sources since they don't have an EventSourceArn.
kms:Decrypt– Must also be granted to the principal that intends to use the key to view the plaintext filter criteria inGetEventSourceMapping orDeleteEventSourceMapping API calls.kms:DescribeKey– Provides the customer managed key details to allow the specified principal to use the key.kms:GenerateDataKey– Provides permissions for Lambda to generate a data key to encrypt the filter criteria, on behalf of the specified principal (envelope encryption).
You can use AWS CloudTrail to track AWS KMS requests that Lambda makes on your behalf. For sample CloudTrail events, seeMonitoring your encryption keys for Lambda.
We also recommend using thekms:ViaService condition key to limit the use of the KMS key to requests from Lambda only. The value of this key is the regional Lambda service principal (lambda.). The following is a sample key policy that grants all the relevant permissions:AWS_region.amazonaws.com
To use your own KMS key to encrypt filter criteria, you can also use the followingCreateEventSourceMapping AWS CLI command. Specify the KMS key ARN with the--kms-key-arn flag.
aws lambda create-event-source-mapping --function-name my-function \ --maximum-batching-window-in-seconds 60 \ --event-source-arnarn:aws:sqs:us-east-1:123456789012:my-queue \ --filter-criteria "{\"filters\": [{\"pattern\": \"{\"a\": [\"1\", \"2\"]}\" }]}" \ --kms-key-arnarn:aws:kms:us-east-1:123456789012:key/055efbb4-xmpl-4336-ba9c-538c7d31f599If you have an existing event source mapping, use theUpdateEventSourceMapping AWS CLI command instead. Specify the KMS key ARN with the--kms-key-arn flag.
aws lambda update-event-source-mapping --function-name my-function \ --maximum-batching-window-in-seconds 60 \ --event-source-arnarn:aws:sqs:us-east-1:123456789012:my-queue \ --filter-criteria "{\"filters\": [{\"pattern\": \"{\"a\": [\"1\", \"2\"]}\" }]}" \ --kms-key-arnarn:aws:kms:us-east-1:123456789012:key/055efbb4-xmpl-4336-ba9c-538c7d31f599This operation overwrites any KMS key that was previously specified. If you specify the--kms-key-arn flag along with an empty argument, Lambda stops using your KMS key to encrypt filter criteria. Instead, Lambda defaults back to using an Amazon-owned key.
To specify your own KMS key in a AWS CloudFormation template, use theKMSKeyArn property of theAWS::Lambda::EventSourceMapping resource type. For example, you can insert the following snippet into the YAML template for your event source.
MyEventSourceMapping: Type: AWS::Lambda::EventSourceMapping Properties: ... FilterCriteria: Filters: - Pattern: '{"a": [1, 2]}' KMSKeyArn: "arn:aws:kms:us-east-1:123456789012:key/055efbb4-xmpl-4336-ba9c-538c7d31f599" ...To be able to view your encrypted filter criteria in plaintext in aGetEventSourceMapping orDeleteEventSourceMapping API call, you must havekms:Decrypt permissions.
Starting August 6, 2024, theFilterCriteria field no longer shows up in AWS CloudTrail logs fromCreateEventSourceMapping,UpdateEventSourceMapping, andDeleteEventSourceMapping API calls if your function doesn't use event filtering. If your function does use event filtering, theFilterCriteria field shows up as empty ({}). You can still view your filter criteria in plaintext in the response ofGetEventSourceMapping API calls if you havekms:Decrypt permissions for the correct KMS key.
Using filters with different AWS services
Different types of event source use different key values for their data fields. To filter on data properties, make sure that you use the correct key in your filter’s pattern. The following table gives the filtering keys for each supported AWS service.
| AWS service | Filtering key |
|---|---|
| DynamoDB | dynamodb |
| Kinesis | data |
| Amazon MQ | data |
| Amazon MSK | value |
| Self-managed Apache Kafka | value |
| Amazon SQS | body |
The following sections give examples of filter patterns for different types of event sources. They also provide definitions of supported incoming data formats and filter pattern body formats for each supported service.
