I want to troubleshoot the following error when I create an Amazon Simple Storage Service (Amazon S3) Event Notification: "Unable to validate the following destination configurations when creating an Amazon S3 Event Notification"
Short description
You get this error when any of the following conditions aren't met:
- When you create an Amazon S3 Event Notification, the destination that you specify must have a resource-based policy. This policy must allow S3 to publish notifications to the destination.
- The Region for the destination must be same as that of the S3 bucket.
- If the destination is encrypted with an AWS Key Management Service (AWS KMS) key, the key policy must allow access to S3.
When you update an event notification configuration, Amazon S3 verifies that all the event destinations exist. S3 also checks that the event destinations have the required resource-based policies to allow S3 to do the following depending on the event destination type:
- Publish events
- Send messages
- Invoke functions
S3 performs these checks on new event destinations as well as any existing event destinations that aren't being removed during the update. When any of these checks fail, you might get the error "Unable to validate the following destination configurations".
Resolution
Be sure that all the event destinations exist
You get this error when an event destination that's on the bucket doesn't exist.
If you configured an existing event notification to send events to a destination that no longer exists, you must remove these events. You must do so before updating the event notification configuration. You might find that the notifications currently exist on the bucket and the destination no longer exists. This might be because the destination existed when the event notification configuration was last updated, but was deleted after.
It's a best practice to delete all events with non-existent destinations using the same PutBucketNotificationConfiguration API. You can run this operation using the Amazon S3 console, AWS Command Line Interface (AWS CLI), or AWS SDK.
Confirm that the event destinations have valid resource-based policies
Be sure to grant the necessary permissions to Amazon S3 to call the relevant API to publish messages to the following:
- An Amazon Simple Notification Service (Amazon SNS) topic
- An Amazon Simple Queue Service (Amazon SQS) queue
- An AWS Lambda function
If you're adding a new event to the bucket, make sure that the new event has the valid resource-based policy:
For more information on permissions related to an Amazon SNS topic or Amazon SQS queue, see Granting permissions to publish messages to an SNS topic or an SQS queue.
For more information on permissions related to AWS Lambda function, see Step 7. Configure Amazon S3 to publish events.
For information on updating the Lambda function to make sure it has valid policies, see Tutorial: Using an Amazon S3 trigger to invoke a Lambda function.
Note: If you're using the S3 console to turn on Event Notifications, S3 automatically attempts to update the resource-based policy for you before adding the event.
If you have the valid resource-based policy for the event destination and are still getting the same error, then check all the existing event destinations. Make sure that they have the valid resource-based policies as well. You get the error if any resource-based policies for the event destinations were modified after the event notification configuration was last updated on the bucket. The error persists until all the permissions are valid or the events with non-valid destinations are removed.
Make sure that the AWS KMS Key policy is valid for KMS-encrypted topics and queues
If you activate AWS KMS encryption for an SQS or SNS destination, update the customer managed key policy to allow S3 to use the key. For more information, see AWS KMS key policy.
AWS managed keys, such as aws/sns and aws/sqs keys aren't supported. If you're using one of these keys on your event destination, you must update the destination to use a customer managed key. Then, update the key policy.
Related information
IAM policy for a destination SNS topic
IAM policy for a destination SQS queue