Teardown

This page tears down everything created in the Lambda walkthrough, in dependency order: function → access points → mount targets → file system → IAM → security groups → bucket (optional).

  1. Set environment variables. Required

    Re-run these in your current shell. Replace values to match what you created:

    Terminal window
    export AWS_REGION=ap-southeast-6
    export BUCKET=my-s3-files-bucket # ← replace with your real bucket name
    export BUCKET_ARN=arn:aws:s3:::${BUCKET}
    export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
    export VPC_ID=vpc-0123456789abcdef0 # ← replace with your VPC ID
    export FS_ID=$(aws s3files list-file-systems \
    --region $AWS_REGION \
    --bucket $BUCKET_ARN \
    --query 'fileSystems[0].fileSystemId' \
    --output text)
    echo "FS_ID=$FS_ID Account: $ACCOUNT_ID"
  2. Remove the file system configuration from the function and delete it. Required

    Remove the file system config first, then delete the function:

    Terminal window
    aws lambda update-function-configuration \
    --function-name s3files-lambda-demo \
    --file-system-configs '[]' \
    --region $AWS_REGION

    Wait for the update to complete:

    Terminal window
    aws lambda wait function-updated \
    --function-name s3files-lambda-demo \
    --region $AWS_REGION

    Delete the function:

    Terminal window
    aws lambda delete-function \
    --function-name s3files-lambda-demo \
    --region $AWS_REGION
    echo "Lambda function deleted"
  3. Delete all access points. Required

    Terminal window
    AP_IDS=$(aws s3files list-access-points \
    --region $AWS_REGION \
    --file-system-id $FS_ID \
    --query 'accessPoints[*].accessPointId' \
    --output text)
    echo "Access points: $AP_IDS"
    for AP_ID in $AP_IDS; do
    aws s3files delete-access-point \
    --region $AWS_REGION \
    --access-point-id $AP_ID
    echo "Deleted access point $AP_ID"
    done
  4. Delete all mount targets. Required

    The file system cannot be deleted while mount targets exist.

    Terminal window
    MT_IDS=$(aws s3files list-mount-targets \
    --region $AWS_REGION \
    --file-system-id $FS_ID \
    --query 'mountTargets[*].mountTargetId' \
    --output text)
    echo "Mount targets: $MT_IDS"
    for MT_ID in $MT_IDS; do
    aws s3files delete-mount-target \
    --region $AWS_REGION \
    --mount-target-id $MT_ID
    echo "Deleted mount target $MT_ID"
    done

    Wait until the list is empty:

    Terminal window
    until [ "$(aws s3files list-mount-targets \
    --region $AWS_REGION \
    --file-system-id $FS_ID \
    --query 'length(mountTargets)' \
    --output text)" = "0" ]; do
    echo "Waiting for mount targets to delete…"
    sleep 10
    done
    echo "All mount targets deleted"
  5. Delete the file system. Required

    Terminal window
    aws s3files delete-file-system \
    --region $AWS_REGION \
    --file-system-id $FS_ID
    echo "File system deletion initiated"

    Confirm deletion:

    Terminal window
    aws s3files list-file-systems \
    --region $AWS_REGION \
    --bucket $BUCKET_ARN \
    --query 'fileSystems[*].{id:fileSystemId,status:status}' \
    --output table
  6. Delete IAM roles. Required

    Detach managed policies and delete the Lambda execution role:

    Terminal window
    aws iam detach-role-policy \
    --role-name s3files-compute-role-lambda \
    --policy-arn arn:aws:iam::aws:policy/AmazonS3FilesClientFullAccess
    aws iam detach-role-policy \
    --role-name s3files-compute-role-lambda \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    aws iam delete-role-policy \
    --role-name s3files-compute-role-lambda \
    --policy-name S3FilesComputeS3ReadPolicy
    aws iam delete-role --role-name s3files-compute-role-lambda
    echo "Lambda execution role deleted"

    Delete the file system role:

    Terminal window
    aws iam delete-role-policy \
    --role-name s3files-filesystem-role \
    --policy-name S3FilesFileSystemPolicy
    aws iam delete-role --role-name s3files-filesystem-role
    echo "File system role deleted"
  7. Delete the compute security group. Required

    The Lambda compute SG must be deleted before the mount target SG:

    Terminal window
    COMPUTE_SG_ID=$(aws ec2 describe-security-groups \
    --filters "Name=group-name,Values=s3files-lambda-compute-sg" \
    "Name=vpc-id,Values=$VPC_ID" \
    --region $AWS_REGION \
    --query 'SecurityGroups[0].GroupId' \
    --output text)
    echo "COMPUTE_SG_ID=$COMPUTE_SG_ID"
    aws ec2 delete-security-group \
    --group-id $COMPUTE_SG_ID \
    --region $AWS_REGION
    echo "Lambda compute SG deleted"
  8. Delete the mount target security group. Required

    Terminal window
    MT_SG_ID=$(aws ec2 describe-security-groups \
    --filters "Name=group-name,Values=s3files-mount-target-sg" \
    "Name=vpc-id,Values=$VPC_ID" \
    --region $AWS_REGION \
    --query 'SecurityGroups[0].GroupId' \
    --output text)
    echo "MT_SG_ID=$MT_SG_ID"
    aws ec2 delete-security-group \
    --group-id $MT_SG_ID \
    --region $AWS_REGION
    echo "Mount target SG deleted"
  9. Empty and delete the S3 bucket (optional).

    Delete all versioned objects:

    Terminal window
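    # select(length > 0) skips the call when nothing is listed: delete-objects rejects an empty Objects list.
    # read -r keeps backslashes in the JSON batch intact.
    aws s3api list-object-versions \
    --bucket "$BUCKET" \
    --output json \
    --query '{Objects: Versions[].{Key:Key,VersionId:VersionId}}' \
    | jq -c '.Objects // [] | select(length > 0) | _nwise(1000) | {Objects: ., Quiet: true}' \
    | while read -r batch; do
    aws s3api delete-objects --bucket "$BUCKET" --delete "$batch"
    done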

    Delete all delete markers:

    Terminal window
    # Same batching as above, applied to delete markers; empty results are skipped.
    aws s3api list-object-versions \
    --bucket "$BUCKET" \
    --output json \
    --query '{Objects: DeleteMarkers[].{Key:Key,VersionId:VersionId}}' \
    | jq -c '.Objects // [] | select(length > 0) | _nwise(1000) | {Objects: ., Quiet: true}' \
    | while read -r batch; do
    aws s3api delete-objects --bucket "$BUCKET" --delete "$batch"
    done

    Delete any incomplete multipart uploads:

    Terminal window
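    # The upload ID is printed first so that keys containing spaces are read whole;
    # (. // []) handles the null result returned when there are no uploads.
    aws s3api list-multipart-uploads --bucket "$BUCKET" \
    --query 'Uploads[*].{Key:Key,UploadId:UploadId}' \
    --output json \
    | jq -r '(. // [])[] | "\(.UploadId) \(.Key)"' \
    | while read -r upload_id key; do
    aws s3api abort-multipart-upload \
    --bucket "$BUCKET" --key "$key" --upload-id "$upload_id"
    done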

    Delete the bucket:

    Terminal window
    aws s3api delete-bucket --bucket $BUCKET --region $AWS_REGION
    echo "Bucket $BUCKET deleted"

All Lambda walkthrough resources have been removed.
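
Steps 1, 7 and 8 resolve an ID with `--query … --output text` and pass it straight to a delete call; when the query matches nothing, the CLI prints the literal string `None`. The guards below are an added example, not part of the original walkthrough: the function names `is_resolved`, `is_ec2_id` and `preflight` are hypothetical, and the `sg-`/`vpc-` check assumes the standard EC2 ID format of 8 or 17 hex digits.

```bash
# Added example, not from the walkthrough. Function names are hypothetical.

# is_resolved VALUE
# Fails on empty input, on the literal "None"/"null" that `--output text`
# prints when a --query matches nothing, and on output holding several tokens.
is_resolved() {
  case "$1" in
    ""|None|null) return 1 ;;
    *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# is_ec2_id PREFIX VALUE
# Assumption: EC2 IDs are PREFIX- followed by 8 or 17 lowercase hex digits.
is_ec2_id() {
  is_resolved "$2" || return 1
  printf '%s\n' "$2" | grep -Eq "^$1-([0-9a-f]{8}|[0-9a-f]{17})\$"
}

# preflight
# Checks the step 1 variables before any delete call runs. Prints one line
# per problem and returns 1 if there is at least one.
preflight() {
  _bad=0
  is_resolved "${AWS_REGION:-}" || { echo "AWS_REGION is not set"; _bad=1; }
  is_resolved "${BUCKET:-}" || { echo "BUCKET is not set"; _bad=1; }
  is_resolved "${FS_ID:-}" || { echo "FS_ID did not resolve: '${FS_ID:-}'"; _bad=1; }
  is_ec2_id vpc "${VPC_ID:-}" || { echo "VPC_ID is not a VPC ID: '${VPC_ID:-}'"; _bad=1; }
  # The sample values shown in step 1 must have been replaced.
  if [ "${VPC_ID:-}" = "vpc-0123456789abcdef0" ]; then
    echo "VPC_ID is still the walkthrough placeholder"; _bad=1
  fi
  if [ "${BUCKET:-}" = "my-s3-files-bucket" ]; then
    echo "BUCKET is still the walkthrough placeholder"; _bad=1
  fi
  return "$_bad"
}

# Usage in the teardown shell:
#   preflight || echo "fix the variables above before deleting anything"
#   is_ec2_id sg "$COMPUTE_SG_ID" && aws ec2 delete-security-group \
#     --group-id "$COMPUTE_SG_ID" --region "$AWS_REGION"
```

Run `preflight` after step 1, and wrap each security group lookup in steps 7 and 8 with `is_ec2_id sg` so a failed lookup stops before the delete call.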